Date: Mon, 20 Jan 2003 15:19:05 -0800
From: "Crist J. Clark"
To: Jian Song
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: How to do tcp payload validation
Message-ID: <20030120231904.GE34751@blossom.cjclark.org>
In-Reply-To: <3E280776.3060502@nominum.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG

On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> Hi:
>
> I need to do tcp payload validation. Specifically, the tcp stream I am
> looking at contains multiple messages. Each message has a two byte
> length header and is immediately followed by the body. I would like to
> monitor the tcp traffic and intercept each message. If there is an
> error, I will send RSTs to both ends of the connection. While I can do
> a BPF tap and do ip reassembly and tcp processing myself, I was
> wondering whether this can be achieved through ipfw or ipfilter. I
> would like a TCP tap which passes tcp payload data to a user process for
> further validation. This way, I don't have to worry about matching ACKs
> and doing TCP stream reassembly.

It sounds like what you really want is to just have a proxy running on
the firewall. Write a userland app that just handles the TCP connection
like any other daemon would. I don't see where a kernel-level firewall
would ever have to enter into it, unless for some reason you cannot
change the addresses used by the applications at either end of the
proxied connection. In that case, you can use transparent proxying via
'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
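The userland proxy approach from the reply, as an added example that is not code from either poster: the kernel hands the proxy a reassembled byte stream, the proxy re-frames it into [2-byte length][body] messages regardless of where TCP split the segments, and on a framing or validation failure it closes both sockets with a zero-timeout SO_LINGER so the kernel emits RST rather than FIN. The big-endian length, the MAX_MSG bound and the `validate` callback are assumptions; the original thread does not specify them.

```python
import socket
import struct

MAX_MSG = 4096   # assumed upper bound on a body; a larger length is treated as an error


class FramingError(ValueError):
    """Raised when the stream stops looking like [2-byte length][body] messages."""


def split_messages(buf, validate=None):
    """Pull every complete message off the front of buf.

    Returns (messages, remainder). The remainder is the partial message
    still waiting for more bytes; the caller prepends it to the next recv()
    so segment boundaries never matter. Length is assumed to be big-endian
    and to exclude the two header bytes.
    """
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if n == 0 or n > MAX_MSG:
            raise FramingError("bad length %d" % n)
        if len(buf) < 2 + n:
            break                       # body not fully here yet
        body = buf[2:2 + n]
        if validate is not None and not validate(body):
            raise FramingError("message rejected by validator")
        msgs.append(body)
        buf = buf[2 + n:]
    return msgs, buf


def abort_with_rst(sock):
    """Close so the kernel sends RST instead of FIN (linger on, timeout 0)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def pump(src, dst, validate):
    """Relay one direction of a proxied connection, one validated message at a time."""
    pending = b""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                dst.shutdown(socket.SHUT_WR)
                return
            msgs, pending = split_messages(pending + chunk, validate)
            for m in msgs:
                dst.sendall(struct.pack("!H", len(m)) + m)
    except FramingError:
        abort_with_rst(src)             # reset both ends, as the poster wanted
        abort_with_rst(dst)
```

A real daemon would accept() the client, connect() to the origin server and run `pump` once per direction in two threads; with ipfw, a `fwd` rule can steer the clients' traffic to the proxy's listening port when the endpoints cannot be reconfigured.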