Date:      Tue, 06 Jan 2015 11:54:29 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        Luigi Rizzo <rizzo@iet.unipi.it>, Olivier Cochard-Labbé <olivier@cochard.me>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Willy@offermans.rompen.nl
Subject:   Re: Why ipfw didn't filter neither log DHCP packets ?
Message-ID:  <54AB5C75.8020001@freebsd.org>
In-Reply-To: <CA+hQ2+jfHej17z6GUKLv9R0toa8ac5Q6Yd1yk4gSmdJp=ofDLg@mail.gmail.com>
References:  <CA+q+TcpOuWXFHO73a5YuSws4ade-9r5e0=J_SY=DCxh1r9pe=Q@mail.gmail.com> <CA+hQ2+gt0JzbQo-2TWtzf_DS-di6csbuGn=GoOaoStuQJdT8sg@mail.gmail.com> <20150105122809.GD31058@vpn.offrom.nl> <CA+q+TcoX7_0++G8b77T-CXGDzmNZhww8hGXVsJxL0C0Qf5cQ7Q@mail.gmail.com> <CA+hQ2+jfHej17z6GUKLv9R0toa8ac5Q6Yd1yk4gSmdJp=ofDLg@mail.gmail.com>

On 1/5/15 9:51 PM, Luigi Rizzo wrote:
> On Mon, Jan 5, 2015 at 2:41 PM, Olivier Cochard-Labbé <olivier@cochard.me>
> wrote:
>
>>
>> I believe that when Luigi says "that acts before the firewall has a chance
>> to see the packets", he was not speaking of the RC script order, but about
>> the FreeBSD network stack layer order.
>> Do you confirm Luigi ?
>>
>>
> correct, it's not a matter of time but of placement
> of the modules in the stack.
>
> injection through bpf goes just above the
> device driver, so there is no chance to see
> bpf-generated packets.
> For incoming traffic, bpf sees a copy, so the
> original still goes through the stack,
> but if you want to see it with ipfw you should
> probably enable layer2 firewalling.
the ordering of the various "special" packet intercepts has always 
been an 'unsolved problem'.
Packets may be intercepted by several different agents in the 
networking code. There are (at least):
bpf/tcpdump
divert
netgraph
ipfw/pf/ipf
if_bridge
vlan handling

And maybe others I didn't think of in the 20 seconds it took to write 
this.
Each of these has an equivalent outgoing injection point as well.
It is possible to make arguments for several different orders in which 
packets should hit these.

For example:
It makes perfect sense for tcpdump to see everything on the wire
regardless of what else is going on, however it may also make
sense to filter what gets to dhclient.  Unfortunately, they both use
the same way of getting packets.
Maybe the answer is to change dhclient to use a different
method.  When it was originally done only bpf existed.


> cheers
> luigi
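What "enable layer2 firewalling" means in practice, as an added example that is not part of the thread: with net.link.ether.ipfw=1, ipfw is also called from the Ethernet layer, so an incoming DHCP reply can be counted and logged on the layer-2 pass and again on the layer-3 pass, while dhclient's own bpf-injected requests are still invisible on output for the placement reason Luigi gives. The interface name, rule numbers and the IFACE/RULE_BASE variables are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw layer-2 rules that make incoming
# DHCP frames visible. Assumes FreeBSD with ipfw loaded. Interface name and
# rule numbers are placeholders.
#
# Placement, as discussed in the thread: packets dhclient sends via bpf are
# injected just above the driver, below every ipfw hook, so no rule here
# will ever match them on output. Incoming frames do go up the stack, and
# with net.link.ether.ipfw=1 ipfw sees them twice: once from the Ethernet
# layer ('layer2' rules) and once from the IP layer ('not layer2' rules).

IFACE="${IFACE:-em0}"          # placeholder interface
RULE_BASE="${RULE_BASE:-1000}" # placeholder rule number

# Sysctl that turns the Ethernet-layer ipfw hooks on (off by default).
layer2_sysctl() {
    printf 'net.link.ether.ipfw=1\n'
}

# Print the ipfw rules, one per line, without applying them.
dhcp_layer2_rules() {
    # Layer-2 pass: the frame as it comes off the wire, before ether_demux()
    # has handed it to the IP layer.
    printf 'add %d count log udp from any 67-68 to any 67-68 layer2 in via %s\n' \
        "$RULE_BASE" "$IFACE"
    # Layer-3 pass: the same packet, now as an IP datagram, so the log shows
    # both passes and makes the double visit obvious.
    printf 'add %d count log udp from any 67-68 to any 67-68 not layer2 in via %s\n' \
        "$((RULE_BASE + 1))" "$IFACE"
}

# Apply only when explicitly asked ("apply"); otherwise show the plan as
# commented commands so the script is safe to run for review.
if [ "${1:-}" = "apply" ]; then
    sysctl "$(layer2_sysctl)"
    dhcp_layer2_rules | while read -r rule; do
        # shellcheck disable=SC2086 # word-splitting of the rule is intended
        ipfw $rule
    done
else
    echo "# sysctl $(layer2_sysctl)"
    dhcp_layer2_rules | sed 's/^/# ipfw /'
fi
```

After applying, `ipfw -a list` shows the counters on both rules climbing for a DHCP lease renewal while outgoing DHCPDISCOVER/DHCPREQUEST frames never increment anything.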