IPFW, DIVERT, and if_bridge
Ronald Roskens
ronr at econet.com
Thu Mar 13 08:52:18 PDT 2008
On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
> Hello,
>
> I posted a similar message to Questions but received no
> answer so I'm reposting a paraphrase here to see if anyone
> knows.
>
> I built FreeBSD 7.0 with options DIVERT and if_bridge to
> see if I could make snort_inline work with the bridging
> firewall I'm building. I found that the divert would not
> direct packets to snort_inline which sounded a little like
> the experiences people had when they tried to do this
> with the pre-6.x bridge.
>
> Is it still not possible to use divert with if_bridge? Here
> is what I'm seeing in ipfw.
>
> 65000 48 7382 count ip from any to any
> 65001 0 0 divert 8300 ip from any to any
> 65010 48 7382 allow ip from any to any
Yes, it is possible to use divert with if_bridge and ipfw. It sounds
like you have not enabled packet filtering on the bridge.
I use the following:
# /etc/sysctl.conf
net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1
# ipfw.conf
10000 divert 8000 ip from any to any out via bridge0
>
> Thank you,
> Chris Pratt
>
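As an added diagnostic that is not part of the thread, the following POSIX sh functions turn the reply's advice into a check: one compares `sysctl` output against the two settings from the reply that make member-interface traffic visit ipfw, the other flags divert rules in `ipfw -a list` output that see no packets while neighbouring rules do. The function names and the required-setting list are my choices, not anything from the list posts.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing-list thread): reads `sysctl` and
# `ipfw -a list` output and reports why a divert rule on an if_bridge host
# may never match.

# Settings taken from the reply above; this check treats them as required.
REQUIRED_SYSCTLS="net.link.ether.ipfw=1 net.link.bridge.pfil_member=1"

# check_sysctls TEXT: TEXT is the output of `sysctl net.link` (one
# "key: value" per line). Prints each required setting that is absent or
# has the wrong value; returns 1 if any does.
check_sysctls() {
    rc=0
    for want in $REQUIRED_SYSCTLS; do
        key=${want%%=*}; val=${want#*=}
        got=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == (k ":") {print $2}')
        if [ "$got" != "$val" ]; then
            echo "$key is '${got:-unset}', expected $val"
            rc=1
        fi
    done
    return $rc
}

# idle_diverts TEXT: TEXT is `ipfw -a list` output, i.e. "rule pkts bytes
# action ..." per line. Prints the rule numbers of divert rules that counted
# zero packets while at least one other rule saw traffic, which is the
# symptom Chris reported (rule 65001 in his listing).
idle_diverts() {
    printf '%s\n' "$1" | awk '
        $4 == "divert" && $2 == 0 { idle = idle " " $1 }
        $2 > 0 { traffic = 1 }
        END { if (traffic && idle != "") print substr(idle, 2) }'
}
```

Run it on a live host as `check_sysctls "$(sysctl net.link)"` and `idle_diverts "$(ipfw -a list)"`; the sample values in the test are constructed from the listing quoted above.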