Date: Tue, 06 Jan 2015 11:54:29 +0800
From: Julian Elischer <julian@freebsd.org>
To: Luigi Rizzo <rizzo@iet.unipi.it>, Olivier Cochard-Labbé <olivier@cochard.me>
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Willy@offermans.rompen.nl
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <54AB5C75.8020001@freebsd.org>
In-Reply-To: <CA+hQ2+jfHej17z6GUKLv9R0toa8ac5Q6Yd1yk4gSmdJp=ofDLg@mail.gmail.com>
References: <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com> <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com> <20150105122809.GD31058@vpn.offrom.nl> <CA+q+TcoX7_0++G8b77T-CXGDzmNZhww8hGXVsJxL0C0Qf5cQ7Q@mail.gmail.com> <CA+hQ2+jfHej17z6GUKLv9R0toa8ac5Q6Yd1yk4gSmdJp=ofDLg@mail.gmail.com>
On 1/5/15 9:51 PM, Luigi Rizzo wrote:
> On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé <olivier@cochard.me>
> wrote:
>
>> I believe that when Luigi says "that acts before the firewall has a chance
>> to see the packets", he was not speaking of the RC script order, but about
>> the FreeBSD network stack layer order.
>> Do you confirm Luigi ?
>>
> correct, it's not a matter of time but of placement
> of the modules in the stack.
>
> injection through bpf goes just above the
> device driver, so there is no chance to see
> bpf-generated packets.
> For incoming traffic, bpf sees a copy, so the
> original still goes through the stack,
> but if you want to see it with ipfw you should
> probably enable layer2 firewalling.

The ordering of the various "special" packet intercepts has always been an 'unsolved problem'.
Packets may be intercepted by several different agents in the networking code.
There are (at least):

bpf/tcpdump
divert
netgraph
ipfw/pf/ipf
if_bridge
vlan handling

And maybe others I didn't think of in the 20 seconds it took to write this.
Each of these has an equivalent outgoing injection point as well.

It is possible to make arguments for several different orders in which packets should hit these. For example:
It makes perfect sense for tcpdump to see everything on the wire regardless of what else is going on, however it may also make sense to filter what gets to dhclient.
Unfortunately, they both use the same way of getting packets.
Maybe the answer is to change dhclient to use a different method. When it was originally done only bpf existed.

> cheers
> luigi
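An added example, not code from the thread or from FreeBSD: a shell fragment contrasting the default layer-3-only ipfw setup (which misses DHCP traffic that never reaches the IP layer) with the layer-2 firewalling Luigi suggests. It assumes a FreeBSD host with ipfw loaded; the rule numbers and the DHCP ports (UDP 67/68) are my choices, and the commands are emitted as text so the functions can be inspected before anything is applied.

```sh
#!/bin/sh
# Added example (not from the thread): log/count DHCP with ipfw at layer 2.
# Assumes FreeBSD with ipfw loaded. Rule numbers 1000-1001 are arbitrary.

# Default setup: net.link.ether.ipfw is 0, so ipfw only runs at the IP
# layer and these rules never see DHCP frames handled below it (e.g. on a
# bridged path). This is the "weak" configuration.
dhcp_rules_layer3_only() {
    printf '%s\n' \
        'sysctl net.link.ether.ipfw=0' \
        'ipfw add 1000 count log udp from any 68 to any 67 in' \
        'ipfw add 1001 count log udp from any 67 to any 68 out'
}

# Corrected setup: enable layer-2 firewalling and match with "layer2" so each
# frame is counted once. With the sysctl on, every packet traverses ipfw
# twice (once at layer 2, once at layer 3), so rules without "layer2" /
# "not layer2" would double-count.
dhcp_rules_layer2() {
    printf '%s\n' \
        'sysctl net.link.ether.ipfw=1' \
        'ipfw add 1000 count log udp from any 68 to any 67 layer2 in' \
        'ipfw add 1001 count log udp from any 67 to any 68 layer2 out'
}

# Apply a rule set only on a host that actually has ipfw; elsewhere just
# show what would run (dry run), so the script is safe to execute anywhere.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        "$1" | while IFS= read -r cmd; do $cmd; done
    else
        echo "ipfw not present; dry run:" >&2
        "$1" >&2
    fi
}
```

Even with net.link.ether.ipfw=1, frames that dhclient itself writes through bpf are injected just above the driver, below ipfw, so they still will not appear in these counters; only the inbound copy and kernel-originated traffic do.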