
How can pf intercept packet?



On Wed, 9 Apr 2003 21:21:29 +0200, Daniel Hartmeier wrote
> On Thu, Apr 10, 2003 at 12:38:47AM +0900, dreamer wrote:
> 
> > I think bpf is receive only copy. original is transfer!
> >
> > Is this think is wrong?
> 
> bpf and pf are basically unrelated, only the name is similar. The packet
> filter (pf) intercepts all (original) packets and decides whether to
> pass or block them according to a ruleset.
How can pf intercept all original packets? I looked at /usr/src/sys/net/pf.c
and the related files, but I have no experience with kernel programming. I can't
understand pf.c ....... . It is difficult for me.
 I have another question!
Where is the position of pf?
---------   -----------   ----------   ----------   -------------
| DEVICE |--| DATA LINK|--|   IP   |--|  tcp/UDP |--| application|
---------   -----------   ----------   ----------   -------------
> 
> There is some interaction between bpf and pf. For instance, incoming
> packets will be dispatched through bpf before they are filtered by 
> pf, so you'll see all incoming packets on a pcap listener (like 
> snort), even if they are later blocked by pf.
Thank you. Now I understand the relation between bpf and pf.
> 
> A consequence is that pf can't protect pcap listeners from any traffic.
> If you run snort listening on your external interface on the firewall
> itself, it will see all packets. Some people prefer to run snort on 
> an internal interface (or even a different local machine), so it 
> only sees packets that actually pass the filter and make it into the 
> local network, so it only reports _successful_ (not just attempted) intrusion.
> 
> Daniel
Thank you to all the pf developers! I configured a firewall with OpenBSD 3.2 (stable)
and PF for my company (bridge and NAT). It works very successfully.
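One way to see the bpf/pf ordering Daniel describes, as an added example that is not part of the original thread or of the pf project: a minimal pf.conf for a firewall whose external interface is fxp0 and internal interface is fxp1 (both names are assumptions), followed by the tcpdump commands that show where a packet blocked by pf is still visible to a pcap listener and where it is not.

```pf
# Added example, not from the original thread. Interface names are assumed.
ext_if = "fxp0"
int_if = "fxp1"

scrub in all

# Block everything inbound on the external interface and log it to pflog0.
block in log on $ext_if all
# Allow only SSH to the firewall itself; everything else stays blocked.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
pass out on $ext_if all keep state

# Check of the ordering (run as root on the firewall, after "pfctl -f /etc/pf.conf"):
#   tcpdump -n -i fxp0             # bpf on the external interface: every incoming
#                                  # packet is shown, including those pf blocks
#   tcpdump -n -e -ttt -i pflog0   # only packets matched by a "log" rule, i.e. the
#                                  # blocked ones here, with the rule that matched
#   tcpdump -n -i fxp1             # internal interface: only traffic that passed
#                                  # the filter and was forwarded inside
```

A sniffer such as snort bound to fxp0 therefore reports every attempt against the external address; bound to fxp1 it reports only what pf let through, which is the distinction Daniel draws between attempted and successful intrusion.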