Re: ipchains blocks from SOCK_RAW?

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Tue, 15 Sep 1998 11:55:33 -0700


In message <19980914204554.A26523@sault.org> you write:
> I've noticed that, using ipchains (kernel 2.1.115), packet sniffers
> are unable to see packets which are blocked by the firewall. As I
> recall, ipfwadm didn't behave in this way.

I think this is probably due to the SOCK_PACKET changes more than
firewall changes, actually.

> What I want to do is this: I have the firewall block certain
> packets, but I would like to analyse these packets to see if they
> are in fact malicious in nature. Is this possible?

Sure. You can have ipchains copy a given number of bytes to a NETLINK
device; in this case instead of `ipchains -A input -s foobar.com -j
REJECT' do `ipchains -A input -s foobar.com -j REJECT -o 128' and then
read the packets off a device (36,3). Download libfw from the
ipchains homepage for an example.

Rusty.

--
 .sig lost in the mail.
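As an added illustration (not Rusty's code and not libfw), here is a small C reader for the monitoring side of the `-o 128` trick above: it reads from the node created for char device (36,3), whose path it takes from argv[1], and summarises the truncated IPv4 header of each copy, tolerating copies cut before the transport ports. It assumes each read() hands back one copied packet as raw IP bytes; the sample packet is constructed for the test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
struct fw_summary {            /* one copied datagram, host byte order */
    uint32_t src, dst; uint8_t proto;
    uint16_t sport, dport;     /* 0 unless TCP/UDP and the copy reached them */
    int truncated;             /* 1 if the copy is shorter than the IP total length */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Summarise len bytes of a copied packet; -1 if too short or not sane IPv4. */
int parse_blocked(const uint8_t *buf, size_t len, struct fw_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;       /* IP options may be present */
    if (ihl < 20 || ihl > len) return -1;
    out->truncated = rd16(buf + 2) > len;           /* total length vs bytes copied */
    out->proto = buf[9];
    out->src = rd32(buf + 12);
    out->dst = rd32(buf + 16);
    if ((out->proto == 6 || out->proto == 17) && len >= ihl + 4) {
        out->sport = rd16(buf + ihl);
        out->dport = rd16(buf + ihl + 2);
    }
    return 0;
}

/* Constructed sample: first 24 bytes of a 60-byte TCP segment 10.0.0.1:1024 -> 192.168.1.2:23. */
const uint8_t sample_blocked[24] = {
    0x45,0x00,0x00,0x3c, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x02, 0x04,0x00,0x00,0x17 };

int main(int argc, char **argv)
{
    /* argv[1]: the node created for char device (36,3); each read() is assumed
     * to return one copied packet, at most 128 bytes when the rule says -o 128. */
    uint8_t buf[128]; struct fw_summary s; ssize_t n;
    int fd = argc > 1 ? open(argv[1], O_RDONLY) : -1;
    while (fd >= 0 && (n = read(fd, buf, sizeof buf)) > 0)
        if (parse_blocked(buf, (size_t)n, &s) == 0)
            printf("proto %u %08x:%u -> %08x:%u%s\n", s.proto, s.src, s.sport,
                   s.dst, s.dport, s.truncated ? " (truncated)" : "");
    return fd < 0;
}
```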

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/