On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
> Hello,
>
> I posted a similar message to Questions but received no
> answer so I'm reposting a paraphrase here to see if anyone
> knows.
>
> I built FreeBSD 7.0 with options DIVERT and if_bridge to
> see if I could make snort_inline work with the bridging
> firewall I'm building. I found that the divert would not
> direct packets to snort_inline, which sounded a little like
> the experiences people had when they tried to do this
> with the pre-6.x bridge.
>
> Is it still not possible to use divert with if_bridge? Here
> is what I'm seeing in ipfw.
>
> 65000 48 7382 count ip from any to any
> 65001 0 0 divert 8300 ip from any to any
> 65010 48 7382 allow ip from any to any
Yes, it is possible to use divert with if_bridge and ipfw. It sounds like you have not enabled packet filtering on the bridge. I use the following:

# /etc/sysctl.conf
net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

# ipfw.conf
10000 divert 8000 ip from any to any out via bridge0

> Thank you,
> Chris Pratt
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
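The configuration in the reply above, turned into a small check-and-apply script. This is an added example, not code from either poster: it emits the four sysctl settings and a divert rule set, verifies a `sysctl` dump against them, and flags the symptom from the question (a divert rule whose packet counter stays at zero while the neighbouring count rules see traffic). The bridge name bridge0, divert port 8000, the rule numbers 9990/10000/10010, the extra count rules on either side of the divert, and the "key: value" dump format fed to check_sysctls are my assumptions; the divert rule keeps the reply's "out via bridge0" direction.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: bridge0, divert port 8000,
# rule numbers 9990/10000/10010, and `sysctl` output in FreeBSD's "key: value" form.

BRIDGE="${BRIDGE:-bridge0}"
DIVERT_PORT="${DIVERT_PORT:-8000}"

# The sysctl settings from the reply: hook ipfw on Ethernet frames and on the
# bridge member interfaces, not on the bridge interface itself.
bridge_sysctls() {
    cat <<'EOF'
net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1
EOF
}

# ipfw rule bodies: a count rule on either side of the divert (assumed numbers)
# so that `ipfw -a list` shows whether packets actually reach the divert rule.
divert_rules() {
    port="$1"; iface="$2"
    printf 'add 9990 count ip from any to any out via %s\n' "$iface"
    printf 'add 10000 divert %s ip from any to any out via %s\n' "$port" "$iface"
    printf 'add 10010 count ip from any to any out via %s\n' "$iface"
}

# check_sysctls: read `sysctl net.link.ether.ipfw net.link.bridge` output on stdin,
# print every setting that differs from bridge_sysctls, return 1 if any differ.
check_sysctls() {
    dump=$(cat)
    rc=0
    for want in $(bridge_sysctls); do
        key="${want%%=*}"; val="${want#*=}"
        have=$(printf '%s\n' "$dump" | awk -F': ' -v k="$key" '$1 == k { print $2 }')
        if [ "$have" != "$val" ]; then
            printf '%s is "%s", want %s\n' "$key" "${have:-unset}" "$val"
            rc=1
        fi
    done
    return $rc
}

# check_divert: read `ipfw -a list` output on stdin (rule pkts bytes action ...)
# and return 1 if any divert rule has a zero packet counter, i.e. packets are
# counted around it but never reach the divert socket.
check_divert() {
    awk '$4 == "divert" { if ($2 == 0) { printf "rule %s: divert %s saw no packets\n", $1, $5; bad = 1 } }
         END { exit bad ? 1 : 0 }'
}

# apply_config: set the sysctls and load the rules. Needs root on FreeBSD and
# is never called automatically; invoke it by hand once the checks look right.
apply_config() {
    bridge_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
    divert_rules "$DIVERT_PORT" "$BRIDGE" | while IFS= read -r rule; do
        ipfw $rule   # unquoted on purpose: the rule is a list of words
    done
}
```

Source the file, then pipe `sysctl net.link.ether.ipfw net.link.bridge` into check_sysctls and `ipfw -a list` into check_divert; a divert rule reported with no packets while the adjacent count rules have non-zero counters is the same picture as the question's rule 65001.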