Diverting sockets and streams


Diverting sockets and streams

by jakub-13


Hi list,

I have a newbie question about divert sockets but I can't find a direct
answer.

I have a rule like this:

ipfw add divert 5555 tcp from me to any 80 keep-state

If I understand it correctly, in order to check the data stream properly
I have to deal with:

1. packet reordering
2. packet duplication

so basically I have to implement part of the TCP stack in my app.

I don't have to bother with fragmentation (according to man pages).
I won't be able to understand IPSec packets as I will get encrypted IP
frames.

Am I correct?  Or can you please tell me how it really works?

Thanks a lot,

Jakub

_______________________________________________
freebsd-ipfw@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@..."

Re: Diverting sockets and streams

by Julian Elischer


jakub wrote:

> Hi list,
>
> I have a newbie question about divert sockets but I can't find a direct
> answer.
>
> I have a rule like this:
>
> ipfw add divert 5555 tcp from me to any 80 keep-state
>
> If I understand it correctly, in order to check the data stream properly
> I have to deal with:
>
> 1. packet reordering
> 2. packet duplication

yes, divert treats each packet individually
with the exception of frags which it reassembles.

>
> so basically I have to implement part of the TCP stack in my app.

yes,
though there may be other ways to do what you want..
what DO you want to do?


>
> I don't have to bother with fragmentation (according to man pages).
> I won't be able to understand IPSec packets as I will get encrypted IP
> frames.

yes

>
> Am I correct?  Or can you please tell me how it really works?

packets enter the system and are run through the IP stack where the
first thing they hit is ipfw. in ipfw the divert rule forces them
to the divert code (which does reassembly but that's all) and
passes the result to a divert socket.

there is a possibility that, done correctly with ESP, one might be able to
get to the unencrypted packet but you'd have to read the code starting
at ip_input() in ip_input.c to check for sure.

>
> Thanks a lot,
>
> Jakub

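Julian's point that divert hands over each segment on its own (reassembling only IP fragments) is what forces a scanner to re-do part of TCP. As an added illustration, not code from this thread or from FreeBSD, here is a minimal one-direction TCP stream reassembler of the kind such a divert-socket scanner would need: it copes with out-of-order arrival and with full and partial retransmissions. The segments are constructed in-memory samples; there is no real divert socket here (that would need FreeBSD, root and IPPROTO_DIVERT), and the ISN 1000 and the request bytes are assumed test data.

```c
/* Added example, not from the thread: minimal TCP stream reassembly for
 * segments that arrive one at a time (as from an ipfw divert socket).
 * Handles reordering and duplicate/overlapping retransmissions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 16

struct seg {            /* one TCP segment as seen on the divert socket */
    uint32_t seq;       /* sequence number of data[0] */
    const char *data;
    size_t len;
};

struct reasm {
    uint32_t next;                   /* next expected sequence number */
    char *out; size_t outcap, outlen; /* reassembled in-order bytes */
    struct seg pending[MAX_PENDING]; int npending; /* held future segments */
    unsigned dups;                   /* duplicate/overlap bytes discarded */
};

/* Signed sequence comparison so that 2^32 wraparound is handled. */
static int seq_diff(uint32_t a, uint32_t b) { return (int32_t)(a - b); }

static void reasm_init(struct reasm *r, uint32_t isn, char *out, size_t cap)
{
    memset(r, 0, sizeof *r);
    r->next = isn; r->out = out; r->outcap = cap;
}

/* Append in-order bytes to the stream buffer and advance the window. */
static void deliver(struct reasm *r, const char *p, size_t n)
{
    if (n > r->outcap - r->outlen) n = r->outcap - r->outlen;
    memcpy(r->out + r->outlen, p, n);
    r->outlen += n; r->next += (uint32_t)n;
}

/* Consume one segment at the current expected point. Returns 1 if it was
 * delivered or dropped as a duplicate, 0 if it lies in the future. */
static int consume(struct reasm *r, struct seg s)
{
    int d = seq_diff(s.seq, r->next);
    if (d > 0) return 0;                      /* gap before it: hold */
    if (d < 0) {                              /* starts before next: overlap */
        size_t skip = (size_t)(-d);
        if (skip >= s.len) { r->dups += (unsigned)s.len; return 1; }
        r->dups += (unsigned)skip;            /* trim the already-seen prefix */
        s.data += skip; s.len -= skip;
    }
    deliver(r, s.data, s.len);
    return 1;
}

/* Feed one segment as it arrives. Future segments are held (silently dropped
 * if the hold queue is full) and drained once the gap before them is filled. */
static void reasm_input(struct reasm *r, struct seg s)
{
    if (!consume(r, s)) {
        if (r->npending < MAX_PENDING) r->pending[r->npending++] = s;
        return;
    }
    int progress = 1;
    while (progress) {
        progress = 0;
        for (int i = 0; i < r->npending; i++) {
            if (consume(r, r->pending[i])) {
                r->pending[i] = r->pending[--r->npending];
                progress = 1; break;
            }
        }
    }
}

/* Constructed sample: "GET / HTTP/1.0\r\n" arriving as four segments,
 * out of order, with one full and one partial retransmission. */
size_t demo_reassemble(char *out, size_t cap, unsigned *dups)
{
    struct reasm r;
    reasm_init(&r, 1000, out, cap);            /* assumed ISN */
    struct seg arrivals[] = {
        { 1000, "GET / ",  6 },   /* first segment, in order */
        { 1011, "1.0\r\n", 5 },   /* third segment, arrives early */
        { 1000, "GET / ",  6 },   /* retransmission of the first */
        { 1004, "/ HTTP/", 7 },   /* second segment, overlapping the first */
    };
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        reasm_input(&r, arrivals[i]);
    if (dups) *dups = r.dups;
    return r.outlen;
}

int main(void)
{
    char buf[64]; unsigned dups;
    size_t n = demo_reassemble(buf, sizeof buf, &dups);
    printf("reassembled %zu bytes, %u duplicate bytes dropped: %.*s",
           n, dups, (int)n, buf);
    return 0;
}
```

A scanner built on this still has to track both directions, SYN/FIN/RST state and connection teardown, which is the "real pain" Julian refers to below; the hold queue here is also deliberately tiny, and a production version needs a bound on buffered bytes per flow so that a peer cannot exhaust memory by sending only out-of-order data.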

Re: Diverting sockets and streams

by jakub-13


Hi Julian,

thanks for making this clear to me.

>
>>
>> so basically I have to implement part of the TCP stack in my app.
>
> yes,
> though there may be other ways to do what you want..
> what DO you want to do?
>

I need to make a transparent proxy e.g. HTTP proxy, that will be able  
to scan the data stream for some security problems (exploits or  
whatever).

I had a solution based on packet forwarding and packet UID matching
rather than divert sockets. This solution works fine on FreeBSD, Linux
and Mac OS X Leopard. However, in the new Mac OS X Snow Leopard,
forwarding outgoing packets to a local port does not work. So I'm
looking for another solution.

Jakub

Re: Diverting sockets and streams

by Julian Elischer


Jakub Bednar wrote:

> Hi Julian,
>
> thanks for making this clear to me.
>
>>
>>>
>>> so basically I have to implement part of the TCP stack in my app.
>>
>> yes,
>> though there may be other ways to do what you want..
>> what DO you want to do?
>>
>
> I need to make a transparent proxy e.g. HTTP proxy, that will be able to
> scan the data stream for some security problems (exploits or whatever).
>
> I had a solution based on packet forwarding and packet UID matching
> rather than divert sockets. This solution works fine on FreeBSD, Linux
> and Mac OS X Leopard. However, in the new Mac OS X Snow Leopard,
> forwarding outgoing packets to a local port does not work. So I'm looking
> for another solution.

sounds like they broke it..

maybe they inherited a change from FreeBSD that was reverted out but
existed for one release, that broke exactly that :-)

ipfw fwd
along with fwd uid
is the way to do this on FreeBSD but snow leopard IS a problem.

doing it with divert is going to be a real pain.


you can also do this with nat in some cases I think..


>
> Jakub

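As an added example of the `ipfw fwd` plus `uid` approach Julian recommends for FreeBSD (this is not code from the thread or from FreeBSD; the proxy user name `proxy`, the listening port 3128 and the rule numbers are assumptions), the script below emits and, where `ipfw` exists, installs the two rules. The order matters: the proxy's own outbound connections, identified by uid, must be allowed through before the generic fwd rule, otherwise they would be forwarded back to the proxy and loop.

```sh
#!/bin/sh
# Added example (not from the thread): ipfw fwd + uid rules for a transparent
# HTTP proxy on FreeBSD. PROXY_USER, PROXY_PORT and RULE_BASE are assumed
# values; adjust them to the proxy you actually run.
PROXY_USER="${PROXY_USER:-proxy}"
PROXY_PORT="${PROXY_PORT:-3128}"
RULE_BASE="${RULE_BASE:-5000}"

# Print the rule set in the order it must be installed:
# 1. exempt the proxy's own outbound port-80 traffic (matched by uid)
# 2. forward every other locally originated port-80 connection to the proxy
ipfw_proxy_rules() {
    printf 'add %d allow tcp from me to any 80 out uid %s\n' \
        "$RULE_BASE" "$PROXY_USER"
    printf 'add %d fwd 127.0.0.1,%d tcp from me to any 80 out\n' \
        "$((RULE_BASE + 10))" "$PROXY_PORT"
}

# Install the rules when ipfw is available (needs root); otherwise show the
# commands that would have been run, which is also a useful dry run.
ipfw_proxy_apply() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw_proxy_rules | while IFS= read -r rule; do
            # shellcheck disable=SC2086  (word splitting is intended here)
            ipfw $rule
        done
    else
        ipfw_proxy_rules | sed 's/^/ipfw /'
    fi
}

# Usage: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    ipfw_proxy_apply
fi
```

Two checks worth doing after installing: `ipfw show` should list the uid rule with the lower number, and a request made as the proxy user (for example with `su -m proxy -c 'fetch -o /dev/null http://example.org/'`) must hit the allow rule's counter, not the fwd rule's, or the loop described above is in place. Also confirm your kernel's ipfw supports fwd of locally originated packets to a local port, which is exactly the behaviour Jakub found missing on Snow Leopard.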