Message-Id: <199809141235.UAA10513@spinner.netplex.com.au>
To: Luigi Rizzo
cc: archie@whistle.com (Archie Cobbs), net@FreeBSD.ORG
Subject: Re: Will the TEE function of IPFW be ever implemented/necessary ?
In-reply-to: Your message of "Wed, 09 Sep 1998 07:41:23 +0200." <199809090541.HAA17889@labinfo.iet.unipi.it>
Date: Mon, 14 Sep 1998 20:35:35 +0800
From: Peter Wemm

Luigi Rizzo wrote:
> > Luigi Rizzo writes:
> > > > I'd prefer that someone implemented it, because a few people have
> > > > asked for it, but on the other hand if no one is even going to implement
> ...
> > Well, all I can say is that I don't know what people might want
> > to use it for, but people always seem to find a way to surprise us
>
> but you said a few people have asked for it! so what they want it for...

One thing that ipfilter can do that ipfw can't until tee is implemented is
intercept packets. Suppose a scenario arises where a box has a heap of ppp
connections and one needs logging or tracing and it needs to be done
discreetly. ipfilter can forward another copy of the packets to another
host (eg: outside of crackers' vision) for logging.

The main difference is that you can have packets logged that wouldn't
otherwise be visible on an ethernet segment, eg: if a ppp user was trying
to break into another ppp user on the same host and you needed a secure
logging point.

Mind you, tcpdump / tcpshow make a pretty good combination, especially when
the dump file is being accessed via NFS so that there isn't as much running
to tip off an intruder.

Cheers,
-Peter