List: ipfilter
Subject: Re: dup-to not changing destination address ver 4.1.13
From: Steve Clark <sclark () netwolves ! com>
Date: 2008-01-23 12:46:56
Message-ID: 47973740.6040904 () netwolves ! com
Darren Reed wrote:
> Steve Clark wrote:
>
>>Hello,
>>
>>I have the following rule:
>>
>>pass out on rl1 dup-to rl0:10.0.129.101 proto udp from any to any port
>>= 14050
>>
>>I see the packets using tcpdump on 10.0.129.101 but the destination
>>address
>>is not rewritten.
>>
>>
>>13:16:03.811279 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 1184
>>13:16:04.062139 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 788
>>13:16:19.114416 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 416
>>13:16:19.370000 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 32
>>13:17:02.257295 IP 10.0.129.2.2295 > 10.0.129.101.14050: UDP, length 327
>>
>>
>>Does this even work?
>
>
> dup-to does not change the destination address in the packet.
>
> Darren
>
>
Thanks for the response Darren - I guess I am not understanding the
following section
in the ipfilter howto document then.
9.3.1. The dup-to Method
If, for example, we wanted to send a copy of everything
going out the xl3 interface off to our drop-safe network on
ed0, we would use this rule in our filter list:
pass out on xl3 dup-to ed0 from any to any
You might also have a need to send the packet directly to a
specific IP address on your drop-safe network instead of
just making a copy of the packet out there and hoping for
the best. To do this, we modify our rule slightly:
pass out on xl3 dup-to ed0:192.168.254.2 from any to any
But be warned that this method will alter the copied
packet's destination address, and may thus destroy the use-
^^^^^^^^^^^^^^^^^
fulness of the log. For this reason, we recommend only
using the known address method of logging when you can be
certain that the address that you're logging to corresponds
in some way to what you're logging for (e.g.: don't use
"192.168.254.2" for logging for both your web server and
your mail server, since you'll have a hard time later trying
to figure out which system was the target of a specific set
of packets.)
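The capture quoted above can be checked mechanically for what Darren describes: if dup-to rewrote the destination, every copy arriving at the drop-safe host would carry the dup-to address as its IP destination. The following is an added example, not code from the thread or from IPFilter; it parses the tcpdump summary lines Steve posted (embedded here as constructed sample input) and separates copies whose destination already equals the dup-to target from copies that still carry their original destination. The regular expression assumes tcpdump's default one-line IPv4 UDP summary format; the helper names are hypothetical.

```python
import re

# Constructed sample input: the tcpdump lines quoted in the thread, as seen
# on the dup-to target host 10.0.129.101 (rule: dup-to rl0:10.0.129.101,
# udp dport 14050).
SAMPLE_CAPTURE = """\
13:16:03.811279 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 1184
13:16:04.062139 IP 10.0.129.2.2290 > 10.0.129.101.14050: UDP, length 788
13:16:19.114416 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 416
13:16:19.370000 IP 65.162.182.42.60698 > 65.162.182.101.14050: UDP, length 32
13:17:02.257295 IP 10.0.129.2.2295 > 10.0.129.101.14050: UDP, length 327
"""

# Assumption: tcpdump's default IPv4 UDP summary line. IPv6, TCP flags and
# verbose (-v) output are not handled; such lines raise ValueError.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>[A-Za-z]+), length (?P<length>\d+)$"
)


def parse_tcpdump(text):
    """Parse tcpdump summary lines into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised tcpdump line: %r" % line)
        d = m.groupdict()
        packets.append({
            "ts": d["ts"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "proto": d["proto"],
            "length": int(d["length"]),
        })
    return packets


def audit_dup_to(packets, dup_target, dport):
    """Split the copies matched by the dup-to rule into those whose IP
    destination equals the dup-to address and those that still carry
    their original destination (i.e. were not rewritten)."""
    to_target = []
    not_rewritten = []
    for p in packets:
        if p["dport"] != dport:
            continue  # not matched by the rule under test
        if p["dst"] == dup_target:
            to_target.append(p)
        else:
            not_rewritten.append(p)
    return {"to_target": to_target, "not_rewritten": not_rewritten}


def original_destinations(packets, dup_target, dport):
    """Sorted set of original destinations preserved in the copies."""
    audit = audit_dup_to(packets, dup_target, dport)
    return sorted({p["dst"] for p in audit["not_rewritten"]})


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    result = audit_dup_to(pkts, "10.0.129.101", 14050)
    print("copies addressed to the dup-to host:", len(result["to_target"]))
    print("copies still carrying another destination:",
          len(result["not_rewritten"]))
    for p in result["not_rewritten"]:
        print("  %s %s:%d -> %s:%d" % (p["ts"], p["src"], p["sport"],
                                       p["dst"], p["dport"]))
```

On the quoted capture the two packets from 65.162.182.42 still show 65.162.182.101 as their destination even though they reached the 10.0.129.101 host, which is exactly the behaviour Darren states: the address after the colon in dup-to steers the copy toward that host but the copied packet's IP header is left as it was. A practical consequence is that the drop-safe host will only see such copies with a promiscuous capture tool like tcpdump; its own IP stack has no reason to accept datagrams addressed to another host.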