Date: Tue, 2 May 2006 14:00:07 -0700 (PDT)
From: Kelly Yancey <kbyanc@posi.net>
To: Daniel Walker <dwalker@zbi.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering
Message-ID: <20060502135158.N93644@gateway.posi.net>
In-Reply-To: <OF939DCF20.0D7C96D2-ON8525715D.00628F03-8525715D.00642ED9@zbi.com>
References: <OF939DCF20.0D7C96D2-ON8525715D.00628F03-8525715D.00642ED9@zbi.com>
On Thu, 27 Apr 2006, Daniel Walker wrote:

> hey all,
>
> here's what I'm looking to do. I know it could be done with IPTABLES, but as it's not available for the Mac OS X I'm trying to figure out how it would be done in IPFW ...
>
> RELAY is a workstation forwarding packets from a SOURCE workstation to all DESTINATION end points. RELAY is able to receive all packets from SOURCE bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE that are name resolution attempts to DESTINATION DNS server specifically for host WWW.YAHOO.COM (for example). To do this I need to create a rule that will look into the Data field of a DNS packet and match the query. The Data field of a DNS query packet would be written in hex.
>
> With IPTABLES I would write something like this:
>
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --algo bm --hex-string "|01 00 00 01 00 00 00 00 00 00 03 77 77 77 05 79 61 68 6f 6f 03 63 6f 6d 00 00 01 00 01|" -j DROP
>
> How would I write this in IPFW? I can not see how to apply a rule based on the data of a packet. I've reviewed the man page of ipfw, but don't see anything there. What am I missing?
>
> Thanks.
>
> Dan

This is truly evil, but I have old patches (against FreeBSD 4.10) which allow Henry Spencer's regex library to be used in the kernel:

http://people.freebsd.org/~kbyanc/kernel-regex.diff

However, this is only a proof-of-concept; you would need to modify ipfw (both userland and kernel) to actually invoke the regex routines in response to an ipfw rule.

As others have pointed out, though, you should probably just write a userland utility using the divert(4) interface and do your matching there.

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
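The matching step of the userland utility Kelly suggests, as an added example that is not from this thread or from FreeBSD: a parser for the question name of a DNS query and a policy check over the UDP payload, which is what a divert(4) reader would hand it after stripping the IP and UDP headers. Unlike the byte-exact hex string in the iptables rule, it folds label case and rejects truncated or malformed packets; the sample packets are constructed here, and the divert(4) socket handling is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Decode the first question name of a DNS message into lower-case dotted form.
 * Returns 1 on success, 0 if the message is a response, truncated or malformed.
 * msg/len is the UDP payload, i.e. what a divert(4) reader sees after
 * stripping the IP and UDP headers (socket handling omitted here). */
static int dns_qname(const unsigned char *msg, size_t len, char *out, size_t outlen)
{
    size_t pos = 12, o = 0;                 /* question follows the 12-byte header */
    if (len < 12 || (msg[2] & 0x80) || ((msg[4] << 8) | msg[5]) == 0)
        return 0;                           /* short, QR=1 (a response) or QDCOUNT=0 */
    for (;;) {
        if (pos >= len) return 0;           /* name runs past the end of the packet */
        unsigned char l = msg[pos++];
        if (l == 0) break;                  /* root label terminates the name */
        if (l > 63 || pos + l > len || o + l + 1 >= outlen)
            return 0;                       /* bad length (includes compression pointers) */
        if (o) out[o++] = '.';
        for (unsigned char i = 0; i < l; i++)
            out[o++] = (char)tolower(msg[pos++]);
    }
    if (pos + 4 > len) return 0;            /* QTYPE and QCLASS must follow the name */
    out[o] = '\0';
    return 1;
}

/* Policy check: 1 if the query asks exactly for `blocked`, ignoring label case. */
static int dns_query_blocked(const unsigned char *msg, size_t len, const char *blocked)
{
    char name[256];
    return dns_qname(msg, len, name, sizeof name) && strcasecmp(name, blocked) == 0;
}

/* Constructed sample: the query from the post (ID 0x1234, www.yahoo.com, A, IN). */
static const unsigned char sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 'w', 'w', 'w', 0x05, 'y', 'a', 'h', 'o', 'o', 0x03, 'c', 'o', 'm',
    0x00, 0x00, 0x01, 0x00, 0x01 };
/* Same question with mixed-case labels; a byte-exact hex match would miss it. */
static const unsigned char mixed_case_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 'W', 'w', 'W', 0x05, 'Y', 'a', 'H', 'o', 'O', 0x03, 'C', 'o', 'M',
    0x00, 0x00, 0x01, 0x00, 0x01 };
```

A divert(4) loop would call dns_query_blocked() on each diverted payload and drop the packet instead of reinjecting it when it returns 1.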