Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: wolt () igd fhg de (Stephen D. B. Wolthusen)
Date: 10 Jul 2002 19:24:53 +0200


Hi,

"Marcus J. Ranum" <mjr () ranum com> writes:

> Hi, I'm a bit out of date on the latest/greatest dirty packet-flogging
> tricks; perhaps someone can point me in the right direction...
>
> Back a zillion years ago we implemented "proxy transparency" type
> things in BSD firewalls by whacking the code in the IP stack so that
> the firewall would ARP for (basically) anything that was not internal,
> then convince its IP stack that it was the destination, allow a
> connection to occur in user-space, then connect out and relay traffic.
> It was gross but it worked. Are there better ways of doing that
> nowadays?

Platform-dependent, but yes. Under Solaris one possible approach is to put
a filter module onto the STREAMS stack. Attaching yourself to the location
of your choice you can get down to raw frames. This has the nice benefit of
not having to go into user mode (a userland process can communicate
e.g. through a kernel memory block mapped in; there are other, more
efficient ways of doing this but then it doesn't really port to other SVR4
Unices[1] anymore). Unless you want to modify data streams, this is
relatively benign. We've done that, but I'm not at liberty to release
material on it, unfortunately.

Current (Free|Open, don't know about Net) BSDs have NetGraph, which is in
many ways similar and arguably a bit more flexible than STREAMS, but the
basic concepts are the same. It's also been around for 5+ years. 

[1] STREAMS has been around for a *long* time, and stable since SVR3.2
    days, but straight ports to other SVR4s don't happen. IRIX is a rather
    pathological case in this regard. 

-- 
        later,
        Stephen

Fraunhofer-IGD                 | mailto:
Stephen Wolthusen              | wolt () igd fhg de
Fraunhoferstr. 5               | swolthusen () acm org
64283 Darmstadt                | swolthusen () ieee org
GERMANY                        | stephen () wolthusen com
                               | 
Tel +49 (0) 6151 155 539       | Fax: +49 (0) 6151 155 499 
    +49 (0) 172 916 9883       |      +49 (0) 6245 905 366 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
