Date:      Fri, 9 Nov 2001 02:17:47 -0800
From:      Luigi Rizzo <rizzo@aciri.org>
To:        Archie Cobbs <archie@dellroad.org>
Cc:        cjclark@alum.mit.edu, freebsd-net@FreeBSD.ORG
Subject:   Re: Fixing ipfw(8)'s 'tee'
Message-ID:  <20011109021747.A11137@iguana.aciri.org>
In-Reply-To: <200111082338.fA8NcBK41060@arch20m.dellroad.org>
References:  <20011107154601.A301@blossom.cjclark.org> <200111082338.fA8NcBK41060@arch20m.dellroad.org>

On Thu, Nov 08, 2001 at 03:38:11PM -0800, Archie Cobbs wrote:
> Crist J. Clark writes:
> > The issue may be that you wish to make a decision on the packet in
> > later rules. For example, someone might wish to 'tee' all traffic to
> > and from a certain machine to some unspecified traffic monitoring
> > program listening on the divert socket. However, all of the traffic
> > to and from that IP address may or may not be allowed by the security
> > policy. With 'tee' as it exists, one cannot catch _all_ of the traffic
> > (whether or not allowed by policy) and still apply policy.

You can implement the above by replacing all terminal actions
(accept or deny) with "tee" and "divert" statements, respectively.

	cheers
	luigi
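
The substitution suggested in the reply above, sketched as an added example that is not part of the original message or of ipfw itself: a small rewriter that turns accept rules into "tee" and deny rules into "divert". The port number and the sample ruleset are constructed, and the sketch assumes the monitoring program never writes diverted packets back to its divert(4) socket, so they stay dropped.

```python
import re

# Assumption: divert(4) port the monitoring program listens on (constructed value).
MONITOR_PORT = 4000

ACCEPT = {"allow", "accept", "pass", "permit"}  # ipfw synonyms for accept
DENY = {"deny", "drop"}                         # ipfw synonyms for deny

# "add", an optional rule number, then the action keyword.
# Rules with a "prob" prefix or other forms are not matched and pass through unchanged.
RULE = re.compile(r"^(\s*(?:ipfw\s+)?add\s+(?:\d+\s+)?)(\S+)(.*)$")


def rewrite_rule(line, port=MONITOR_PORT):
    """Replace a terminal accept/deny action with tee/divert to `port`."""
    m = RULE.match(line)
    if not m:
        return line  # comments, blank lines, non-"add" commands
    head, action, rest = m.groups()
    if action in ACCEPT:
        # Original packet is still accepted; the monitor gets a copy.
        return f"{head}tee {port}{rest}"
    if action in DENY:
        # Packet goes only to the monitor, which must not reinject it.
        return f"{head}divert {port}{rest}"
    return line  # count, skipto, reject, ... are left alone


def rewrite_ruleset(text, port=MONITOR_PORT):
    return "\n".join(rewrite_rule(line, port) for line in text.splitlines())


# Constructed sample ruleset for a monitored host (documentation address).
SAMPLE = """\
add 100 allow tcp from any to 192.0.2.10 22
add 200 deny log ip from any to 192.0.2.10
add 300 count ip from 192.0.2.10 to any
add 65000 pass ip from any to any
"""

if __name__ == "__main__":
    print(rewrite_ruleset(SAMPLE))
```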
