Re: [fw-wiz] dirty packet tricks?
From: Stephen D. B. Wolthusen (wolt@igd.fhg.de)
Date: 07/10/02
- Next message: Paul Robertson: "Re: [fw-wiz] Rationale of the great DMZ"
- Previous message: Scott, Richard: "[fw-wiz] Rationale of the great DMZ"
- In reply to: Marcus J. Ranum: "[fw-wiz] dirty packet tricks?"
- Next in thread: Barney Wolff: "Re: [fw-wiz] dirty packet tricks?"
To: "Marcus J. Ranum" <mjr@ranum.com>
From: wolt@igd.fhg.de (Stephen D. B. Wolthusen)
Date: Wed Jul 10 13:40:01 2002
Hi,
"Marcus J. Ranum" <mjr@ranum.com> writes:
> Hi, I'm a bit out of date on the latest/greatest dirty packet-flogging
> tricks; perhaps someone can point me in the right direction...
>
> Back a zillion years ago we implemented "proxy transparency" type
> things in BSD firewalls by whacking the code in the IP stack so that
> the firewall would ARP for (basically) anything that was not internal,
> then convince its IP stack that it was the destination, allow a
> connection to occur in user-space, then connect out and relay traffic.
> It was gross but it worked. Are there better ways of doing that
> nowadays?
Platform-dependent, but yes. Under Solaris one possible approach is to put
a filter module onto the STREAMS stack. Attaching yourself to the location
of your choice, you can get down to raw frames. This has the nice benefit of
not having to go into user mode (a userland process can communicate
e.g. through a kernel memory block mapped in; there are other, more
efficient ways of doing this, but then it doesn't really port to other SVR4
Unices[1] anymore). Unless you want to modify data streams, this is
relatively benign. We've done that, but I'm not at liberty to release
material on it, unfortunately.
Current (Free|Open, don't know about Net) BSDs have NetGraph, which is in
many ways similar to, and arguably a bit more flexible than, STREAMS, but the
basic concepts are the same. It's also been around for 5+ years.
[1] STREAMS has been around for a *long* time, and stable since SVR3.2
days, but straight ports to other SVR4s don't happen. IRIX is a rather
pathological case in this regard.
--
later,
Stephen

Fraunhofer-IGD, Stephen Wolthusen
Fraunhoferstr. 5, 64283 Darmstadt, GERMANY
mailto: wolt@igd.fhg.de | swolthusen@acm.org | swolthusen@ieee.org | stephen@wolthusen.com
Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499
+49 (0) 172 916 9883 | +49 (0) 6245 905 366