Date: Mon, 22 Sep 2008 10:26:34 -0700
From: Julian Elischer <julian@elischer.org>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: Max Laier <max@love2party.net>, Roman Kurakin <rik@inse.ru>, freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <48D7D54A.1020709@elischer.org>
In-Reply-To: <20080922142452.GC6797@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl> <200809191538.02698.max@love2party.net> <20080922102209.GB2468@garage.freebsd.pl> <48D79E1C.3060003@inse.ru> <20080922134830.GA6797@garage.freebsd.pl> <48D7A797.6070009@inse.ru> <20080922142452.GC6797@garage.freebsd.pl>
Pawel Jakub Dawidek wrote:
>> And what about ipfw variant?
>
> For the first (bridge) case ipfw didn't work at all. No packets were
> redirected. I haven't tried for the gateway case, because pf works
> there.

ipfw forwarding is disabled for bridge and L2 cases. (I think the man page says so.)

At Ironport we added some small patches to allow this to occur. It is relatively simple (less than 10 lines).

When ipfw returns a packet to the bridge that has been marked as 'redirected', you accept it to the IP stack as if it was addressed to the local machine. You then make sure that in L3 ipfw processing, you hit the same fwd rule, and this time it is sent to the right place.

It does require that ipfw see the packet twice, but it works.

A further hack would be to add code in the IP stack so that a packet tagged as redirected from the bridge would skip ipfw in the IP stack and go direct to the redirection. (But that may open security issues.)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D7D54A.1020709>
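The following is an added user-space model of the two-pass handling sketched in the message above; it is not the Ironport patch and not FreeBSD kernel code. The names `bridge_input`, `ip_input`, `ipfw_check`, the packet and rule structs, the redirect tag, and the hypothetical rule (fwd to port 3128 for traffic to port 80) are all stand-ins chosen for the model. It shows the packet being inspected by ipfw once at the bridge layer and again at L3 (two passes, same fwd rule), the ordinary L2 bridging path when no fwd rule matches, and the "further hack" variant in which a tagged packet skips the L3 ipfw pass, where the tag alone decides delivery.

```c
/* Model of ipfw fwd from a bridge: bridge-layer pass, then L3 pass.
 * Added example; all names and the rule are hypothetical, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_PASS, V_FWD };

struct pkt {
    uint16_t dst_port;
    int      redirect_tag;     /* set when the bridge-layer fwd rule matched */
    uint16_t fwd_port;         /* where the fwd rule sends it */
    int      ipfw_passes;      /* how many times ipfw inspected the packet */
    int      delivered_to_fwd; /* 1 if it ended at the fwd target */
    int      bridged_at_l2;    /* 1 if it was bridged normally instead */
};

/* One hypothetical rule: fwd <fwd_port> tcp from any to any <match_port> */
struct fwd_rule { uint16_t match_port; uint16_t fwd_port; };

static enum verdict ipfw_check(struct pkt *p, const struct fwd_rule *r)
{
    p->ipfw_passes++;
    if (p->dst_port == r->match_port) {
        p->fwd_port = r->fwd_port;
        return V_FWD;
    }
    return V_PASS;
}

/* L3 path (ip_input stand-in). skip_ipfw_if_tagged models the "further hack". */
static void ip_input(struct pkt *p, const struct fwd_rule *r, int skip_ipfw_if_tagged)
{
    if (skip_ipfw_if_tagged && p->redirect_tag) {
        /* Trust the tag: straight to the fwd target, no second ipfw pass.
         * Whatever set the tag is now the only check that ran. */
        p->delivered_to_fwd = 1;
        return;
    }
    if (ipfw_check(p, r) == V_FWD) {   /* second pass hits the same fwd rule */
        p->delivered_to_fwd = 1;
        return;
    }
    /* No fwd match at L3: the packet was never really addressed to us.
     * A real stack would drop or route it; not modelled here. */
}

/* L2 bridge path: ipfw runs; a fwd verdict tags the packet and hands it up
 * as if it were addressed to the local host. */
static void bridge_input(struct pkt *p, const struct fwd_rule *r, int skip_ipfw_if_tagged)
{
    if (ipfw_check(p, r) == V_FWD) {
        p->redirect_tag = 1;
        ip_input(p, r, skip_ipfw_if_tagged);
        return;
    }
    p->bridged_at_l2 = 1;  /* ordinary bridging, never enters the IP stack */
}

/* Drive one packet through the bridge path with the hypothetical 80 -> 3128 rule. */
struct pkt run_bridge(uint16_t dst_port, int skip_ipfw_if_tagged)
{
    struct fwd_rule r = { 80, 3128 };
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.dst_port = dst_port;
    bridge_input(&p, &r, skip_ipfw_if_tagged);
    return p;
}

/* Deliver a packet directly at L3 with the redirect tag already set, to show
 * what the shortcut does when the tag is present but no fwd rule matches. */
struct pkt run_l3_pretagged(uint16_t dst_port, int skip_ipfw_if_tagged)
{
    struct fwd_rule r = { 80, 3128 };
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.dst_port = dst_port;
    p.redirect_tag = 1;
    ip_input(&p, &r, skip_ipfw_if_tagged);
    return p;
}

int main(void)
{
    struct pkt a = run_bridge(80, 0);
    struct pkt b = run_bridge(443, 0);
    struct pkt c = run_bridge(80, 1);
    struct pkt d = run_l3_pretagged(443, 1);
    printf("two-pass: passes=%d fwd=%d port=%u\n", a.ipfw_passes, a.delivered_to_fwd, a.fwd_port);
    printf("no match: passes=%d bridged=%d\n", b.ipfw_passes, b.bridged_at_l2);
    printf("shortcut: passes=%d fwd=%d\n", c.ipfw_passes, c.delivered_to_fwd);
    printf("pretagged+shortcut, no rule match: passes=%d fwd=%d\n", d.ipfw_passes, d.delivered_to_fwd);
    return 0;
}
```

The first run shows the design from the message: the fwd rule fires at the bridge, the packet is accepted as local, and the same rule fires again at L3 (two ipfw passes). The last run shows the cost of the shortcut: with the L3 pass skipped, a packet that carries the tag is delivered to the fwd target without any rule having matched at L3, which is the kind of thing the message flags as a possible security issue.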