rdr + bridge
max at love2party.net
Fri Oct 15 14:36:24 PDT 2004
Unfortunately FreeBSD's bridge code is far from optimal. It lacks a lot of
functionality when compared to Net/OpenBSD's if_bridge. At the moment this
constrains pf to a very limited subset of possible functionalities. There has
been an effort to port over if_bridge, but that died for some reason.
In order to fix your specific problem you might want to try to add a "route-to
(lo0 127.0.0.1)"-rule for the redirected traffic, but I can't confirm that
this will really help.
All in all, I have to admit that pf gives a rather poor performance with the
FreeBSD bridge code.
On Friday 15 October 2004 18:25, Sergey Lyubka wrote:
> I am trying to set up a transparent proxy.
> The box has two interfaces,
> em0 (0.0.0.0, outside interface)
> em1 (10.0.0.3, inside interface)
> pf and bridge are running on the box.
> Proxy is running on the box, listening on 127.0.0.1:8080
> This is the pf.conf:
> rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port
> pass in
> pass out
> But when I try to access any site from the inside,
> I see packets emitted by em0, which have destination address
> The proxy does not receive anything.
> nfa# sysctl -a | grep bridge
> net.link.ether.bridge_cfg: em0,em1
> net.link.ether.bridge_ipfw: 1
> net.link.ether.bridge_ipf: 1
> net.link.ether.bridge.config: em0,em1
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 45
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 80
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 1
> net.link.ether.bridge.ipf: 1
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
> nfa# uname -a
> FreeBSD nfa 5.3-BETA7 FreeBSD 5.3-BETA7 #20: Fri Oct 15 15:41:14 UTC
> 2004 root at valenok.netfort-iss.com:/usr/obj/usr/src/sys/MANAGER
> Any ideas?
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
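A complete pf.conf for the setup in the quoted message, as an added example that is not from the thread, combining the original rdr rule with the route-to (lo0 127.0.0.1) rule Max suggests (which he notes he cannot confirm). It assumes the rdr target port is 8080 (cut off in the quote, but that is where the proxy listens) and adds `quick` so the blanket `pass in` at the end does not override the route-to rule under pf's last-matching-rule semantics.

```pf
# Added example, not the poster's actual configuration.
# Assumptions: proxy on 127.0.0.1:8080, rdr target port 8080 (the quoted
# rule is truncated), OpenBSD 3.5-era pf syntax as shipped in FreeBSD 5.3.
ext_if = "em0"
int_if = "em1"
proxy_port = "8080"

# Translation rules must precede filter rules. Only HTTP arriving on the
# inside interface is rewritten to the local proxy; the proxy's own
# outbound connections leave via em0 untouched.
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port $proxy_port

# Filter rules see the translated destination (127.0.0.1:8080). On a
# bridge the frame may be forwarded out em0 at layer 2 instead of reaching
# the local IP stack; route-to steers the redirected packet to lo0 so the
# proxy can accept it. "quick" stops the later "pass in" from matching
# (last matching rule wins) and silently dropping the route-to.
pass in quick on $int_if route-to (lo0 127.0.0.1) inet proto tcp \
    from any to 127.0.0.1 port $proxy_port keep state

# Everything else stays open, as in the original rule set.
pass in
pass out
```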