Hello Luigi --
Thank you for your response. Btw, I've been reading over the
bridge code ... many thanks for this valuable resource!
The problem with the "just let it be a router" approach is that I
want all traffic from B to go to A and C, not just that which is
actually intended for said net (yes all can be considered nets).
I.e., a packet destined for A should be forwarded to C as well as
A. I do not see a way to do this by being a router. OTOH, a
non-learning bridge (or pretending the destination is UNKNOWN ...
my hack to lobotomize the bridge) does this. If there is another
way to perform this "forward to multiple interfaces", I'd be happy
to hear what you think.
The point of clobbering ARPs is an interesting one; I'll have to
think about that a bit. I think I can just use static ARP tables
for the labs in question. The subnet-broadcast IP packets would
still have source address from A, say, so maybe some interface-specific
denies, e.g.:
deny from A via ifC
instead of
deny from A to C
I still get confused with via.
Clark
On Thu, Dec 14, 2000 at 07:44:03PM -0800, Luigi Rizzo wrote:
> if you want to use bridging and you know the IPs of the hosts on
> "networks" A, B, and C (which is what you need to use the 'deny'
> rules) you do not need to hack bridge.c
>
> On the other hand, your solution will not block ARPs and subnet-broadcast
> packets, so i really think the best solution is to use 3 real
> subnets for A B and C (i.e. different address ranges), set the
> machine to act as a router (net.inet.ip.forwarding=1) and block
> traffic between A and C using the firewall below. No bridging or
> messing with the kernel involved
>
> cheers
> luigi
>
> > I am interested in creating a pathological lab network with the
> > following forwarding rules:
> > - three networks (A,B,C)
> > - packets from A or C are forwarded to B
> > - packets from B are forwarded to both A and C
> >
> > I was thinking of using BRIDGE+ipfw to create this by hacking
> > bridge.c so that all dsts are UNKNOWN, then filtering via ipfw by
> > deny ip from A to C
> > deny ip from C to A
> >
> > Seems like this would work, but I was wondering what others' thoughts
> > might be on this approach. Perhaps BRIDGE could have a (compile-time?)
> > non-learning flag so that all packets get forwarded as if they are
> > UNKNOWN.
> >
> > Oh, btw, I also want tcpdump to work on any of these interfaces. ;-)
> >
> > Thanks.
> > Clark
> > [EMAIL PROTECTED]
> >
> >
> > ----- End forwarded message -----
> >
> > --
> > Clark K. Gaylord
> > Blacksburg, Virginia USA
> > [EMAIL PROTECTED]
> >
> >
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe freebsd-net" in the body of the message
> >
>
--
Clark K. Gaylord
Blacksburg, Virginia USA
[EMAIL PROTECTED]