From owner-freebsd-ipfw@FreeBSD.ORG Tue May 2 19:52:00 2006
From: Kelly Yancey
To: Daniel Walker
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 2 May 2006 14:00:07 -0700 (PDT)
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering
Message-ID: <20060502135158.N93644@gateway.posi.net>
List-Id: IPFW Technical Discussions

On Thu, 27 Apr 2006, Daniel Walker wrote:

> hey all,
>
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
>
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of a DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
>
> With IPTABLES I would write something like this:
>
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string
> "|01 00 00 01 00 00 00 00 00 00 03 77 77 77 05 79 61 68 6f 6f 03 63 6f 6d
> 00 00 01 00 01|" -j DROP
>
> How would I write this in IPFW? I cannot see how to apply a rule based
> on the data of a packet. I've reviewed the man page of ipfw, but don't
> see anything there. What am I missing?
>
> Thanks.
>
> Dan

This is truly evil, but I have old patches (against FreeBSD 4.10) which
allow Henry Spencer's regex library to be used in the kernel:

  http://people.freebsd.org/~kbyanc/kernel-regex.diff

However, this is only a proof-of-concept; you would need to modify ipfw
(both userland and kernel) to actually invoke the regex routines in
response to an ipfw rule.

As others have pointed out, though, you should probably just write a
userland utility using the divert(4) interface and do your matching there.

  Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
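The matching half of the divert(4) approach Kelly suggests, written out as an added example (this is not code from the thread, from Kelly, or from ipfw). It assumes the packet arrives as a raw IPv4 datagram the way a divert socket delivers it, and it parses the DNS question section properly instead of matching a fixed byte string, so label case, the transaction ID, and truncated or malformed datagrams are all handled. The function names (dns_query_matches, udp_dns_payload, build_sample_packet, sample_packet_blocked), the 0x1234 transaction ID and the 10.0.0.x addresses are all constructed for the example; the query bytes themselves are the ones from the iptables rule above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the query bytes from the iptables rule in the thread,
 * preceded by a made-up transaction ID (0x1234). The rule's hex string starts
 * at the flags word precisely because the ID differs on every query. */
static const uint8_t sample_query[] = {
    0x12, 0x34,                                     /* ID (constructed) */
    0x01, 0x00,                                     /* flags: RD */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* QD=1, AN=NS=AR=0 */
    0x03, 'w', 'w', 'w', 0x05, 'y', 'a', 'h', 'o', 'o', 0x03, 'c', 'o', 'm',
    0x00,                                           /* root label */
    0x00, 0x01, 0x00, 0x01                          /* QTYPE A, QCLASS IN */
};

/* True if the first question of a DNS message asks for `blocked`
 * (case-insensitive, trailing dot optional). Every access is bounds checked,
 * so a truncated or malformed datagram yields "no match", never an OOB read. */
bool dns_query_matches(const uint8_t *msg, size_t len, const char *blocked)
{
    if (len < 12) return false;                      /* header is 12 bytes */
    if (msg[2] & 0x80) return false;                 /* QR=1: a response */
    if (((msg[4] << 8) | msg[5]) == 0) return false; /* QDCOUNT == 0 */

    char name[256];
    size_t off = 12, n = 0;
    for (;;) {
        if (off >= len) return false;
        uint8_t lab = msg[off++];
        if (lab == 0) break;                          /* end of name */
        if (lab & 0xC0) return false;                 /* pointer/extended label: unsupported */
        if (lab > len - off) return false;            /* label runs past datagram */
        if (n + lab + 1 >= sizeof name) return false; /* name too long */
        memcpy(name + n, msg + off, lab);
        n += lab;
        name[n++] = '.';
        off += lab;
    }
    if (n == 0 || len - off < 4) return false;        /* root query / no QTYPE+QCLASS */
    name[n - 1] = '\0';                               /* drop trailing dot */

    size_t bl = strlen(blocked);
    if (bl > 0 && blocked[bl - 1] == '.') bl--;
    if (bl != n - 1) return false;
    for (size_t i = 0; i < bl; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)blocked[i]))
            return false;
    return true;
}

/* Locate the payload of a UDP datagram to port 53 inside a raw IPv4 packet,
 * which is what recvfrom(2) on a divert(4) socket hands a userland filter. */
bool udp_dns_payload(const uint8_t *pkt, size_t len,
                     const uint8_t **payload, size_t *plen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 8) return false;
    if (pkt[9] != 17) return false;                   /* not UDP */
    uint16_t dport = (pkt[ihl + 2] << 8) | pkt[ihl + 3];
    uint16_t ulen  = (pkt[ihl + 4] << 8) | pkt[ihl + 5];
    if (dport != 53 || ulen < 8 || ulen > len - ihl) return false;
    *payload = pkt + ihl + 8;
    *plen = ulen - 8;
    return true;
}

/* Constructed IPv4/UDP packet (checksums left zero) carrying sample_query,
 * standing in for a diverted packet. Returns its length, 0 if buf is too small. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    size_t dlen = sizeof sample_query, total = 20 + 8 + dlen;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                    /* IPv4, IHL=5 */
    buf[2] = total >> 8; buf[3] = total & 0xFF;
    buf[8] = 64; buf[9] = 17;                         /* TTL, protocol UDP */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);          /* src 10.0.0.1 (constructed) */
    memcpy(buf + 16, "\x0a\x00\x00\x35", 4);          /* dst 10.0.0.53 (constructed) */
    buf[20] = 0xC0; buf[23] = 0x35;                   /* sport 49152, dport 53 */
    buf[24] = (8 + dlen) >> 8; buf[25] = (8 + dlen) & 0xFF;
    memcpy(buf + 28, sample_query, dlen);
    return total;
}

/* Verdict a divert-based filter would apply to the sample packet:
 * true = drop (query is for `blocked`), false = reinject unchanged. */
bool sample_packet_blocked(const char *blocked)
{
    uint8_t pkt[128];
    const uint8_t *p; size_t plen;
    size_t n = build_sample_packet(pkt, sizeof pkt);
    return n > 0 && udp_dns_payload(pkt, n, &p, &plen)
                 && dns_query_matches(p, plen, blocked);
}

int main(void)
{
    printf("www.yahoo.com blocked: %d\n", sample_packet_blocked("www.yahoo.com"));
    printf("www.example.com blocked: %d\n", sample_packet_blocked("www.example.com"));
    return 0;
}
```

In a real divert-based filter the loop around this is: an ipfw `divert` rule for `udp` to port 53 in the forward path, a `socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)` bound to that port, `recvfrom` to get the packet, and `sendto` with the same sockaddr to reinject it when `sample_packet_blocked`'s logic says it is allowed; simply not reinjecting is the drop. Parsing the name rather than byte-matching also means a query for `WWW.Yahoo.COM` or with a different transaction ID is still caught, which the fixed hex string would miss.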