From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 6 03:54:52 2015
From: Julian Elischer <julian@freebsd.org>
Date: Tue, 06 Jan 2015 11:54:29 +0800
To: Luigi Rizzo, Olivier Cochard-Labbé
Subject: Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID: <54AB5C75.8020001@freebsd.org>
References: <20150105122809.GD31058@vpn.offrom.nl>
Cc: freebsd-ipfw@freebsd.org, Willy@offermans.rompen.nl

On 1/5/15 9:51 PM, Luigi Rizzo wrote:
> On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé wrote:
>
>> I believe that when Luigi says "that acts before the firewall has a chance
>> to see the packets", he was not speaking of the RC script order, but about
>> the FreeBSD network stack layer order.
>> Do you confirm, Luigi?
>>
> Correct, it's not a matter of time but of placement
> of the modules in the stack.
>
> Injection through bpf goes just above the
> device driver, so there is no chance to see
> bpf-generated packets.
> For incoming traffic, bpf sees a copy, so the
> original still goes through the stack,
> but if you want to see it with ipfw you should
> probably enable layer2 firewalling.

The ordering of the various "special" packet intercepts has always been
an 'unsolved problem'. Packets may be intercepted by several different
agents in the networking code. There are (at least):

  bpf/tcpdump
  divert
  netgraph
  ipfw/pf/ipf
  if_bridge
  vlan handling

And maybe others I didn't think of in the 20 seconds it took to write
this. Each of these has an equivalent outgoing injection point as well.

It is possible to make arguments for several different orders in which
packets should hit these. For example: it makes perfect sense for
tcpdump to see everything on the wire regardless of what else is going
on; however, it may also make sense to filter what gets to dhclient.
Unfortunately, they both use the same way of getting packets.
Maybe the answer is to change dhclient to use a different method.
When it was originally done, only bpf existed.

> cheers
> luigi
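As an added example (not from this thread, and not FreeBSD's own code), here is a small sh script that puts Luigi's suggestion into practice and gives you a way to check it. It turns on net.link.ether.ipfw so that frames passing ether_input/ether_output are handed to ipfw, installs count rules for DHCP (UDP 67/68) both as ordinary layer-3 rules and as "layer2" rules, and then reads the packet counters back from `ipfw -a list` to show which hook actually saw the traffic. The interface name em0, the rule numbers 1000-1011 and the sample counter output are assumptions; the sample numbers only follow what the thread states (bpf-injected client packets are not seen, incoming replies show up once layer-2 firewalling is on) and are not measurements from a real host.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeBSD itself.
# Which ipfw hook, if any, sees DHCP on a host running dhclient?
# Assumptions: interface em0, rule numbers 1000-1011.

IFACE="${IFACE:-em0}"

# The same DHCP match twice: plain layer-3 rules (hit from
# ip_input/ip_output) and "layer2" rules (hit from ether_demux/
# ether_output_frame, and only while net.link.ether.ipfw=1).
# DHCP client -> server is UDP 68 -> 67, server -> client is 67 -> 68.
dhcp_rules() {
cat <<EOF
add 1000 count udp from any 68 to any 67 out via $IFACE
add 1001 count udp from any 67 to any 68 in via $IFACE
add 1010 count udp from any 68 to any 67 layer2 out via $IFACE
add 1011 count udp from any 67 to any 68 layer2 in via $IFACE
EOF
}

# Install the rules on a FreeBSD host (root required). Without the
# sysctl the layer2 rules are accepted but never match anything.
apply_rules() {
    sysctl net.link.ether.ipfw=1 >/dev/null || return 1
    dhcp_rules | while read -r rule; do
        # word splitting of $rule is intended: one ipfw command per line
        ipfw -q $rule || return 1
    done
}

# Read "ipfw -a list" output on stdin (rule number, packet count, byte
# count, rule body) and sum the packet counters of the four DHCP rules.
# Prints one line: "l3_out=N l3_in=N l2_out=N l2_in=N".
dhcp_counts() {
    awk '
        { n = $1 + 0; c = $2 + 0 }
        n == 1000 { l3o += c }
        n == 1001 { l3i += c }
        n == 1010 { l2o += c }
        n == 1011 { l2i += c }
        END { printf "l3_out=%d l3_in=%d l2_out=%d l2_in=%d\n", l3o, l3i, l2o, l2i }
    '
}

# Constructed sample of "ipfw -a list" output, used by the demo below.
# The counts follow the thread: dhclient's bpf-injected requests are not
# seen by either hook, the server's replies are only seen by the layer2
# rule. Not measurements from a real host.
SAMPLE_LIST='01000        0        0 count udp from any 68 to any 67 out via em0
01001        0        0 count udp from any 67 to any 68 in via em0
01010        0        0 count udp from any 68 to any 67 layer2 out via em0
01011        2      686 count udp from any 67 to any 68 layer2 in via em0
65535   120000  9000000 allow ip from any to any'

case "${1:-}" in
    apply)  apply_rules ;;                                # real host, as root
    report) ipfw -a list | dhcp_counts ;;                 # live counters
    demo)   printf '%s\n' "$SAMPLE_LIST" | dhcp_counts ;; # constructed sample
esac
```

Run it as `sh dhcp-ipfw.sh apply`, trigger a lease renewal, then `sh dhcp-ipfw.sh report`; a zero in l3_out with a non-zero l2_in is what the thread predicts. Replace `count` with `count log` (and set net.inet.ip.fw.verbose=1) if you also want the packets in the ipfw log.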