From: Daniel Walker <dwalker@zbi.com>
To: vladone <vladone@spaingsm.com>, ipfw@freebsd.org
Date: Fri, 28 Apr 2006 11:39:25 -0400
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering
In-Reply-To: <1753864896.20060428175200@spaingsm.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

vladone,

I appreciate the response, but after doing a little more research on the issue I've discovered it is not possible to do what I want with IPFW.

What I'm trying to do is block DNS queries for a specific domain name (the domain name is not the DESTINATION but a value to be handled by any DNS server). To do this I need to be able to match a string within the body of the data field against a string I provide and have the firewall drop packets that match. With IPTABLES I'm able to do this by predicting the hex value of the data field containing a query for the domain name www.yahoo.com. IPTABLES allows for string matching. IPFW does not. I'll have to fire up my Ubuntu to do this.

Thanks.

dan


vladone <vladone@spaingsm.com>
Sent by: owner-freebsd-ipfw@freebsd.org
04/28/06 10:52 AM
Please respond to vladone

To: ipfw@freebsd.org
cc:
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Hello Daniel,

Thursday, April 27, 2006, 9:13:02 PM, you wrote:

> hey all,
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny forwarding of packets from SOURCE
> that are name resolution attempts to the DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of a DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
> With IPTABLES I would write something like this:
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string

You have the explanation for this in man ipfw:

    src and dst: {addr | { addr or ... }} [[not] ports]
        An address (or a list, see below) optionally followed by ports
        specifiers. The second format (or-block with multiple addresses)
        is provided for convenience only and its use is discouraged.

    addr: [not] {any | me | addr-list | addr-set}
        any     matches any IP address.
        me      matches any IP address configured on an interface in the
                system. The address list is evaluated at the time the
                packet is analysed.

    addr-list: ip-addr[,addr-list]

    ip-addr: A host or subnet address specified in one of the following ways:
        numeric-ip | hostname
                Matches a single IPv4 address, specified as dotted-quad or
                a hostname. Hostnames are resolved at the time the rule is
                added to the firewall list.

So if you want to deny packets to some hostname you have a rule like:

    ipfw add 100 deny ip from me to www.yahoo.com

--
Best regards,
vladone                            mailto:vladone@spaingsm.com

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
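The two approaches in the thread filter on different things: vladone's ipfw rule matches the packet's destination address (resolved once, when the rule is added), while Daniel wants to match the question name carried inside the DNS payload, which is what an iptables string match on the data field does. The example below is added here and is not code from the thread or from either project. It shows what such a payload match actually has to look for: a DNS question name is not sent as the text "www.yahoo.com" but as length-prefixed labels followed by a zero byte (the bytes one would write into an iptables `--hex-string` pattern in its `|..|` notation), it is case-insensitive on the wire, and a bare substring match on those bytes also hits any longer name that merely ends in the blocked one. The packets, transaction ID and the `should_drop` decision function are constructed for the example.

```python
"""Payload-level matching of a DNS question name (added example).

Constructed for this thread; not ipfw or iptables code.  The DNS query
packets built below are synthetic test input.
"""
import struct


def qname_wire(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels plus the root label.

    "www.yahoo.com" -> b"\\x03www\\x05yahoo\\x03com\\x00"
    """
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:           # RFC 1035 label length limit
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query: header, one question, class IN.

    txid is an arbitrary constructed transaction ID; flags 0x0100 = RD set.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname_wire(name) + struct.pack("!HH", qtype, 1)


def parse_question_name(payload: bytes):
    """Return the first question's QNAME, lower-cased, or None.

    None means the payload is not a query we can judge safely: shorter
    than a header, QR bit set (a response), no question, a compression
    pointer in the question name, or a name running past the packet end.
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:       # QR=1 -> response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        if ln == 0:                          # root label terminates the name
            break
        if ln & 0xC0:                        # compression pointer: refuse to guess
            return None
        pos += 1
        if pos + ln > len(payload):
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace").lower())
        pos += ln
    return ".".join(labels)


def should_drop(payload: bytes, blocked: str) -> bool:
    """Drop decision for a UDP/53 payload: exact, case-insensitive QNAME match."""
    name = parse_question_name(payload)
    return name is not None and name == blocked.lower()


def naive_hex_match(payload: bytes, blocked: str) -> bool:
    """What a raw byte-substring match on the wire-format name does.

    It fires on any name that ends with the blocked labels and misses
    case variants, which is why the parser above is preferable.
    """
    return qname_wire(blocked) in payload


if __name__ == "__main__":
    for q in ("www.yahoo.com", "WWW.Yahoo.COM", "foo.www.yahoo.com", "mail.yahoo.com"):
        pkt = build_query(q)
        print(f"{q:22} parsed={should_drop(pkt, 'www.yahoo.com')!s:5} "
              f"substring={naive_hex_match(pkt, 'www.yahoo.com')}")
```

The substring variant is what a firewall string match gives you; it is cheap but it cannot be told that the match must begin at the question's first label or that DNS names compare case-insensitively. If the relay can run a userland filter instead, parsing the question as above avoids both problems and can refuse malformed packets rather than guessing.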