List: freebsd-ipfw
Subject: Re: How to do tcp payload validation
From: Nick Rogness <nick () rogness ! net>
Date: 2003-01-21 2:10:34
On Mon, 20 Jan 2003, Crist J. Clark wrote:
> On Fri, Jan 17, 2003 at 01:39:02PM +0000, Jian Song wrote:
> > Hi:
> >
> > I need to do tcp payload validation. Specifically, the tcp stream I am
> > looking at contains multiple messages. Each message has a two byte
> > length header immediately followed by the body. I would like to
> > monitor the tcp traffic and intercept each message. If there is an
> > error, I will send RSTs to both ends of the connection. While I can do
> > a BPF tap and do ip reassembly and tcp processing myself, I was
> > wondering whether this can be achieved through ipfw or ipfilter. I
> > would like a TCP tap which passes tcp payload data to a user process for
> > further validation. This way, I don't have to worry about matching ACKs
> > and doing TCP stream reassembly.
>
> It sounds like what you really want is to just have a proxy running on
> the firewall. Write a userland app that just handles the TCP connection
> like any other daemon would. I don't see where a kernel-level firewall
> would ever have to enter into it, unless for some reason you cannot
> change the addresses used by the applications at either end of the
> proxied connection. In that case, you can use transparent proxying via
> 'fwd' or using natd(8) with ipfw(8), or ipnat(8) with ipf(8).
Or if that doesn't tickle your tube, you can write something
using divert(4) sockets and interface it with ipfw.
Nick Rogness <nick@rogness.net>
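The proxy route Crist describes leaves TCP reassembly and ACK handling to the kernel: the daemon just reads a byte stream from each side. The one part that still needs care is that recv() returns chunks that do not line up with the two-byte-length message boundaries, so the proxy has to buffer partial messages and may get several messages in one read. The following is an added example, not code from this thread or from FreeBSD: a per-direction framer that accepts arbitrary chunks, validates each complete message through a hook, and latches a failure, plus the SO_LINGER trick that makes close() emit an RST instead of a FIN so both peers can be reset. The validation policy (non-empty printable ASCII) is an assumption for illustration, since the thread never says what a valid body looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_BODY 65535u   /* largest body a two-byte length can describe */

/* Per-direction framing state for one proxied TCP stream. The kernel has
 * already reassembled TCP; we only cope with recv() chunk boundaries. */
typedef struct {
    uint8_t buf[2 + MAX_BODY];  /* header + body of the message in progress */
    size_t  len;                /* bytes of the current message buffered so far */
    size_t  msgs;               /* complete messages accepted on this direction */
    bool    bad;                /* latched once any message fails validation */
} framer_t;

/* Validation hook. Assumed policy for this example: non-empty printable ASCII. */
typedef bool (*validator_t)(const uint8_t *body, size_t n);

bool printable_ascii(const uint8_t *body, size_t n)
{
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++)
        if (body[i] < 0x20 || body[i] > 0x7e)
            return false;
    return true;
}

void framer_init(framer_t *f) { memset(f, 0, sizeof *f); }

/* Body length from the big-endian header; valid once 2 bytes are buffered. */
static size_t body_len(const framer_t *f)
{
    return ((size_t)f->buf[0] << 8) | f->buf[1];
}

/* Feed one chunk from recv(). Returns the number of complete messages
 * accepted during this call, or -1 on (and after) the first validation
 * failure, at which point the caller should tear the connection down. */
int framer_feed(framer_t *f, const uint8_t *data, size_t n, validator_t v)
{
    int accepted = 0;
    while (!f->bad) {
        /* Bytes still missing from the message in progress. */
        size_t need = (f->len < 2) ? 2 - f->len : 2 + body_len(f) - f->len;
        if (need == 0) {            /* whole message buffered (body may be empty) */
            if (!v(f->buf + 2, body_len(f))) {
                f->bad = true;
                break;
            }
            f->msgs++;
            accepted++;
            f->len = 0;             /* start the next message */
            continue;
        }
        if (n == 0)
            break;                  /* wait for more data */
        size_t take = need < n ? need : n;
        memcpy(f->buf + f->len, data, take);
        f->len += take;
        data += take;
        n -= take;
    }
    return f->bad ? -1 : accepted;
}

/* Abort a TCP connection so the peer sees an RST rather than a FIN:
 * SO_LINGER with a zero timeout makes close() drop unsent data and reset.
 * A proxy calls this on both of its sockets to reset both ends. */
int abort_connection(int fd)
{
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg) != 0)
        return -1;
    return close(fd);
}

/* Constructed stream: "hello" then "ok", delivered in three awkward chunks
 * (header split, body split, two messages completing in the last read). */
int demo_split_stream(void)
{
    static const uint8_t stream[] = "\x00\x05hello\x00\x02ok";  /* 11 bytes */
    framer_t f;
    framer_init(&f);
    int total = 0;
    for (size_t off = 0, chunk[] = {1, 5, 5}, i = 0; i < 3; off += chunk[i++]) {
        int r = framer_feed(&f, stream + off, chunk[i], printable_ascii);
        if (r < 0)
            return r;
        total += r;
    }
    return total;   /* 2: nothing completes until the third chunk lands */
}

/* Constructed stream whose one-byte body is a control character. */
int demo_bad_message(void)
{
    static const uint8_t stream[] = "\x00\x01\x01";
    framer_t f;
    framer_init(&f);
    return framer_feed(&f, stream, 3, printable_ascii);   /* -1 */
}
```

In a real proxy each direction gets its own framer_t; bytes are forwarded only after framer_feed accepts them, and a -1 from either side is followed by abort_connection() on both sockets. The same framer works unchanged behind a divert(4) socket only if you also do the reassembly yourself, which is exactly the work the proxy approach avoids.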