Date:      Fri, 30 Sep 2005 22:44:07 -0400
From:      Theo Schlossnagle <jesus@omniti.com>
To:        Ganbold <ganbold@micom.mng.net>
Cc:        freebsd-net@freebsd.org, Marcin Jessa <lists@yazzy.org>, Mao Shou Yan <david.mao@thomson.net>, Theo Schlossnagle <jesus@omniti.com>
Subject:   Re: ipfw bridge + fwd questions
Message-ID:  <04DBCBC0-C334-48B6-8BD0-80A0DAB2BE93@omniti.com>
In-Reply-To: <31021C278A7A6B4AB95E9A085C3552181F7608@bjngsmail01>
References:  <31021C278A7A6B4AB95E9A085C3552181F7608@bjngsmail01>


Allowing fwd rules on bridged traffic isn't too difficult, but does  
require kernel modifications (in ipfw).

As Mao says it can only work on layer 3 packets.  But, that doesn't  
mean you can't do it.  It just means that when you add the FWD option  
into the layer 2 ipfw switch statement you have to look deep enough  
into the packet to make sure it is indeed IP and possible to fwd.   
Then hand it up in the stack.

We did this on one of our networking appliances.  Basically, qualify  
the packet in (args->eh) and then unlock the chain and ip_input to  
push it into layer 3.

On Sep 30, 2005, at 3:43 AM, Mao Shou Yan wrote:

> NO, fwd can work only on layer 3 packet!
>
> -----Original Message-----
> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd- 
> net@freebsd.org] On Behalf Of Marcin Jessa
> Sent: September 30, 2005 15:35
> To: Ganbold
> Cc: freebsd-net@freebsd.org
> Subject: Re: ipfw bridge + fwd questions
>
> On Fri, 30 Sep 2005 15:39:49 +0900
> Ganbold <ganbold@micom.mng.net> wrote:
>
>
>> Hi,
>>
>> I have a question regarding ipfw fwd rule.
>> I'm using FreeBSD 5.4-STABLE and running on it bridging firewall
>> using ipfw.
>>
>> Now my question comes:)
>> Can I use ipfw fwd rules against traffic coming to one of the bridged
>> interfaces?
>>
> Yes you can.
> sysctl net.link.ether.bridge_ipfw=1 just like in your sysctl  
> variables.
>
>
>> I would like to forward some packets (which are destined to port
>> 110)
>> to some other router through third vr0 interface.
>>
> Use a divert rule for that.
>
> In this example we send all the port 80 traffic to port 8000:
> # ipfw add 1000 divert 8000 tcp from any to any 80
> Read this article for more info:
> http://freebsd.rogness.net/snort_inline/
>
> Cheers
> Marcin.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
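The qualification step Theo describes (look far enough into the bridged frame to confirm it really is an IP packet that can be forwarded before handing it up to ip_input) as an added stand-alone C example; this is not code from the thread or from FreeBSD's ipfw, the function names qualify_ip_frame, build_sample and check_sample are assumed, and the sample frame bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETH_HLEN     14
#define ETHERTYPE_IP 0x0800
#define IP_PROTO_TCP 6

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Qualify a raw bridged frame before a layer-2 fwd would hand it to ip_input():
 * untagged IPv4 with sane version/IHL/total length, TCP, and a complete TCP header
 * whose destination port matches. Returns 1 if forwardable, else 0. Checksums are
 * left to ip_input() once the packet is handed up the stack. */
int qualify_ip_frame(const uint8_t *frame, size_t len, uint16_t dst_port)
{
    if (len < ETH_HLEN + 20)                    return 0; /* runt */
    if (be16(frame + 12) != ETHERTYPE_IP)       return 0; /* ARP, 802.1Q, IPv6, ... */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20)          return 0; /* bad version or IHL */
    uint16_t tot = be16(ip + 2);
    if (tot < ihl + 20 || tot > len - ETH_HLEN) return 0; /* truncated or no TCP hdr */
    if (ip[9] != IP_PROTO_TCP)                  return 0;
    return be16(ip + ihl + 2) == dst_port;                /* TCP destination port */
}

/* Constructed 54-byte Ethernet/IPv4/TCP SYN (no valid checksums) so the
 * qualifier can be exercised offline. Returns the frame length. */
size_t build_sample(uint8_t *buf, uint16_t ethertype, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 54);
    memset(buf, 0xaa, 6); memset(buf + 6, 0xbb, 6);          /* dst / src MAC */
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; ip[3] = 40;                                /* v4, IHL 5, total length 40 */
    ip[8] = 64; ip[9] = proto;                               /* TTL, protocol */
    ip[12] = 10; ip[15] = 5; ip[16] = 10; ip[19] = 1;        /* 10.0.0.5 -> 10.0.0.1 */
    uint8_t *tcp = ip + 20; tcp[0] = 0xc0;                   /* src port 49152 */
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[12] = 0x50; tcp[13] = 0x02;                          /* data offset 5, SYN */
    return 54;
}

/* Build a sample, optionally truncate it to cap bytes, and qualify it. */
int check_sample(uint16_t ethertype, uint8_t proto, uint16_t dport, size_t cap, uint16_t want)
{
    uint8_t f[64]; size_t n = build_sample(f, ethertype, proto, dport);
    if (cap && cap < n) n = cap;
    return qualify_ip_frame(f, n, want);
}
```

The same checks are what a kernel-side FWD case in the layer-2 switch would need to do on args->eh before unlocking the chain and calling ip_input; anything that fails them stays on the bridge path.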