Date:      Mon, 20 Jan 2003 19:10:34 -0700 (MST)
From:      Nick Rogness <nick@rogness.net>
To:        Jian Song <Jian.Song@nominum.com>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: How to do tcp payload validation
Message-ID:  <20030120190425.Y47844-100000@skywalker.rogness.net>
In-Reply-To: <20030120231904.GE34751@blossom.cjclark.org>

On Mon, 20 Jan 2003, Crist J. Clark wrote:

> On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> > Hi:
> >
> > I need to do tcp payload validation.  Specifically, the tcp stream I am
> > looking at contains multiple messages.  Each message has a two-byte
> > length header, immediately followed by the body.  I would like to
> > monitor the tcp traffic and intercept each message.  If there is an
> > error, I will send RSTs to both ends of the connection.  While I can do
> > a BPF tap and do ip reassembly and tcp processing myself, I was
> > wondering whether this can be achieved through ipfw or ipfilter.  I
> > would like a TCP tap which passes tcp payload data to a user process for
> > further validation.  This way, I don't have to worry about matching ACKs
> > and doing TCP stream reassembly.
>
> It sounds like what you really want is to just have a proxy running on
> the firewall. Write a userland app that just handles the TCP connection
> like any other daemon would. I don't see where a kernel-level firewall
> would ever have to enter into it, unless for some reason you cannot
> change the addresses used by the applications at either end of the
> proxied connection. In that case, you can use transparent proxying via
> 'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).

	Or if that doesn't tickle your tube, you can write something
	using divert(4) sockets and interface it with ipfw.


Nick Rogness <nick@rogness.net>
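Whichever way the payload reaches userland (a proxy on the firewall, or a divert(4) socket), the process still has to re-frame the byte stream into the poster's two-byte-length messages before it can validate anything. The following is an added illustration, not code from anyone in this thread; it assumes the length is in network byte order and counts only the body, and the segment boundaries and size bound are constructed for the demonstration.

```python
import struct

# Assumptions (the original post does not say): the 2-byte length is in
# network byte order and counts only the body, not the header itself.
HEADER_LEN = 2
MAX_BODY = 4096  # constructed sanity bound; a real validator sets its own

class FramingError(Exception):
    """The byte stream violates the length-prefix framing."""

class MessageFramer:
    """Reassembles length-prefixed messages from arbitrary TCP segments.
    A segment may hold half a header, several messages, or a body's tail
    plus the next header; only whole bodies are returned, the rest waits."""

    def __init__(self, max_body=MAX_BODY):
        self.buf = b""
        self.max_body = max_body

    def feed(self, chunk):
        """Append one received chunk; return every complete body, in order."""
        self.buf += chunk
        bodies = []
        while len(self.buf) >= HEADER_LEN:
            (length,) = struct.unpack("!H", self.buf[:HEADER_LEN])
            if length == 0 or length > self.max_body:
                # Out of sync or hostile: stop here so the proxy can tear
                # the connection down (the poster's RST plan), not guess.
                raise FramingError("bad length %d" % length)
            if len(self.buf) < HEADER_LEN + length:
                break  # body not fully received yet; wait for more segments
            bodies.append(self.buf[HEADER_LEN:HEADER_LEN + length])
            self.buf = self.buf[HEADER_LEN + length:]
        return bodies

def encode(body):
    """Build one framed message (used only to construct sample input)."""
    return struct.pack("!H", len(body)) + body

def frame_segments(segments, max_body=MAX_BODY):
    """Feed constructed segments through one framer; return the bodies
    found, or None if the stream violated the framing."""
    framer, out = MessageFramer(max_body), []
    try:
        for seg in segments:
            out.extend(framer.feed(seg))
    except FramingError:
        return None
    return out
```

A real validator would call the message-level checks on each returned body and reset the connection when `feed` raises, rather than trying to resynchronise on a corrupted length.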
