From: Theo Schlossnagle <jesus@omniti.com>
Date: Fri, 30 Sep 2005 22:44:07 -0400
To: Ganbold
Cc: freebsd-net@freebsd.org, Marcin Jessa, Mao Shou Yan, Theo Schlossnagle
Subject: Re: ipfw bridge + fwd questions
In-Reply-To: <31021C278A7A6B4AB95E9A085C3552181F7608@bjngsmail01>
Message-Id: <04DBCBC0-C334-48B6-8BD0-80A0DAB2BE93@omniti.com>
List-Id: Networking and TCP/IP with FreeBSD
Allowing fwd rules on bridged traffic isn't too difficult, but does
require kernel modifications (in ipfw).

As Mao says, it can only work on layer 3 packets. But that doesn't
mean you can't do it. It just means that when you add the FWD option
into the layer 2 ipfw switch statement you have to look deep enough
into the packet to make sure it is indeed IP and possible to fwd.
Then hand it up in the stack.

We did this on one of our networking appliances. Basically, qualify
the packet in (args->eh) and then unlock the chain and ip_input to
push it into layer 3.

On Sep 30, 2005, at 3:43 AM, Mao Shou Yan wrote:

> NO, fwd can work only on layer 3 packets!
>
> -----Original Message-----
> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Marcin Jessa
> Sent: 30 September 2005 15:35
> To: Ganbold
> Cc: freebsd-net@freebsd.org
> Subject: Re: ipfw bridge + fwd questions
>
> On Fri, 30 Sep 2005 15:39:49 +0900
> Ganbold wrote:
>
>> Hi,
>>
>> I have a question regarding the ipfw fwd rule.
>> I'm using FreeBSD 5.4-STABLE and running a bridging firewall on it
>> using ipfw.
>>
>> Now my question comes:)
>> Can I use ipfw fwd rules against traffic coming to one of the bridged
>> interfaces?
>>
> Yes you can.
> sysctl net.link.ether.bridge_ipfw=1 just like in your sysctl
> variables.
>
>> I would like to forward some packets (which are destined to port
>> 110)
>> to some other router through a third vr0 interface.
>>
> Use a divert rule for that.
>
> In this example we send all the port 80 traffic to port 8000:
> # ipfw add 1000 divert 8000 tcp from any to any 80
> Read this article for more info:
> http://freebsd.rogness.net/snort_inline/
>
> Cheers
> Marcin.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
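Theo's point above, that a layer-2 ipfw hook must look far enough into a bridged frame to confirm it really carries IP before handing it to ip_input, as an added example that is not part of the original thread and not FreeBSD's ipfw code: a stand-alone C check over an Ethernet frame that returns the IPv4 header offset only for a well-formed IPv4 datagram (optionally behind one 802.1Q tag), plus a second helper that extracts the TCP destination port the way a `fwd ... tcp from any to any 110` match would need it. The function names, the VLAN handling and the sample frames are assumptions of this example; the frames are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN      14
#define ETHTYPE_IP       0x0800
#define ETHTYPE_VLAN     0x8100
#define IP_MIN_HDR_LEN   20
#define TCP_MIN_HDR_LEN  20
#define PROTO_TCP        6

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hypothetical helper (assumption of this example): offset of a well-formed
 * IPv4 header inside an Ethernet frame, or -1 when the frame is not IPv4
 * (ARP, IPv6, ...) or is shorter than the lengths it claims. Only a frame
 * that passes here is safe to push up to the IP layer. */
int l3_ip_offset(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return -1;

    size_t off = 12;                      /* ethertype follows the two MACs */
    uint16_t etype = rd16(frame + off);
    off += 2;

    /* Skip one 802.1Q tag: TPID 0x8100, 2-byte TCI, then the real ethertype. */
    if (etype == ETHTYPE_VLAN) {
        if (len < off + 4)
            return -1;
        etype = rd16(frame + off + 2);
        off += 4;
    }
    if (etype != ETHTYPE_IP || len - off < IP_MIN_HDR_LEN)
        return -1;

    const uint8_t *ip = frame + off;
    unsigned version = ip[0] >> 4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length in bytes */
    size_t total = rd16(ip + 2);               /* claimed datagram length */

    /* Trailing Ethernet padding is fine (total <= payload), but a datagram
     * claiming more bytes than the frame holds must not be forwarded. */
    if (version != 4 || ihl < IP_MIN_HDR_LEN || total < ihl || total > len - off)
        return -1;
    return (int)off;
}

/* Hypothetical helper: TCP destination port, or -1 unless the frame is a
 * first-fragment TCP segment carrying a complete TCP header. */
int tcp_dst_port(const uint8_t *frame, size_t len)
{
    int off = l3_ip_offset(frame, len);
    if (off < 0)
        return -1;
    const uint8_t *ip = frame + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = rd16(ip + 2);

    if (ip[9] != PROTO_TCP)
        return -1;
    if ((rd16(ip + 6) & 0x1fff) != 0)        /* later fragment: no TCP header */
        return -1;
    if (total < ihl + TCP_MIN_HDR_LEN)
        return -1;
    return rd16(ip + ihl + 2);
}

/* Constructed sample frames (not captured traffic). */
#define MACS 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb
/* IPv4 (20 bytes, total length 40, proto TCP) + TCP SYN to port 110. */
#define IPV4_TCP_110(tot_hi, tot_lo) \
    0x45,0x00,tot_hi,tot_lo, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, \
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, \
    0x12,0x34,0x00,0x6e, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x00,0x00, 0,0,0,0

static const uint8_t frame_ipv4[]    = { MACS, 0x08,0x00, IPV4_TCP_110(0x00,0x28) };
static const uint8_t frame_vlan[]    = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x00,
                                         IPV4_TCP_110(0x00,0x28) };
static const uint8_t frame_bad_len[] = { MACS, 0x08,0x00, IPV4_TCP_110(0x05,0xdc) };
static const uint8_t frame_arp[]     = { MACS, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x0a,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0x0a,0x00,0x00,0x02 };

int main(void)
{
    printf("ipv4:      ip offset %d, tcp dst port %d\n",
           l3_ip_offset(frame_ipv4, sizeof frame_ipv4),
           tcp_dst_port(frame_ipv4, sizeof frame_ipv4));
    printf("vlan:      ip offset %d\n", l3_ip_offset(frame_vlan, sizeof frame_vlan));
    printf("arp:       ip offset %d\n", l3_ip_offset(frame_arp, sizeof frame_arp));
    printf("bad len:   ip offset %d\n", l3_ip_offset(frame_bad_len, sizeof frame_bad_len));
    printf("truncated: ip offset %d\n", l3_ip_offset(frame_ipv4, 30));
    return 0;
}
```

ARP, IPv6, truncated and length-lying frames all come back as -1 and stay on the layer-2 path; only the validated IPv4 frames yield an offset, and only a first-fragment TCP segment yields a port for the rule match. The real kernel hook would work on an mbuf chain rather than a flat buffer, so the length checks here stand in for the m_pullup-style checks that keep a forwarded frame from being parsed past its actual data.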