Date: Fri, 30 Sep 2005 22:44:07 -0400
From: Theo Schlossnagle <jesus@omniti.com>
To: Ganbold <ganbold@micom.mng.net>
Cc: freebsd-net@freebsd.org, Marcin Jessa <lists@yazzy.org>, Mao Shou Yan <david.mao@thomson.net>, Theo Schlossnagle <jesus@omniti.com>
Subject: Re: ipfw bridge + fwd questions
Message-ID: <04DBCBC0-C334-48B6-8BD0-80A0DAB2BE93@omniti.com>
In-Reply-To: <31021C278A7A6B4AB95E9A085C3552181F7608@bjngsmail01>
References: <31021C278A7A6B4AB95E9A085C3552181F7608@bjngsmail01>
Allowing fwd rules on bridged traffic isn't too difficult, but does require kernel modifications (in ipfw).

As Mao says, it can only work on layer 3 packets. But that doesn't mean you can't do it. It just means that when you add the FWD option into the layer 2 ipfw switch statement you have to look deep enough into the packet to make sure it is indeed IP and possible to fwd. Then hand it up in the stack.

We did this on one of our networking appliances. Basically, qualify the packet in (args->eh) and then unlock the chain and ip_input to push it into layer 3.

On Sep 30, 2005, at 3:43 AM, Mao Shou Yan wrote:

> NO, fwd can work only on layer 3 packets!
>
> -----Original Message-----
> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Marcin Jessa
> Sent: September 30, 2005 15:35
> To: Ganbold
> Cc: freebsd-net@freebsd.org
> Subject: Re: ipfw bridge + fwd questions
>
> On Fri, 30 Sep 2005 15:39:49 +0900
> Ganbold <ganbold@micom.mng.net> wrote:
>
>> Hi,
>>
>> I have a question regarding the ipfw fwd rule.
>> I'm using FreeBSD 5.4-STABLE and running a bridging firewall
>> on it using ipfw.
>>
>> Now my question comes :)
>> Can I use ipfw fwd rules against traffic coming to one of the bridged
>> interfaces?
>>
> Yes you can.
> sysctl net.link.ether.bridge_ipfw=1 just like in your sysctl variables.
>
>> I would like to forward some packets (which are destined to port 110)
>> to some other router through a third interface, vr0.
>>
> Use a divert rule for that.
>
> In this example we send all the port 80 traffic to port 8000:
> # ipfw add 1000 divert 8000 tcp from any to any 80
> Read this article for more info:
> http://freebsd.rogness.net/snort_inline/
>
> Cheers
> Marcin.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
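The qualification step Theo describes (look deep enough into the bridged frame to be sure it really is IP before the fwd path hands it to ip_input) is the part that protects the layer 3 stack from being fed ARP, VLAN, IPv6 or truncated frames. The following is an added user-space C model of that check; it is not FreeBSD's ipfw code and not the appliance code Theo mentions. The function names (qualify_ip_for_fwd, build_ipv4_frame, verdict_for_scenario), the verdict enum and the sample frame are all hypothetical or constructed here.

```c
/* Added example, not FreeBSD's ipfw code or the appliance code from the
 * thread: a user-space model of the "is this really IP?" qualification a
 * layer-2 fwd hook would run before pushing a frame up to ip_input().
 * Names and frames are hypothetical/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHER_HDR_LEN    14
#define ETHERTYPE_IPV4   0x0800
#define IPV4_MIN_HDR_LEN 20

/* Distinct verdicts so a caller can count or log why a frame was refused. */
enum fwd_verdict {
    FWD_OK = 0, FWD_TOO_SHORT, FWD_NOT_IP, FWD_BAD_VERSION,
    FWD_BAD_HDR_LEN, FWD_BAD_TOTAL_LEN, FWD_BAD_CHECKSUM
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum over the IPv4 header (hlen is a multiple
 * of 4); over a header whose checksum field is filled in, the result is 0. */
static uint16_t ip_header_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += rd16(hdr + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns FWD_OK only if the frame carries a sane IPv4 packet; on success
 * *ip_off is the offset of the IP header, i.e. what to strip before the
 * packet goes to layer 3. Anything else stays on the plain bridge path. */
enum fwd_verdict qualify_ip_for_fwd(const uint8_t *frame, size_t len, size_t *ip_off)
{
    if (len < ETHER_HDR_LEN + IPV4_MIN_HDR_LEN)
        return FWD_TOO_SHORT;
    if (rd16(frame + 12) != ETHERTYPE_IPV4)       /* ARP, VLAN, IPv6, ... */
        return FWD_NOT_IP;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t avail = len - ETHER_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return FWD_BAD_VERSION;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < IPV4_MIN_HDR_LEN || hlen > avail)  /* IHL must fit the frame */
        return FWD_BAD_HDR_LEN;
    uint16_t tot = rd16(ip + 2);
    if (tot < hlen || tot > avail)                /* total length must fit too */
        return FWD_BAD_TOTAL_LEN;
    if (ip_header_checksum(ip, hlen) != 0)
        return FWD_BAD_CHECKSUM;
    if (ip_off)
        *ip_off = ETHER_HDR_LEN;
    return FWD_OK;
}

/* Constructed sample: Ethernet + IPv4 + minimal TCP SYN to dport (54 bytes). */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint16_t dport)
{
    static const uint8_t macs[12] = { 2,0,0,0,0,2,  2,0,0,0,0,1 }; /* dst, src */
    static const uint8_t ip_hdr[IPV4_MIN_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x28,  /* v4, IHL 5, total length 40 (20 IP + 20 TCP) */
        0x00, 0x00, 0x40, 0x00,  /* id 0, DF set, no fragment offset */
        0x40, 0x06, 0x00, 0x00,  /* TTL 64, protocol TCP, checksum placeholder */
        192, 0, 2, 1,            /* src 192.0.2.1   (RFC 5737 documentation range) */
        198, 51, 100, 9          /* dst 198.51.100.9 (RFC 5737 documentation range) */
    };
    const size_t total = ETHER_HDR_LEN + 40;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, macs, sizeof macs);
    buf[12] = ETHERTYPE_IPV4 >> 8; buf[13] = ETHERTYPE_IPV4 & 0xff;
    uint8_t *ip = buf + ETHER_HDR_LEN;
    memcpy(ip, ip_hdr, IPV4_MIN_HDR_LEN);
    uint16_t csum = ip_header_checksum(ip, IPV4_MIN_HDR_LEN);
    ip[10] = csum >> 8; ip[11] = csum & 0xff;
    uint8_t *tcp = ip + IPV4_MIN_HDR_LEN;
    tcp[0] = 40000 >> 8; tcp[1] = 40000 & 0xff;   /* source port 40000 */
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;   /* destination port */
    tcp[12] = 0x50; tcp[13] = 0x02;               /* data offset 5, SYN */
    return total;
}

/* Scenarios over the constructed frame: 0 intact, 1 ethertype ARP,
 * 2 TTL altered (checksum no longer matches), 3 truncated, 4 version 6. */
enum fwd_verdict verdict_for_scenario(int scenario)
{
    uint8_t f[64];
    size_t n = build_ipv4_frame(f, sizeof f, 110), off = 0;
    switch (scenario) {
    case 1: f[12] = 0x08; f[13] = 0x06; break;
    case 2: f[ETHER_HDR_LEN + 8] = 1;   break;
    case 3: n = 30;                     break;
    case 4: f[ETHER_HDR_LEN] = 0x65;    break;
    default: break;
    }
    return qualify_ip_for_fwd(f, n, &off);
}

int main(void)
{
    static const char *names[] = { "OK", "TOO_SHORT", "NOT_IP", "BAD_VERSION",
                                   "BAD_HDR_LEN", "BAD_TOTAL_LEN", "BAD_CHECKSUM" };
    for (int s = 0; s <= 4; s++)
        printf("scenario %d -> %s\n", s, names[verdict_for_scenario(s)]);
    return 0;
}
```

The ordering of the checks matters: length before ethertype, ethertype before touching the IP header, IHL and total length before the checksum loop, so that no check ever reads past the bytes the frame actually contains. Only a frame that passes every step is a candidate to be stripped of its Ethernet header and handed up; everything else is left to the ordinary bridge path exactly as if no fwd rule existed.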