Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 24 Jan 2013 10:41:16 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        Jake Guffey <jake.guffey@eprotex.com>
Cc:        ipfw@freebsd.org, Doug Ambrisko <ambrisko@ambrisko.com>
Subject:   Re: IPFW divert with layer 2 interfaces
Message-ID:  <5101723C.1080104@freebsd.org>
In-Reply-To: <51017174.6040205@freebsd.org>
References:  <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com> <51017174.6040205@freebsd.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 1/24/13 10:37 AM, Julian Elischer wrote:
> On 1/24/13 10:16 AM, Jake Guffey wrote:
>> Hi:
>>
>> I am working on a network appliance based on FreeBSD, IPFW, and 
>> Suricata. In the scenario that I'm developing for, I need to divert 
>> packets sent over a layer 2 bridge for IPS processing. After 
>> reinjection, IPFW passes this traffic back to FreeBSD for layer 3 
>> forwarding. I would like to get this working for layer 2 forwarding 
>> across the bridge interface(s) involved.
>>
>> I saw 
>> http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html 
>> from quite some time ago (2006), and that one of the responders 
>> said that he didn't want to commit layer 2 diversion support before 
>> layer 2 packet filtering hooks were put in place. To my 
>> understanding (please correct me if I'm wrong), the pfil hooks he 
>> was referring to are in place now.
>
> hithere..
> The original code you refer to was written by Ironport (now cisco) 
> after lookign at similar code bu imimic (then ironport, now cisco 
> :-)) for use in their
> web filter appliance.
>
> It did work well, however I'm not in that field any more so I can't 
> justify work time in getting it up to date..
> Nor o I have access any more to test machines that I can test the 
> result with.
>
> It may be worth asking Doug  Ambrisko what the current version of 
> the code looks like.. We had permission to
> give it back (hense the email) but it never got put into the tree.

I will add that I think the original code was written for the "old" 
bridge code and not if_bridge.

>
>> Is there something I can do to help make this happen? I am very 
>> rusty with C and will probably not be much help coding, but 
>> anything else, I'd be glad to do. I suppose that I could give 
>> coding this support a shot, with (likely) a bit of hand-holding 
>> from you.
>>
>> The company that I work for has allocated budget for consulting, so 
>> I would be glad to help fund development if that's an issue.
>>
>> Thanks,
>> Jake Guffey
>> Network Security Engineer
>>
>> eProtex
>> Network medical device security
>>
>> 5451 Lakeview Parkway S Drive
>> Indianapolis, Indiana 46268, USA
>> Mobile: 317-220-7100
>> jake.guffey@eprotex.com
>> www.eprotex.com
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to 
>> "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5101723C.1080104>