Even with this configuration (see below) in place (with no application to
catch the diverted packets), I can still pass packets through that should
match the divert rule.  If I change the divert rule to:

00150 divert 9999 ip from any to any

then I can still send and receive packets through the bridge, but I can no
longer access the bridging machine via the network.  It seems as though
divert is only working on packets that are destined for the bridge machine.

Is there any way to have divert act on packets that would normally just pass
through the bridge?

TIA for any pointers/RTFM/etc...

Bridge configuration:
---------------------

FreeBSD-Current as of 2-16-2003

Options in kernel
-----------------
options IPDIVERT
options BRIDGE
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT

athena root:sys/i386/conf#>sysctl -a | grep bridge
net.link.ether.bridge_cfg: fxp0,fxp1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

athena root:sys/i386/conf#>sysctl -a | grep fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 6
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.bdg_fw_avg: 0
net.link.ether.bdg_fw_ticks: 0
net.link.ether.bdg_fw_count: 0
net.link.ether.ipfw: 0

athena root:sys/i386/conf#>ipfw list
00100 allow ip from any to any via lo0
00150 divert 9999 ip from <ip on local side of bridge> to <ip on internet side of bridge>
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
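
The post says the divert rule is in place "with no application to catch the diverted packets". The following is an added example, not code from the post or from FreeBSD itself, of what that application looks like: a userland process that binds a divert(4) socket on the port used by rule 00150, sanity-checks each packet handed to it, and either re-injects it (so ipfw processing resumes after the diverting rule) or drops it. Assumptions, labelled in the code: IPPROTO_DIVERT is 254 on FreeBSD and is not in Python's socket module; the sockaddr returned by recvfrom carries the diverting rule number as the port and a non-zero address for incoming packets per divert(4) (Python's address tuple does not expose the interface name in sin_zero); the sample packets and the 192.0.2.x / 198.51.100.x addresses are constructed, since the post elides the real ones. The socket loop only runs on FreeBSD; the parsing and verdict logic is pure and runs anywhere.

```python
import socket
import struct

DIVERT_PORT = 9999        # the port used by rule 00150 in the post
IPPROTO_DIVERT = 254      # assumption: FreeBSD's divert pseudo-protocol number (not exported by Python)
ALLOWED_PROTOS = {socket.IPPROTO_ICMP, socket.IPPROTO_TCP, socket.IPPROTO_UDP}


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header; 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed fields of an IPv4 header; raise ValueError on anything that is not a sane IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, tot_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or tot_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ihl": ihl, "tot_len": tot_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def inspect(pkt: bytes):
    """Decide what to do with a diverted packet. Returns ('pass' | 'drop', reason)."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return "drop", str(exc)
    if len(pkt) < hdr["ihl"] or ip_checksum(pkt[:hdr["ihl"]]) != 0:
        return "drop", "bad header checksum"
    if len(pkt) < hdr["tot_len"]:
        return "drop", "packet shorter than its total length"
    if hdr["proto"] not in ALLOWED_PROTOS:
        return "drop", "protocol %d not allowed" % hdr["proto"]
    return "pass", "ok"


def direction(addr) -> str:
    """Per divert(4): a zero address means the packet was outgoing, anything else is incoming on that interface."""
    return "out" if addr[0] == "0.0.0.0" else "in"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 packet with a correct header checksum (used for the constructed sample input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def divert_loop(port: int = DIVERT_PORT) -> None:
    """FreeBSD only: catch packets diverted by ipfw to `port`, log them, and re-inject the ones that pass."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sock.bind(("0.0.0.0", port))
    while True:
        pkt, addr = sock.recvfrom(65535)          # addr = (iface address or 0.0.0.0, diverting rule number)
        verdict, reason = inspect(pkt)
        hdr = parse_ipv4(pkt) if verdict == "pass" else None
        print("%s rule=%d %s: %s" % (direction(addr), addr[1], verdict, reason if hdr is None
              else "%s -> %s proto=%d" % (hdr["src"], hdr["dst"], hdr["proto"])))
        if verdict == "pass":
            sock.sendto(pkt, addr)                # same sockaddr back: ipfw resumes after the diverting rule


if __name__ == "__main__":
    # Constructed sample: a UDP packet from a host on the local side to a host on the internet side.
    sample = build_ipv4("192.0.2.10", "198.51.100.1", socket.IPPROTO_UDP, b"\x00" * 8)
    print(inspect(sample))
    divert_loop()
```

Run it as root on the bridge alongside rule 00150; if the counter in `ipfw -a list` for that rule climbs but this process prints nothing, the packets are not reaching the divert socket at all, which separates "the rule never matched" from "the rule matched but nothing consumed the packet". Note that while no process is bound to the divert port, ipfw drops every packet the rule matches, so the consumer should be running before the rule is loaded.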
