Date: Mon, 17 Feb 2003 13:35:39 -0700 From: "Elliot Finley" <lists@efinley.com> To: <freebsd-current@freebsd.org> Subject: Can't get divert to work Message-ID: <00bb01c2d6c4$2554be40$faed68ce@science1>
Even with this configuration (see below) in place (with no application to catch the diverted packets), I can still pass packets through that should match the divert rule. If I change the divert rule to:

    00150 divert 9999 ip from any to any

then I can still send and receive packets through the bridge, but I can no longer access the bridging machine via the network. It seems as though divert is only working on packets that are destined for the bridge machine. Is there any way to have divert act on packets that would normally just pass through the bridge?

TIA for any pointers/RTFM/etc...

Bridge configuration:
---------------------
FreeBSD-Current as of 2-16-2003

Options in kernel
-----------------
options IPDIVERT
options BRIDGE
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT

athena root:sys/i386/conf#>sysctl -a | grep bridge
net.link.ether.bridge_cfg: fxp0,fxp1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

athena root:sys/i386/conf#>sysctl -a | grep fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 6
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.bdg_fw_avg: 0
net.link.ether.bdg_fw_ticks: 0
net.link.ether.bdg_fw_count: 0
net.link.ether.ipfw: 0

athena root:sys/i386/conf#>ipfw list
00100 allow ip from any to any via lo0
00150 divert 9999 ip from <ip on local side of bridge> to <ip on internet side of bridge>
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
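For reference, this is what the missing consumer for a "divert 9999" rule looks like. It is an added example, not code from the original post: a C program that binds a divert socket on port 9999, parses the IPv4 header of each packet the kernel hands it, logs source and destination, and reinjects the packet with sendto() so it resumes at the next ipfw rule. Only the header parser is portable; the socket loop needs FreeBSD's IPPROTO_DIVERT, the IPDIVERT kernel option and root. The sample header bytes in SAMPLE_HDR are constructed for the parser check and carry no valid checksum.

```c
/* Minimal ipfw divert-socket consumer (FreeBSD) plus a portable IPv4 header parser.
 * Added example; not part of the original mailing-list post. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct pkt_summary {
    int  version;      /* IP version nibble, expected 4 */
    int  header_len;   /* IHL in bytes */
    int  total_len;    /* total length field */
    int  proto;        /* transport protocol number */
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
};

/* Parse the IPv4 header at the front of a diverted packet.
 * Returns 0 on success, -1 if the buffer is too short or not IPv4. */
int parse_ipv4(const unsigned char *buf, size_t len, struct pkt_summary *s)
{
    struct in_addr a;
    if (len < 20) return -1;
    s->version = buf[0] >> 4;
    if (s->version != 4) return -1;
    s->header_len = (buf[0] & 0x0f) * 4;
    if (s->header_len < 20 || (size_t)s->header_len > len) return -1;
    s->total_len = (buf[2] << 8) | buf[3];
    s->proto = buf[9];
    memcpy(&a, buf + 12, 4);             /* copy to avoid unaligned access */
    inet_ntop(AF_INET, &a, s->src, sizeof s->src);
    memcpy(&a, buf + 16, 4);
    inet_ntop(AF_INET, &a, s->dst, sizeof s->dst);
    return 0;
}

/* Constructed sample: IPv4, IHL 5, total length 60, TTL 64, TCP,
 * 10.0.0.5 -> 198.51.100.7, checksum left as zero. */
static const unsigned char SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1a, 0x2b, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x05, 0xc6, 0x33, 0x64, 0x07
};

/* Parse the constructed sample header; lets the parser be checked without a kernel. */
int parse_sample(struct pkt_summary *s)
{
    return parse_ipv4(SAMPLE_HDR, sizeof SAMPLE_HDR, s);
}

#ifdef IPPROTO_DIVERT
/* Bind a divert socket on `port`, log each packet, and reinject it.
 * The sockaddr returned by recvfrom() records where the packet was diverted
 * from; passing it back to sendto() resumes processing at the following rule. */
int run_divert_loop(uint16_t port)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in bind_addr;
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    memset(&bind_addr, 0, sizeof bind_addr);
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(port);
    bind_addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); close(fd); return 1;
    }
    for (;;) {
        unsigned char buf[65535];
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        struct pkt_summary s;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        if (parse_ipv4(buf, (size_t)n, &s) == 0)
            printf("divert %u: proto %d %s -> %s (%d bytes)\n",
                   port, s.proto, s.src, s.dst, s.total_len);
        /* Drop instead of reinjecting to turn this into a filter. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto (reinject)");
    }
    close(fd);
    return 1;
}
#endif

int main(int argc, char **argv)
{
#ifdef IPPROTO_DIVERT
    return run_divert_loop(argc > 1 ? (uint16_t)atoi(argv[1]) : 9999);
#else
    (void)argc; (void)argv;
    fputs("divert sockets are FreeBSD-specific; only parse_ipv4() is portable here\n", stderr);
    return 1;
#endif
}
```

Run it as root on the bridge while the divert rule is in place; if the rule is actually matching the traffic in question, each bridged packet shows up on stdout before it is reinjected, which is a quicker way to see which packets reach rule 00150 than watching whether traffic passes.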