From: Julian Elischer
Date: Thu, 24 Jan 2013 10:41:16 -0700
To: Jake Guffey
Cc: ipfw@freebsd.org, Doug Ambrisko
Subject: Re: IPFW divert with layer 2 interfaces

On 1/24/13 10:37 AM, Julian Elischer wrote:
> On 1/24/13 10:16 AM, Jake Guffey wrote:
>> Hi:
>>
>> I am working on a network appliance based on FreeBSD, IPFW, and
>> Suricata. In the scenario that I'm developing for, I need to divert
>> packets sent over a layer 2 bridge for IPS processing. After
>> reinjection, IPFW passes this traffic back to FreeBSD for layer 3
>> forwarding.
>> I would like to get this working for layer 2 forwarding
>> across the bridge interface(s) involved.
>>
>> I saw
>> http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html
>> from quite some time ago (2006), and that one of the responders
>> said that he didn't want to commit layer 2 diversion support before
>> layer 2 packet filtering hooks were put in place. To my
>> understanding (please correct me if I'm wrong), the pfil hooks he
>> was referring to are in place now.
>
> Hi there..
> The original code you refer to was written by Ironport (now Cisco)
> after looking at similar code by imimic (then Ironport, now Cisco
> :-)) for use in their
> web filter appliance.
>
> It did work well, however I'm not in that field any more so I can't
> justify work time in getting it up to date..
> Nor do I have access any more to test machines that I can test the
> result with.
>
> It may be worth asking Doug Ambrisko what the current version of
> the code looks like.. We had permission to
> give it back (hence the email) but it never got put into the tree.

I will add that I think the original code was written for the "old"
bridge code and not if_bridge.

>
>> Is there something I can do to help make this happen? I am very
>> rusty with C and will probably not be much help coding, but
>> anything else, I'd be glad to do. I suppose that I could give
>> coding this support a shot, with (likely) a bit of hand-holding
>> from you.
>>
>> The company that I work for has allocated budget for consulting, so
>> I would be glad to help fund development if that's an issue.
>>
>> Thanks,
>> Jake Guffey
>> Network Security Engineer
>>
>> eProtex
>> Network medical device security
>>
>> 5451 Lakeview Parkway S Drive
>> Indianapolis, Indiana 46268, USA
>> Mobile: 317-220-7100
>> jake.guffey@eprotex.com
>> www.eprotex.com
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to
>> "freebsd-ipfw-unsubscribe@freebsd.org"