Date:      Fri, 28 Apr 2006 11:39:25 -0400
From:      Daniel Walker <dwalker@zbi.com>
To:        vladone <vladone@spaingsm.com>, ipfw@freebsd.org
Subject:   Re: IPTABLES to IPFW for Packet Inspection Filtering
Message-ID:  <OFBD7BBE12.3AD0268B-ON8525715E.005548F1-8525715E.00561E4E@zbi.com>
In-Reply-To: <1753864896.20060428175200@spaingsm.com>

vladone,

I appreciate the response, but after doing a little more research on the
issue I've discovered it is not possible to do what I want with IPFW. What
I'm trying to do is block DNS queries for a specific domain name (the
domain name is not the DESTINATION but a value to be handled by any
DNS server). To do this I need to be able to match a string within the
body of the data field with a string I provide and have the firewall drop
packets that match. With IPTABLES I'm able to do this by predicting the
hex value of the data field containing a query for the domain name
www.yahoo.com. IPTABLES allows for string matching. IPFW does not. I'll
have to fire up my Ubuntu to do this.

thanks.

dan

vladone <vladone@spaingsm.com>
Sent by: owner-freebsd-ipfw@freebsd.org
04/28/06 10:52 AM
Please respond to vladone <vladone@spaingsm.com>

To: ipfw@freebsd.org
cc:
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Hello Daniel,

Thursday, April 27, 2006, 9:13:02 PM, you wrote:

> hey all,
>
> here's what I'm looking to do.  I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
>
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points.  RELAY is able to receive all packets from SOURCE
> bound to DESTINATION.  I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example).  To do this I need to create a rule
> that will look into the Data field of a DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
>
> With IPTABLES I would write something like this:
>
> RELAY #  iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string

You have an explanation of this in man ipfw.

src and dst: {addr | { addr or ... }} [[not] ports]
             An address (or a list, see below) optionally followed by ports
             specifiers.

             The second format ( or-block with multiple addresses) is provided
             for convenience only and its use is discouraged.

     addr: [not] {any | me | addr-list | addr-set}

     any     matches any IP address.

     me      matches any IP address configured on an interface in the system.
             The address list is evaluated at the time the packet is analysed.

     addr-list: ip-addr[,addr-list]

     ip-addr:
             A host or subnet address specified in one of the following ways:

             numeric-ip | hostname
                     Matches a single IPv4 address, specified as dotted-quad
                     or a hostname.  Hostnames are resolved at the time the
                     rule is added to the firewall list.

So if you want to deny packets from some hostname you have a rule like:
ipfw add 100 deny ip from me to www.yahoo.com


-- 
Best regards,
 vladone                            mailto:vladone@spaingsm.com

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
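As an added example, not code from either poster: the script below shows what the iptables "string" match in this thread actually operates on. It encodes www.yahoo.com the way the name appears in the question section of a DNS query (length-prefixed labels ending in a zero byte), renders that as the --hex-string argument, and then contrasts a raw byte substring search with a check that parses the question and compares the whole name. The DNS queries are constructed in the script. The complete iptables rule it prints is my reconstruction of the shape of the truncated command quoted above; --algo bm and --icase are standard iptables string-match options, and -j DROP is an assumed target.

```python
import struct

# Added example, constructed by the editor. Not code from the thread.


def qname_wire(name: str) -> bytes:
    """Encode a domain name as a DNS QNAME (RFC 1035 3.1): each label
    prefixed by its length byte, terminated by a zero-length root label."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def iptables_hex_string(name: str) -> str:
    """Render the QNAME in the |hh hh ...| form taken by --hex-string."""
    return "|" + " ".join(f"{b:02x}" for b in qname_wire(name)) + "|"


def iptables_rule(name: str, icase: bool = True) -> str:
    """A complete FORWARD rule in the shape of the truncated one in the
    thread. --algo bm and --icase are xt_string options; -j DROP is assumed."""
    flags = "--icase " if icase else ""
    return (f'iptables -I FORWARD 1 -p udp --dport 53 -m string --algo bm '
            f'{flags}--hex-string "{iptables_hex_string(name)}" -j DROP')


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed DNS query payload: 12-byte header (RD set, QDCOUNT=1),
    one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname_wire(name) + struct.pack("!HH", qtype, 1)


def string_match(payload: bytes, name: str, icase: bool = False) -> bool:
    """What 'iptables -m string --hex-string' does: a raw byte substring
    search over the payload. Label-length bytes are <= 63, so lower()
    never changes them; only the letters are folded for --icase."""
    needle, hay = qname_wire(name), payload
    if icase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def parse_qname(payload: bytes, offset: int = 12):
    """Walk the label sequence at offset; return (name, offset after root).
    Question names are never compressed, so a pointer label is an error."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated qname")
        n = payload[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def query_is_for(payload: bytes, name: str) -> bool:
    """The check a DNS-aware filter would make instead: require exactly one
    question, parse it, and compare the whole QNAME case-insensitively."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] != 1:
        return False
    try:
        qname, _ = parse_qname(payload)
    except ValueError:
        return False
    return qname.lower() == name.rstrip(".").lower()


if __name__ == "__main__":
    target = "www.yahoo.com"
    print(iptables_rule(target))
    for probe in ("www.yahoo.com", "WWW.YAHOO.COM", "a.www.yahoo.com",
                  "www.yahoo.com.example", "mail.yahoo.com"):
        q = build_query(probe)
        print(f"{probe:24} string:{string_match(q, target)!s:5} "
              f"string --icase:{string_match(q, target, icase=True)!s:5} "
              f"parsed:{query_is_for(q, target)}")
```

Two things the byte match does that the thread does not spell out: because the needle ends with the root label, it hits www.yahoo.com and every name below it (a.www.yahoo.com) but not mail.yahoo.com or www.yahoo.com.example; and because DNS names are case-insensitive, a client that sends WWW.YAHOO.COM slips past the rule unless --icase is given. The ipfw rule suggested in the reply is a different filter altogether: per the man page excerpt, the hostname is resolved once when the rule is added and the rule then matches on the resolved destination address, not on the name carried inside the query.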