Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 11 Jul 2002 01:45:12 -0400

Barney Wolff wrote:
> Maybe I'm not understanding the problem correctly, but why can't a
> box with the standard (for FreeBSD) ipfw/natd combo do what you
> want?

Hmm... if I am able to put myself in the routing path then
it's a straightforward problem to solve using the ancient
techniques of the firewall transparency masters. ;) What
I was thinking of doing was basically implementing the same
thing as proxy transparency _without_ having to alter the
routing topology of the network or place myself in the
routing path as a bridge or whatever. It occurred to me
the other day that this might be possible, which is why
I am pursuing it at this moment. It'd be kind of cool: you
could just tell your firewall "block all packets to XXX"
and have this mystery box pick the traffic up, and then
application-level proxy it without the end user being
able to notice a thing. There are many fun applications
for such a capability. ;)

One correspondent pointed out to me that the firewall
would have to be told not to send reset or unreachables
to client machines or my scheme falls over right away.
I'd forgotten about that. :(

> If you can't control the inside routing,
> how could you ever force packets to come to your box in the first
> place?

That's really the meat of my question. I was thinking that I
could suck 'em up promiscuously!! :)

(Thanks to all who have responded directly to me on this thread.
I'm having a blast trying to solve this problem and, while nobody
has yet handed me an answer on a plate, I'm getting lots of good
ideas for how to proceed!)

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com
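The point about resets and unreachables above comes down to which ipfw action the blocking rule uses. The following is an added example, not code from the post or from anyone on the thread: a small shell helper that prints the FreeBSD ipfw rule for each of the three reactions so the policy choice is explicit. It assumes ipfw2 syntax, TCP only, and rule number 1000; the host 192.0.2.10 is a constructed sample value. It prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original post): emit ipfw rules that block TCP
# traffic to a host with one of three reactions. The commands are printed, not
# executed, so they can be reviewed before being applied on a real box.
# Assumptions: FreeBSD ipfw2 syntax, rule number 1000, TCP only.

ipfw_block_rule() {
    host="$1"   # destination being blocked
    mode="$2"   # silent | reset | unreach
    case "$mode" in
        silent)  action="deny" ;;          # drop with no feedback: client waits out its own TCP timeout
        reset)   action="reset" ;;         # send a TCP RST: client sees "connection refused" at once
        unreach) action="unreach port" ;;  # send ICMP port-unreachable: client sees an ICMP error
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "ipfw add 1000 $action tcp from any to $host"
}

# Usage: print all three variants side by side (192.0.2.10 is a constructed sample).
for m in silent reset unreach; do
    ipfw_block_rule 192.0.2.10 "$m"
done
```

Only the `deny` form is silent toward the client; `reset` and `unreach port` both answer the blocked connection attempt, which is exactly the feedback the post says would break an out-of-path pickup scheme, and, from the other side, exactly the feedback that lets a client fail fast instead of hanging on a timeout.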

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards