
List:       ipfilter
Subject:    Re: dup-to not changing destination address ver 4.1.13
From:       Steve Clark <sclark () netwolves ! com>
Date:       2008-01-23 12:46:56
Message-ID: 47973740.6040904 () netwolves ! com

Darren Reed wrote:
> Steve Clark wrote:
> 
>>Hello,
>>
>>I have the following rule:
>>
>>pass out on rl1 dup-to rl0:10.0.129.101 proto udp from any to any port = 14050
>>
>>I see the packets using tcpdump on 10.0.129.101 but the destination 
>>address
>>is not rewritten.
>>
>>
>>13:16:03.811279 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 1184
>>13:16:04.062139 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 788
>>13:16:19.114416 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 416
>>13:16:19.370000 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 32
>>13:17:02.257295 IP 10.0.129.2.2295 > 10.0.129.101.14050: UDP, length 327
>>
>>
>>Does this even work?
> 
> 
> dup-to does not change the destination address in the packet.
> 
> Darren
> 
> 

Thanks for the response, Darren - I guess I am not understanding the
following section in the ipfilter howto document then.

9.3.1.  The dup-to Method

      If, for example, we wanted to send a copy of everything
going out the xl3 interface off to our drop-safe network on
ed0, we would use this rule in our filter list:

      pass out on xl3 dup-to ed0 from any to any

You might also have a need to send the packet directly to a
specific IP address on your drop-safe network instead of
just making a copy of the packet out there and hoping for
the best.  To do this, we modify our rule slightly:

      pass out on xl3 dup-to ed0:192.168.254.2 from any to any

But be warned that this method will alter the copied
packet's destination address, and may thus destroy the
         ^^^^^^^^^^^^^^^^^^^
usefulness of the log.  For this reason, we recommend only
using the known address method of logging when you can be
certain that the address that you're logging to corresponds
in some way to what you're logging for (e.g.: don't use
"192.168.254.2" for logging for both your web server and
your mail server, since you'll have a hard time later trying
to figure out which system was the target of a specific set
of packets.)

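The check the poster was doing by eye, as an added example that is not part of the thread and not IPFilter code: parse tcpdump's default one-line IP summary as captured on the dup-to sensor, pick out the packets matching the rule's port, and split them by whether their destination equals the dup-to address. The dup-to address (10.0.129.101) and port (14050) are taken from the rule in the post, and the sample capture is the five lines quoted above, re-joined onto one line each. Any matching packet whose destination is not the dup-to address is a copy that was delivered without rewriting; packets whose destination already equals the sensor's address are ambiguous, since they could be ordinary traffic to the sensor rather than copies, which is the caveat to keep in mind before concluding anything from the "rewritten" bucket.

```python
"""Classify packets seen on a dup-to sensor by destination address.

Added example for the ipfilter dup-to discussion; not code from the thread
or from IPFilter. Handles only tcpdump's default one-line IPv4 summary:
    HH:MM:SS.ffffff IP src.sport > dst.dport: PROTO, length N
"""
import re
from dataclasses import dataclass
from typing import Optional

# Values taken from the rule in the post:
#   pass out on rl1 dup-to rl0:10.0.129.101 proto udp from any to any port = 14050
DUP_TO_ADDR = "10.0.129.101"
DUP_TO_PORT = 14050

# Sample capture: the five tcpdump lines from the post, re-joined one per line.
SAMPLE_CAPTURE = """\
13:16:03.811279 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 1184
13:16:04.062139 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 788
13:16:19.114416 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 416
13:16:19.370000 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 32
13:17:02.257295 IP 10.0.129.2.2295 > 10.0.129.101.14050: UDP, length 327
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TCPDUMP_LINE = re.compile(
    rf"^(?P<ts>\d{{2}}:\d{{2}}:\d{{2}}\.\d+) IP "
    rf"(?P<src>{_IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{_IPV4})\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length (?P<length>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_tcpdump(text: str) -> list[Packet]:
    """Parse one-line tcpdump summaries; reject anything else loudly."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TCPDUMP_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised tcpdump line: {line!r}")
        packets.append(Packet(
            m["ts"], m["src"], int(m["sport"]),
            m["dst"], int(m["dport"]),
            m["proto"], int(m["length"]),
        ))
    return packets


def classify_dup_to(packets, dup_to_addr: str, port: int):
    """Split packets for `port` into (dst == dup_to_addr, dst != dup_to_addr).

    The second list is conclusive: those copies arrived with their original
    destination intact. The first list is not: traffic genuinely addressed to
    the sensor lands there too, so it cannot prove that rewriting happened.
    """
    rewritten, unrewritten = [], []
    for p in packets:
        if p.dport != port:
            continue
        (rewritten if p.dst == dup_to_addr else unrewritten).append(p)
    return rewritten, unrewritten


def copies_keep_original_destination(packets, dup_to_addr: str, port: int) -> Optional[bool]:
    """True if any matching packet reached the sensor unrewritten, False if
    every matching packet carried the dup-to address, None if none matched."""
    rewritten, unrewritten = classify_dup_to(packets, dup_to_addr, port)
    if not rewritten and not unrewritten:
        return None
    return bool(unrewritten)


def main() -> None:
    packets = parse_tcpdump(SAMPLE_CAPTURE)
    rewritten, unrewritten = classify_dup_to(packets, DUP_TO_ADDR, DUP_TO_PORT)
    print(f"dst == {DUP_TO_ADDR}: {len(rewritten)} (ambiguous: may be native traffic)")
    print(f"dst != {DUP_TO_ADDR}: {len(unrewritten)} (copies delivered unrewritten)")
    for p in unrewritten:
        print(f"  {p.ts} {p.src}.{p.sport} -> {p.dst}.{p.dport} len {p.length}")


if __name__ == "__main__":
    main()
```

Run it against a real capture with `tcpdump -n -l -i <sensor-if> udp port 14050` piped into `parse_tcpdump`; the `-n` matters, since hostnames would not match the address pattern. On the sample from the post, two packets to 65.162.182.101 arrive on the sensor with their original destination, which is the observation the poster raised.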