From: Stanley.Hopcroft@ipaustralia.gov.au
To: questions@FreeBSD.ORG
Message-ID: <4A2566A6.0018943D.00@noteshub01.aipo.gov.au>
Date: Fri, 23 Oct 1998 14:44:16 +1000
Subject: Using IPFW and DIVERT/TEE sockets to capture data (for intensive firewall logging)

Dear Ladies and Gentlemen,

I am writing to ask your help using 2.2.7-RELEASE ipfw with tee/divert sockets to provide intensive logging (i.e. capturing the packet or the packet's data) in a firewall context.
My kernel is built with options FIREWALL and options DIVERT; my ipfw rules appear to load correctly, e.g.

    ipfw add tee 1000 from any 1-23- to
    ipfw add tee 1000 from server_port> to any 1023-

There is a small Perl UDP or TCP server listening on port 1000 (visible with netstat -a) that copies the packet to stdout.

Unfortunately, whether or not the server is listening on port 1000 (having bound the socket to localhost port 1000), when the ipfw rule with tee is active, the rule seemingly doesn't

. log data (via the server)
. allow packets through to the normal destination (address port )

A client trying to connect to the subject of the rule gets "connection refused" / "permission denied".

Thanks for any comments you may have.

Yours sincerely.
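An added example, not part of the original post: a minimal FreeBSD divert-socket listener of the kind a tee or divert rule feeds. ipfw's tee and divert actions hand matched packets to a divert socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT) bound to the divert port named in the rule, so the receiving program needs that socket type rather than a UDP or TCP listener; the describe() summary function and the constructed sample packet are assumptions for illustration, not anything from the post.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; only there does socket() succeed */
#endif
/* Constructed test sample: IPv4/TCP header, 10.0.0.1:40000 -> 192.168.1.2:23 */
static const unsigned char sample_pkt[40] = {
    0x45, 0, 0, 0x28, 0, 1, 0, 0, 0x40, 0x06, 0, 0, 10, 0, 0, 1, 192, 168, 1, 2,
    0x9c, 0x40, 0, 0x17, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };

/* Summarise one diverted IPv4 packet as "src:port > dst:port proto N len L"; NULL if too short. */
const char *describe(const unsigned char *p, size_t len)
{
    static char line[128];
    if (len < 20 || (p[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return NULL;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, p + 12, src, sizeof src);
    inet_ntop(AF_INET, p + 16, dst, sizeof dst);
    unsigned sport = 0, dport = 0;       /* only TCP/UDP carry ports */
    if ((p[9] == IPPROTO_TCP || p[9] == IPPROTO_UDP) && len >= ihl + 4) {
        sport = (unsigned)p[ihl] << 8 | p[ihl + 1];
        dport = (unsigned)p[ihl + 2] << 8 | p[ihl + 3];
    }
    snprintf(line, sizeof line, "%s:%u > %s:%u proto %u len %zu",
             src, sport, dst, dport, (unsigned)p[9], len);
    return line;
}

int main(void)
{
    /* tee/divert deliver to a divert socket bound to the divert port (the 1000 in
     * "ipfw add tee 1000 ..."); a TCP or UDP listener on port 1000 never sees them. */
    puts(describe(sample_pkt, sizeof sample_pkt));   /* self-check on the constructed sample */
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(1000) };
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("divert socket"); return 1;
    }
    unsigned char pkt[65535]; const char *d;
    for (;;) {                           /* tee: the kernel still forwards the original */
        ssize_t n = recvfrom(s, pkt, sizeof pkt, 0, NULL, NULL);
        if (n > 0 && (d = describe(pkt, (size_t)n))) puts(d);
    }
}
```

With a divert (rather than tee) rule the packet is consumed by the socket unless the program writes it back with sendto() on the same socket, so a logger built on divert must reinject every packet it receives or the traffic stops.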