Firewall redirect doesn't work any more...

Julian Elischer julian at elischer.org
Mon Sep 22 17:26:43 UTC 2008


Pawel Jakub Dawidek wrote:

>> And what about ipfw variant?
> 
> For the first (bridge) case ipfw didn't work at all. No packets were
> redirected.  I haven't tried for the gateway case, because pf works
> there.

ipfw forwarding is disabled for bridge and L2 cases.
(I think the man page says so.)

At Ironport we added some small patches to allow this to occur.

It is relatively simple (less than 10 lines).

When ipfw returns a packet to the bridge that has been
marked as 'redirected', then you accept it to the IP stack
as if it was addressed to the local machine. You then make
sure that in L3 ipfw processing, you hit the same fwd rule,
and this time it is sent to the right place.

It does require that ipfw see the packet twice, but it works.
A further hack would be to add code in the IP stack so that
a packet tagged as redirected from the bridge would skip
ipfw in the IP stack and go direct to the redirection.
(but that may open security issues).
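The two-pass scheme described in the message above, as an added model written for this page; it is not Julian's Ironport patch and not FreeBSD's ipfw or if_bridge code. Every name, struct and rule in it is invented: a tiny first-match ruleset with a layer mask per rule, a bridge pass that tags a fwd match and hands the packet to an `ip_input` pass where the same fwd rule fires again, and a `shortcut` flag standing in for the "further hack" of skipping ipfw at L3 for tagged packets. The message only says that hack "may open security issues"; the model illustrates one reading of that, assumed here rather than stated on the page: a deny rule that only the L3 pass evaluates is silently bypassed when the tagged packet skips that pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the two-pass ipfw "fwd" handling the post describes.
 * Written for this page: it is NOT FreeBSD's ipfw or if_bridge code, and
 * every name, struct and rule here is invented for the illustration. */

#define L2 0x1u   /* rule is evaluated on the bridge (layer 2) pass */
#define L3 0x2u   /* rule is evaluated on the IP stack (layer 3) pass */

enum action { ACT_ALLOW, ACT_DENY, ACT_FWD };

struct rule {
    unsigned layers;   /* L2, L3 or both: which passes evaluate this rule */
    uint32_t src;      /* source address to match, 0 = any */
    uint16_t dport;    /* destination port to match, 0 = any */
    enum action act;
    uint32_t fwd_to;   /* next hop for ACT_FWD */
};

struct pkt {
    uint32_t src, dst;
    uint16_t dport;
    bool redirected;   /* the "marked as redirected" tag set on the bridge pass */
    int ipfw_passes;   /* how many times ipfw looked at this packet */
    uint32_t next_hop; /* where the packet finally goes; 0 = dropped */
};

/* Constructed ruleset, first match wins as in ipfw.  Rule 100 is a deny that
 * only the L3 pass evaluates (standing in for a rule whose options the bridge
 * pass cannot check); rule 200 is the fwd rule both passes hit. */
static const struct rule ruleset[] = {
    { L3,      0xC0A80142u, 80, ACT_DENY,  0           }, /* 100: deny from 192.168.1.66 to port 80 */
    { L2 | L3, 0,           80, ACT_FWD,   0x0A000005u }, /* 200: fwd 10.0.0.5 any to port 80 */
    { L2 | L3, 0,           0,  ACT_ALLOW, 0           }, /* 300: allow ip from any to any */
};
#define NRULES (sizeof ruleset / sizeof ruleset[0])

static const struct rule *ipfw_chk(unsigned layer, struct pkt *p) {
    p->ipfw_passes++;
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &ruleset[i];
        if (!(r->layers & layer)) continue;
        if (r->src != 0 && r->src != p->src) continue;
        if (r->dport != 0 && r->dport != p->dport) continue;
        return r;
    }
    return NULL;  /* no match: the callers treat this as deny */
}

/* L3 pass, as the IP stack would run it.  The second time the fwd rule
 * matches, the packet is actually sent to the rule's next hop. */
static void ip_input(struct pkt *p) {
    const struct rule *r = ipfw_chk(L3, p);
    if (r == NULL || r->act == ACT_DENY) { p->next_hop = 0; return; }
    p->next_hop = (r->act == ACT_FWD) ? r->fwd_to : p->dst;
}

/* Bridge pass.  With `shortcut` false this follows the patch the post
 * describes: a fwd match tags the packet and hands it to the IP stack as if
 * it were addressed locally, so ipfw sees it again.  With `shortcut` true the
 * tagged packet goes straight to the redirection, the "further hack". */
static void bridge_input(struct pkt *p, bool shortcut) {
    const struct rule *r = ipfw_chk(L2, p);
    if (r == NULL || r->act == ACT_DENY) { p->next_hop = 0; return; }
    if (r->act != ACT_FWD) { p->next_hop = p->dst; return; }  /* plain bridging */
    p->redirected = true;
    if (shortcut) { p->next_hop = r->fwd_to; return; }
    ip_input(p);
}

/* Push one constructed packet (dst 10.0.0.1) through the bridge. */
struct pkt bridge_packet(uint32_t src, uint16_t dport, bool shortcut) {
    struct pkt p = { .src = src, .dst = 0x0A000001u, .dport = dport };
    bridge_input(&p, shortcut);
    return p;
}

int main(void) {
    struct pkt a = bridge_packet(0xC0A80101u, 80, false); /* 192.168.1.1: forwarded, seen twice */
    struct pkt b = bridge_packet(0xC0A80142u, 80, false); /* 192.168.1.66: rule 100 drops it on the L3 pass */
    struct pkt c = bridge_packet(0xC0A80142u, 80, true);  /* same packet with the shortcut: rule 100 never runs */
    printf("two-pass, .1:  passes=%d next_hop=%#x\n", a.ipfw_passes, a.next_hop);
    printf("two-pass, .66: passes=%d next_hop=%#x\n", b.ipfw_passes, b.next_hop);
    printf("shortcut, .66: passes=%d next_hop=%#x\n", c.ipfw_passes, c.next_hop);
    return 0;
}
```

The third packet is the point: once the L3 pass is skipped for tagged packets, any rule that only the L3 pass would have evaluated stops protecting the forwarded traffic, which is why the message keeps the simpler "ipfw sees it twice" version.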
