Re: Redirection with a bridge ?
On Jun 22, 2004, at 9:02 AM, Matt Juszczak wrote:
> What are some of the other approaches (if you don't mind). I can't really do a NAT, I'd really like to stay with a bridge and not do any routing.

Normally, something like squid listens on a specific port and only proxies requests which are explicitly sent to it. If you set up Squid on a dual-homed machine acting as a firewall, you can configure all clients to use it without them being able to route traffic outside of the firewall themselves. In that case, squid will talk to the outside world using the external interface, but talk to the clients using whatever local subnet IP addresses they have, without using NAT or anything else.

A more complex approach would be to put the network interface in promiscuous mode and use a divert socket to forward all normal web traffic (HTTP, 80/tcp) to the Squid proxy regardless. That has the advantage of not having to configure the clients to use a proxy, however.

Anyway. I don't think setting this up is easier than using NAT, but perhaps you might find the concept useful.

--
-Chuck

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Redirection with a bridge ?
> What are some of the other approaches (if you don't mind). I can't
> really do a NAT, I'd really like to stay with a bridge and not do any
> routing.

I'm using a bridging setup (specifically to grab all web traffic and divert it all to a proxy/policy manager); I had to perform a kernel patch in order to use fwd on bridged packets. Try here:

http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html

The bridging code in OpenBSD is quite good and ipf will let you use a similar approach out of the box and is a bit more convenient than patching.

Hope this is helpful.

Jason.
Re: Redirection with a bridge ?
What are some of the other approaches (if you don't mind). I can't really do a NAT, I'd really like to stay with a bridge and not do any routing.

Charles Swiger wrote:
> On Jun 21, 2004, at 5:10 PM, Matt Juszczak wrote:
> [ ... ]
> > So basically, I either have to use some other form of redirecting web packets (a bogus DNS server maybe), or switch to a NAT instead of a bridge. Correct?
>
> Yes, more or less. There are other approaches which could be taken which are more complex, but the basic answer is that NAT is probably the right approach.
Re: Redirection with a bridge ?
On Jun 21, 2004, at 5:10 PM, Matt Juszczak wrote:
[ ... ]
> So basically, I either have to use some other form of redirecting web packets (a bogus DNS server maybe), or switch to a NAT instead of a bridge. Correct?

Yes, more or less. There are other approaches which could be taken which are more complex, but the basic answer is that NAT is probably the right approach.

--
-Chuck
Re: Redirection with a bridge ?
On Jun 21, 2004, at 4:48 PM, [EMAIL PROTECTED] wrote:
> Is it possible to redirect packets that are being passed through a bridge based on their protocol/port, so that if a HTTP packet (port 80) goes through the bridge, no matter what its destination is, it will be redirected to IP address 4.3.2.1.

Yes. In order to redirect packets to a different IP address, you have to rewrite those packets, which is what natd or ipnat do, working at layer 3.

> That's what I'm trying to solve. I know that you can do the above successfully if you are using a NAT (ipnat) or if you are doing routing (IPFW's forward command), but is it possible to do it with a bridge?

Bridging works at layer 2. Without using NAT, bridging alone will forward the traffic but not change the destination IP to 4.3.2.1.

Note that the IPFW forward command redirects traffic via a specific outbound interface; it does not perform layer-3 routing (i.e., your traditional IP stuff using netmasks, gateways, and the local routing table that most people mean by the word "routing").

--
-Chuck
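An added illustration of the point made above (example code, not part of the thread): a small Python model of the frame a bridge forwards. The bridge only has the Ethernet header to act on, while redirecting a port-80 connection to 4.3.2.1 (the address from the thread) means rewriting the IP destination and recomputing both the IPv4 and TCP checksums, which is the layer-3 work ipnat rdr or natd does. The MAC and IP addresses used to build the frame are constructed sample values.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP SYN frame (no options, no payload)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    sip, dip = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]      # fill IPv4 checksum
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))      # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return eth + ip + tcp

def bridge_view(frame: bytes) -> dict:
    """Everything a pure layer-2 bridge forwards on: MACs and EtherType, nothing more."""
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}

def dst_ip(frame: bytes) -> str:
    return str(ipaddress.IPv4Address(frame[30:34]))

def dst_port(frame: bytes) -> int:
    return struct.unpack("!H", frame[36:38])[0]

def redirect(frame: bytes, new_dst_ip: str) -> bytes:
    """The layer-3 rewrite an rdr/natd rule performs: new dst IP, both checksums redone."""
    ip, tcp = bytearray(frame[14:34]), bytearray(frame[34:54])
    ip[16:20] = ipaddress.IPv4Address(new_dst_ip).packed
    ip[10:12], tcp[16:18] = b"\x00\x00", b"\x00\x00"              # clear both sums first
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # TCP sum covers new dst
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return frame[:14] + bytes(ip) + bytes(tcp)

def checksums_ok(frame: bytes) -> bool:
    """What the receiving host checks; a bare address splice without re-summing fails it."""
    ip, tcp = frame[14:34], frame[34:54]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0
```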
Re: Redirection with a bridge ?
Matt Juszczak wrote:
> Is there a way to do IP redirection without using layer 3? (IPNAT or routing)? I have a bridge setup and want to redirect any port 80 traffic outgoing through the bridge to a specific server but it seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands ... which are all layer 3 oriented and don't work with just a bridge...

Well, you can use layer-2 bridging to forward network traffic to any directly connected physical subnet you want to, and you can use "ifconfig alias" to give machines on that subnet multiple IPs. If a machine sees traffic to its MAC address and/or is in promiscuous mode (which is what a FreeBSD bridge sets the interfaces it uses to), the machine will pay attention to those packets. If the packets contain IP addresses which the machine believes belong to it, then it will respond appropriately.

Frankly, however, I suspect that you are confusing yourself more than you are solving the problem you actually want to solve. :-)

Given a sufficiently complex set of firewall rules, packet forwarding, NAT re-writing, and whatever else, you can mangle packets in pretty much any way one can think of. Do this only when you need to, to the extent that is useful. If setting up a "normal" network and letting the default TCP/IP local-subnet and routing behaviors do the right thing is at all possible, let the default behavior work for you.

--
-Chuck
Re: Redirection with a bridge ?
You can do it with a cisco like this. You can pick up a used 250x series cheap. Just make sure you are using IOS 12 >

ip nat pool trans 10.10.10.0 10.10.10.254 netmask 255.255.255.0
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.13 110 interface Ethernet0 110
ip nat inside source static tcp 10.10.10.13 80 interface Ethernet0 80
ip nat inside source static tcp 10.10.10.13 25 interface Ethernet0 25
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0

- Original Message -
From: "Matt Juszczak" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 18, 2004 7:05 PM
Subject: Redirection with a bridge ?

> Hello all,
>
> Is there a way to do IP redirection without using layer 3? (IPNAT or
> routing)? I have a bridge setup and want to redirect any port 80
> traffic outgoing through the bridge to a specific server but it
> seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> ... which are all layer 3 oriented and don't work with just a bridge...
>
> Any ideas?
>
> Thank you in advance for anyone's help,
>
> Matt
Re: Redirection with a bridge ?
Renato Marques wrote:
> Hmmm.. I really can't think about some solution... All of them involve a router before, in or after the bridge. How about proxying before the bridge?

I think that may be an option. I'll have to think on it; I appreciate your help though. Thanks!
Re: Redirection with a bridge ?
Hmmm.. I really can't think about some solution... All of them involve a router before, in or after the bridge. How about proxying before the bridge?

> So in summary, do I basically either have to do routing or a NAT, or
> find another alternative? There's no way to just bridge the traffic and
> do what I want?
>
> Thanks! :)
>
> -Matt
>
> Renato Marques wrote:
>
> > Well, in the TCP/IP Model, IP is layer 2 and TCP/UDP layer 3.
> >
> > > I don't think a bridge could do something like that. A bridge sees only IP
> > > packets, where there is no information about ports; ports are used in TCP and
> > > UDP.
> > > Actually, I think Layer 3 is where the IP protocol resides. NAT is done
> > > on layer 4... but I could be wrong...
> > >
> > > > Hello all,
> > > >
> > > > Is there a way to do IP redirection without using layer 3? (IPNAT or
> > > > routing)? I have a bridge setup and want to redirect any port 80
> > > > traffic outgoing through the bridge to a specific server but it
> > > > seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> > > > ... which are all layer 3 oriented and don't work with just a bridge...
> > > >
> > > > Any ideas?
> > > >
> > > > Thank you in advance for anyone's help,
> > > >
> > > > Matt
Re: Redirection with a bridge ?
I know it's layer 3 ... my point is that FreeBSD's bridge supports IPFW, and IPFW allows for some IP-related things ... filtering by source IP, destination IP, etc. etc. But in the man page for ipfw, it says that the "forward" command in ipfw is not supported on layer 2 (bridging, etc.). So I was wondering if there was a way to forward specific IP traffic without using NAT or routing (just strictly bridging). Someone on IRC mentioned that it's possible, but would require a custom program.

Thanks,
-Matt

Lowell Gilbert wrote:
> Matt Juszczak <[EMAIL PROTECTED]> writes:
> > Is there a way to do IP redirection without using layer 3?
>
> IP *is* layer 3.
Re: Redirection with a bridge ?
Matt Juszczak <[EMAIL PROTECTED]> writes:
> Is there a way to do IP redirection without using layer 3?

IP *is* layer 3.
Re: Redirection with a bridge ?
So in summary, do I basically either have to do routing or a NAT, or find another alternative? There's no way to just bridge the traffic and do what I want?

Thanks! :)

-Matt

Renato Marques wrote:
> Well, in the TCP/IP Model, IP is layer 2 and TCP/UDP layer 3.
>
> > I don't think a bridge could do something like that. A bridge sees only IP
> > packets, where there is no information about ports; ports are used in TCP and
> > UDP.
> > Actually, I think Layer 3 is where the IP protocol resides. NAT is done
> > on layer 4... but I could be wrong...
> >
> > > Hello all,
> > >
> > > Is there a way to do IP redirection without using layer 3? (IPNAT or
> > > routing)? I have a bridge setup and want to redirect any port 80
> > > traffic outgoing through the bridge to a specific server but it
> > > seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> > > ... which are all layer 3 oriented and don't work with just a bridge...
> > >
> > > Any ideas?
> > >
> > > Thank you in advance for anyone's help,
> > >
> > > Matt
Re: Redirection with a bridge ?
Well, in the TCP/IP Model, IP is layer 2 and TCP/UDP layer 3.

> I don't think a bridge could do something like that. A bridge sees only IP
> packets, where there is no information about ports; ports are used in TCP and
> UDP.
> Actually, I think Layer 3 is where the IP protocol resides. NAT is done
> on layer 4... but I could be wrong...
>
> > Hello all,
> >
> > Is there a way to do IP redirection without using layer 3? (IPNAT or
> > routing)? I have a bridge setup and want to redirect any port 80
> > traffic outgoing through the bridge to a specific server but it
> > seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> > ... which are all layer 3 oriented and don't work with just a bridge...
> >
> > Any ideas?
> >
> > Thank you in advance for anyone's help,
> >
> > Matt
Re: Redirection with a bridge ?
I don't think a bridge could do something like that. A bridge sees only IP packets, where there is no information about ports; ports are used in TCP and UDP.
Actually, I think Layer 3 is where the IP protocol resides. NAT is done on layer 4... but I could be wrong...

> Hello all,
>
> Is there a way to do IP redirection without using layer 3? (IPNAT or
> routing)? I have a bridge setup and want to redirect any port 80
> traffic outgoing through the bridge to a specific server but it
> seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> ... which are all layer 3 oriented and don't work with just a bridge...
>
> Any ideas?
>
> Thank you in advance for anyone's help,
>
> Matt
Re: Redirection with a bridge ?
Hi,

You will need some type of layer 3 device, router or firewall, to do what you want. A bridge works at layer 1 & 2 (physical and transport layers) and basically just allows one type of network (cable or dsl) to talk to another (ethernet).

On Fri, Jun 18, 2004 at 07:05:14PM -0400, Matt Juszczak <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> Is there a way to do IP redirection without using layer 3? (IPNAT or
> routing)? I have a bridge setup and want to redirect any port 80
> traffic outgoing through the bridge to a specific server but it
> seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands
> ... which are all layer 3 oriented and don't work with just a bridge...
>
> Any ideas?
>
> Thank you in advance for anyone's help,
>
> Matt

--
Chris Sechiatano
[EMAIL PROTECTED]
www.chris-s.com
PGP Key 0x0021EFA0
Redirection with a bridge ?
Hello all,

Is there a way to do IP redirection without using layer 3? (IPNAT or routing)? I have a bridge setup and want to redirect any port 80 traffic outgoing through the bridge to a specific server but it seems I can only do this with ipfw's forward/fwd or ipnat's rdr commands ... which are all layer 3 oriented and don't work with just a bridge...

Any ideas?

Thank you in advance for anyone's help,

Matt