From: Borja Marcos
To: freebsd-security@freebsd.org
Date: Tue, 13 Dec 2005 16:59:54 +0100
Subject: Useful addition to ipfw

Hello,

I've found myself in a situation where a simple data inspection capability added to ipfw would be very useful.

I'm not thinking about anything especially sophisticated, but what about adding an option to check byte values (or flags, similar to tcpdump)?

An example rule could be:

    add deny udp from any to me 12345 udp[4]&234

the rule being true if byte 4 in the UDP packet AND the number 234 is not zero.

P.S.: I'm thinking about controlling some types of UDP packets that can be identified by simple flags present in the packet data.

Opinions?

Borja.
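The byte test proposed in this message, as an added example (not code from the post or from ipfw): a C function that evaluates it on a raw IPv4 packet, including the cases a packet filter has to handle (fragments, short packets). It assumes tcpdump's convention that the offset counts from the start of the UDP header, so offset 8 is the first payload byte; `udp_byte_match` and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample packets: IPv4 + UDP, dst port 12345, 4 payload bytes.
 * Checksums are left as zero; this example does not validate them. */
#define IPHDR(frag_lo) 0x45,0x00,0x00,0x20, 0x00,0x01,0x00,(frag_lo), \
        0x40,0x11,0x00,0x00, 0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02
#define UDPHDR 0x04,0x00,0x30,0x39, 0x00,0x0c,0x00,0x00
const uint8_t pkt_flag_set[]   = { IPHDR(0), UDPHDR, 0x02,0x00,0x00,0x00 };
const uint8_t pkt_flag_clear[] = { IPHDR(0), UDPHDR, 0x15,0x00,0x00,0x00 };
const uint8_t pkt_fragment[]   = { IPHDR(1), UDPHDR, 0x02,0x00,0x00,0x00 };

/*
 * Returns 1 if the packet is UDP to dport and (udp[off] & mask) != 0,
 * otherwise 0. off is relative to the UDP header (assumed convention).
 */
int udp_byte_match(const uint8_t *pkt, size_t len,
                   uint16_t dport, size_t off, uint8_t mask)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                        /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)
        return 0;                        /* bad IHL or truncated UDP header */
    if (pkt[9] != 17)
        return 0;                        /* IP protocol is not UDP */
    /* Non-first fragments carry no UDP header, so offsets are meaningless. */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return 0;
    const uint8_t *udp = pkt + ihl;
    if ((uint16_t)((udp[2] << 8) | udp[3]) != dport)
        return 0;
    if (off >= len - ihl)
        return 0;                        /* requested byte is past the data */
    return (udp[off] & mask) != 0;
}

int main(void)
{
    size_t n = sizeof pkt_flag_set;
    printf("flag set, off 8:   %d\n", udp_byte_match(pkt_flag_set, n, 12345, 8, 234));
    printf("flag clear, off 8: %d\n", udp_byte_match(pkt_flag_clear, n, 12345, 8, 234));
    printf("fragment, off 8:   %d\n", udp_byte_match(pkt_fragment, n, 12345, 8, 234));
    printf("flag set, off 4:   %d\n", udp_byte_match(pkt_flag_set, n, 12345, 4, 234));
    return 0;
}
```

Under this convention offset 4 is the high byte of the UDP length field, which is zero for any datagram shorter than 256 bytes, so a rule meant to test payload data has to use an offset of 8 or more.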