ipfw fwd layer2/ftp proxy
julian at elischer.org
Thu May 22 17:19:50 UTC 2008
> Hi there,
> I'm having trouble allowing ftp connections through ipfw (default deny)
> enabled bridge firewall.
> I'm wondering whether it is possible to have some kind of transparent
> ftp proxy in such case.
> Is there anyway I can allow ftp proxying without layer2 forwarding on
> ipfw bridge?
> I thought of forwarding packets in layer2, however it seems like ipfw
> still doesn't support that.
> I saw old patches of luigi@ and if somebody already has adapted that
> patch for RELENG_6/7 please let me know.
I have such patches for the old 'bridge' code that allow bridges to
intercept IP sessions but not for the new 'if_bridge' code.
The trick is to make a 'fwd localhost' on the Layer2 ipfw pass
to result in the packet being passed to the IP stack regardless
of where the header says it should go.
In the IP stack a similar 'fwd localhost' rule (maybe the same one)
will also trigger on the Layer 3 pass, and actually cause the session
For fully transparent (in both directions) you need to alter the IP
code to allow you to bind the outgoing socket to a non-local address,
and to capture the return packets you need the L2 firewall pass to
do a test for 'uid' which has the side effect of noticing whether or
not there is a local socket that matches a packet, even if it has
a non local address on it.
> I know my last try is to deny everything I don't want and then allow the
> rest. However I would like to make it work in current configuration.
> Please let me know your ideas.
> thanks in advance,