
List:       ipfilter
Subject:    Writing a firewall
From:       david () yertle ! fp ! trw ! com (David Anderson)
Date:       1997-09-03 21:49:31

I have an application gateway that needs to inspect every single packet passing 
between its two interfaces (i.e. a firewall).  I intend to use IP Filter, with 
some modifications.  Before IP routing takes place I want to replace the real 
destination address in the IP header with the gateway's address, meaning that it 
should get up to the application layer rather than being routed.  But, I also 
want to get the real destination address to the application in such a way that 
the application can match it up with the correct socket connection.

What's the best way to do this?

I've gotten one suggestion to use an ioctl() to send the address to the 
application, à la IP Filter.  I don't know how to match this message up with a 
(TCP) socket connection though.

Another suggestion was to insert a special IP packet just to transmit the 
address.  If I spoof the IP and TCP header fields correctly, my application 
could just read the real destination address off the front of every socket 
connection data stream.  But I'm concerned that spoofing certain fields (like 
TCP sequence numbers) may not be possible.

Bear in mind that this application gateway supports multiple instances each of 
multiple protocol proxies, so I can't make many assumptions about the nature of 
the data arriving on a particular socket connection.

Thanks for any help.

-David Anderson
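
One way to do the matching that the ioctl() approach needs, as an added example that is not part of this thread: the application keys its lookup on the TCP 4-tuple it can read from the accepted socket with getpeername()/getsockname(), and the filter's per-connection record of the real destination is keyed on the same 4-tuple (this is the shape of IP Filter's SIOCGNATL lookup on /dev/ipnat; the NAT_TABLE dict below is a constructed stand-in for that kernel-side record, and the addresses and ports in it are made up).

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnKey:
    """The TCP 4-tuple as the gateway sees it after the destination rewrite."""
    src_ip: str
    src_port: int
    gw_ip: str
    gw_port: int


# Constructed stand-in for the filter's NAT table: for every rewritten
# connection it records the destination the client really asked for, keyed on
# the 4-tuple the application will later observe on its accepted socket.
NAT_TABLE = {
    ConnKey("10.0.0.5", 40001, "192.0.2.1", 8080): ("203.0.113.7", 80),
    ConnKey("10.0.0.5", 40002, "192.0.2.1", 8080): ("203.0.113.9", 443),
}


def key_from_socket(conn):
    """Build the lookup key from an accepted socket; the proxy can always do
    this itself, whatever protocol the connection carries."""
    src_ip, src_port = conn.getpeername()[:2]
    gw_ip, gw_port = conn.getsockname()[:2]
    return ConnKey(src_ip, src_port, gw_ip, gw_port)


def real_destination(table, key):
    """Return the (ip, port) the client originally addressed, or None when the
    filter has no record (the proxy should close such connections rather than
    guess) or when the record points back at the gateway socket itself (a
    forwarding loop)."""
    dest = table.get(key)
    if dest is None or dest == (key.gw_ip, key.gw_port):
        return None
    return dest


if __name__ == "__main__":
    # Loopback demonstration: the accepted socket's own 4-tuple is the key.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    k = key_from_socket(conn)
    table = {k: ("203.0.113.7", 80)}  # what the filter would have recorded
    print(k, "->", real_destination(table, k))
    conn.close(); cli.close(); srv.close()
```

Because the key is built from the socket rather than from the data stream, the lookup works the same for every proxy instance and protocol, which is what the multi-proxy gateway described above needs.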
