From: Jake Guffey
To: Julian Elischer
Cc: ipfw@freebsd.org, Doug Ambrisko
Subject: Re: IPFW divert with layer 2 interfaces
Date: Thu, 24 Jan 2013 13:49:31 -0500

Thanks for the response, Julian. Any thoughts, Doug?

Thanks,
Jake Guffey
Network Security Engineer

eProtex
Network medical device security

5451 Lakeview Parkway S Drive
Indianapolis, Indiana 46268, USA
Mobile: 317-220-7100
jake.guffey@eprotex.com
www.eprotex.com

On Jan 24, 2013, at 12:37 PM, Julian Elischer wrote:

> On 1/24/13 10:16 AM, Jake Guffey wrote:
>> Hi:
>>
>> I am working on a network appliance based on FreeBSD, IPFW, and Suricata. In the scenario that I'm developing for, I need to divert packets sent over a layer 2 bridge for IPS processing.
>> After reinjection, IPFW passes this traffic back to FreeBSD for layer 3 forwarding. I would like to get this working for layer 2 forwarding across the bridge interface(s) involved.
>>
>> I saw http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html from quite some time ago (2006), and that one of the responders said that he didn't want to commit layer 2 diversion support before layer 2 packet filtering hooks were put in place. To my understanding (please correct me if I'm wrong), the pfil hooks he was referring to are in place now.
>
> Hi there..
> The original code you refer to was written by Ironport (now Cisco) after looking at similar code by imimic (then Ironport, now Cisco :-)) for use in their web filter appliance.
>
> It did work well, however I'm not in that field any more so I can't justify work time in getting it up to date..
> Nor do I have access any more to test machines that I can test the result with.
>
> It may be worth asking Doug Ambrisko what the current version of the code looks like.. We had permission to give it back (hence the email) but it never got put into the tree.
>
>> Is there something I can do to help make this happen? I am very rusty with C and will probably not be much help coding, but anything else, I'd be glad to do. I suppose that I could give coding this support a shot, with (likely) a bit of hand-holding from you.
>>
>> The company that I work for has allocated budget for consulting, so I would be glad to help fund development if that's an issue.
>>
>> Thanks,
>> Jake Guffey