IPFW, DIVERT, and if_bridge

Chris Pratt eagletree at hughes.net
Thu Mar 13 09:22:31 PDT 2008


On Mar 13, 2008, at 8:34 AM, Ronald Roskens wrote:

> On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
>> Hello,
>>
>> I posted a similar message to Questions but received no
>> answer so I'm reposting a paraphrase here to see if anyone
>> knows.
>>
>> I built FreeBSD 7.0 with options DIVERT and if_bridge to
>> see if I could make snort_inline work with the bridging
>> firewall I'm building. I found that the divert would not
>> direct packets to snort_inline which sounded a little like
>> the experiences people had when they tried to do this
>> with the pre-6.x bridge.
>>
>> Is it still not possible to use divert with if_bridge? Here
>> is what I'm seeing in ipfw.
>>
>> 65000  48  7382 count ip from any to any
>> 65001   0     0 divert 8300 ip from any to any
>> 65010  48  7382 allow ip from any to any
>
> Yes, it is possible to use divert with if_bridge and ipfw. It sounds
> like you have not enabled packet filtering on the bridge.
>
> I use the following:
>
> # /etc/sysctl.conf
> net.link.ether.ipfw=1
> net.link.bridge.ipfw=0
> net.link.bridge.pfil_bridge=0
> net.link.bridge.pfil_member=1
>
> # ipfw.conf
> 10000 divert 8000 ip from any to any out via bridge0

Thanks very much. I had commented out two of these. The
reason was that I was unable to differentiate between the
local interface and the bridge (this is from memory). The
reason isn't relevant anymore so I've set them correctly.
The divert appears to work fine now as shown.

65000   5   288 count ip from any to any
65001   5   288 divert 8300 ip from any to any
65010   0     0 allow ip from any to any

Thank you very much.


>
>>
>> Thank you,
>> Chris Pratt
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
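The checks implied by the exchange above, as an added example that is not part of the thread: a small POSIX sh script that reads the counter columns of `ipfw -a list` (the format of the rule listings quoted above) and the bridge/ipfw sysctls, and reports whether the divert rule is actually firing. The sample inputs are constructed from the counters and sysctl values quoted in the thread; the function names and the verdict strings are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: a diagnostic for the situation
# Chris describes, where a divert rule on an if_bridge host shows zero hits
# while the surrounding count/allow rules do. Function names are my own.

# ipfw_rule_pkts ACTION
#   stdin: output of `ipfw -a list` (columns: rule pkts bytes action ...).
#   Prints the summed packet counter of every rule whose action is ACTION.
ipfw_rule_pkts() {
    awk -v act="$1" '$4 == act { n += $2 } END { printf "%d\n", n + 0 }'
}

# ipfw_divert_diag
#   stdin: output of `ipfw -a list`. Prints one word:
#     OK            a divert rule is matching packets
#     NO_TRAFFIC    no rule has seen any packet at all
#     NOT_DIVERTED  packets traverse the ruleset (count/allow hit) but no
#                   divert rule fires; in the thread this was the bridge
#                   filtering sysctls having been commented out
ipfw_divert_diag() {
    _list=$(cat)
    _seen=$(printf '%s\n' "$_list" | awk '{ n += $2 } END { printf "%d\n", n + 0 }')
    _div=$(printf '%s\n' "$_list" | ipfw_rule_pkts divert)
    if [ "$_div" -gt 0 ]; then
        echo OK
    elif [ "$_seen" -gt 0 ]; then
        echo NOT_DIVERTED
    else
        echo NO_TRAFFIC
    fi
}

# bridge_sysctl_check
#   stdin: `sysctl net.link.ether.ipfw net.link.bridge` output, one
#   "name: value" per line (unrelated OIDs are ignored). Prints each OID
#   that differs from the values quoted in the reply above; prints nothing
#   when they all match.
bridge_sysctl_check() {
    awk -F': *' '
        BEGIN {
            want["net.link.ether.ipfw"]         = 1
            want["net.link.bridge.ipfw"]        = 0
            want["net.link.bridge.pfil_bridge"] = 0
            want["net.link.bridge.pfil_member"] = 1
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 + 0 != want[$1]) print $1 " is " $2 ", want " want[$1]
        }
        END { for (k in want) if (!(k in seen)) print k " not reported" }'
}

# Constructed sample input: the counters Chris posted before and after
# setting the sysctls (real use: `ipfw -a list | ipfw_divert_diag`).
BEFORE='65000  48  7382 count ip from any to any
65001   0     0 divert 8300 ip from any to any
65010  48  7382 allow ip from any to any'
AFTER='65000   5   288 count ip from any to any
65001   5   288 divert 8300 ip from any to any
65010   0     0 allow ip from any to any'

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | ipfw_divert_diag)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | ipfw_divert_diag)"

# Constructed sysctl output with pfil_member left at the wrong value
# (real use: `sysctl net.link.ether.ipfw net.link.bridge | bridge_sysctl_check`).
printf '%s\n' 'net.link.ether.ipfw: 1' 'net.link.bridge.ipfw: 0' \
    'net.link.bridge.pfil_bridge: 0' 'net.link.bridge.pfil_member: 0' \
    | bridge_sysctl_check
```

The first listing yields NOT_DIVERTED (count and allow see 48 packets each, divert sees none) and the second yields OK, which is exactly the before/after Chris reports; the sysctl check points at the one OID that was changed from the quoted working set.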
