Date:      Mon, 20 Jan 2003 19:10:34 -0700 (MST)
From:      Nick Rogness <>
To:        Jian Song <>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: How to do tcp payload validation
Message-ID:  <>
In-Reply-To: <>

On Mon, 20 Jan 2003, Crist J. Clark wrote:

> On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> > Hi:
> >
> > I need to do tcp payload validation.  Specifically, the tcp stream I am
> > looking at contains multiple messages.  Each message has a two byte
> > length header and is immediately followed by the body.  I would like to
> > monitor the tcp traffic and intercept each message.  If there is an
> > error, I will send RSTs to both ends of the connection.  While I can do
> > a BPF tap and do ip reassembly and tcp processing myself, I was
> > wondering whether this can be achieved through ipfw or ipfilter.  I
> > would like a TCP tap which passes tcp payload data to a user process for
> > further validation.  This way, I don't have to worry about matching ACKs
> > and doing TCP stream reassembly.
> It sounds like what you really want is to just have a proxy running on
> the firewall. Write a userland app that just handles the TCP connection
> like any other daemon would. I don't see where a kernel-level firewall
> would ever have to enter into it, unless for some reason you cannot
> change the addresses used by the applications at either end of the
> proxied connection. In that case, you can use transparent proxying via
> 'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).

	Or if that doesn't tickle your tube, you can write something
	using divert(4) sockets and interface it with ipfw.

Nick Rogness <>
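The framing the original poster describes (a two-byte length header followed by the body), as an added example that is not code from this thread, ipfw or FreeBSD: the accumulation and validation logic a userland proxy on the firewall would run over the reassembled byte stream, accepting each complete message and going into a sticky error state on the first bad one so the proxy can reset both ends. Big-endian byte order, the MAX_BODY bound, the printable-ASCII policy and the function names are all assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Assumed wire format (not specified in the thread): 2-byte big-endian body
 * length, then the body. MAX_BODY is an assumed sanity bound per message. */
#define MAX_BODY 4096
enum fr_status { FR_OK = 0, FR_ERR = 1 };
typedef int (*body_check_fn)(const uint8_t *body, size_t len);
struct framer {
    uint8_t buf[2 + MAX_BODY]; /* frame currently being assembled */
    size_t  have, msgs;        /* bytes filled; frames accepted so far */
    int     error;             /* sticky: the proxy should then RST both ends */
};
/* Feed one chunk as read() returned it. TCP keeps no message boundaries, so
 * a frame may span chunks or several may share one; the loop handles both. */
enum fr_status frame_feed(struct framer *f, const uint8_t *p, size_t n,
                          body_check_fn check)
{
    if (f->error) return FR_ERR;
    while (n > 0) {
        if (f->have < 2) {               /* still collecting the header */
            f->buf[f->have++] = *p++; n--;
            if (f->have < 2) continue;   /* chunk ended mid-header */
        }
        size_t len = ((size_t)f->buf[0] << 8) | f->buf[1];
        if (len > MAX_BODY) { f->error = 1; return FR_ERR; }
        size_t want = 2 + len - f->have, take = n < want ? n : want;
        memcpy(f->buf + f->have, p, take);
        f->have += take; p += take; n -= take;
        if (f->have == 2 + len) {        /* frame complete: validate it */
            if (check(f->buf + 2, len)) { f->error = 1; return FR_ERR; }
            f->msgs++; f->have = 0;
        }
    }
    return FR_OK;
}
/* Example policy (assumed): bodies must be printable ASCII. */
int body_printable(const uint8_t *b, size_t n)
{ while (n--) if (!isprint(*b++)) return 1; return 0; }
/* Constructed stream "hi","ok!" fed in chunks that split a header and a body;
 * returns frames accepted (2), or 0 if any chunk was rejected. */
size_t demo_split_stream(void)
{
    static const uint8_t s[] = { 0,2,'h','i', 0,3,'o','k','!' };
    struct framer f = { {0}, 0, 0, 0 };
    if (frame_feed(&f, s, 1, body_printable) != FR_OK) return 0;
    if (frame_feed(&f, s + 1, 5, body_printable) != FR_OK) return 0;
    if (frame_feed(&f, s + 6, 3, body_printable) != FR_OK) return 0;
    return f.msgs;
}
```

The validator callback is where protocol-specific checks go; frame_feed only guarantees it sees one whole message at a time regardless of how TCP segmented the stream.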

To Unsubscribe: send mail to
with "unsubscribe freebsd-ipfw" in the body of the message
