Date: Fri, 9 Nov 2001 13:14:27 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Luigi Rizzo <rizzo@aciri.org>
Cc: Archie Cobbs <archie@dellroad.org>, freebsd-net@FreeBSD.ORG
Subject: Re: Fixing ipfw(8)'s 'tee'
Message-ID: <20011109131427.X51134@blossom.cjclark.org>
In-Reply-To: <20011109063143.A12504@iguana.aciri.org>; from rizzo@aciri.org on Fri, Nov 09, 2001 at 06:31:43AM -0800
References: <20011107154601.A301@blossom.cjclark.org> <200111082338.fA8NcBK41060@arch20m.dellroad.org> <20011109021747.A11137@iguana.aciri.org> <20011109033753.T51134@blossom.cjclark.org> <20011109063143.A12504@iguana.aciri.org>
On Fri, Nov 09, 2001 at 06:31:43AM -0800, Luigi Rizzo wrote:
> > > You can implement the above by replacing all terminal actions
> > > (accept or deny) with "tee" and "divert" statements, respectively.
> >
> > Ouch. I think that you can get any behavior you want in that manner,
> > but that could be one long and ugly rule set.
>
> why do you think it is "long" ? it is a one-by-one replacement.
Almost, it can be more like adding one or two extra rules for every
existing rule. For example, if I want to watch all traffic going to
specific 'host' with one monitoring daemon and all traffic going to a
certain 'subnet' on another (both of which are only subsets of the
total traffic going through the gateway),
1000 tee 8668 ip from any to <host>
1050 tee 8668 ip from <host> to any
1100 tee 8669 ip from any to <subnet>
1150 tee 8669 ip from <subnet> to host
# Allowed outgoing TCP
2000 pass tcp from any to any 80,8080,110,<whatever> out via <oif> setup keep-state
# Allowed outgoing UDP
2100 pass udp from any to any 53,123,<whatever> out via <oif> keep-state
# Pass everything on inner interface
3000 pass ip from any to any via <iif>
# Pass incoming HTTP
4000 pass tcp from any to any 80 in via <oif>
4100 pass tcp from any 80 to any out via <oif>
.
.
.
# Default deny and log
65000 deny log ip from any to any
Would work if 'tee' fell through.
But in reality, the above rules do not work that way. The method you
mention works, but the rules become,
# Allowed outgoing TCP
2000 tee 8668 tcp from any to <host> 80,8080,110,<whatever> out via <oif> setup keep-state
2100 tee 8669 tcp from any to <subnet> 80,8080,110,<whatever> out via <oif> setup keep-state
2200 pass tcp from any to any 80,8080,110,<whatever> out via <oif> setup keep-state
# Allowed outgoing UDP
2300 tee 8668 udp from any to <host> 53,123,<whatever> out via <oif> keep-state
2400 tee 8669 udp from any to <subnet> 53,123,<whatever> out via <oif> keep-state
2500 pass udp from any to any 53,123,<whatever> out via <oif> keep-state
# Pass everything on inner interface
3100 tee 8668 ip from any to <host> via <iif>
3100 tee 8668 ip from <host> to any via <iif>
3200 tee 8669 ip from any to <subnet> via <iif>
3200 tee 8669 ip from <subnet> to any via <iif>
3300 pass ip from any to any via <iif>
# Pass incoming HTTP
4000 tee 8668 tcp from any to <host> 80 in via <oif>
4100 tee 8668 tcp from <host> 80 to any out via <oif>
4200 tee 8669 tcp from any to <subnet> 80 in via <oif>
4300 tee 8669 tcp from <subnet> 80 to any out via <oif>
4400 pass tcp from any to any 80 in via <oif>
4500 pass tcp from any 80 to any out via <oif>
.
.
.
# Default deny and log
61000 divert 8668 log ip from any to <host>
62000 divert 8668 log ip from <host> to any
63000 divert 8669 log ip from any to <subnet>
64000 divert 8669 log ip from <subnet> to any
65000 deny log ip from any to any
Which seems a bit unwieldy. Each single 'pass' or 'deny' rule from the
first example has become several rules. Then again, I may be
overlooking a much easier way to write these.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
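The following is an added illustration, not code from this thread or from ipfw itself: a small first-match simulator in Python that models the two listings above. The ipfw match clauses are replaced by Python predicates, `<host>`, `<subnet>`, `<oif>` and `<iif>` are constructed values, and 'tee' is modelled as terminal (copy to the divert port, original packet accepted), which is the behaviour the thread is discussing. The `expand()` function generalises the second listing: it puts a monitor variant of every terminal rule in front of that rule ('tee' for pass, 'divert' for deny) with the same match clause, so the growth in rule count can be seen directly. The sample packets are constructed, and the last one shows a packet that matches both monitors.

```python
"""Toy first-match simulator for the two ipfw rule sets quoted in the message.

Constructed example, not ipfw source: match clauses are Python predicates
standing in for the ipfw syntax, and <host>, <subnet>, <oif>, <iif> are
made-up values.  'tee' is modelled as terminal (copy to the divert port,
original packet accepted), the behaviour the thread is about changing.
"""
from ipaddress import ip_address, ip_network

HOST = ip_address("192.0.2.10")            # <host>   (constructed)
SUBNET = ip_network("198.51.100.0/24")     # <subnet> (constructed)
OIF, IIF = "fxp0", "fxp1"                  # <oif>, <iif> (constructed)


def pkt(proto, src, dst, dport, direction, iface):
    return {"proto": proto, "src": ip_address(src), "dst": ip_address(dst),
            "dport": dport, "dir": direction, "iface": iface}


# Monitor selectors: which traffic each daemon (8668 = host, 8669 = subnet) wants.
MONITORS = [
    (8668, lambda p: p["dst"] == HOST),
    (8668, lambda p: p["src"] == HOST),
    (8669, lambda p: p["dst"] in SUBNET),
    (8669, lambda p: p["src"] in SUBNET),
]

# Terminal (pass/deny) rules shared by both listings: (number, action, port, match).
BASE = [
    (2000, "pass", None, lambda p: p["proto"] == "tcp" and p["dport"] in (80, 8080, 110)
                                   and p["dir"] == "out" and p["iface"] == OIF),
    (2100, "pass", None, lambda p: p["proto"] == "udp" and p["dport"] in (53, 123)
                                   and p["dir"] == "out" and p["iface"] == OIF),
    (3000, "pass", None, lambda p: p["iface"] == IIF),
    (4000, "pass", None, lambda p: p["proto"] == "tcp" and p["dport"] == 80
                                   and p["dir"] == "in" and p["iface"] == OIF),
    (65000, "deny", None, lambda p: True),
]

# First listing: four 'tee' rules in front, which only works if tee falls through.
RULES_A = [(1000 + 50 * i, "tee", port, sel) for i, (port, sel) in enumerate(MONITORS)] + BASE


def expand(rules):
    """Second listing, generalised: a monitor variant of every terminal rule goes in
    front of it ('tee' for pass, 'divert' for deny), keeping the same match clause."""
    out = []
    for num, action, _, match in rules:
        mon = "tee" if action == "pass" else "divert"
        for port, sel in MONITORS:
            out.append((num, mon, port, lambda p, m=match, s=sel: m(p) and s(p)))
        out.append((num, action, None, match))
    return out


RULES_B = expand(BASE)


def evaluate(rules, p, tee_falls_through=False):
    """Walk the list first-match; return (verdict, monitor ports that saw the packet)."""
    seen = []
    for _, action, port, match in rules:
        if not match(p):
            continue
        if action == "tee":
            seen.append(port)                 # a copy goes to the monitor
            if tee_falls_through:
                continue                      # hypothetical fixed tee: keep searching
            return "accept", seen             # real tee: search ends, original accepted
        if action == "divert":
            seen.append(port)
            return "divert", seen             # handed to the daemon, not forwarded
        return ("accept" if action == "pass" else "deny"), seen
    return "deny", seen                       # default rule (deny)


PACKETS = {   # constructed traffic samples
    "web_out_to_host":   pkt("tcp", "10.0.0.5", "192.0.2.10", 80, "out", OIF),
    "probe_in_to_host":  pkt("udp", "203.0.113.7", "192.0.2.10", 5000, "in", OIF),
    "dns_out_to_net":    pkt("udp", "10.0.0.5", "198.51.100.53", 53, "out", OIF),
    "https_unwatched":   pkt("tcp", "10.0.0.5", "203.0.113.80", 443, "out", OIF),
    "host_to_net_inner": pkt("tcp", "192.0.2.10", "198.51.100.9", 22, "in", IIF),
}


def compare():
    """Per sample: (accepted?, monitors) under the wished-for fall-through semantics,
    under listing A with real tee, and under the expanded listing B."""
    results = {}
    for name, p in PACKETS.items():
        wished = evaluate(RULES_A, p, tee_falls_through=True)
        real_a = evaluate(RULES_A, p)
        real_b = evaluate(RULES_B, p)
        results[name] = tuple((v == "accept", tuple(s)) for v, s in (wished, real_a, real_b))
    return results


if __name__ == "__main__":
    print(f"{len(BASE)} terminal rules expand to {len(RULES_B)} rules")
    for name, (wished, a, b) in compare().items():
        print(f"{name:18} wished={wished} listing_A={a} listing_B={b}")
```

Running it shows the point of the message: with real (terminal) tee, listing A accepts the inbound UDP probe to the host because rule 1000 ends the search, whereas the expanded listing B denies it (via divert) while still handing it to the monitor, at the cost of five rules per terminal rule. It also shows a difference the expansion cannot close: a packet matching both monitors gets two copies under fall-through tee but only one under listing B, since the first matching tee variant ends the search.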
