Date: Mon, 23 Apr 2001 12:28:02 -0400 (EDT) From: "Andrew R. Reiter" <arr@watson.org> To: Alex Pilosov <alex@pilosoft.com> Cc: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>, hackers@FreeBSD.ORG, net@FreeBSD.ORG Subject: Re: TCP intercept? Message-ID: <Pine.NEB.3.96L.1010423122243.853A-100000@fledge.watson.org> In-Reply-To: <Pine.BSO.4.10.10104230028370.17529-100000@spider.pilosoft.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In light of this, I would say that it would be cool to put into the ipfw
or ipf code seeing as how there are already hooks into the network stack
in the code. I am not sure how people will take the ipfw implementation
soley because I know there was alot of "hacking" being done to it in the
recent months (??). Im also not sure how well Darren would take the code
written if it was done for ipf.
Otherwise, you'll have to add some more hooks into the stack code
(tcp_{input,output}.c and perhaps others) and then handle it that way.
Im not really familiar with how (un)successful TCP intercept has been with
Cisco, but I would find that as a cool option :-)
Take it easy,
Andrew
On Mon, 23 Apr 2001, Alex Pilosov wrote:
> In cisco terminology, 'tcp intercept' is what the 'ip and tcp reassembly'
> part of ipnat does (without port/address rewriting). For example, a router
> in the middle which is doing the intercept will have to buffer/reassemble
> tcp stream and only forward packets after they are confirmed good.
>
> Example: packets with a wrong sequence number will be bounced at the
> router. On ciscos, tcp-intercept can also rate-limit syn packets...
>
> I'm not sure if it can be enabled in ipnat separately, but hell, if
> someone wants to do it...
>
> On Sun, 22 Apr 2001, Andrew R. Reiter wrote:
>
> >
> > What's TCP intercept?
> >
> > On Mon, 23 Apr 2001, E.B. Dreger wrote:
> >
> > > Greetings all,
> > >
> > > I'm no kernel hacker, and trying to think of useful little projects to
> > > change that. ;-)
> > >
> > > AFAIK, FreeBSD lacks support for TCP intercept. Is anyone already working
> > > on this? Would it be of interest to anyone? My initial thoughts are that
> > > it should be implemented in the same neighborhood as stateful firewall
> > > code, as the two are rather closely related.
> > >
> > >
> > > Eddy
> > >
> > > ---------------------------------------------------------------------------
> > >
> > > Brotsman & Dreger, Inc.
> > > EverQuick Internet / EternalCommerce Division
> > >
> > > Phone: (316) 794-8922
> > >
> > > ---------------------------------------------------------------------------
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-hackers" in the body of the message
> > >
> >
> > *-------------.................................................
> > | Andrew R. Reiter
> > | arr@fledge.watson.org
> > | "It requires a very unusual mind
> > | to undertake the analysis of the obvious" -- A.N. Whitehead
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> >
> >
>
>
*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010423122243.853A-100000>