Hi Julian,

Thanks for the explanation.

Since it is on layer 2, that means we can differentiate traffic by MAC or
other layer 2 filters only,
e.g., forward the traffic when the type is 0x800 and the destination MAC is
xx:yy:zz....

I meant the accuracy is a big concern.

Regards,
Bill Yuan


On 21 December 2015 at 22:40, Julian Elischer <jul...@freebsd.org> wrote:

> On 21/12/2015 5:47 PM, bycn82 wrote:
>
>> why fwd based on MAC?   Can share more info of your requirement?
>
>
> You still decide to FWD based on IP address, but you do it while the
> packet is still in the layer 2 bridge.
>
> let me give you a concrete example
>
> If I have a bridge between two networks, it is a transparent bridge; in
> other words, nothing sees the bridge.
> However using layer 2 IPFW, I can block packets from side A from getting
> to side B.
> In addition I can redirect (using ipfw fwd and this patch) packets that
> are coming in, from side A to port 80 on side B, to a local proxy or http
> filter.
> Everything else just flows back and forth across the bridge.
> Using IP spoofing/forwarding the proxy filter will create a socket that
> pretends to be the side B destination and respond directly, even though it
> doesn't have that address. It may in turn open a socket to the original
> destination and forward the request, or, maybe it won't, depending on
> policy.
> But nothing else is aware of its existence.  It is as though a segment of
> cable started filtering web content.
>
> This is EXACTLY what the cisco/ironport web filter appliance does...
>
>
>
>
> On Monday, 21 December 2015, Julian Elischer <jul...@freebsd.org> wrote:
>
>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>
>>> Hi,
>>>
>>> Does ipfw support layer2 fwd to support transparent proxying on bridge?
>>>
>>> Does similar change like
>>>
>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>> ever get committed?
>>>
>> I don't believe this was applied..
>> I did similar when I worked for Ironport/Cisco.
>> But it's a trade-off between bloat and usefulness.
>>
>>
>>> thanks a lot,
>>>
>>> Ganbold
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
>>>
>>>
>>
>
>
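As an added illustration of the point debated above (not code from the thread, from ipfw, or from the patch Julian mentions), the following Python block decodes a constructed Ethernet/IPv4/TCP frame and applies two decision functions side by side: a MAC/ethertype-only rule, which is all Bill's "layer 2 filters only" reading allows, and a bridge-level rule in the spirit of Julian's description that still inspects the IP destination and TCP port 80 before deciding to hand the frame to a local proxy. Side A's MAC addresses, the 10.1.2.0/24 side B network, and the 127.0.0.1:3128 proxy address are all assumptions made up for the example; nothing here installs rules or touches the kernel.

```python
"""Added example: what a bridge-level (layer 2) filter can see and decide on.
All MAC addresses, IP addresses, ports and frames below are constructed."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6

# Assumed topology for the example (not from the thread).
SIDE_A_MACS = {"02:00:00:00:00:0a"}          # hosts behind side A of the bridge
SIDE_B_NET = ipaddress.ip_network("10.1.2.0/24")  # side B addresses
ALLOWED_DST_MACS = {"02:00:00:00:00:0b"}      # what a MAC-only rule would match
PROXY = ("127.0.0.1", 3128)                   # hypothetical local transparent proxy


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4/TCP, the L3/L4 fields a filter needs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # non-IP: only L2 fields are available
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes, options included
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    info["proto"] = ip[9]
    info["src_ip"] = str(ipaddress.ip_address(ip[12:16]))
    info["dst_ip"] = str(ipaddress.ip_address(ip[16:20]))
    if info["proto"] == IPPROTO_TCP:
        tcp = ip[ihl:]
        if len(tcp) < 4:
            raise ValueError("truncated TCP header")
        info["src_port"], info["dst_port"] = struct.unpack("!HH", tcp[:4])
    return info


def l2_only_decision(info: dict) -> str:
    """Bill's reading: match on ethertype and destination MAC only; no port awareness."""
    if info["ethertype"] == ETHERTYPE_IPV4 and info["dst_mac"] in ALLOWED_DST_MACS:
        return "allow"
    return "deny"


def bridge_fwd_decision(info: dict) -> tuple:
    """Julian's scheme: the hook sits in the bridge, but the decision looks at IP/TCP.
    Frames from side A to a side B web server (port 80) are diverted to the proxy;
    everything else flows across the bridge untouched."""
    if (info.get("proto") == IPPROTO_TCP
            and info["src_mac"] in SIDE_A_MACS
            and ipaddress.ip_address(info["dst_ip"]) in SIDE_B_NET
            and info.get("dst_port") == 80):
        return ("fwd", PROXY)
    return ("allow", None)


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr


def build_arp_frame(dst_mac, src_mac) -> bytes:
    """Construct an Ethernet frame with an ARP ethertype and an empty payload."""
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_ARP))


if __name__ == "__main__":
    web = build_tcp_frame("02:00:00:00:00:0b", "02:00:00:00:00:0a", "10.1.1.7", "10.1.2.5", 40000, 80)
    ssh = build_tcp_frame("02:00:00:00:00:0b", "02:00:00:00:00:0a", "10.1.1.7", "10.1.2.5", 40001, 22)
    for name, frame in (("web", web), ("ssh", ssh)):
        info = parse_frame(frame)
        print(name, "L2-only:", l2_only_decision(info), "bridge fwd:", bridge_fwd_decision(info))
```

The MAC-only rule treats both frames identically, which is the accuracy problem Bill raises; the bridge-level rule distinguishes the port 80 flow and diverts only that one, while the SSH flow and the ARP frame cross the bridge unchanged.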
