freebsd security - Jan 2005 - Listening outside ipfw / program interface to ipfw

Hi,
    Two quick questions that I can't seem to find answers for using google.

1) is is possible to listen outside an ipfw firewall - that is have 
ethereal record the packets before ipfw starts dropping them? If so how?

2) Is there an api to ipfw that will let me manipulate rules, query 
stats etc?  I need something faster than running the command line binary?

Thanks

John

> Hi,
>    Two quick questions that I can't seem to find answers for using
google.
> 
> 1) is is possible to listen outside an ipfw firewall - that is have 
> ethereal record the packets before ipfw starts dropping them? If so how?
tcpdump(8) uses the bpf(4) device and the latter will always see a
packet reaching the box whether a packet filter will drop it or not.
> 2) Is there an api to ipfw that will let me manipulate rules, query 
> stats etc?  I need something faster than running the command line binary?
Yes, you should look at the ``SEE ALSO'' section in ipfw(8) manual page.
ipfirewall(4) is what you are looking for, but looking at ipfw(8)
source code might help too.

Regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org