Date: Thu, 22 May 2008 10:19:52 -0700
From: Julian Elischer <julian@elischer.org>
To: Ganbold <ganbold@micom.mng.net>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw fwd layer2/ftp proxy
Message-ID: <4835AB38.40100@elischer.org>
In-Reply-To: <483522F3.4090200@micom.mng.net>
References: <483522F3.4090200@micom.mng.net>

Ganbold wrote:
> Hi there,
>
> I'm having trouble allowing ftp connections through ipfw (default deny)
> enabled bridge firewall.
> I'm wondering whether it is possible to have some kind of transparent
> ftp proxy in such case.
>
> Is there any way I can allow ftp proxying without layer2 forwarding on
> ipfw bridge?
>
> I thought of forwarding packets in layer2, however it seems like ipfw
> still doesn't support that.
> I saw old patches of luigi@ and if somebody already has adapted that
> patch for RELENG_6/7 please let me know.

I have such patches for the old 'bridge' code that allow bridges to
intercept IP sessions but not for the new 'if_bridge' code.

The trick is to make a 'fwd localhost' on the Layer2 ipfw pass to
result in the packet being passed to the IP stack regardless of
where the header says it should go. In the IP stack a similar
'fwd localhost' rule (maybe the same one) will also trigger on the
Layer 3 pass, and actually cause the session to connect.

For fully transparent (in both directions) you need to alter the IP
code to allow you to bind the outgoing socket to a non-local address,
and to capture the return packets you need the L2 firewall pass to do
a test for 'uid' which has the side effect of noticing whether or not
there is a local socket that matches a packet, even if it has a
non-local address on it.

>
> I know my last try is to deny everything I don't want and then allow the
> rest. However I would like to make it work in current configuration.
> Please let me know your ideas.
>
> thanks in advance,
>
> Ganbold
>