Firewall Wizards mailing list archives
Re: dirty packet tricks?
From: wolt () igd fhg de (Stephen D. B. Wolthusen)
Date: 10 Jul 2002 19:24:53 +0200
Hi, "Marcus J. Ranum" <mjr () ranum com> writes:
Hi, I'm a bit out of date on the latest/greatest dirty packet-flogging tricks; perhaps someone can point me in the right direction... Back a zillion years ago we implemented "proxy transparency" type things in BSD firewalls by whacking the code in the IP stack so that the firewall would ARP for (basically) anything that was not internal, then convince its IP stack that it was the destination, allow a connection to occur in user-space, then connect out and relay traffic. It was gross but it worked. Are there better ways of doing that nowadays?
Platform-dependent, but yes. Under Solaris one possible approach is to put a filter module onto the STREAMS stack. Attaching yourself to the location of your choice you can get down to raw frames. This has the nice benefit of not having to go into user mode (a userland process can communicate e.g. through a kernel memory block mapped in; there are other, more efficient ways of doing this but then it doesn't really port to other SVR4 Unices[1] anymore). Unless you want to modify data streams, this is relatively benign. We've done that, but I'm not at liberty to release material on it, unfortunately.

Current (Free|Open, don't know about Net) BSDs have NetGraph, which is in many ways similar and arguably a bit more flexible than STREAMS, but the basic concepts are the same. It's also been around for 5+ years.

[1] STREAMS has been around for a *long* time, and stable since SVR3.2 days, but straight ports to other SVR4s don't happen. IRIX is a rather pathological case in this regard.

--
later,
Stephen

Fraunhofer-IGD          | mailto:
Stephen Wolthusen       |   wolt () igd fhg de
Fraunhoferstr. 5        |   swolthusen () acm org
64283 Darmstadt         |   swolthusen () ieee org
GERMANY                 |   stephen () wolthusen com
Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499
+49 (0) 172 916 9883     | +49 (0) 6245 905 366

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
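The user-space half of the "proxy transparency" trick quoted above (accept the connection as if the firewall were the destination, connect out, relay the bytes), as an added Python example; it is not code from this thread or from either poster. The in-kernel parts (ARPing for non-internal addresses, the STREAMS or NetGraph filter module) are platform-specific and not shown. What the example assumes: a resolver callable that yields the original destination of an accepted connection (once the stack has been convinced it is the destination, the accepted socket's own local address is that destination, which is what the default resolver returns); a constructed list of "internal" networks that the relay refuses to proxy; and, so that it runs offline, a local echo server standing in for the remote host with a resolver that names it directly.

```python
import ipaddress
import socket
import threading

# Constructed for this example: address blocks the firewall treats as "internal".
# The relay only services destinations outside these nets.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside one of the constructed internal blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def stack_destination(conn):
    """Default resolver (assumption): when the IP stack has been convinced it is
    the destination, the accepted socket's local address is the address the
    client was really trying to reach."""
    return conn.getsockname()


def _copy(src, dst):
    """One direction of the relay: pump bytes until EOF, then pass the EOF on."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, dest):
    """Connect out to dest and relay both directions until both sides are done."""
    try:
        upstream = socket.create_connection(dest)
    except OSError:
        client.close()
        return
    threads = [threading.Thread(target=_copy, args=(client, upstream), daemon=True),
               threading.Thread(target=_copy, args=(upstream, client), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def _serve(listener, handler):
    """Accept connections until the listener is closed; one thread per client."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(handler):
    """Bind a loopback listener on an ephemeral port and serve it in the background."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    threading.Thread(target=_serve, args=(listener, handler), daemon=True).start()
    return listener


def start_transparent_relay(resolve_destination=stack_destination):
    """Proxy side: each accepted connection is relayed to its resolved destination,
    unless that destination is internal, in which case it is dropped."""
    def handle(conn):
        dest = resolve_destination(conn)
        if is_internal(dest[0]):
            conn.close()
            return
        relay(conn, dest)
    return _listen(handle)


def _echo(conn):
    """Stand-in for the remote server: echo everything back, then close."""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)


def relay_round_trip(payload):
    """Offline demo: echo server behind the relay; returns what came back."""
    echo = _listen(_echo)
    echo_addr = echo.getsockname()
    # The demo cannot play the in-kernel ARP trick, so the resolver simply
    # names the echo server as the "original" destination.
    proxy = start_transparent_relay(lambda conn: echo_addr)
    with socket.create_connection(proxy.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    proxy.close()
    echo.close()
    return reply


if __name__ == "__main__":
    print(relay_round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

The policy check is the part worth keeping in mind on a real firewall: a transparent relay that answers for every address it is asked about will happily proxy internal-to-internal traffic unless it is told which destinations it is not supposed to stand in for.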
Current thread:
- dirty packet tricks? Marcus J. Ranum (Jul 10)
- Re: dirty packet tricks? Stephen D. B. Wolthusen (Jul 10)
- Re: dirty packet tricks? Barney Wolff (Jul 10)
- Re: dirty packet tricks? Marcus J. Ranum (Jul 11)
- Re: dirty packet tricks? Ryan Russell (Jul 11)
- Re: dirty packet tricks? Stephen D. B. Wolthusen (Jul 11)
- Re: dirty packet tricks? Ryan Russell (Jul 11)
- Re: dirty packet tricks? Nate Campi (Jul 11)
- Re: dirty packet tricks? Charles Swiger (Jul 11)
- Re: dirty packet tricks? Frank Knobbe (Jul 12)
- Re: dirty packet tricks? Marcus J. Ranum (Jul 11)
- Re: dirty packet tricks? John McDermott (Jul 11)
- Re: dirty packet tricks? Ryan Russell (Jul 11)