Date:      Thu, 8 Nov 2001 15:38:11 -0800 (PST)
From:      Archie Cobbs <archie@dellroad.org>
To:        cjclark@alum.mit.edu
Cc:        Luigi Rizzo <rizzo@aciri.org>, freebsd-net@FreeBSD.ORG
Subject:   Re: Fixing ipfw(8)'s 'tee'
Message-ID:  <200111082338.fA8NcBK41060@arch20m.dellroad.org>
In-Reply-To: <20011107154601.A301@blossom.cjclark.org> "from Crist J. Clark at Nov 7, 2001 03:46:01 pm"

Crist J. Clark writes:
> The issue may be that you wish to make a decision on the packet in
> later rules. For example, someone might wish to 'tee' all traffic to
> and from a certain machine to some unspecified traffic monitoring
> program listening on the divert socket. However, all of the traffic
> to and from that IP address may or may not be allowed by the security
> policy. With 'tee' as it exists, one cannot catch _all_ of the traffic
> (whether or not allowed by policy) and still apply policy.

Yes, this is how 'tee' should work. It was really hard to do at the
time for some reason that I can't recall... I think because the
interface between ip_input.c and ip_fw.c doesn't handle one packet
splitting into two packets like that... but maybe things have
gotten better since then.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
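A toy model of the two 'tee' behaviours discussed in this thread, as an added example that is not part of the thread or of FreeBSD's ip_fw code. It assumes the pre-fix tee ends the rule search and passes the original packet, and uses constructed addresses and rule numbers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str

@dataclass
class Rule:
    number: int
    action: str                 # "tee", "allow" or "deny"
    host: Optional[str] = None  # match packets to or from this host; None matches any packet

    def matches(self, pkt: Packet) -> bool:
        return self.host is None or pkt.src == self.host or pkt.dst == self.host

def evaluate(pkt: Packet, rules: List[Rule], tee_continues: bool) -> Tuple[str, int]:
    """Walk the ruleset in order; return (verdict, number of copies sent to the tee socket)."""
    copies = 0
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "tee":
            copies += 1             # a copy goes to the divert socket in both models
            if tee_continues:
                continue            # desired behaviour: keep searching so later policy rules apply
            return "allow", copies  # assumption: the pre-fix tee ends the search and passes the packet
        return rule.action, copies
    return "deny", copies           # implicit final rule, assumed default-deny here

# Constructed ruleset: copy everything to/from the monitored host to a tee socket,
# then apply policy (block that host, allow everything else).
MONITORED = "10.0.0.5"  # constructed address
RULES = [Rule(100, "tee", MONITORED), Rule(200, "deny", MONITORED), Rule(300, "allow")]

def compare(pkt: Packet) -> dict:
    """Verdict and tee copy count under the old (terminating) and fixed (continuing) tee."""
    return {"old_tee": evaluate(pkt, RULES, tee_continues=False),
            "fixed_tee": evaluate(pkt, RULES, tee_continues=True)}

if __name__ == "__main__":
    for p in (Packet("10.0.0.5", "198.51.100.1"), Packet("192.0.2.7", "198.51.100.1")):
        print(p, compare(p))
```

With the terminating tee the monitored host's traffic is copied but never reaches rule 200, so the deny policy is silently bypassed; with the continuing tee it is both copied and denied.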
