From owner-freebsd-current Mon Feb 17 12:35:51 2003
Delivered-To: freebsd-current@freebsd.org
Message-ID: <00bb01c2d6c4$2554be40$faed68ce@science1>
From: "Elliot Finley"
Subject: Can't get divert to work
Date: Mon, 17 Feb 2003 13:35:39 -0700

Even with this configuration (see below) in place (with no application to catch the diverted packets), I can still pass packets through that should match the divert rule.

If I change the divert rule to:

00150 divert 9999 ip from any to any

then I can still send and receive packets through the bridge, but I can no longer access the bridging machine via the network.

It seems as though divert is only working on packets that are destined for the bridge machine. Is there any way to have divert act on packets that would normally just pass through the bridge?

TIA for any pointers/RTFM/etc...
Bridge configuration:
---------------------

FreeBSD-Current as of 2-16-2003

Options in kernel
-----------------
options IPDIVERT
options BRIDGE
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT

athena root:sys/i386/conf#>sysctl -a | grep bridge
net.link.ether.bridge_cfg: fxp0,fxp1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

athena root:sys/i386/conf#>sysctl -a | grep fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 6
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.bdg_fw_avg: 0
net.link.ether.bdg_fw_ticks: 0
net.link.ether.bdg_fw_count: 0
net.link.ether.ipfw: 0

athena root:sys/i386/conf#>ipfw list
00100 allow ip from any to any via lo0
00150 divert 9999 ip from to
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
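The post runs its divert rule with no application bound to divert port 9999. Per ipfw(8), packets diverted to a port that nothing is bound to are dropped by the kernel, which is consistent with the host becoming unreachable once the rule is widened to "from any to any". The following is an added example (not code from the post or from FreeBSD) of the minimal program such a rule expects on the other end: it binds the divert socket, decodes each diverted IPv4 header, discards malformed packets, and reinjects everything else unchanged using the address recvfrom() returned so the kernel keeps the packet's original direction. Opening the socket requires a FreeBSD-derived kernel with IPDIVERT and a Python build that exposes socket.IPPROTO_DIVERT; the decode and policy helpers run anywhere, and the sample packet they are exercised on is constructed in the code, not captured traffic. The port number 9999 is taken from the post's rule; everything else (function names, the policy, the test addresses 10.0.0.1/10.0.0.2) is this example's own.

```python
#!/usr/bin/env python3
"""Minimal consumer for an ipfw divert socket (added example; not code from the post).

Pairs with a rule such as the post's:  00150 divert 9999 ip from any to any
Packets matching it are handed to whatever process is bound to divert port 9999;
if nothing is bound there the kernel drops them.  This consumer decodes the IPv4
header, drops malformed packets, and reinjects everything else unchanged.
"""
import socket
import struct
import sys

DIVERT_PORT = 9999  # divert port from the post's ipfw rule


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum.  Computed over a header whose
    checksum field is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IPv4 header length %d" % ihl)
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        "header_len": ihl,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }


def handle_packet(pkt: bytes):
    """Policy for one diverted packet: ("reinject", info) or ("drop", reason).
    Anything not reinjected is gone, exactly as if no listener existed."""
    try:
        info = parse_ipv4_header(pkt)
    except ValueError as exc:
        return "drop", str(exc)
    if not info["checksum_ok"]:
        return "drop", "bad IPv4 header checksum"
    if info["total_len"] > len(pkt):
        return "drop", "truncated packet (total_len %d > %d bytes read)" % (info["total_len"], len(pkt))
    return "reinject", info


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a well-formed IPv4 packet (constructed test input, not captured traffic)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + payload


def open_divert_socket(port: int) -> socket.socket:
    """Bind a divert socket (FreeBSD only: AF_INET / SOCK_RAW / IPPROTO_DIVERT)."""
    proto = getattr(socket, "IPPROTO_DIVERT", None)  # absent on non-BSD builds of Python
    if proto is None:
        raise OSError("IPPROTO_DIVERT not available: divert sockets exist only on FreeBSD-derived systems")
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
    sock.bind(("0.0.0.0", port))
    return sock


def run(port: int) -> None:
    """Read diverted packets forever; reinject the good ones with the address
    recvfrom() returned so the kernel keeps the original direction/interface."""
    sock = open_divert_socket(port)
    while True:
        pkt, addr = sock.recvfrom(65535)
        action, detail = handle_packet(pkt)
        if action == "reinject":
            print("pass %(src)s -> %(dst)s proto=%(proto)d len=%(total_len)d" % detail, file=sys.stderr)
            sock.sendto(pkt, addr)
        else:
            print("drop: %s" % detail, file=sys.stderr)


if __name__ == "__main__":
    run(int(sys.argv[1]) if len(sys.argv) > 1 else DIVERT_PORT)
```

Run it as root on the bridge host with `python3 divert_consumer.py 9999` before testing the rule; whatever this process declines to sendto() back never reaches the next ipfw rule, so the policy in handle_packet is the whole filter. Which packets actually arrive on the socket (host-bound only, or bridged traffic too) is a question of the kernel's bridge/ipfw path and is not changed by this program.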