# bridge filtering



## zader (Oct 1, 2021)

Not sure if it’s possible, but I have a bridge setup on a host with a basic pf.conf

I also have a jail on the same host.. 0.10

any idea how I could forward a copy of traffic on a specific port.. without actually using a redirect

the basic rule would be something like, clone all traffic on port 8080 and send a copy to 192.168.0.10.. 

the trick here is i can’t use a rdr or forward rule because I don’t want to intercept the original packet

thanks!


----------



## Argentum (Oct 1, 2021)

zader said:


> the trick here is i can’t use a rdr or forward rule because I don’t want to intercept the original packet


Just asking *why*?

I have similar setup running with bhyve guests an virtual switch, but the pf configuration has *rdr* rules in it.


----------



## SirDice (Oct 1, 2021)

zader said:


> the basic rule would be something like, clone all traffic on port 8080 and send a copy to 192.168.0.10..


How is the source supposed to deal with two responses from different IP addresses? Suppose I send a SYN to that port 8080, and I get two SYN/ACKs from two different IP address in return. Or worse, one IP responds with SYN/ACK and the other with RST. How will this be handled?

Or are you trying to setup something akin to a SPAN (monitoring) port on a Cisco switch? If you want to hookup an IDS for example, there are better ways to accomplish this (a network tap for example).


----------



## zader (Oct 1, 2021)

hum let me clarify the exact usecase..

I need to find a way to clone some traffic based at minimum via port number or ideally at the frame / protocol level.. the purpose is to pick out amqp messages and send a copy to a rabbitmq server where it is is injested..

the idea is to be able to clone the traffic in a way that allows rabbit to get a “copy” of the data it can process and destroy.. this allows the original copy to continue on its way for storage..

the ideal solution would be a transparent inline bridge but i’m not sure if i can even get away with that configuration.

thanks again


----------



## SirDice (Oct 1, 2021)

zader said:


> I need to find a way to clone some traffic based at minimum via port number or ideally at the frame / protocol level.. the purpose is to pick out amqp messages and send a copy to a rabbitmq server where it is is injested..


Those are TCP connections. You can't just duplicate the packets and hope it'll work (due to the responses coming back to the source from two different IP addresses). You'll have to use some sort of middleware application that can receive it and then dispatch it further.


----------



## zader (Oct 1, 2021)

squid to the rescue then?  or is there something else that may work better?..  also would you tap the bridge and do it that way? or do as Argentum said and just rdr to a jail/vm

thanks!


----------



## Argentum (Oct 1, 2021)

zader said:


> squid to the rescue then?  or is there something else that may work better?..  also would you tap the bridge and do it that way? or do as Argentum said and just rdr to a jail/vm


net/rabbitmq messages are TCP as SirDice already pointed out. I think you can use *rabbitmq* itself to replicate the incoming stream. Competing Consumers


----------



## zader (Oct 2, 2021)

yea normally I would use rabbit to split traffic .. the issue here is each environment is unique, so I wont know what the downstream ip to split to is..


the other important note here (sorry i wasn’t ware of until today)

the traffic is actually all broadcast UDP


----------

