From: Stanley.Hopcroft@ipaustralia.gov.au
To: isp@FreeBSD.ORG
Date: Mon, 26 Oct 1998 14:44:58 +1000
Subject: Using IPFW and DIVERT/TEE sockets to capture data (for intensive firewall logging)

Dear Ladies and Gentlemen,

I am writing to ask for your help using 2.2.7-RELEASE ipfw with tee/divert sockets to provide intensive logging (i.e. capturing the packet or the packet's data) in a firewall context.

My kernel is built with options FIREWALL and options DIVERT; my ipfw rules appear to load correctly, e.g.

  ipfw add tee 1000 from any 1-23- to
  ipfw add tee 1000 from server_port> to any 1023-

There is a small perl UDP or TCP server listening on port 1000 (visible with netstat -a) that copies the packet to stdout.
Unfortunately, whether or not the server is listening on port 1000 (having bound the socket to localhost port 1000), when the ipfw rule with tee is active, the rule seemingly doesn't

 . log data (via the server)
 . allow packets through to the normal destination (address port )

A client trying to connect to the subject of the rule returns - connection refused - permission denied.

Thanks for any comments you may have.

Yours sincerely.
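For reference, an added example (not the poster's code) of the listener that an ipfw tee or divert rule delivers to on FreeBSD: a raw socket of protocol IPPROTO_DIVERT bound to the rule's port, here 1000, which logs one line per copied packet. It assumes a kernel built with divert support and the tee rule quoted above; the IPv4 header parser and its struct are mine.

```c
/* Added example (not from the original post): a minimal divert(4) listener for
 * the "ipfw add tee 1000 ..." setup described above. Assumes FreeBSD, a kernel
 * with divert support, and a tee rule whose port is 1000. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258  /* FreeBSD's value; lets the parser build elsewhere */
#endif
#define DIVERT_PORT 1000    /* must equal the port number in the ipfw tee rule */

struct pkt_summary { int proto; int total_len; char src[16]; char dst[16]; };

/* Decode the fixed IPv4 header of a diverted packet: 0 on success, -1 if too short or not IPv4. */
int parse_ipv4(const unsigned char *buf, size_t len, struct pkt_summary *out)
{
    struct in_addr a;
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    out->total_len = (buf[2] << 8) | buf[3];
    out->proto = buf[9];
    memcpy(&a, buf + 12, 4);
    snprintf(out->src, sizeof out->src, "%s", inet_ntoa(a));
    memcpy(&a, buf + 16, 4);
    snprintf(out->dst, sizeof out->dst, "%s", inet_ntoa(a));
    return 0;
}

int main(void)
{
    /* A divert socket is raw, protocol IPPROTO_DIVERT, bound to the rule's port (not UDP/TCP). */
    struct sockaddr_in sin = { 0 }, from;
    socklen_t fromlen;
    unsigned char buf[65535];
    struct pkt_summary s;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    sin.sin_family = AF_INET; sin.sin_port = htons(DIVERT_PORT);  /* bind address is ignored */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (parse_ipv4(buf, (size_t)n, &s) == 0)  /* one log line per copied packet */
            printf("%s -> %s proto %d len %d\n", s.src, s.dst, s.proto, s.total_len);
        /* "tee" delivers a copy and the original continues; a "divert" rule would instead need
         * sendto(fd, buf, n, 0, (struct sockaddr *)&from, fromlen) here to reinject the packet. */
    }
}
```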