Hello,

I've found myself in a situation where a simple data inspection capability added to ipfw would be very useful.

I'm not thinking about anything especially sophisticated, but what about adding an option to check byte values (or flags, similar to tcpdump)?

An example rule could be:

add deny udp from any to me 12345 udp[4]&234

being the rule true if byte 4 in the UDP packet AND the number 234 is not zero.

P.S: I'm thinking about controlling some types of UDP packets that can be identified by simple flags present in the packet data.

Opinions?

Borja.
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Borja Marcos
> Sent: Tuesday, December 13, 2005 11:00 AM
> To: freebsd-security@freebsd.org
> Subject: Useful addition to ipfw
>
> Hello,
>
> I've found myself in a situation where a simple data
> inspection capability added to ipfw would be very useful.

Use divert option and reinject it back in?
In some mail from Borja Marcos, sie said:
> Hello,
>
> I've found myself in a situation where a simple data inspection
> capability added to ipfw would be very useful.
>
> I'm not thinking about anything especially sophisticated, but what
> about adding an option to check byte values (or flags, similar to
> tcpdump)?
>
> An example rule could be: add deny udp from any to me 12345 udp[4]&234
>
> being the rule true if byte 4 in the UDP packet AND the number 234 is
> not zero.

I believe you could do that today, with IPFilter, if you expressed the
entire packet-matching part of the rule with BPF.

Darren
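As an added illustration of what the proposed udp[offset]&mask check and the BPF-style expression Darren mentions actually evaluate, here is a small Python model of the matcher. It is not code from this thread, from ipfw or from IPFilter; the packet builder, the function names and the sample packets are all constructed for the example. It follows tcpdump's indexing convention, in which udp[n] counts from the first byte of the UDP header, so udp[4] and udp[5] fall on the UDP length field and the first payload byte is udp[8]. It also walks the IPv4 header length (IHL) to find the UDP header, which is the step a naive fixed-offset check gets wrong when IP options are present, and it treats a packet too short to contain the requested byte as a non-match rather than an error.

```python
import struct

IPPROTO_UDP = 17


def build_udp_packet(src, dst, sport, dport, payload, ip_options=b""):
    """Constructed sample: IPv4 header (+ optional options) + UDP header + payload.
    Checksums are left at zero; this is test input, not a packet to transmit."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a 32-bit boundary")
    ihl = 5 + len(ip_options) // 4            # header length in 32-bit words
    udp_len = 8 + len(payload)
    total_len = ihl * 4 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x40 | ihl,               # version 4, IHL
                     0,                        # TOS
                     total_len,
                     0, 0,                     # id, flags/fragment offset
                     64,                       # TTL
                     IPPROTO_UDP,
                     0,                        # header checksum (not computed)
                     src, dst) + ip_options
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload


def udp_header_offset(pkt):
    """Return the byte offset of the UDP header, honouring IHL (IP options)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    return ihl


def udp_byte_matches(pkt, offset, mask, size=1):
    """Evaluate the tcpdump-style test 'udp[offset:size] & mask != 0'.
    Offsets are relative to the start of the UDP header, as in tcpdump."""
    start = udp_header_offset(pkt) + offset
    field = pkt[start:start + size]
    if len(field) < size:
        return False                          # short packet: no match, no exception
    return (int.from_bytes(field, "big") & mask) != 0


def rule_matches(pkt, dport, offset, mask):
    """Model of the proposed rule 'deny udp from any to me <dport> udp[offset]&mask':
    true when the destination port matches and the masked byte is non-zero."""
    start = udp_header_offset(pkt)
    (pkt_dport,) = struct.unpack("!H", pkt[start + 2:start + 4])
    return pkt_dport == dport and udp_byte_matches(pkt, offset, mask)


# Constructed samples (hypothetical addresses and payload). Payload byte 0 is 0xEA (234).
SAMPLE = build_udp_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                          40000, 12345, b"\xEAhello")
# Same datagram behind a 4-byte IP options field (four NOPs), so the UDP header moves.
SAMPLE_OPTS = build_udp_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                               40000, 12345, b"\xEAhello", ip_options=b"\x01" * 4)


if __name__ == "__main__":
    print("UDP header at", udp_header_offset(SAMPLE), "and", udp_header_offset(SAMPLE_OPTS))
    print("udp[8]&234 on payload:", udp_byte_matches(SAMPLE, 8, 234))
    print("udp[4]&234 (length field high byte):", udp_byte_matches(SAMPLE, 4, 234))
    print("rule hit on port 12345:", rule_matches(SAMPLE, 12345, 8, 234))
```

Running it shows the two points worth remembering when writing such a rule: the offset must be counted from the UDP header, not from the IP header, and a test on udp[4] inspects the UDP length field rather than application data, which begins at udp[8].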