
Re: help TCP packet filtering



On Thu, Apr 06, 2000 at 12:53:07PM +0530, Pramodh B N wrote:

Pramodh,

> Hey everybody,
> 
> I am working on a project which requires me to capture IP packets, check
> the address and send the packet on again (firewall implementation).
> 
> 
> Can anybody help me out with this?
> 
> I have downloaded a program called sniffit. Now I can see the packets, but
> I want a program which can get the packet, check it and then send that
> packet on.

Linux already provides such functionality, but if you'd like to reimplement
it for an academic project, you'll have to write a kernel module that
implements this algorithm.

The rules themselves can be fed to the kernel module using a user-level
program.

You may also want to try divert(4) sockets on FreeBSD.

http://www.freebsd.org/cgi/man.cgi?query=divert&apropos=0&sektion=0&manpath=FreeBSD+4.0-RELEASE&format=html

The above API allows you to implement your firewall as a user-level process.
Yes, it's a little bit slower than the kernel mechanism, but it is easier to
maintain, debug and port.

Both ipfw and natd on *BSD use the above mechanism. 

	-Arun

PS: If access to BSD cdroms is an issue, it is very easily solvable :)
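What the divert(4) approach described above looks like in practice, as an added example that is not code from this thread, from ipfw or from natd. A user-level filter built on divert(4) does three things: recvfrom() a whole IP packet that an ipfw "divert" rule handed to the socket, decide on it, and either sendto() it back with the sockaddr recvfrom() filled in (it then re-enters the stack in the same direction, just after the divert rule) or simply not send it back, which drops it. The header parsing and rule matching below are portable C and run anywhere; only divert_loop() is FreeBSD-specific. The three-rule policy, divert port 8668, the ipfw rule number 100 and the sample SYN packet are assumptions made for this example.

```c
/* User-level IPv4 packet filter in the shape of a divert(4) client (added example,
 * not code from the thread). Parsing and rule matching are portable; divert_loop()
 * is FreeBSD-only. Policy, divert port 8668 and rule number 100 are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(bits)      ((uint32_t)~(0xffffffffull >> (bits)))   /* /bits -> netmask, /0 -> 0 */

typedef struct {
    int allow;                                /* 1 = send the packet on, 0 = drop it */
    uint8_t proto;                            /* 0 matches any IP protocol */
    uint32_t src, src_mask, dst, dst_mask;    /* host byte order */
    uint16_t dport;                           /* 0 matches any destination port */
} rule_t;

typedef struct { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; } pkt_t;

/* Decode the IPv4 header by hand so this builds without struct ip.
 * Anything malformed returns 0, which the filter treats as "drop". */
int parse_ipv4(const uint8_t *p, size_t len, pkt_t *out)
{
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total < ihl || total > len) return 0;
    out->proto = p[9];
    out->src = IP4(p[12], p[13], p[14], p[15]);
    out->dst = IP4(p[16], p[17], p[18], p[19]);
    out->sport = out->dport = 0;
    /* TCP and UDP ports are the first 4 bytes after the IP header, but only the
       first fragment carries them; later fragments are left with ports 0. */
    unsigned frag_off = (((unsigned)p[6] << 8) | p[7]) & 0x1fff;
    if ((out->proto == IP_PROTO_TCP || out->proto == IP_PROTO_UDP) && frag_off == 0) {
        if (total < ihl + 4) return 0;
        out->sport = (uint16_t)((p[ihl] << 8) | p[ihl + 1]);
        out->dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    }
    return 1;
}

/* First matching rule wins; no match means drop (default deny). */
int filter_decide(const rule_t *rules, size_t n, const uint8_t *p, size_t len)
{
    pkt_t pk;
    if (!parse_ipv4(p, len, &pk)) return 0;
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        if (r->proto && r->proto != pk.proto) continue;
        if ((pk.src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((pk.dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->dport && r->dport != pk.dport) continue;   /* port rules never pass later fragments */
        return r->allow;
    }
    return 0;
}

/* Assumed policy: ssh to the gateway 192.168.1.1, DNS anywhere, anything that
 * originates on the 192.168.1.0/24 LAN; everything else is dropped. */
const rule_t example_rules[] = {
    { 1, IP_PROTO_TCP, 0, MASK(0), IP4(192, 168, 1, 1), MASK(32), 22 },
    { 1, IP_PROTO_UDP, 0, MASK(0), 0, MASK(0), 53 },
    { 1, 0, IP4(192, 168, 1, 0), MASK(24), 0, MASK(0), 0 },
};
const size_t example_rule_count = sizeof example_rules / sizeof example_rules[0];

/* Constructed sample: a 40-byte TCP SYN from 10.0.0.5:40000 to 192.168.1.1:23
 * (telnet), checksums left zero. */
const uint8_t sample_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 5,  192, 168, 1, 1,
    0x9c, 0x40, 0x00, 0x17, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0,
};

/* Decide on a variant of the sample with another protocol, source and port. */
int decide_sample(uint8_t proto, uint32_t src, uint16_t dport)
{
    uint8_t p[sizeof sample_syn];
    memcpy(p, sample_syn, sizeof p);
    p[9] = proto;
    for (int i = 0; i < 4; i++) p[12 + i] = (uint8_t)(src >> (24 - 8 * i));
    p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport;
    return filter_decide(example_rules, example_rule_count, p, sizeof p);
}

#ifdef __FreeBSD__
/* Serve packets handed to us by an ipfw rule such as
 *   ipfw add 100 divert 8668 ip from any to any
 * Needs root. FreeBSD 14 and later create the socket as socket(PF_DIVERT, SOCK_RAW, 0)
 * instead of the classic form used here; check divert(4) for your release. */
int divert_loop(const rule_t *rules, size_t n, uint16_t port)
{
    struct sockaddr_in me = { 0 }, from;
    socklen_t fl;
    static uint8_t buf[65535];
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    me.sin_family = AF_INET; me.sin_port = htons(port); me.sin_addr.s_addr = INADDR_ANY;
    if (fd < 0 || bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { perror("divert socket"); return -1; }
    for (;;) {
        fl = sizeof from;
        ssize_t len = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (len < 0) { perror("recvfrom"); break; }
        /* Pass: reinject with the same sockaddr. Drop: just don't send it back. */
        if (filter_decide(rules, n, buf, (size_t)len) &&
            sendto(fd, buf, (size_t)len, 0, (struct sockaddr *)&from, fl) < 0)
            perror("sendto");
    }
    close(fd);
    return -1;
}
#endif

int main(void)
{
    int pass = filter_decide(example_rules, example_rule_count, sample_syn, sizeof sample_syn);
    printf("telnet from 10.0.0.5 to the gateway: %s\n", pass ? "pass" : "drop");
#ifdef __FreeBSD__
    return divert_loop(example_rules, example_rule_count, 8668);
#else
    return 0;
#endif
}
```

On FreeBSD, run it as root after adding the assumed ipfw rule; on any other system it only exercises the decision logic against the constructed packet. Two choices worth noticing: the policy is default deny, so a malformed header or a packet no rule covers is dropped rather than passed, and a rule that names a port can never match a non-first fragment (its ports are unknown), which is the safe side of the classic fragment problem for a stateless filter.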