From: Julian Elischer
Date: Fri, 08 Dec 2000 05:04:57 -0800
To: Lists Account
Cc: Alwyn Goodloe, freebsd-hackers@FreeBSD.org
Subject: Re: Packet Header Filtering

Lists Account wrote:
>
> Look at IPF/IPFW; they both have state table stuff in them, and analyzing
> the IP header is done by both as well. I would suggest you hack ipf to do
> what you want if it doesn't do it already.
>
> Cheers
>
> Andrew
>
> On Fri, 8 Dec 2000, Alwyn Goodloe wrote:
>
> > We are about to begin a little project that has the following requirement.
> >
> > Perform IP packet filtering in the following way:
> >
> > i) Look at an IP packet header. If some conditions are met, let the packet pass;
> > otherwise reject the packet.

You could hack your checks into if_fw.c if they are not already supported.
What kinds of checks do you want to do?

Alternatively you could use the divert sockets to send all packets that might
need filtering up to a userland process that can do arbitrarily complicated
filtering. If you want a framework with which to start, you could start with
natd and strip out the address translation calls and replace them with your
filtering calls.

OR you could catch packets at the ethernet level using netgraph and either
write a loadable netgraph module that does your filtering, or pass them up to a
daemon that can do arbitrary filtering.

It would be easier for us to answer if you said what kind of filtering you
want to do.

> > ii) Look at IP packet headers of established connections and when certain
> > conditions are met, tear down the connection.
> >
> > Obviously this isn't the kind of thing we will be using the usual
> > firewall software for, at least not as I understand the software. What I
> > want to know from you FreeBSD hackers is:
> >
> > i) If anyone has done something similar, do you have any advice?
> > ii) Anyone know where I should start hacking? Would it be best to try to
> > hack the firewall code or the ipforwarding code....
> >
> > Any such advice would be helpful.
> >
> > Alwyn Goodloe
> > agoodloe@gradient.cis.upenn.edu

--
Julian Elischer
julian@elischer.org
World tour 2000 ---> presently in: Budapest
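As an added illustration of the divert-socket approach Julian describes (this is not code from the thread or from natd): a userland process binds a divert port, reads each packet ipfw hands up, applies a header-only check, and reinjects only what passes; anything not reinjected is dropped. The divert port number and the policy in should_pass() are assumptions, and the divert loop only compiles where IPPROTO_DIVERT exists (FreeBSD).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DIVERT_PORT 8668 /* assumed; must match the port in the ipfw divert rule */

/* Minimal IPv4 header layout (RFC 791), declared here so the check builds anywhere. */
struct ipv4_hdr {
    uint8_t  vhl;       /* version (high nibble), header length in 32-bit words (low) */
    uint8_t  tos;
    uint16_t total_len;
    uint16_t id;
    uint16_t frag_off;  /* 3 flag bits + 13-bit fragment offset */
    uint8_t  ttl, proto;
    uint16_t csum;
    uint32_t src, dst;  /* kept in network byte order */
};

/* Hypothetical header-only policy: 1 = reinject (pass), 0 = drop. */
int should_pass(const unsigned char *pkt, size_t len)
{
    struct ipv4_hdr h;
    if (len < sizeof h) return 0;                        /* truncated header */
    memcpy(&h, pkt, sizeof h);
    if ((h.vhl >> 4) != 4) return 0;                     /* not IPv4 */
    if ((h.vhl & 0x0f) * 4u != 20) return 0;             /* reject IP options outright */
    if (ntohs(h.total_len) > len) return 0;              /* length field claims more than we got */
    if ((ntohs(h.frag_off) & 0x1fff) != 0) return 0;     /* non-first fragment: no L4 header to judge */
    if (h.proto != IPPROTO_TCP && h.proto != IPPROTO_UDP && h.proto != IPPROTO_ICMP) return 0;
    if ((ntohl(h.src) >> 24) == 127) return 0;           /* loopback source arriving from the wire */
    return 1;
}

#ifdef IPPROTO_DIVERT
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    unsigned char buf[65535];
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {
        socklen_t sl = sizeof sin;   /* recvfrom fills sin with the diverting rule's context */
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (should_pass(buf, (size_t)n))   /* same sockaddr back: ipfw resumes at the next rule */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl);
        /* a packet that is not reinjected is dropped */
    }
}
#endif
```

Run it as root next to an `ipfw add divert 8668 ip from any to any` rule (the port is an assumption); if the daemon is not running, ipfw drops the diverted packets by itself.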