rdr + bridge

Max Laier max at love2party.net
Fri Oct 15 14:36:24 PDT 2004


Unfortunately FreeBSD's bridge code is far from optimal. It lacks a lot of 
functionality when compared to Net/OpenBSD's if_bridge. At the moment this 
constrains pf to a very limited subset of possible functionalities. There has 
been an effort to port over if_bridge, but that died for some reason.

In order to fix your specific problem you might want to try to add a "route-to 
(lo0 127.0.0.1)"-rule for the redirected traffic but I can't confirm that 
this will really help.

All in all, I have to admit that pf gives a rather poor performance with the 
FreeBSD bridge code.

On Friday 15 October 2004 18:25, Sergey Lyubka wrote:
> I am trying to set up a transparent proxy.
> The box has two interfaces,
> em0 (0.0.0.0, outside interface)
> em1 (10.0.0.3, inside interface)
>
> pf and bridge are running on the box.
> Proxy is running on the box, listening on 127.0.0.1:8080
> This is the pf.conf:
> ------------------
> int_if="em1"
> ext_if="em0"
> rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
> pass in
> pass out
> -------------------
>
> But when I try to access any site from the inside,
> I see packets emitted by em0, which have destination address
> 127.0.0.1:8080
>
> The proxy does not receive anything.
>
> nfa# sysctl -a | grep bridge
> net.link.ether.bridge_cfg: em0,em1
> net.link.ether.bridge_ipfw: 1
> net.link.ether.bridge_ipf: 1
> net.link.ether.bridge.config: em0,em1
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 45
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 80
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 1
> net.link.ether.bridge.ipf: 1
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
>
> nfa# uname -a
> FreeBSD nfa 5.3-BETA7 FreeBSD 5.3-BETA7 #20: Fri Oct 15 15:41:14 UTC
> 2004     root at valenok.netfort-iss.com:/usr/obj/usr/src/sys/MANAGER
> i386
>
> Any ideas?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
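The "route-to (lo0 127.0.0.1)" rule Max suggests, written into Sergey's pf.conf as an added example (not from either message). The `quick` keyword is my addition so the rule is not overridden by the later catch-all `pass in` under pf's last-match semantics; whether this fixes the FreeBSD 5.3 bridge case is untested, as Max says.

```pf
# Added example: Sergey's pf.conf with Max's route-to suggestion applied.
# Untested against the FreeBSD 5.3 bridge code; pf on a bridge may still
# forward the translated packet out $ext_if regardless of this rule.
int_if="em1"
ext_if="em0"

# Translation runs before filtering, so the filter rules below see the
# rewritten destination 127.0.0.1:8080, not the original web server.
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# Hand the redirected packets to lo0 explicitly instead of letting the
# bridge push them out $ext_if with a 127.0.0.1 destination.
# "quick" stops evaluation here; without it the later "pass in" would win.
pass in quick on $int_if route-to (lo0 127.0.0.1) inet proto tcp \
    from any to 127.0.0.1 port 8080

pass in
pass out
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -vsr` counters on the route-to rule to confirm it is matching at all.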