IPTABLES to IPFW for Packet Inspection Filtering
Daniel Walker
dwalker at zbi.com
Fri Apr 28 15:39:43 UTC 2006
vladone,
I appreciate the response, but after doing a little more research on the
issue I've discovered it is not possible to do what I want with IPFW. What
I'm trying to do is block DNS queries for a specific domain name (the
domain name is not the DESTINATION but a value to be handled by any
DNS server). To do this I need to be able to match a string within the
body of the data field against a string I provide and have the firewall drop
packets that match. With IPTABLES I'm able to do this by predicting the
hex value of the data field containing a query for the domain name
www.yahoo.com. IPTABLES allows for string matching. IPFW does not. I'll
have to fire up my Ubuntu to do this.
Thanks.
dan
vladone <vladone at spaingsm.com>
Sent by: owner-freebsd-ipfw at freebsd.org
04/28/06 10:52 AM
Please respond to: vladone <vladone at spaingsm.com>
To: ipfw at freebsd.org
cc:
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering
Hello Daniel,
Thursday, April 27, 2006, 9:13:02 PM, you wrote:
> hey all,
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of a DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
> With IPTABLES I would write something like this:
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string
You have an explanation for this in man ipfw:
src and dst: {addr | { addr or ... }} [[not] ports]
    An address (or a list, see below) optionally followed by ports
    specifiers.
    The second format (or-block with multiple addresses) is provided
    for convenience only and its use is discouraged.

addr: [not] {any | me | addr-list | addr-set}
    any    matches any IP address.
    me     matches any IP address configured on an interface in the
           system. The address list is evaluated at the time the packet
           is analysed.

addr-list: ip-addr[,addr-list]

ip-addr:
    A host or subnet address specified in one of the following ways:
    numeric-ip | hostname
        Matches a single IPv4 address, specified as dotted-quad or a
        hostname. Hostnames are resolved at the time the rule is added
        to the firewall list.
So if you want to deny packets from some hostname you have a rule like:
ipfw add 100 deny ip from me to www.yahoo.com
--
Best regards,
vladone mailto:vladone at spaingsm.com
_______________________________________________
freebsd-ipfw at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
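The thread turns on "predicting the hex value of the data field" for a DNS query. The following is an added worked example written for this page, not code from either poster: it encodes a name into DNS wire-format labels, prints that pattern in the `|..|` hex notation that iptables' string match accepts, and then applies the same byte-substring test a firewall string matcher performs to a few constructed query payloads. The DNS packets and the function names are constructed for the example; the behaviour it illustrates is the raw substring match, including two practical caveats: the pattern also matches any subdomain of the blocked name, and an exact byte match misses mixed-case queries because DNS names are case-insensitive on the wire.

```python
# Added example: predict the bytes a DNS query for a name carries in its
# UDP payload, and show what a byte-substring firewall match catches.
import struct


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels, e.g.
    'www.yahoo.com' -> b'\\x03www\\x05yahoo\\x03com\\x00'.
    Case is preserved, exactly as a resolver would put it on the wire."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def hex_string_pattern(name: str) -> str:
    """Render the label bytes in the |xx xx ...| form iptables --hex-string takes."""
    return "|" + " ".join(f"{b:02x}" for b in encode_qname(name)) + "|"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query: 12-byte header (RD set, QDCOUNT=1) + one
    question (QNAME, QTYPE, QCLASS=IN). This is the UDP payload a firewall sees."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def query_matches(payload: bytes, blocked: str) -> bool:
    """Exact byte-substring match, which is what a string matcher does."""
    return encode_qname(blocked) in payload


def query_matches_icase(payload: bytes, blocked: str) -> bool:
    """Case-insensitive variant: fold both sides before matching."""
    return encode_qname(blocked).lower() in payload.lower()


if __name__ == "__main__":
    blocked = "www.yahoo.com"
    print("pattern:", hex_string_pattern(blocked))
    for qname in ["www.yahoo.com", "mail.yahoo.com", "cdn.www.yahoo.com", "WWW.YAHOO.COM"]:
        p = build_query(qname)
        print(f"{qname:20s} exact={query_matches(p, blocked)!s:5} icase={query_matches_icase(p, blocked)}")
```

Running it shows that the exact pattern drops `www.yahoo.com` and, as a side effect of substring matching, `cdn.www.yahoo.com`, but lets `WWW.YAHOO.COM` through; a client that mixes case (some resolvers do this deliberately) evades the byte-exact rule unless the match is made case-insensitive.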