
Re: Diverting packets like IPFW DIVERT

# Look through the archives.  You can either use a tun0 device like
# fragroute or block+log the packets in PF and use bpf to read them off
# of the pflog0 interface.
# .mike
What's the deal behind this tun0 / fragroute? Sorry, I couldn't understand.
Well... certainly I could do something with the blocked+logged packets in
pflog0. The problem is the "reinjection" process.
Like in snort_inline, as it handles the packets through ipq or divert, you
actually have an easy way to reinject the packets if they are to be accepted.
If they must be blocked / rejected / replaced, you must fall into the LibNet
routines... (RST for TCPs and ICMP UNREACH for UDPs)
So, my idea is to reinject even the "good" packets using LibNet. But, would
that be too slow?!? That's what I'm afraid of... :-(
And, just another question: what about PF support over bridged interfaces? Is
it ok?
Thank you again!
-- marcelo
	ACME! Computer Security Research
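As an added illustration (not part of this thread, and not a configuration either poster published), this is what the block+log approach Mike describes looks like in a PF ruleset: the `log` keyword copies each matched packet to the pflog0 interface, where any bpf reader can pick it up. The interface name fxp0 and port 80 are assumed placeholders.

```pf
# /etc/pf.conf (constructed example; interface and port are placeholders)
ext_if = "fxp0"

# Block the traffic to be inspected and log a copy of every matching
# packet to pflog0. 'quick' stops rule evaluation here so the later
# 'pass' rule cannot override the block (PF is last-match-wins).
block log quick on $ext_if proto tcp from any to $ext_if port 80

# Everything else passes normally.
pass on $ext_if

# Reading the logged copies from a shell (not part of pf.conf):
#   pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0
```

Note the point of the thread: what arrives on pflog0 is only a logged copy. PF has already dropped the original, so a tool that decides a packet is acceptable has no kernel path to hand it back and must rebuild and send it itself, which is the cost Marcelo is asking about.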