IPFW disconnect connection of an ip address in ipfw

Hi guys

I'm new to ipfw and have a question:

I am using:
- ipfw for firewalling
- a captive portal for controlling usage
- squid for its cache and filtering

Now, when I use the standard proxy and the user is logged in, it works without any problem, but when this user's limit is reached, the user is disconnected from the captive portal and can no longer use the internet, yet the active connections in IDM (Internet Download Manager) continue to download.

And my question:
How can I disconnect active session from a certain IP address in IPFW?

Thanks for your help!
 
For example, in pfctl this command kills all connections between 192.168.1.1 (source IP) and 192.168.1.100 (destination IP):

pfctl -K 192.168.1.1 -K 192.168.1.100

Does a similar command not exist in ipfw?
 
That's an interesting question though:

As you probably know, ipfw(8) can drop/block the traffic, so you could do something like:
ipfw add 100 deny ip from 192.168.1.1 to 192.168.1.100; sleep 5; ipfw delete 100

However, your question intrigued me, and I was thinking that you could actually inject a TCP RST packet to poison a TCP connection and convince the other party to disconnect.
For this, you will need net/hping.
So if you're in the mood for a nerdy experience, follow along:

pkg install net/hping

Open a screen where you listen to traffic using tcpdump(1):
tcpdump -n -i em0 -S
I'll explain what this does:
- -n: do not bother with name resolution
- -i em0: listen to traffic on interface em0
- -S: show absolute (full) TCP sequence numbers

Pick a TCP session; you can, for example, listen to a telnet or POP3 session, etc.

You will see traffic such as this:
22:08:26.390928 IP 192.168.0.131.22450 > 192.168.10.146.23: Flags [P.], seq 351918028:351918029, ack 3250659308, win 1043, options [nop,nop,TS val 2708099912 ecr 2749914697], length 1

Notice that tcpdump(1) is showing the current and next TCP sequence number.
In our case the next TCP sequence number is 351918029.

So now, you can fabricate a TCP packet with the RST flag:
hping 192.168.10.146 -R -V --setseq 351918029 --spoof 192.168.0.131 -p 23 -s 22450
Explanation:
send a spoofed TCP packet with the RST flag from 192.168.0.131:22450 to 192.168.10.146:23 using TCP sequence number 351918029.

Try it, it tickles.
 