Date: Mon, 23 Apr 2001 12:28:02 -0400 (EDT)
From: "Andrew R. Reiter" <arr@watson.org>
To: Alex Pilosov
Cc: "E.B. Dreger", hackers@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: TCP intercept?

In light of this, I would say that it would be cool to put into the ipfw or
ipf code, seeing as how there are already hooks into the network stack in the
code. I am not sure how people will take the ipfw implementation solely
because I know there was a lot of "hacking" being done to it in the recent
months (??). I'm also not sure how well Darren would take the code written if
it was done for ipf.

Otherwise, you'll have to add some more hooks into the stack code
(tcp_{input,output}.c and perhaps others) and then handle it that way.

I'm not really familiar with how (un)successful TCP intercept has been with
Cisco, but I would find that a cool option :-)

Take it easy,
Andrew

On Mon, 23 Apr 2001, Alex Pilosov wrote:

> In cisco terminology, 'tcp intercept' is what the 'ip and tcp reassembly'
> part of ipnat does (without port/address rewriting). For example, a router
> in the middle which is doing the intercept will have to buffer/reassemble
> tcp stream and only forward packets after they are confirmed good.
>
> Example: packets with a wrong sequence number will be bounced at the
> router. On ciscos, tcp-intercept can also rate-limit syn packets...
>
> I'm not sure if it can be enabled in ipnat separately, but hell, if
> someone wants to do it...
>
> On Sun, 22 Apr 2001, Andrew R. Reiter wrote:
>
> > What's TCP intercept?
> >
> > On Mon, 23 Apr 2001, E.B. Dreger wrote:
> >
> > > Greetings all,
> > >
> > > I'm no kernel hacker, and trying to think of useful little projects to
> > > change that. ;-)
> > >
> > > AFAIK, FreeBSD lacks support for TCP intercept. Is anyone already working
> > > on this? Would it be of interest to anyone? My initial thoughts are that
> > > it should be implemented in the same neighborhood as stateful firewall
> > > code, as the two are rather closely related.
> > >
> > > Eddy
> > >
> > > ---------------------------------------------------------------------------
> > > Brotsman & Dreger, Inc.
> > > EverQuick Internet / EternalCommerce Division
> > > Phone: (316) 794-8922
> > > ---------------------------------------------------------------------------

*-------------..................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
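The two behaviours Alex describes for Cisco's TCP intercept, bouncing packets whose sequence number does not fit the tracked connection and rate-limiting SYNs per source, can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from FreeBSD, ipfw, ipf or Cisco. It is a user-space model only: it tracks one direction (client to server), assumes a fixed 64 KiB window instead of honouring the advertised one, passes out-of-order-but-in-window segments without buffering them, and uses hypothetical names (`struct intercept`, `intercept_check`, `SYN_PER_SECOND`). The packets in `main` are constructed for illustration.

```c
/* Added example, not from the thread or any firewall code base: a user-space
 * model of a "TCP intercept" check. Assumptions: one direction only, fixed
 * window, whole-second clock, hypothetical names throughout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES    16
#define FLOW_WINDOW    65535u   /* assumed fixed window, not the advertised one */
#define SYN_PER_SECOND 3        /* assumed per-source SYN budget per second */

enum verdict { PASS = 0, DROP_BAD_SEQ, DROP_SYN_RATE, DROP_NO_FLOW, DROP_TABLE_FULL };

struct pkt {
    uint32_t src, dst;      /* IPv4 addresses, host order */
    uint16_t sport, dport;
    uint32_t seq;           /* TCP sequence number */
    uint32_t len;           /* payload bytes */
    int      syn;           /* SYN flag set */
    uint32_t now;           /* arrival time in whole seconds */
};

struct flow { int in_use; uint32_t src, dst; uint16_t sport, dport; uint32_t next_seq; };
struct syn_bucket { int in_use; uint32_t src, second; int count; };
struct intercept { struct flow flows[MAX_ENTRIES]; struct syn_bucket syns[MAX_ENTRIES]; };

void intercept_init(struct intercept *ic) { memset(ic, 0, sizeof *ic); }

/* Look up the 4-tuple; on a SYN (create != 0) allocate a flow expecting seq+1 next. */
static struct flow *find_flow(struct intercept *ic, const struct pkt *p, int create) {
    struct flow *freeslot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct flow *f = &ic->flows[i];
        if (!f->in_use) { if (!freeslot) freeslot = f; continue; }
        if (f->src == p->src && f->dst == p->dst && f->sport == p->sport && f->dport == p->dport)
            return f;
    }
    if (!create || !freeslot) return NULL;
    freeslot->in_use = 1; freeslot->src = p->src; freeslot->dst = p->dst;
    freeslot->sport = p->sport; freeslot->dport = p->dport;
    freeslot->next_seq = p->seq + 1;    /* the SYN itself consumes one sequence number */
    return freeslot;
}

/* Count SYNs per source within the current second; fail closed when the table is full. */
static int syn_over_budget(struct intercept *ic, const struct pkt *p) {
    struct syn_bucket *freeslot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct syn_bucket *b = &ic->syns[i];
        if (!b->in_use) { if (!freeslot) freeslot = b; continue; }
        if (b->src != p->src) continue;
        if (b->second != p->now) { b->second = p->now; b->count = 0; }
        return ++b->count > SYN_PER_SECOND;
    }
    if (!freeslot) return 1;
    freeslot->in_use = 1; freeslot->src = p->src; freeslot->second = p->now; freeslot->count = 1;
    return 0;
}

enum verdict intercept_check(struct intercept *ic, const struct pkt *p) {
    if (p->syn) {
        if (syn_over_budget(ic, p)) return DROP_SYN_RATE;
        return find_flow(ic, p, 1) ? PASS : DROP_TABLE_FULL;
    }
    struct flow *f = find_flow(ic, p, 0);
    if (!f) return DROP_NO_FLOW;
    /* Unsigned subtraction gives the offset modulo 2^32, so the test survives
     * sequence wraparound; anything before next_seq wraps to a huge offset. */
    uint32_t off = p->seq - f->next_seq;
    if (off >= FLOW_WINDOW) return DROP_BAD_SEQ;
    if (off == 0) f->next_seq = p->seq + p->len;  /* in order: advance; in-window gaps pass unbuffered */
    return PASS;
}

int main(void) {
    struct intercept ic;
    intercept_init(&ic);
    /* Constructed packets: handshake SYN, in-order data, then a replayed old segment. */
    struct pkt syn  = { 0x0a000001, 0x0a000002, 40000, 80, 1000, 0,   1, 10 };
    struct pkt data = { 0x0a000001, 0x0a000002, 40000, 80, 1001, 100, 0, 10 };
    struct pkt old  = { 0x0a000001, 0x0a000002, 40000, 80, 1,    100, 0, 10 };
    int v1 = intercept_check(&ic, &syn), v2 = intercept_check(&ic, &data), v3 = intercept_check(&ic, &old);
    printf("syn=%d data=%d old=%d\n", v1, v2, v3);
    return 0;
}
```

A real implementation at the tcp_input hook would take the window from the peer's advertisement, buffer in-window out-of-order segments until the gap is filled (the "reassemble" part Alex mentions), and track both directions; the model above keeps only the decision logic so the two drop reasons are easy to see.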