layer2 ipfw 'fwd' support

Luiz Otavio O Souza lists.br at gmail.com
Sun Oct 24 12:35:56 UTC 2010


On Oct 22, 2010, at 9:49 AM, Eduardo Meyer wrote:
>>> 
>> 
>> To be clear, are we getting to the point of having the capability in
>> ipfw of doing something like this in pf:
>> 
>> ...
>> pass in quick on $INT_IF route-to lo0 inet proto tcp from any to
>> 127.0.0.1 port 3128 keep state
>> ...
> 
> Yes, pretty much that.
> 
>> 
>> ...thus allowing true, transparent proxying?
>> 
>> I really thought that this was possible already with ipfw :( I need to
>> do some more reading...
>> 
>> I would be very interested in obtaining details on your final setup,
>> once everything is in place and fully functioning :)
> 
> Right. I'm still working on that. We have separated great things
> working perfectly. Now I want to glue it together. TPROXY with
> FreeBSD's IP_BINDANY works perfectly based on L3 redirection with
> IPFW. Now we can do IPFW L2 redirection/forwarding. So I want to be
> able to use both together, TPROXY with IPFW L2 forwarding.
> 
> I am investigating the code, learning, trying some tests; since I am
> not a developer, not good at hacking 3rd party code, I am trying some
> dirty tricks. Unsuccessful right now but still investigating.

Hi Eduardo,

I've not yet tried the TPROXY setup, but something came up in my thoughts about this...

The ipfw rule I was using to test the L2 fwd was something like this:

ipfw fwd 127.0.0.1,3128 tcp from not me to any 80

And this rule forwards all the 'output' traffic on the bridge interface to lusca. Nice!

But with TPROXY lusca will try to connect to HTTP servers with the client IP, and therefore all this traffic will also match the ipfw fwd rule! So we end up with a loop and the game is over...

I'm not sure yet (as I'd not tested this) if this is the only problem or how we can work around this limitation.

We probably need to 'tag' the lusca packets someway and skip the fwd rule.

Regards,
Luiz



More information about the freebsd-ipfw mailing list