Allowing fwd rules on bridged traffic isn't too difficult, but does
require kernel modifications (in ipfw).
As Mao says, it can only work on layer 3 packets. But that doesn't
mean you can't do it. It just means that when you add the FWD option
into the layer 2 ipfw switch statement you have to look deep enough
into the packet to make sure it is indeed IP and possible to fwd.
Then hand it up in the stack.
We did this on one of our networking appliances. Basically, qualify
the packet in (args->eh) and then unlock the chain and ip_input to
push it into layer 3.
On Sep 30, 2005, at 3:43 AM, Mao Shou Yan wrote:
NO, fwd can work only on layer 3 packets!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of Marcin Jessa
Sent: 30 September 2005 15:35
To: Ganbold
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw bridge + fwd questions
On Fri, 30 Sep 2005 15:39:49 +0900
Ganbold <[EMAIL PROTECTED]> wrote:
Hi,
I have a question regarding ipfw fwd rule.
I'm using FreeBSD 5.4-STABLE and running a bridging firewall on it
using ipfw.
Now my question comes :)
Can I use ipfw fwd rules against traffic coming to one of the bridged
interfaces?
Yes you can.
sysctl net.link.ether.bridge_ipfw=1 just like in your sysctl
variables.
I would like to forward some packets (which are destined to port 110)
to some other router through the third interface, vr0.
Use a divert rule for that.
In this example we send all the port 80 traffic to port 8000:
# ipfw add 1000 divert 8000 tcp from any to any 80
Read this article for more info:
http://freebsd.rogness.net/snort_inline/
Cheers
Marcin.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
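The qualification step described at the top of the thread (look deep enough into the bridged frame to confirm it really is IP before handing it up to ip_input), as an added example in plain C that is not the appliance's kernel change nor ipfw code: it works on raw frame bytes rather than args->eh, the checks are the ones any layer 3 hand-off needs (ethertype, minimum length, version, IHL, total length, header checksum), and the sample frames are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>

#define ETHERTYPE_IP   0x0800
#define ETHER_HDR_LEN  14
#define IP_MIN_HDR_LEN 20

/* RFC 791 one's-complement header checksum; returns 0 when the header is intact. */
uint16_t ipv4_header_checksum(const uint8_t *ip, size_t ihl)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl; i += 2)
        sum += (uint32_t)((ip[i] << 8) | ip[i + 1]);
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Qualify a layer 2 frame before it may leave the bridge path for layer 3.
 * Returns the offset of the IPv4 header (14) if the frame is a well-formed
 * IPv4 packet, or -1 if it must stay bridged (non-IP, truncated, bad lengths
 * or checksum). Never trust IHL/total length without bounding them by len. */
int qualify_bridged_frame(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN) return -1;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IP) return -1;          /* ARP, IPv6, VLAN tag... */
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t avail = len - ETHER_HDR_LEN;
    if (avail < IP_MIN_HDR_LEN) return -1;             /* cannot hold a header */
    if ((ip[0] >> 4) != 4) return -1;                   /* version must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < IP_MIN_HDR_LEN || ihl > avail) return -1; /* IHL beyond the data */
    size_t total = (size_t)((ip[2] << 8) | ip[3]);
    if (total < ihl || total > avail) return -1;        /* claims more than we have */
    if (ipv4_header_checksum(ip, ihl) != 0) return -1;
    return ETHER_HDR_LEN;
}

/* Constructed sample frames: dst MAC, src MAC, ethertype, then payload. */
const uint8_t ipv4_tcp_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x66,0xcd,  /* IPv4, TCP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x6e, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 }; /* dport 110 */
const uint8_t arp_frame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06 };
```

Passing a shorter len for the same buffer models a truncated frame, which is exactly the case the length checks exist for.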