Date: Tue, 28 Sep 2004 14:23:56 +0400
From: "Nickolay A. Kritsky" <nkritsky@star-sw.com>
To: Zrelli Saber Ben Mohamed <zrelli@jaist.ac.jp>
Cc: freebsd-hackers@freebsd.org
Subject: Re: divert , ipfw question
Message-ID: <381891561234.20040928142356@star-sw.com>
In-Reply-To: <41593824.9030006@jaist.ac.jp>
References: <41593824.9030006@jaist.ac.jp>
Hello Zrelli,

The rule "65000 allow ip from any to any" stops processing of a packet, so it will never reach the diverting rule 65100. See man ipfw about rule processing.

Tuesday, September 28, 2004, 2:08:36 PM, Zrelli Saber Ben Mohamed wrote:

ZSBM> Hi,
ZSBM> I'm interested in the "divert" mechanism and want to try it out,
ZSBM> so I recompiled the kernel (FreeBSD 5.2.1-RELEASE #0) after adding the
ZSBM> IPDIVERT option and then added the needed lines in the rc.conf file.
ZSBM> After that, I set up ipfw to divert packets to some port.
ZSBM> Here is my ipfw rule set:
ZSBM>
ZSBM> 00100 allow ip from any to any via lo0
ZSBM> 00200 deny ip from any to 127.0.0.0/8
ZSBM> 00300 deny ip from 127.0.0.0/8 to any
ZSBM> 65000 allow ip from any to any
ZSBM> 65100 divert 5000 ip from any 22 to me     <---- the divert rule
ZSBM> 65535 deny ip from any to any
ZSBM>
ZSBM> Then, I wanted to monitor the diverted traffic using tcpdump:
ZSBM>
ZSBM> $ tcpdump port 5000
ZSBM>
ZSBM> When I do a telnet connection to port 22 from a remote host, I was
ZSBM> expecting that tcpdump would display packets diverted to port 5000 by
ZSBM> ipfw.
ZSBM> The remote host I use shows that it connects to port 22, and the ipfw
ZSBM> divert rule seems not to work.
ZSBM> I can set another rule to block the traffic on port 22, and it works;
ZSBM> only the divert rule seems to fail.
ZSBM> I wrote some piece of code using a divert socket to read packets from the
ZSBM> divert port, but no result...
ZSBM> I think I'm missing something,
ZSBM> so please enlighten my mind...
ZSBM>
ZSBM> Many Thanks
ZSBM> --
ZSBM> Saber

-- 
Best regards,
; Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:nkritsky@star-sw.com
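The following is an example added by the editor, not code from the thread, from ipfw or from FreeBSD. It simulates the first-match rule walk that man ipfw describes, for just the subset of syntax used in the posted rule set, and runs the posted rules, a reordered copy, and a copy with a rewritten divert rule against a few constructed packets. The local address set for the "me" keyword and all addresses, ports and the interface name are assumptions made for the example. Beyond the ordering point made in the reply, the simulation also shows a second detail of the rule as written: "from any 22 to me" matches packets whose source port is 22, which is the reply traffic of an outbound ssh session, not the packets a remote host sends to the local port 22.

```python
"""Simulate ipfw's first-match rule walk over the rule set posted in the thread.
Editor's example; not code from the thread, ipfw or FreeBSD."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addresses of the firewall host for the "me" keyword (constructed).
LOCAL_ADDRS = {"192.0.2.10", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet crosses, for "via"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "allow", "deny" or "divert"
    divert_port: Optional[int]
    src: str                 # "any", "me" or a CIDR prefix
    sport: Optional[int]     # port given right after the source address
    dst: str
    dport: Optional[int]     # port given right after the destination address
    via: Optional[str]


def parse_rule(line: str) -> Rule:
    """Parse: NUM (allow|deny|divert PORT) ip from SRC [PORT] to DST [PORT] [via IFACE]."""
    toks = line.split()
    number = int(toks.pop(0))
    action = toks.pop(0)
    divert_port = int(toks.pop(0)) if action == "divert" else None
    assert toks[:2] == ["ip", "from"], line
    toks = toks[2:]
    src = toks.pop(0)
    sport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    assert toks.pop(0) == "to", line
    dst = toks.pop(0)
    dport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    via = None
    if toks:
        assert toks[0] == "via", line
        via = toks[1]
    return Rule(number, action, divert_port, src, sport, dst, dport, via)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.via is None or rule.via == pkt.iface))


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Walk rules in ascending number order and stop at the first match.
    allow/deny end processing; a real divert hands the packet to the divert
    socket, and a reinjected packet resumes at the next rule, which this
    simulation does not model."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    raise AssertionError("rule 65535 always matches")


def ruleset(lines: List[str]) -> List[Rule]:
    return [parse_rule(ln) for ln in lines]


COMMON = ["00100 allow ip from any to any via lo0",
          "00200 deny ip from any to 127.0.0.0/8",
          "00300 deny ip from 127.0.0.0/8 to any",
          "65000 allow ip from any to any",
          "65535 deny ip from any to any"]
POSTED = ruleset(COMMON + ["65100 divert 5000 ip from any 22 to me"])
# Same divert rule, moved in front of the catch-all allow.
REORDERED = ruleset(COMMON + ["00400 divert 5000 ip from any 22 to me"])
# Divert rule rewritten to match traffic sent to the local port 22.
REWRITTEN = ruleset(COMMON + ["00400 divert 5000 ip from any to me 22"])

# Constructed packets: a remote client reaching the local sshd, and a remote
# sshd replying to a local ssh client.
INBOUND_TO_SSHD = Packet("203.0.113.5", 40000, "192.0.2.10", 22, "em0")
REPLY_FROM_REMOTE_SSHD = Packet("198.51.100.7", 22, "192.0.2.10", 51000, "em0")


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED), ("rewritten", REWRITTEN)):
        for pkt in (INBOUND_TO_SSHD, REPLY_FROM_REMOTE_SSHD):
            r = first_match(rules, pkt)
            print(f"{name:9} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: rule {r.number} {r.action}")
```

With the posted order the inbound connection is accepted by rule 65000 before the walk reaches 65100. Moving the divert rule to 400 is not enough on its own: the rule's "from any 22" port belongs to the source address, so it matches a remote sshd's replies to a local client and still not the remote client's packets to the local port 22; putting the port after "to me" does. Separately, "tcpdump port 5000" filters on the port numbers inside the packet headers, so it cannot show packets handed to a divert socket; a divert-socket reader bound to port 5000, as the original poster wrote, is the right tool once a rule actually diverts something.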