From owner-freebsd-isp Sun Oct 25 20:30:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA24799 for freebsd-isp-outgoing; Sun, 25 Oct 1998 20:30:59 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA24787 for ; Sun, 25 Oct 1998 20:30:57 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id UAA17853; Sun, 25 Oct 1998 20:29:15 -0800 (PST)
Message-ID: <19981025202914.D14664@best.com>
Date: Sun, 25 Oct 1998 20:29:14 -0800
From: "Jan B. Koum "
To: Stanley.Hopcroft@ipaustralia.gov.au, isp@FreeBSD.ORG
Subject: Re: Using IPFW and DIVERT/TEE sockest to capture data (for intensive firewall logging)
References: <4A2566A9.001A19A2.00@noteshub01.aipo.gov.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <4A2566A9.001A19A2.00@noteshub01.aipo.gov.au>; from Stanley.Hopcroft@ipaustralia.gov.au on Mon, Oct 26, 1998 at 02:44:58PM +1000
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Oct 26, 1998 at 02:44:58PM +1000, Stanley.Hopcroft@ipaustralia.gov.au wrote:
>
> Dear Ladies and Gentlemen,
>
> I am writing to ask your help using 2.2.7-RELEASE ipfw with tee/divert
> sockets to provide intensive logging (i.e. capturing the packet or the
> packet's data) in a firewall context.
>
> My kernel is built with options FIREWALL and options DIVERT; my ipfw rules
> appear to load correctly, e.g.
>
> ipfw add tee 1000 from any 1-23- to
> ipfw add tee 1000 from server_port> to any 1023-
>
> There is a small perl UDP or TCP server listening on port 1000 (visible
> with netstat -a) that copies the packet to stdout.
>
> Unfortunately, whether or not the server is listening on port 1000 (having
> bound the socket to localhost port 1000), when the ipfw rule with tee is
> active, the rule seemingly doesn't
>
> . log data (via the server)
> . allow packets through to the normal destination (address port
> )
>
> A client trying to connect to the subject of the rule returns
>
> - connection refused
> - permission denied.
>
> Thanks for any comments you may have.
>
> Yours sincerely.
>

[ You might try questions@freebsd.org since this is an ISP-related list.]

To answer your question: I don't think tee is actually implemented right now.
I remember Archie Cobbs and Luigi Rizzo talking about it back a month or two
ago on one of the lists.. If you want to log your traffic, consider using
tcpdump, or you might want to also check out NFR: www.nfr.net

-- Yan

I don't have the password ....      + Jan Koum
But the path is chainlinked ..      | Spelled Jan, pronounced Yan. There.
So if you've got the time ....      | Web: http://www.best.com/~jkb
Set the tone to sync .........      + OS: http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
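For anyone reading this thread later, here is an added example of what the listener side of an ipfw divert rule looks like. It is not code from either poster. Two things the question runs into: ipfw divert/tee hand packets to a socket created with SOCK_RAW and IPPROTO_DIVERT and bound to the divert port number, not to an ordinary UDP or TCP server on that port, so a perl UDP/TCP server bound to localhost:1000 never sees them; and with divert (as opposed to tee) the daemon must write every packet back to the socket with the sockaddr it was received with, or the packet never reaches its destination. The example assumes a rule such as `ipfw add divert 1000 tcp from any to any 80` (hypothetical), FreeBSD headers for IPPROTO_DIVERT (a fallback value is defined so the parsing part also compiles elsewhere), and a constructed 45-byte TCP/IP sample packet for testing the log formatter offline.

```c
/* divert_logger.c: log IPv4 packets arriving on an ipfw divert socket
 * (added example; not from the original thread). Build on FreeBSD with
 * cc -o divert_logger divert_logger.c and run as root. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; defined in <netinet/in.h> there */
#endif

#define DIVERT_PORT 1000     /* must equal the port in the ipfw divert rule (assumed) */

/* Summarise a raw IPv4 packet (no link-layer header, as divert delivers it)
 * into one log line. Returns 0 on success, -1 if the bytes are not a
 * plausible IPv4 packet (too short, wrong version, bogus header length). */
int format_packet_log(const unsigned char *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20) return -1;
    unsigned version = pkt[0] >> 4;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (version != 4 || ihl < 20 || ihl > len) return -1;
    unsigned total = ((unsigned)pkt[2] << 8) | pkt[3];
    unsigned proto = pkt[9];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, pkt + 12, src, sizeof src);
    inet_ntop(AF_INET, pkt + 16, dst, sizeof dst);

    if ((proto == IPPROTO_TCP || proto == IPPROTO_UDP) && len >= ihl + 4) {
        unsigned sport = ((unsigned)pkt[ihl] << 8) | pkt[ihl + 1];
        unsigned dport = ((unsigned)pkt[ihl + 2] << 8) | pkt[ihl + 3];
        snprintf(out, outlen, "%s %s:%u > %s:%u len=%u",
                 proto == IPPROTO_TCP ? "tcp" : "udp", src, sport, dst, dport, total);
    } else {
        snprintf(out, outlen, "proto=%u %s > %s len=%u", proto, src, dst, total);
    }
    return 0;
}

/* Offset of the transport payload (after the TCP/UDP header), or the end of
 * the IP header for other protocols. Returns len when headers overrun the
 * buffer, so callers can never index past the packet. */
size_t payload_offset(const unsigned char *pkt, size_t len)
{
    if (len < 20) return len;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return len;
    if (pkt[9] == IPPROTO_TCP) {
        if (ihl + 13 > len) return len;
        size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;   /* TCP data offset */
        return (ihl + doff > len) ? len : ihl + doff;
    }
    if (pkt[9] == IPPROTO_UDP) return (ihl + 8 > len) ? len : ihl + 8;
    return ihl;
}

/* Constructed sample: 10.0.0.5:40000 -> 192.168.1.20:80, TCP PSH/ACK, payload "GET /". */
static const unsigned char SAMPLE_PACKET[] = {
    0x45, 0x00, 0x00, 0x2d, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x05, 0xc0, 0xa8, 0x01, 0x14,
    0x9c, 0x40, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
    'G', 'E', 'T', ' ', '/'
};

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    struct sockaddr_in bind_addr;
    memset(&bind_addr, 0, sizeof bind_addr);
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(DIVERT_PORT);
    bind_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) { perror("bind"); return 1; }

    unsigned char pkt[65535];
    char line[256];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        if (format_packet_log(pkt, (size_t)n, line, sizeof line) == 0) {
            size_t off = payload_offset(pkt, (size_t)n);
            printf("%s payload=%zu bytes:", line, (size_t)n - off);
            for (size_t i = off; i < (size_t)n && i < off + 16; i++) printf(" %02x", pkt[i]);
            printf("\n");
        }
        /* Re-inject with the sockaddr recvfrom filled in so the packet continues
         * in the same direction. Without this write-back a divert rule drops the traffic. */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0) perror("sendto");
    }
    close(fd);
    return 0;
}
```

The parsing functions are deliberately separate from the socket loop so they can be exercised on a captured or constructed packet without root or a divert-capable kernel; the socket part only does what divert(4) requires (bind to the rule's port, read, write back).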