divert , ipfw question

Nickolay A. Kritsky nkritsky at star-sw.com
Tue Sep 28 03:36:25 PDT 2004


Hello Zrelli,

The rule "65000 allow ip from any to any" stops processing of a packet,
so it will never reach the diverting rule 65100.

See man ipfw about rule processing.

Tuesday, September 28, 2004, 2:08:36 PM, Zrelli Saber Ben Mohamed wrote:

ZSBM> Hi,

ZSBM> I'm interested in the "divert" mechanism and want to try it out,
ZSBM> so I recompiled the kernel ( FreeBSD 5.2.1-RELEASE #0 ) after adding the
ZSBM> IPDIVERT option and then added the needed lines in the rc.conf file.
ZSBM> After that, I set up ipfw to divert packets to some port;
ZSBM> here is my ipfw rule set.

ZSBM> 00100 allow ip from any to any via lo0
ZSBM> 00200 deny ip from any to 127.0.0.0/8
ZSBM> 00300 deny ip from 127.0.0.0/8 to any
ZSBM> 65000 allow ip from any to any
ZSBM> 65100 divert 5000 ip from any 22 to me  <---- the divert rule
ZSBM> 65535 deny ip from any to any

ZSBM> Then, I wanted to monitor the diverted traffic using tcpdump:

ZSBM> $ tcpdump port 5000

ZSBM> When I do a telnet connection to port 22 from a remote host, I was
ZSBM> expecting that tcpdump would display the packets diverted to port 5000 by
ZSBM> ipfw.
ZSBM> The remote host I use shows that it connects to port 22, and the ipfw
ZSBM> divert rule seems not to work.
ZSBM> I can set another rule to block the traffic on port 22, and it works;
ZSBM> only the divert rule seems to fail.

ZSBM> I wrote a piece of code using a divert socket to read packets from the
ZSBM> divert port, but no result ...

ZSBM> I think I'm missing something,

ZSBM> so please enlighten my mind ...


ZSBM> Many Thanks


ZSBM> --
ZSBM> Saber



-- 
Best regards,
;  Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:nkritsky at star-sw.com
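As an added illustration of the rule-ordering point above (not code from either poster), a small Python first-match simulator for the simplified ipfw syntax used in this thread: it reports which rule a packet hits and which rules are shadowed by an earlier catch-all, for the original rule set and for the same set with the divert rule numbered before 65000. The local address, interface name and packet values are constructed for the example.

```python
import ipaddress

ME = {ipaddress.ip_address("192.0.2.10")}  # constructed: what the ipfw keyword "me" expands to here

def parse_rule(line):
    """Parse a simplified ipfw rule: NUM action [divert-port] proto from SRC [PORT] to DST [PORT] [via IFACE]."""
    t = line.split()
    num, action = int(t[0]), t[1]
    arg, body = (int(t[2]), t[3:]) if action == "divert" else (None, t[2:])
    f, to = body.index("from"), body.index("to")
    src, rest = body[f + 1:to], body[to + 1:]
    via = rest[rest.index("via") + 1] if "via" in rest else None
    rest = rest[:rest.index("via")] if via else rest
    return {"num": num, "action": action, "arg": arg, "proto": body[0],
            "src": src[0], "sport": int(src[1]) if len(src) > 1 else None,
            "dst": rest[0], "dport": int(rest[1]) if len(rest) > 1 else None, "via": via}

def addr_match(spec, addr):
    """'any' matches everything, 'me' the host's own addresses, anything else is a CIDR prefix."""
    return spec == "any" or (ipaddress.ip_address(addr) in ME if spec == "me"
                             else ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and r["sport"] in (None, pkt["sport"]) and r["dport"] in (None, pkt["dport"])
            and r["via"] in (None, pkt["iface"]))

def first_match(rules, pkt):
    """ipfw semantics: the first matching rule decides; allow, deny and divert all end the search."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"  # implicit default rule

def unreachable(rules):
    """Rule numbers that can never fire: they follow an 'ip from any to any' with no port or via qualifier."""
    catch_all = [r["num"] for r in rules if (r["proto"], r["src"], r["dst"]) == ("ip", "any", "any")
                 and not (r["sport"] or r["dport"] or r["via"])]
    return sorted(r["num"] for r in rules if catch_all and r["num"] > min(catch_all))

# The rule set from the post, and the same set with the divert rule numbered before the catch-all allow.
ORIGINAL = [parse_rule(l) for l in """00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 divert 5000 ip from any 22 to me
65535 deny ip from any to any""".splitlines()]
REORDERED = [r for r in ORIGINAL if r["num"] != 65100] + [parse_rule("64000 divert 5000 ip from any 22 to me")]

# Constructed packets: a remote host's SYN towards local port 22, and a packet whose *source* port is 22.
INBOUND_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 22, "iface": "em0"}
FROM_PORT_22 = {"proto": "tcp", "src": "198.51.100.7", "sport": 22, "dst": "192.0.2.10", "dport": 40000, "iface": "em0"}
```

With the original numbering the inbound SYN is accepted by 65000 and both 65100 and 65535 are reported unreachable; after renumbering, the divert rule is reached but, written as "from any 22 to me", it matches packets whose source port is 22, not the inbound SYN whose destination port is 22.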




More information about the freebsd-hackers mailing list