On Mar 13, 2008, at 8:34 AM, Ronald Roskens wrote:
> On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
>> Hello,
>> I posted a similar message to Questions but received no
>> answer, so I'm reposting a paraphrase here to see if anyone
>> knows.
>> I built FreeBSD 7.0 with options DIVERT and if_bridge to
>> see if I could make snort_inline work with the bridging
>> firewall I'm building. I found that the divert would not
>> direct packets to snort_inline, which sounded a little like
>> the experiences people had when they tried to do this
>> with the pre-6.x bridge.
>> Is it still not possible to use divert with if_bridge? Here
>> is what I'm seeing in ipfw.
>> 65000 48 7382 count ip from any to any
>> 65001 0 0 divert 8300 ip from any to any
>> 65010 48 7382 allow ip from any to any
> Yes, it is possible to use divert with if_bridge and ipfw. It sounds
> like you have not enabled packet filtering on the bridge.
> I use the following:
> # /etc/sysctl.conf
> net.link.ether.ipfw=1
> net.link.bridge.ipfw=0
> net.link.bridge.pfil_bridge=0
> net.link.bridge.pfil_member=1
> # ipfw.conf
> 10000 divert 8000 ip from any to any out via bridge0
Thanks very much. I had commented out two of these. The
reason was that I was unable to differentiate between the
local interface and the bridge (this is from memory). The
reason isn't relevant anymore so I've set them correctly.
The divert appears to work fine now as shown.
65000 5 288 count ip from any to any
65001 5 288 divert 8300 ip from any to any
65010 0 0 allow ip from any to any
Thank you very much.
Thank you,
Chris Pratt
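The two things this thread turns on are (a) whether the bridge sysctls are set as the reply lists them and (b) whether the divert rule's packet counter moves. The script below is an added example, not code from the thread or from FreeBSD: it compares sysctl(8)-style "name: value" output against the four values in the reply, and reads `ipfw -a list` style lines (rule number, packets, bytes, action, body) to say whether the divert rule is seeing the same packets the count rule in front of it sees. All inputs are constructed samples embedded in the script so it runs offline; the "before" and "after" counters are the ones quoted in the thread, and the "bad" sysctl sample is an arbitrary pair of wrong values, not a claim about which two settings Chris had commented out.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks to run on a FreeBSD
# bridge box while debugging "divert sees no packets":
#   1. compare the bridge-related sysctls against the values in the reply
#   2. read `ipfw -a list` counters and tell whether the divert rule fires
# All inputs below are constructed samples so the script runs offline; on a
# real host replace them with the output of sysctl(8) and `ipfw -a list`.

# sysctl(8) prints "name: value". This sample matches the reply's settings.
SYSCTL_GOOD='net.link.ether.ipfw: 1
net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1'

# Constructed sample with two settings at values other than the reply's
# (not a claim about which two Chris had commented out).
SYSCTL_BAD='net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'

# `ipfw -a list` columns: rule number, packets, bytes, action, body.
# Counters quoted from the thread before and after the fix.
RULES_BEFORE='65000 48 7382 count ip from any to any
65001 0 0 divert 8300 ip from any to any
65010 48 7382 allow ip from any to any'

RULES_AFTER='65000 5 288 count ip from any to any
65001 5 288 divert 8300 ip from any to any
65010 0 0 allow ip from any to any'

# check_sysctls SYSCTL_OUTPUT -> "ok", or "wrong: <names>" listing every
# setting that differs from the values given in the reply.
check_sysctls() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            want["net.link.ether.ipfw:"]         = 1
            want["net.link.bridge.ipfw:"]        = 0
            want["net.link.bridge.pfil_bridge:"] = 0
            want["net.link.bridge.pfil_member:"] = 1
        }
        ($1 in want) && $2 != want[$1] { n = $1; sub(/:$/, "", n); bad = bad " " n }
        END { if (bad == "") print "ok"; else print "wrong:" bad }'
}

# rule_pkts RULES ACTION -> packet counter of the first rule whose action
# is ACTION (count, divert, allow, ...); empty if there is no such rule.
rule_pkts() {
    printf '%s\n' "$1" | awk -v act="$2" '$4 == act { print $2; exit }'
}

# divert_status RULES -> "none" if the divert rule never fired, "ok" if it
# saw every packet the preceding count rule saw, "partial" otherwise.
divert_status() {
    c=$(rule_pkts "$1" count); d=$(rule_pkts "$1" divert)
    c=${c:-0}; d=${d:-0}
    if [ "$d" -eq 0 ]; then echo none
    elif [ "$d" -eq "$c" ]; then echo ok
    else echo partial
    fi
}

# Stand-alone run: report on the constructed samples.
echo "sysctls (good sample): $(check_sysctls "$SYSCTL_GOOD")"
echo "sysctls (bad sample):  $(check_sysctls "$SYSCTL_BAD")"
echo "divert before fix: $(divert_status "$RULES_BEFORE")"
echo "divert after fix:  $(divert_status "$RULES_AFTER")"
```

The zero counter on the allow rule after the fix is what you should expect with net.inet.ip.fw.one_pass=1, the default: a packet reinjected from the divert socket is accepted without being run through the rest of the ruleset, so a count rule in front of the divert and a rule behind it together tell you whether divert is consuming traffic. A "partial" result means the divert rule is firing for only some of what the count rule sees, which usually points at the rule body (interface or direction restrictions such as `out via bridge0`) rather than at the bridge sysctls.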
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-[EMAIL PROTECTED]"