From owner-freebsd-net  Wed Nov  7 15:46:36 2001
Delivered-To: freebsd-net@freebsd.org
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122])
	by hub.freebsd.org (Postfix) with ESMTP id 0017537B417
	for ; Wed,  7 Nov 2001 15:46:33 -0800 (PST)
Received: from dialup-209.247.136.232.dial1.sanjose1.level3.net ([209.247.136.232] helo=blossom.cjclark.org)
	by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 161cOp-00030a-00; Wed, 07 Nov 2001 15:46:28 -0800
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id fA7Nk1x01189;
	Wed, 7 Nov 2001 15:46:01 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 7 Nov 2001 15:46:01 -0800
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Fixing ipfw(8)'s 'tee'
Message-ID: <20011107154601.A301@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011107021241.D307@blossom.cjclark.org> <20011107093404.B96033@iguana.aciri.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011107093404.B96033@iguana.aciri.org>; from rizzo@aciri.org on Wed, Nov 07, 2001 at 09:34:04AM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Nov 07, 2001 at 09:34:04AM -0800, Luigi Rizzo wrote:
> On Wed, Nov 07, 2001 at 02:12:41AM -0800, Crist J. Clark wrote:
> ...
> > About 'accepted,' but I don't believe this is the intended
> > behavior. For outgoing packets, one copy is sent to the divert port
> > and the other is routed to the destination on the packet.
> ...
> > I'm not really sure if I understand what 'tee' is needed for. Why
> > not just have whatever is listening on the 'tee' divert socket write
> > packets back in? This also works around the issue that 'tee' packets
> > are immediately accepted by the firewall. But if we want to keep
> > 'tee,' it probably should work.
>
> for sure we can replace tee with divert as you say, but then
> you would depend on the userland app to do its work (and you
> could have drops on the divert socket, whereas forwarding within
> the kernel is much faster).
>
> There is not an issue of accept vs. deny a "tee" packet, if
> you want to deny it you just use a "divert" rule instead.

The issue may be that you wish to make a decision on the packet in
later rules. For example, someone might wish to 'tee' all traffic to
and from a certain machine to some unspecified traffic monitoring
program listening on the divert socket. However, all of the traffic
to and from that IP address may or may not be allowed by the security
policy. With 'tee' as it exists, one cannot catch _all_ of the traffic
(whether or not allowed by policy) and still apply policy.

But does everyone agree the current behavior of 'tee' is broken? The
firewall should not be passing packets not destined for itself up the
stack; it should be forwarding them, right?
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
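The workaround discussed in the message above, a 'divert' rule plus a userland program that inspects each packet and writes it back so the remaining ipfw rules still apply, as an added example in C. This is not code from the thread, from ipfw, or from natd; the divert port 8668, the rule numbers in the comment, and the IP address 10.0.0.5 are assumptions chosen for illustration. It parses the IPv4 header by byte offset so the summary routine also compiles and runs on non-BSD systems; the socket loop in main() needs FreeBSD with IPDIVERT in the kernel and root privileges.

```c
/*
 * divmon.c: hypothetical userland monitor for an ipfw "divert" rule.
 * Every packet the rule diverts is received here, summarized, and then
 * written back to the divert socket.  Because the packet is re-injected
 * with the sockaddr it arrived with, ipfw resumes at the rule after the
 * one that diverted it, so later policy rules still decide accept/deny.
 * Added example, not code from the thread or from FreeBSD.
 *
 * Assumed ruleset (hypothetical numbers and address):
 *   ipfw add 1000 divert 8668 ip from any to 10.0.0.5
 *   ipfw add 1001 divert 8668 ip from 10.0.0.5 to any
 *   ...policy rules follow and still apply after re-injection...
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; lets this compile elsewhere */
#endif

#define DIVERT_PORT 8668     /* assumed; must match the ipfw divert rule */

struct pkt_summary {
    int ihl;                 /* header length in bytes */
    int proto;               /* IP protocol number */
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
};

/* Parse an IPv4 header by byte offset (no struct ip bitfield portability
 * issues).  Returns 1 and fills *s on success, 0 for a malformed packet. */
int summarize_ipv4(const unsigned char *buf, size_t len, struct pkt_summary *s)
{
    memset(s, 0, sizeof *s);
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;
    s->ihl = (buf[0] & 0x0f) * 4;
    if (s->ihl < 20 || (size_t)s->ihl > len)
        return 0;
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (total < (size_t)s->ihl || total > len)
        return 0;
    s->proto = buf[9];
    inet_ntop(AF_INET, buf + 12, s->src, sizeof s->src);
    inet_ntop(AF_INET, buf + 16, s->dst, sizeof s->dst);
    return 1;
}

/* Monitoring step: observe only.  Returns 1 if the packet should be
 * re-injected, 0 if it is too malformed to hand back.  Policy decisions
 * are deliberately left to the ipfw rules that follow the divert rule. */
int monitor_and_reinject(const unsigned char *buf, size_t len)
{
    struct pkt_summary s;
    if (!summarize_ipv4(buf, len, &s)) {
        fprintf(stderr, "malformed packet (%zu bytes), not re-injecting\n", len);
        return 0;
    }
    printf("proto %d %s -> %s (%zu bytes)\n", s.proto, s.src, s.dst, len);
    return 1;
}

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }

    struct sockaddr_in bind_addr;
    memset(&bind_addr, 0, sizeof bind_addr);
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(DIVERT_PORT);
    bind_addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); return 1;
    }

    unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        if (!monitor_and_reinject(buf, (size_t)n))
            continue;
        /* Echo the packet back with the sockaddr it came with: ipfw
         * continues at the rule after the diverting one. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

The cost Luigi points out in the quoted reply applies here: while this process is stopped or falls behind, packets queue on the divert socket and can be dropped, whereas 'tee' forwards in the kernel.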