Date: Mon, 20 Jan 2003 15:19:05 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Jian Song <Jian.Song@nominum.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: How to do tcp payload validation
Message-ID: <20030120231904.GE34751@blossom.cjclark.org>
In-Reply-To: <3E280776.3060502@nominum.com>
References: <3E280776.3060502@nominum.com>
On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> Hi:
>
> I need to do tcp payload validation. Specifically, the tcp stream I am
> looking at contains multiple messages. Each message has a two-byte
> length header and is immediately followed by the body. I would like to
> monitor the tcp traffic and intercept each message. If there is an
> error, I will send RSTs to both ends of the connection. While I can do
> a BPF tap and do ip reassembly and tcp processing myself, I was
> wondering whether this can be achieved through ipfw or ipfilter. I
> would like a TCP tap which passes tcp payload data to a user process for
> further validation. This way, I don't have to worry about matching ACKs
> and doing TCP stream reassembly.

It sounds like what you really want is to just have a proxy running on
the firewall. Write a userland app that just handles the TCP connection
like any other daemon would. I don't see where a kernel-level firewall
would ever have to enter into it, unless for some reason you cannot
change the addresses used by the applications at either end of the
proxied connection. In that case, you can use transparent proxying via
'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).

-- 
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
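The userland proxy Crist suggests, written out as an added example (this is not code from the thread or from any FreeBSD component). It reassembles the two-byte length-prefixed messages from each direction of the connection, forwards only complete well-formed messages, and on a framing error resets both ends. Everything the original mail leaves unspecified is an assumption here and is marked as such in the code: the length is big-endian and counts only the body, a body is never empty or longer than MAX_MSG_LEN (4096), and "send RSTs to both ends" is implemented by closing each socket with SO_LINGER set to {l_onoff=1, l_linger=0}, which makes the kernel emit a RST instead of a FIN.

```python
#!/usr/bin/env python3
"""Validating TCP proxy for a two-byte length-prefixed message stream.

Added example for this thread, not code from the thread itself.  Assumptions
not stated in the original mail: the length is big-endian and counts only the
body, a body is never empty or longer than MAX_MSG_LEN, and "send RSTs" is done
by closing each socket with SO_LINGER {l_onoff=1, l_linger=0}.
"""
import selectors
import socket
import struct
import sys

MAX_MSG_LEN = 4096          # assumed upper bound on a message body


class FramingError(ValueError):
    """Raised when a length header cannot be valid for this protocol."""


class FrameParser:
    """Reassembles complete messages from an arbitrary split of the byte stream."""

    def __init__(self, max_len=MAX_MSG_LEN):
        self.buf = bytearray()
        self.max_len = max_len

    def feed(self, data):
        """Append data and return the list of complete message bodies now available.

        Bytes of a partially received message stay buffered for the next call.
        """
        self.buf += data
        msgs = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])   # assumed: network byte order
            if length == 0 or length > self.max_len:
                raise FramingError("bad length %d (max %d)" % (length, self.max_len))
            if len(self.buf) < 2 + length:
                break                                        # body not complete yet
            msgs.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return msgs


def frame(body):
    """Re-encode a validated body with its two-byte length header."""
    return struct.pack("!H", len(body)) + body


def set_rst_on_close(sock):
    """Make close() abort the connection with a RST rather than a FIN."""
    # struct linger { int l_onoff; int l_linger; } with l_onoff=1, l_linger=0
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))


def relay(client, server, max_len=MAX_MSG_LEN):
    """Forward validated messages in both directions until one side closes.

    Only complete, well-formed messages are forwarded, so a bad frame never
    reaches the other end; on FramingError both sockets are reset.  A message
    still partially buffered when one side closes is dropped.
    """
    sel = selectors.DefaultSelector()
    peer = {client: server, server: client}
    parser = {client: FrameParser(max_len), server: FrameParser(max_len)}
    for s in peer:
        sel.register(s, selectors.EVENT_READ)
    try:
        while True:
            for key, _ in sel.select():
                src = key.fileobj
                data = src.recv(65536)
                if not data:                        # orderly close: tear down both sides
                    return
                for body in parser[src].feed(data):
                    peer[src].sendall(frame(body))  # per-message content checks go here
    except FramingError as exc:
        print("framing error: %s; resetting both ends" % exc, file=sys.stderr)
        for s in peer:
            set_rst_on_close(s)
    finally:
        sel.close()
        for s in peer:
            s.close()


def serve(listen_port, target_host, target_port):
    """Accept one client at a time and proxy it to the fixed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(("", listen_port))
        ls.listen(5)
        while True:
            client, _ = ls.accept()
            server = socket.create_connection((target_host, target_port))
            relay(client, server)


if __name__ == "__main__":
    # usage: proxy.py <listen_port> <target_host> <target_port>
    serve(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

Run it on the firewall and point the client at the proxy's port; the target is fixed on the command line here. For the transparent case Crist mentions, an ipfw rule of the form `ipfw add 100 fwd 127.0.0.1,9000 tcp from any to any 7000 in via fxp0` (rule number, ports and interface are assumed) redirects the inbound connections to the proxy, and because fwd leaves the packet's destination address intact, getsockname() on the accepted socket yields the original destination the proxy should connect to. Forwarding re-framed whole messages rather than raw bytes is what makes the "intercept each message" requirement hold: a bad header is detected before any of that message reaches the far end, at the cost of one message of added latency.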