ipfw bridge + fwd questions

Theo Schlossnagle jesus at omniti.com
Fri Sep 30 19:44:18 PDT 2005


Allowing fwd rules on bridged traffic isn't too difficult, but does
require kernel modifications (in ipfw).

As Mao says it can only work on layer 3 packets.  But, that doesn't
mean you can't do it.  It just means that when you add the FWD option
into the layer 2 ipfw switch statement you have to look deep enough
into the packet to make sure it is indeed IP and possible to fwd.
Then hand it up in the stack.

We did this on one of our networking appliances.  Basically, qualify
the packet in (args->eh) and then unlock the chain and ip_input to
push it into layer 3.

On Sep 30, 2005, at 3:43 AM, Mao Shou Yan wrote:

> NO, fwd can work only on layer 3 packet!
>
> -----Original Message-----
> From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd- 
> net at freebsd.org] On Behalf Of Marcin Jessa
> Sent: September 30, 2005 15:35
> To: Ganbold
> Cc: freebsd-net at freebsd.org
> Subject: Re: ipfw bridge + fwd questions
>
> On Fri, 30 Sep 2005 15:39:49 +0900
> Ganbold <ganbold at micom.mng.net> wrote:
>
>
>> Hi,
>>
>> I have a question regarding ipfw fwd rule.
>> I'm using FreeBSD 5.4-STABLE and running on it bridging firewall
>> using ipfw.
>>
>> Now my question comes:)
>> Can I use ipfw fwd rules against traffic coming to one of the bridged
>> interfaces?
>>
> Yes you can.
> sysctl net.link.ether.bridge_ipfw=1 just like in your sysctl  
> variables.
>
>
>> I would like to forward some packets (which are destined to port
>> 110)
>> to some other router through third vr0 interface.
>>
> Use a divert rule for that.
>
> In this example we send all the port 80 traffic to port 8000:
> # ipfw add 1000 divert 8000 tcp from any to any 80
> Read this article for more info:
> http://freebsd.rogness.net/snort_inline/
>
> Cheers
> Marcin.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
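As an added example (not code from this thread, from FreeBSD's ipfw, or from the appliance Theo mentions), the "qualify the packet" step he describes, done in userland C on a raw Ethernet frame so it can be run offline: before a bridged frame is handed up to ip_input for a fwd rule, the code must confirm the frame really carries IPv4, that the header is complete and self-consistent, and that the ports a rule like "tcp from any to any 110" would match on are actually present (a non-first fragment has none). The function name, verdict enum and the sample frames are constructed for this example; in the kernel the same checks would run against args->eh and the mbuf.

```c
/* Added example: qualify a bridged Ethernet frame before letting a
 * layer-3 fwd rule act on it.  Function names, enum and frames are
 * constructed for illustration, not taken from ipfw. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum fwd_verdict {
    FWD_NOT_IP,    /* not IPv4: stays a layer-2 frame, fwd cannot apply */
    FWD_BAD_IP,    /* claims IPv4 but header length/total length/checksum fail */
    FWD_NO_PORTS,  /* IPv4 but nothing to match ports on (non-TCP, later fragment) */
    FWD_NO_MATCH,  /* well-formed TCP, but not the destination port we redirect */
    FWD_OK         /* safe to hand up the stack for the fwd rule */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* RFC 1071 one's-complement sum over the IPv4 header; 0 when the stored checksum is valid. */
static uint16_t ip_header_sum(const uint8_t *ip, size_t ihl_bytes)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl_bytes; i += 2)
        sum += be16(ip + i);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

enum fwd_verdict fwd_qualify(const uint8_t *frame, size_t len, uint16_t want_dport)
{
    size_t off = 14;                           /* Ethernet header */
    if (len < off) return FWD_NOT_IP;
    uint16_t type = be16(frame + 12);
    if (type == 0x8100) {                      /* one 802.1Q tag: step over it */
        if (len < off + 4) return FWD_NOT_IP;
        type = be16(frame + 16);
        off += 4;
    }
    if (type != 0x0800) return FWD_NOT_IP;     /* not ETHERTYPE_IP */

    const uint8_t *ip = frame + off;
    size_t avail = len - off;
    if (avail < 20 || (ip[0] >> 4) != 4) return FWD_BAD_IP;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    uint16_t tot = be16(ip + 2);
    /* header must fit, total length must fit (frames may carry trailing padding) */
    if (ihl < 20 || ihl > avail || tot < ihl || tot > avail) return FWD_BAD_IP;
    if (ip_header_sum(ip, ihl) != 0) return FWD_BAD_IP;

    if (ip[9] != 6) return FWD_NO_PORTS;                    /* not TCP */
    if ((be16(ip + 6) & 0x1FFF) != 0) return FWD_NO_PORTS;  /* later fragment: no TCP header */
    if (tot - ihl < 20) return FWD_BAD_IP;                  /* truncated TCP header */

    const uint8_t *tcp = ip + ihl;
    return be16(tcp + 2) == want_dport ? FWD_OK : FWD_NO_MATCH;
}

/* Constructed sample frames (not captured traffic): Ethernet + IPv4 + TCP SYN. */
const uint8_t frame_pop3[] = {                 /* 10.0.0.1 -> 10.0.0.2, dport 110 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x66,0xcd,
    10,0,0,1, 10,0,0,2,
    0xc0,0x00,0x00,0x6e, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0, 0,0
};
const uint8_t frame_frag[] = {                 /* same, but fragment offset 16 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x10, 0x40,0x06,0x66,0xbd,
    10,0,0,1, 10,0,0,2,
    0xc0,0x00,0x00,0x6e, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0, 0,0
};
const uint8_t frame_arp[] = {                  /* ARP request: layer 2 only */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01
};

int main(void)
{
    static const char *names[] = { "not-ip", "bad-ip", "no-ports", "no-match", "ok" };
    printf("pop3 syn, rule port 110: %s\n", names[fwd_qualify(frame_pop3, sizeof frame_pop3, 110)]);
    printf("pop3 syn, rule port 80:  %s\n", names[fwd_qualify(frame_pop3, sizeof frame_pop3, 80)]);
    printf("pop3 syn truncated:      %s\n", names[fwd_qualify(frame_pop3, 40, 110)]);
    printf("later fragment:          %s\n", names[fwd_qualify(frame_frag, sizeof frame_frag, 110)]);
    printf("arp:                     %s\n", names[fwd_qualify(frame_arp, sizeof frame_arp, 110)]);
    return 0;
}
```

The truncated and fragment cases are the ones that matter for safety: a fwd rule keyed on a port must never read past the bytes the frame actually carries, and a later fragment has no transport header at all, so it is passed through untouched rather than redirected.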
