Delivered-To: freebsd-ipfw@freebsd.org
Date: Mon, 20 Jan 2003 19:10:34 -0700 (MST)
From: Nick Rogness
To: Jian Song
Cc: "Crist J. Clark"
Subject: Re: How to do tcp payload validation
In-Reply-To: <20030120231904.GE34751@blossom.cjclark.org>
Message-ID: <20030120190425.Y47844-100000@skywalker.rogness.net>

On Mon, 20 Jan 2003, Crist J. Clark wrote:

> On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> > Hi:
> >
> > I need to do tcp payload validation. Specifically, the tcp stream I am
> > looking at contains multiple messages. Each message has a two byte
> > length header and is immediately followed by the body. I would like to
> > monitor the tcp traffic and intercept each message. If there is an
> > error, I will send RSTs to both ends of the connection. While I can do
> > a BPF tap and do ip reassembly and tcp processing myself, I was
> > wondering whether this can be achieved through ipfw or ipfilter. I
> > would like a TCP tap which passes tcp payload data to a user process for
> > further validation. This way, I don't have to worry about matching ACKs
> > and doing TCP stream reassembly.
>
> It sounds like what you really want is to just have a proxy running on
> the firewall. Write a userland app that just handles the TCP connection
> like any other daemon would. I don't see where a kernel-level firewall
> would ever have to enter into it, unless for some reason you cannot
> change the addresses used by the applications at either end of the
> proxied connection. In that case, you can use transparent proxying via
> 'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).

Or if that doesn't tickle your tube, you can write something using
divert(4) sockets and interface it with ipfw.

Nick Rogness
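The userland proxy Crist suggests, sketched out as an added example that is not code from the thread or from any of the posters. It reassembles the two-byte-length-prefixed messages the original question describes across arbitrary TCP segment boundaries (the one thing a BPF tap would force you to do by hand), only forwards complete, validated messages, and on a framing or validation error closes both sockets with a zero-timeout SO_LINGER so the kernel emits RST rather than FIN to each end. Big-endian length, the 4096-byte body ceiling, the listen and upstream ports, the `validate` hook and the ipfw `fwd` rule quoted in the docstring are all assumptions for the example, not details from the thread.

```python
"""Length-prefixed TCP message validator and proxy (added example).

Assumes each message is a 2-byte big-endian length followed by that many
bytes of body; byte order, MAX_BODY and the ports are assumptions.
"""
import socket
import struct
import threading

MAX_BODY = 4096  # assumption: largest body a well-formed peer would send


class FramingError(Exception):
    """Raised when the byte stream violates the length-header framing."""


class MessageFramer:
    """Reassembles length-prefixed messages from arbitrary recv() chunks.

    TCP preserves no message boundaries, so a header can arrive split
    across two reads; the buffer holds partial data until a whole message
    (header plus body) is present.
    """

    def __init__(self, max_body=MAX_BODY):
        self.buf = b""
        self.max_body = max_body

    def feed(self, chunk):
        """Consume stream bytes; return the list of complete bodies found."""
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length > self.max_body:
                raise FramingError("length header %d exceeds limit" % length)
            if len(self.buf) < 2 + length:
                break  # body not fully received yet
            out.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return out


def abort_with_rst(sock):
    """Close with SO_LINGER {on, 0 s}: the kernel sends RST instead of FIN."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                        struct.pack("ii", 1, 0))
    except OSError:
        pass  # already torn down by the other direction
    sock.close()


def relay(src, dst, framer, peers, validate):
    """Copy src -> dst one complete message at a time; RST both on error."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                dst.shutdown(socket.SHUT_WR)  # clean half-close
                return
            for body in framer.feed(chunk):
                if not validate(body):
                    raise FramingError("message rejected by validator")
                # re-frame so a truncated message never reaches the far end
                dst.sendall(struct.pack("!H", len(body)) + body)
    except (FramingError, OSError):
        for s in peers:
            abort_with_rst(s)


def run_proxy(listen_addr, upstream_addr, validate=lambda body: True):
    """Accept clients and relay each to upstream with framing enforced.

    Transparent deployment (assumption, not from the thread): an ipfw rule
    like 'ipfw add fwd 127.0.0.1,9000 tcp from any to any 7000 in' would
    steer the original flow here without changing either application.
    """
    ln = socket.socket()
    ln.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ln.bind(listen_addr)
    ln.listen(16)
    while True:
        client, _ = ln.accept()
        upstream = socket.create_connection(upstream_addr)
        peers = (client, upstream)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=relay,
                             args=(a, b, MessageFramer(), peers, validate),
                             daemon=True).start()


if __name__ == "__main__":
    # assumed ports: listen on 9000, real service on 7000
    run_proxy(("127.0.0.1", 9000), ("127.0.0.1", 7000))
```

Forwarding re-framed messages rather than raw chunks is the detail that matters: the far end only ever sees bodies the validator has already accepted, and an oversized or malformed header is caught before any of its bytes leave the proxy.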