From owner-freebsd-net Fri Nov 9 3:40:12 2001
Date: Fri, 9 Nov 2001 03:37:53 -0800
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: Archie Cobbs, freebsd-net@FreeBSD.ORG
Subject: Re: Fixing ipfw(8)'s 'tee'
Message-ID: <20011109033753.T51134@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011107154601.A301@blossom.cjclark.org> <200111082338.fA8NcBK41060@arch20m.dellroad.org> <20011109021747.A11137@iguana.aciri.org>
In-Reply-To: <20011109021747.A11137@iguana.aciri.org>; from rizzo@aciri.org on Fri, Nov 09, 2001 at 02:17:47AM -0800
X-URL: http://people.freebsd.org/~cjc/

On Fri, Nov 09, 2001 at 02:17:47AM -0800, Luigi Rizzo wrote:
> On Thu, Nov 08, 2001 at 03:38:11PM -0800, Archie Cobbs wrote:
> > Crist J. Clark writes:
> > > The issue may be that you wish to make a decision on the packet in
> > > later rules. For example, someone might wish to 'tee' all traffic to
> > > and from a certain machine to some unspecified traffic monitoring
> > > program listening on the divert socket. However, all of the traffic
> > > to and from that IP address may or may not be allowed by the security
> > > policy. With 'tee' as it exists, one cannot catch _all_ of the traffic
> > > (whether or not allowed by policy) and still apply policy.
>
> You can implement the above by replacing all terminal actions
> (accept or deny) with "tee" and "divert" statements, respectively.

Ouch. I think that you can get any behavior you want in that manner,
but that could be one long and ugly rule set.

Still, it'd be nice if 'tee' worked at all. I'm going to commit the
patch.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
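The workaround Luigi describes (terminal allow becomes 'tee', terminal deny becomes 'divert', so the monitor on the divert socket sees every packet while the policy still holds) as an added example, not code from the thread or from FreeBSD. It assumes a ruleset in the "rulenumber action ..." form that `ipfw list` prints; the monitored host, divert port and sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Rewrites an ipfw(8) ruleset so that
# every terminal rule touching one host becomes 'tee' (was allow) or
# 'divert' (was deny). With a 'tee' that terminates the search and accepts
# the packet, this is the only way to mirror all of the host's traffic.

MONITOR_HOST="192.0.2.10"   # constructed: host whose traffic is mirrored
DIVERT_PORT="8668"          # constructed: port the monitor program listens on

# Constructed sample ruleset, written as the policy the admin wants.
SAMPLE_RULES='00100 allow tcp from any to 192.0.2.10 22
00200 deny ip from 192.0.2.10 to 10.0.0.0/8
00300 allow ip from any to any'

# rewrite_rules: stdin -> stdout. Rules that do not mention the host pass
# through unchanged. allow/accept/pass/permit -> tee PORT (a copy goes to
# the monitor, the original is accepted); deny/drop -> divert PORT (the
# whole packet goes to the monitor and is gone unless the monitor reinjects
# it, so the monitor must only read for the deny semantics to hold).
rewrite_rules() {
    awk -v host="$MONITOR_HOST" -v port="$DIVERT_PORT" '
        index($0, host) == 0 { print; next }
        $2 == "allow" || $2 == "accept" || $2 == "pass" || $2 == "permit" {
            $2 = "tee " port
        }
        $2 == "deny" || $2 == "drop" {
            $2 = "divert " port
        }
        { print }
    '
}

# rewritten_sample: the sample ruleset after the rewrite.
rewritten_sample() {
    printf '%s\n' "$SAMPLE_RULES" | rewrite_rules
}

rewritten_sample
```

Rule 300 stays a plain allow because it does not name the host; the two host-specific rules become `tee 8668` and `divert 8668` and keep their rule numbers and match clauses.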