From owner-freebsd-net  Fri Nov  9 13:17:43 2001
Delivered-To: freebsd-net@freebsd.org
Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49])
	by hub.freebsd.org (Postfix) with ESMTP id C7C1237B41C
	for <freebsd-net@freebsd.org>; Fri,  9 Nov 2001 13:17:38 -0800 (PST)
Received: from dialup-209.245.133.43.dial1.sanjose1.level3.net ([209.245.133.43] helo=blossom.cjclark.org)
	by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #1)
	id 162J1r-0007mg-00; Fri, 09 Nov 2001 13:17:36 -0800
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id fA9LERd18692;
	Fri, 9 Nov 2001 13:14:27 -0800 (PST)
	(envelope-from cjc)
Date: Fri, 9 Nov 2001 13:14:27 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Luigi Rizzo <rizzo@aciri.org>
Cc: Archie Cobbs <archie@dellroad.org>, freebsd-net@FreeBSD.ORG
Subject: Re: Fixing ipfw(8)'s 'tee'
Message-ID: <20011109131427.X51134@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011107154601.A301@blossom.cjclark.org> <200111082338.fA8NcBK41060@arch20m.dellroad.org> <20011109021747.A11137@iguana.aciri.org> <20011109033753.T51134@blossom.cjclark.org> <20011109063143.A12504@iguana.aciri.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011109063143.A12504@iguana.aciri.org>; from rizzo@aciri.org on Fri, Nov 09, 2001 at 06:31:43AM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Fri, Nov 09, 2001 at 06:31:43AM -0800, Luigi Rizzo wrote:
> > > You can implement the above by replacing all terminal actions
> > > (accept or deny) with "tee" and "divert" statements, respectively.
> > 
> > Ouch. I think that you can get any behavior you want in that manner,
> > but that could be one long and ugly rule set.
> 
> why do you think it is "long" ? it is a one-by-one replacement.

Almost, it can be more like adding one or two extra rules for every
existing rule. For example, if I want to watch all traffic going to
specific 'host' with one monitoring daemon and all traffic going to a
certain 'subnet' on another (both of which are only subsets of the
total traffic going through the gateway),

  1000 tee 8668 ip from any to <host>
  1050 tee 8668 ip from <host> to any
  1100 tee 8669 ip from any to <subnet>
  1150 tee 8669 ip from <subnet> to host
  # Allowed outgoing TCP
  2000 pass tcp from any to any 80,8080,110,<whatever> out via <oif> setup keep-state
  # Allowed outgoing UDP
  2100 pass udp from any to any 53,123,<whatever> out via <oif> keep-state
  # Pass everything on inner interface
  3000 pass ip from any to any via <iif>
  # Pass incoming HTTP
  4000 pass tcp from any to any 80 in via <oif>
  4100 pass tcp from any 80 to any out via <oif>
  .
  .
  .
  # Default deny and log
  65000 deny log ip from any to any

Would work if 'tee' fell through.

But in reality, the above rules do not work that way. The method you
mention works, but the rules become,

  # Allowed outgoing TCP
  2000 tee 8668 tcp from any to <host> 80,8080,110,<whatever> out via <oif> setup keep-state
  2100 tee 8669 tcp from any to <subnet> 80,8080,110,<whatever> out via <oif> setup keep-state
  2200 pass tcp from any to any 80,8080,110,<whatever> out via <oif> setup keep-state
  # Allowed outgoing UDP
  2300 tee 8668 udp from any to <host> 53,123,<whatever> out via <oif> keep-state
  2400 tee 8669 udp from any to <subnet> 53,123,<whatever> out via <oif> keep-state
  2500 pass udp from any to any 53,123,<whatever> out via <oif> keep-state
  # Pass everything on inner interface
  3100 tee 8668 ip from any to <host> via <iif>
  3100 tee 8668 ip from <host> to any via <iif>
  3200 tee 8669 ip from any to <subnet> via <iif>
  3200 tee 8669 ip from <subnet> to any via <iif>
  3300 pass ip from any to any via <iif>
  # Pass incoming HTTP
  4000 tee 8668 tcp from any to <host> 80 in via <oif>
  4100 tee 8668 tcp from <host> 80 to any out via <oif>
  4200 tee 8669 tcp from any to <subnet> 80 in via <oif>
  4300 tee 8669 tcp from <subnet> 80 to any out via <oif>
  4400 pass tcp from any to any 80 in via <oif>
  4500 pass tcp from any 80 to any out via <oif>
  .
  .
  .
  # Default deny and log
  61000 divert 8668 log ip from any to <host>
  62000 divert 8668 log ip from <host> to any
  63000 divert 8669 log ip from any to <subnet>
  64000 divert 8669 log ip from <subnet> to any
  65000 deny log ip from any to any

Which seems a bit unweildy. Each single 'pass' or 'deny' rule from the
first example has become several rules. Then again, I may be
overlooking a much easier way to write these.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message