IPTABLES to IPFW for Packet Inspection Filtering
Kelly Yancey
kbyanc at posi.net
Tue May 2 19:52:01 UTC 2006
On Thu, 27 Apr 2006, Daniel Walker wrote:
> hey all,
>
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
>
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of an DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
>
> With IPTABLES I would write something like this:
>
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string
> "|01 00 00 01 00 00 00 00 00 00 03 77 77 77 05 79 61 68 6f 6f 03 63 6f 6d
> 00 00 01 00 01|" -j DROP
>
> How would I write this in IPFW? I cannot see how to apply a rule based
> on the data of a packet. I've reviewed the man page of ipfw, but don't
> see anything there. What am I missing?
>
> Thanks.
>
> Dan
This is truly evil, but I have old patches (against FreeBSD 4.10)
which allow Henry Spencer's regex library to be used in the kernel:
http://people.freebsd.org/~kbyanc/kernel-regex.diff
However, this is only a proof-of-concept; you would need to modify
ipfw (both userland and kernel) to actually invoke the regex routines in
response to an ipfw rule. As others have pointed out, though, you
should probably just write a userland utility using the divert(4)
interface and do your matching there.
Kelly
--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly at nttmcl.com
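The divert(4) approach the reply recommends, written out as an added example (this is not code from the list post, from natd, or from FreeBSD): ipfw hands the DNS packets to a userland process, which parses the query name itself and simply does not reinject the packets it wants dropped. The divert port 8668, the ipfw rule in the header comment, the blocked name, and the sample packet are all assumptions constructed for this example; the sample's DNS portion matches the hex pattern the original iptables rule looks for.

```c
/* Added example, not code from the post: a userland DNS-query filter fed by a
 * divert(4) socket. Assumes an ipfw rule such as
 * "ipfw add divert 8668 udp from any to any 53" on RELAY; the divert port and
 * the blocked name are arbitrary choices for this example. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DIVERT_PORT  8668
#define BLOCKED_NAME "www.yahoo.com"

/* Decode the first question's QNAME into dotted form; returns its length or -1
 * if the message is truncated, has no question, or uses label compression. */
int dns_qname(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    size_t pos = 12, n = 0;                        /* skip the 12-byte header */
    if (len < 12 || (msg[4] << 8 | msg[5]) == 0)
        return -1;
    while (pos < len) {
        uint8_t lab = msg[pos++];
        if (lab == 0) { out[n] = '\0'; return (int)n; }   /* root label ends it */
        if (lab >= 0xC0 || pos + lab > len || n + lab + 2 > outlen)
            return -1;
        if (n > 0) out[n++] = '.';
        memcpy(out + n, msg + pos, lab);
        n += lab; pos += lab;
    }
    return -1;
}

/* Return the DNS message of an IPv4/UDP packet to port 53 (length in *dlen),
 * or NULL if it is not one or the length fields disagree with the buffer. */
const uint8_t *udp53_payload(const uint8_t *pkt, size_t len, size_t *dlen)
{
    size_t ihl, ulen;
    if (len < 28 || (pkt[0] >> 4) != 4 || pkt[9] != IPPROTO_UDP)
        return NULL;
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl + 8 > len || (pkt[ihl + 2] << 8 | pkt[ihl + 3]) != 53)
        return NULL;
    ulen = (size_t)(pkt[ihl + 4] << 8 | pkt[ihl + 5]);     /* includes UDP header */
    if (ulen < 8 || ihl + ulen > len)
        return NULL;
    *dlen = ulen - 8;
    return pkt + ihl + 8;
}

/* Policy: 1 = drop (a DNS query, QR=0, whose name matches), 0 = forward.
 * Malformed packets are forwarded so the filter never breaks other lookups. */
int should_drop(const uint8_t *pkt, size_t len, const char *blocked)
{
    char name[256];
    size_t dlen;
    const uint8_t *dns = udp53_payload(pkt, len, &dlen);
    if (dns == NULL || dlen < 12 || (dns[2] & 0x80))
        return 0;
    if (dns_qname(dns, dlen, name, sizeof name) < 0)
        return 0;
    return strcasecmp(name, blocked) == 0;
}

/* Constructed sample: IPv4/UDP/DNS A-query for www.yahoo.com, 10.0.0.2 -> 10.0.0.53
 * (checksums left zero; from the DNS flags on, this is the pattern in the post). */
const uint8_t SAMPLE_QUERY[] = {
    0x45, 0x00, 0x00, 0x3b, 0x12, 0x34, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00, 0x00, 0x35,                 /* IPv4 */
    0xc0, 0x00, 0x00, 0x35, 0x00, 0x27, 0x00, 0x00,                 /* UDP, dport 53 */
    0xab, 0xcd, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* DNS hdr */
    0x03, 'w', 'w', 'w', 0x05, 'y', 'a', 'h', 'o', 'o', 0x03, 'c', 'o', 'm', 0x00,
    0x00, 0x01, 0x00, 0x01 };                                        /* QTYPE A, IN */
const size_t SAMPLE_QUERY_LEN = sizeof SAMPLE_QUERY;

int main(void)
{
#ifdef IPPROTO_DIVERT                      /* FreeBSD and Mac OS X have divert(4) */
    uint8_t buf[1500];
    struct sockaddr_in sin = { 0 };
    socklen_t slen;
    ssize_t len;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("divert socket"); return 1;
    }
    for (;;) {                             /* packets matching the divert rule arrive here */
        slen = sizeof sin;
        if ((len = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen)) < 0)
            break;
        if (!should_drop(buf, (size_t)len, BLOCKED_NAME))   /* not resent = dropped */
            sendto(fd, buf, (size_t)len, 0, (struct sockaddr *)&sin, slen); /* reinject */
    }
    perror("recvfrom"); return 1;
#else
    puts("divert(4) is not available on this platform; nothing to filter");
    return 0;
#endif
}
```

Matching on the decoded name rather than on a fixed byte pattern is the practical advantage over the iptables rule: it is unaffected by the transaction ID, by label case, and by any other record the client appends after the question, and a malformed packet is forwarded rather than silently matched or unmatched by accident.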