From owner-freebsd-hackers@FreeBSD.ORG Fri Dec 8 03:31:45 2000
Date: Fri, 8 Dec 2000 11:31:40 +0000
From: David Malone
To: Alwyn Goodloe
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Packet Header Filtering
Message-ID: <20001208113140.A21021@lanczos.maths.tcd.ie>
In-Reply-To: ; from agoodloe@gradient.cis.upenn.edu on Fri, Dec 08, 2000 at 12:03:12AM -0500
User-Agent: Mutt/1.2.5i
Sender: dwmalone@maths.tcd.ie

On Fri, Dec 08, 2000 at 12:03:12AM -0500, Alwyn Goodloe wrote:

> i) look at an ip packet header. If some conditions are met let the packet pass
> otherwise reject the packet.
>
> ii) Look at ip packet headers of established connections and when certain
> conditions are met tear down the connection.

I presume you mean TCP in the second case; IP doesn't have a notion of
an established connection by itself.

> Obviously this isn't the kind of thing we will be using the usual
> firewall software, at least not as I understand the software. What I
> want to know from you FreeBSD hackers is:

This sounds exactly like what regular packet filtering software like
ipfw or ipf do (both have man pages). Another possibility would be to
use netgraph and the ng_bpf device, which can do any filtering that the
Berkeley Packet Filter can do.

	David.
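As an added illustration of the two tasks in the thread (not code from the thread or from ipfw itself), here is a small Python evaluator that decodes raw IPv4/TCP headers and applies an ipfw-style first-match rule list: allow/deny on header fields, and a "reset" action to tear down a matching TCP connection, with "established" meaning ACK or RST set as in ipfw(8). The packets, addresses and rule set are constructed for the example.

```python
import struct

# Added example, not from the thread: ipfw-style rule evaluation over raw
# IPv4/TCP headers. "established" follows ipfw: TCP with ACK or RST set.
TCP_RST, TCP_ACK = 0x04, 0x10

def parse(pkt):
    """Decode the IPv4 header and, for TCP, the ports and flag byte."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"proto": proto, "ttl": ttl, "src": src, "dst": dst,
           "sport": None, "dport": None, "flags": 0}
    if proto == 6 and len(pkt) >= ihl + 20:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        hdr["flags"] = pkt[ihl + 13]
    return hdr

def matches(rule, hdr):
    """Every field named in the rule must match the decoded header."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "established":
            if hdr["proto"] != 6 or not hdr["flags"] & (TCP_ACK | TCP_RST):
                return False
        elif hdr.get(key) != want:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule wins, as in ipfw; the default policy is deny."""
    hdr = parse(pkt)
    for rule in rules:
        if matches(rule, hdr):
            return rule["action"]
    return "deny"

def build(src, dst, proto, sport=0, dport=0, flags=0):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

BAD_HOST = bytes([203, 0, 113, 9])  # constructed address (documentation range)
RULES = [
    {"action": "reset", "established": True, "src": BAD_HOST},   # task (ii)
    {"action": "allow", "proto": 6, "dport": 22},                # task (i)
    {"action": "allow", "proto": 6, "established": True},
]
```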