Useful addition to ipfw
Darren Reed
avalon at caligula.anu.edu.au
Tue Dec 13 16:16:06 PST 2005
In some mail from Borja Marcos, sie said:
>
>
> Hello,
>
> I've found myself in a situation where a simple data inspection
> capability added to ipfw would be very useful.
>
> I'm not thinking about anything especially sophisticated, but what
> about adding an option to check byte values (or flags, similar to
> tcpdump)?
>
> An example rule could be: add deny udp from any to me 12345 udp[4]&234
>
> being the rule true if byte 4 in the UDP packet AND the number 234 is
> not zero.
I believe you could do that today, with IPFilter, if you expressed
the entire packet-matching part of the rule with BPF.
Darren
More information about the freebsd-security
mailing list