Date:      Wed, 7 Nov 2001 15:46:01 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Luigi Rizzo <rizzo@aciri.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Fixing ipfw(8)'s 'tee'
Message-ID:  <20011107154601.A301@blossom.cjclark.org>
In-Reply-To: <20011107093404.B96033@iguana.aciri.org>; from rizzo@aciri.org on Wed, Nov 07, 2001 at 09:34:04AM -0800
References:  <20011107021241.D307@blossom.cjclark.org> <20011107093404.B96033@iguana.aciri.org>

On Wed, Nov 07, 2001 at 09:34:04AM -0800, Luigi Rizzo wrote:
> On Wed, Nov 07, 2001 at 02:12:41AM -0800, Crist J. Clark wrote:
> ...
> > About 'accepted,' but I don't believe this is the intended
> > behavior. For outgoing packets, one copy is sent to the divert port
> > and the other is routed to the destination on the packet.
> ...
> > I'm not really sure if I understand what 'tee' is needed for. Why
> > not just have whatever is listening on the 'tee' divert socket write
> > packets back in? This also works around the issue that 'tee' packets
> > are immediately accepted by the firewall. But if we want to keep
> > 'tee,' it probably should work.
> 
> for sure we can replace tee with divert as you say, but then
> you would depend on the userland app to do its work (and you
> could have drops on the divert socket, whereas forwarding within
> the kernel is much faster).
> 
> There is not an issue of accept vs. deny a "tee" packet, if
> you want to deny it you just use a "divert" rule instead.

The issue may be that you wish to make a decision on the packet in
later rules. For example, someone might wish to 'tee' all traffic to
and from a certain machine to some unspecified traffic monitoring
program listening on the divert socket. However, all of the traffic
to and from that IP address may or may not be allowed by the security
policy. With 'tee' as it exists, one cannot catch _all_ of the traffic
(whether or not allowed by policy) and still apply policy.

But does everyone agree the current behavior of 'tee' is broken? The
firewall should not be passing packets not destined for itself up the
stack; it should be forwarding them, right?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
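The policy conflict described in the message above, written out as an ipfw(8) ruleset; this is an added illustration, not part of the thread. The address 192.0.2.10, divert port 8668 and the telnet deny rule are placeholders chosen for the example.

```conf
# Goal: mirror every packet to/from 192.0.2.10 to a monitor listening on
# divert port 8668, and still enforce policy on the same packets.
# (192.0.2.10 and port 8668 are example values, not from the thread.)
ipfw add 100 tee 8668 ip from any to 192.0.2.10
ipfw add 110 tee 8668 ip from 192.0.2.10 to any
# With 'tee' as it behaves in the thread, a packet matching rule 100 or
# 110 is accepted there, so this deny is never reached for that traffic:
ipfw add 200 deny tcp from any to 192.0.2.10 23
ipfw add 65000 allow ip from any to any

# The 'divert' alternative raised in the thread: the monitor must write
# each packet back to the divert socket using the sockaddr it received,
# after which ipfw resumes matching at the rule following the divert
# rule, so rule 200 is still applied to the mirrored traffic.
ipfw add 100 divert 8668 ip from any to 192.0.2.10
ipfw add 110 divert 8668 ip from 192.0.2.10 to any
ipfw add 200 deny tcp from any to 192.0.2.10 23
ipfw add 65000 allow ip from any to any
```

The trade-off is the one Luigi notes: with divert the forwarding path now depends on the userland monitor, and packets dropped on the divert socket are lost rather than forwarded in-kernel.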