Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 24 Jan 2013 10:37:56 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        Jake Guffey <jake.guffey@eprotex.com>
Cc:        ipfw@freebsd.org, Doug Ambrisko <ambrisko@ambrisko.com>
Subject:   Re: IPFW divert with layer 2 interfaces
Message-ID:  <51017174.6040205@freebsd.org>
In-Reply-To: <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com>
References:  <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 1/24/13 10:16 AM, Jake Guffey wrote:
> Hi:
>
> I am working on a network appliance based on FreeBSD, IPFW, and Suricata. In the scenario that I'm developing for, I need to divert packets sent over a layer 2 bridge for IPS processing. After reinjection, IPFW passes this traffic back to FreeBSD for layer 3 forwarding. I would like to get this working for layer 2 forwarding across the bridge interface(s) involved.
>
> I saw http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html from quite some time ago (2006), and that one of the responders said that he didn't want to commit layer 2 diversion support before layer 2 packet filtering hooks were put in place. To my understanding (please correct me if I'm wrong), the pfil hooks he was referring to are in place now.

hithere..
The original code you refer to was written by Ironport (now cisco) 
after lookign at similar code bu imimic (then ironport, now cisco :-)) 
for use in their
web filter appliance.

It did work well, however I'm not in that field any more so I can't 
justify work time in getting it up to date..
Nor o I have access any more to test machines that I can test the 
result with.

It may be worth asking Doug  Ambrisko what the current version of the 
code looks like.. We had permission to
give it back (hense the email) but it never got put into the tree.

> Is there something I can do to help make this happen? I am very rusty with C and will probably not be much help coding, but anything else, I'd be glad to do. I suppose that I could give coding this support a shot, with (likely) a bit of hand-holding from you.
>
> The company that I work for has allocated budget for consulting, so I would be glad to help fund development if that's an issue.
>
> Thanks,
> Jake Guffey
> Network Security Engineer
>
> eProtex
> Network medical device security
>
> 5451 Lakeview Parkway S Drive
> Indianapolis, Indiana 46268, USA
> Mobile: 317-220-7100
> jake.guffey@eprotex.com
> www.eprotex.com
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?51017174.6040205>