Firewall Wizards mailing list archives
dirty packet tricks?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 10 Jul 2002 10:59:17 -0400
Hi, I'm a bit out of date on the latest/greatest dirty packet-flogging tricks; perhaps someone can point me in the right direction...

Back a zillion years ago we implemented "proxy transparency" type things in BSD firewalls by whacking the code in the IP stack so that the firewall would ARP for (basically) anything that was not internal, then convince its IP stack that it was the destination, allow a connection to occur in user-space, then connect out and relay traffic. It was gross but it worked. Are there better ways of doing that nowadays?

I'm somewhat restricted from using stuff like arpd and arp spoofing, because the application in question will be in a location where I want to grab the traffic when it won't ever be on the destination subnet. For example - consider:

1) our network is 10.10.10.0/24
2) our "target" machine is 16.67.32.1/32 port 23
3) there is a router/firewall on the edge of 10.10.10.0 that blocks all traffic to 16.67.32.1
4) the router/firewall _allows_ traffic from one machine (our mystery box) to the target 16.67.32.1 port 23
5) all machines on network 10 that try to talk to 16.67.32.1 port 23 should get the connection "stolen" from our machine, which should connect to the _real_ 16.67.32.1 and get packets back and forth

I was thinking of using bpf to vacuum up packets into user space then push them down into the stack using /dev/tun driver. Once it was in the stack, I could probably get most of the dirty work done with NATting that traffic to an internal process on the machine based on whether it came in or out of /dev/tun. Getting traffic back out would follow (presumably) the reverse path. Fortunately, the traffic I want to grab is relatively low bandwidth.

The other alternative appears to be to just do user-mode TCP by sucking the packets up using bpf, passing them to a process that connects to the target, and simulates tcp on the other side. Kind of like honeyd does. Or is there a better way?

I figured I'd better ask because if I just start whaling away at solving the problem I could work for months and have someone hand me a manpage and say "DUH!" ;)

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
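Added illustration, not code from the post or from the list: the user-space half of the "proxy transparency" scheme Marcus describes, i.e. the process that receives a connection the firewall has "stolen" and relays it to the one real destination the edge router permits (the post's 16.67.32.1 port 23). The kernel-side redirect that delivers the connection to this listener (pf `rdr`, ipfw `fwd`, or iptables `REDIRECT`) is assumed and not shown; the relay only ever connects to its single configured destination, which is what keeps it from becoming a general-purpose open proxy. The stand-in "target" that upper-cases what it receives is constructed so the block runs offline.

```python
import socket
import threading

# Constructed example value mirroring the post: the single destination this
# relay is allowed to reach. Anything else is simply not reachable through it.
TARGET = ("16.67.32.1", 23)


def pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the far
    side sees end-of-stream instead of hanging."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target_addr):
    """Connect out to the real destination and shuttle bytes both ways."""
    upstream = socket.create_connection(target_addr, timeout=10)
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)      # client -> target, returns at client EOF
    back.join()                 # wait for target -> client to drain
    upstream.close()
    client.close()


def _accept_loop(srv, handler):
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return              # listener closed
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_relay(target_addr=TARGET, host="127.0.0.1"):
    """Listen on an ephemeral port for redirected connections; each one is
    relayed to target_addr. Returns the (host, port) the relay is bound to."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(16)
    threading.Thread(target=_accept_loop,
                     args=(srv, lambda c: relay(c, target_addr)),
                     daemon=True).start()
    return srv.getsockname()


def start_echo_target(host="127.0.0.1"):
    """Constructed stand-in for the real destination: echoes input in upper
    case so a round trip proves the bytes really went through it."""
    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())

    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(16)
    threading.Thread(target=_accept_loop, args=(srv, handle), daemon=True).start()
    return srv.getsockname()


def roundtrip(relay_addr, payload):
    """Send payload through the relay and return whatever comes back."""
    with socket.create_connection(relay_addr, timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    fake_target = start_echo_target()
    relay_addr = start_relay(fake_target)
    print(roundtrip(relay_addr, b"hello through the relay"))
```

The relay half-closes each direction independently (SHUT_WR after EOF), which is what lets a telnet-style session end cleanly from either side; the old stack-hacking approach in the post had to get the same behaviour right inside the kernel.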