Date: Sun, 25 Oct 1998 20:29:14 -0800
From: "Jan B. Koum " <jkb@best.com>
To: Stanley.Hopcroft@ipaustralia.gov.au, isp@FreeBSD.ORG
Subject: Re: Using IPFW and DIVERT/TEE sockets to capture data (for intensive firewall logging)
Message-ID: <19981025202914.D14664@best.com>
In-Reply-To: <4A2566A9.001A19A2.00@noteshub01.aipo.gov.au>; from Stanley.Hopcroft@ipaustralia.gov.au on Mon, Oct 26, 1998 at 02:44:58PM +1000
References: <4A2566A9.001A19A2.00@noteshub01.aipo.gov.au>
On Mon, Oct 26, 1998 at 02:44:58PM +1000, Stanley.Hopcroft@ipaustralia.gov.au wrote:
>
> Dear Ladies and Gentlemen,
>
> I am writing to ask your help using 2.2.7-RELEASE ipfw with tee/divert
> sockets to provide intensive logging (ie capturing the packet or the
> packet's data) in a firewall context.
>
> My kernel is built with options FIREWALL and options DIVERT; my ipfw rules
> appear to load correctly eg
>
> ipfw add tee 1000 from any 1023- to <server> <server_port>
> ipfw add tee 1000 from <server> <server_port> to any 1023-
>
> There is a small perl UDP or TCP server listening on port 1000 (visible
> with netstat -a) that copies the packet to stdout.
>
> Unfortunately, whether or not the server is listening on port 1000 (having
> bound the socket to localhost port 1000), when the ipfw rule with tee is
> active, the rule seemingly doesn't
>
> . log data (via the server)
> . allow packets through to the normal destination (address <server> port
> <server_port>)
>
> A client trying to connect to the subject of the rule returns
>
> - connection refused
> - permission denied.
>
> Thanks for any comments you may have.
>
> Yours sincerely.
>

[ You might try questions@freebsd.org since this is an ISP-related list.]

To answer your question: I don't think tee is actually implemented right
now. I remember Archie Cobbs and Luigi Rizzo talking about it back a month
or two ago on one of the lists.. If you want to log your traffic, consider
using tcpdump, or you might want to also check out NFR: www.nfr.net

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
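[Editor's note, added to this archive page; the code below is not from either poster nor from the FreeBSD project.] The thread asks for packet-level logging through ipfw and the reply points out that `tee` was not implemented at the time. The other option the poster names, a `divert` rule, did work, but it behaves differently from a copy: a diverted packet leaves the IP stack and is only forwarded if the userland process that read it writes it back to the same socket with the same `sockaddr`; if nobody reinjects it (or no process is bound to the divert port), the packet is simply gone, which a client sees as a dropped connection rather than a logged one. The example below is a minimal divert-socket logger in C that decodes the IPv4 header and TCP/UDP ports, writes one line per packet, and reinjects. It assumes a hypothetical rule such as `ipfw add divert 1000 tcp from any to <server> <server_port>` (port 1000 is taken from the poster's rules), the kernel divert option the poster mentions, and root privileges for the raw socket. The sample packet at the bottom is constructed for demonstration; only the decoding functions are portable, the socket loop in `main` is FreeBSD-specific.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* FreeBSD defines IPPROTO_DIVERT in <netinet/in.h>; this fallback uses
   FreeBSD's value (254) only so the decoding half of the file builds on
   other systems. It does not make divert sockets work there. */
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254
#endif

struct pkt_summary {
    uint8_t  proto;
    uint16_t total_len;
    uint16_t sport, dport;            /* 0 unless TCP or UDP */
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
};

/* Decode the IPv4 header (and TCP/UDP ports) of a packet as delivered on a
   divert socket: raw IP, no link-layer header. Returns 0 on success, -1 if
   the buffer is not a plausible IPv4 packet. Checksums are not verified. */
int summarize_packet(const unsigned char *buf, size_t len, struct pkt_summary *s)
{
    memset(s, 0, sizeof *s);
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;     /* header length in bytes */
    if (ihl < 20 || len < ihl)
        return -1;
    s->total_len = (uint16_t)((buf[2] << 8) | buf[3]);
    s->proto = buf[9];
    inet_ntop(AF_INET, buf + 12, s->src, sizeof s->src);
    inet_ntop(AF_INET, buf + 16, s->dst, sizeof s->dst);
    if ((s->proto == IPPROTO_TCP || s->proto == IPPROTO_UDP) && len >= ihl + 4) {
        s->sport = (uint16_t)((buf[ihl] << 8) | buf[ihl + 1]);
        s->dport = (uint16_t)((buf[ihl + 2] << 8) | buf[ihl + 3]);
    }
    return 0;
}

/* One log line per packet; returns the length snprintf reports. */
int format_summary(const struct pkt_summary *s, char *out, size_t outlen)
{
    return snprintf(out, outlen, "proto=%u %s:%u -> %s:%u len=%u",
                    s->proto, s->src, s->sport, s->dst, s->dport, s->total_len);
}

/* Read one packet from the divert socket, log it, and reinject it with the
   same sockaddr so ipfw resumes at the rule after the divert rule. Without
   the sendto() the packet is lost, which from the client's side looks like
   a deny rule. Returns 0 on success, -1 on a socket error. */
int divert_pass_one(int fd, FILE *log)
{
    unsigned char buf[65535];
    struct sockaddr_in from;
    socklen_t fromlen = sizeof from;
    struct pkt_summary s;
    char line[128];

    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
    if (n < 0)
        return -1;
    if (summarize_packet(buf, (size_t)n, &s) == 0) {
        format_summary(&s, line, sizeof line);
        fprintf(log, "%s\n", line);
    }
    if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
        return -1;
    return 0;
}

/* Constructed sample (not captured traffic): a TCP SYN from 10.0.0.5:40000
   to 192.0.2.10:23, IP and TCP checksums left as zero. */
const unsigned char SAMPLE_TCP_SYN[] = {
    0x45, 0x00, 0x00, 0x28, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x05, 0xc0, 0x00, 0x02, 0x0a,
    0x9c, 0x40, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};
const size_t SAMPLE_TCP_SYN_LEN = sizeof SAMPLE_TCP_SYN;

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 1000;   /* must match the divert rule's port */
    struct sockaddr_in sin;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) {
        perror("socket(IPPROTO_DIVERT)");
        return 1;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    sin.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("bind");
        return 1;
    }
    for (;;) {
        if (divert_pass_one(fd, stdout) < 0) {
            perror("divert");
            return 1;
        }
    }
}
```

Because the logger sits in the forwarding path, it must be running before the divert rule is loaded and must never stall: a slow `fprintf` to a full disk or a blocked pipe stalls every diverted connection. For a pure copy, tcpdump on the interface, as the reply suggests, stays out of the path entirely.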