Drop packet by content

I'm wondering if there is a feature that allows dropping an inbound packet on an external interface by the content of the packet.
E.g., iptables has such functionality but it's Linux software. I'm on FreeBSD 10.2 and I use PF as a firewall; PF doesn't have such a feature.
It seems security/suricata might do it in the IPS mode but it requires switching from PF to IPFW in order to operate.
Could someone give me advice?
 
IPFW has no capability to filter by the payload contents, there has to be something else that first inspects the packets on "layer 7" level (such as the mentioned Snort) and then decides to pull the plug using the packet filter backend (can be IPFW or PF).
 
there has to be something else that first inspects the packets on "layer 7" level (such as the mentioned Snort) and then decides to pull the plug using the packet filter backend (can be IPFW or PF).
Can you confirm that security/suricata or security/snort works with PF on FreeBSD in the IPS mode? I can't find any guides on how to configure it in the IPS mode with PF.
On the other hand, security/suricata and security/snort are too heavy for my task. I don't need a full featured IPS system, I need a simple packet drop just like this:
Code:
iptables -A INPUT -p tcp --sport 80 -m string --algo bm --string "..." -j DROP
net/relayd is more lightweight but it can't simply drop a packet, instead it closes the whole connection.
 
None of them has the ability to drop individual packets immediately; instead they drop connections by flushing the states related to the offending IP address and adding the address to a blacklist.
 
You might be able to do it with a divert socket, writing some code to inspect the packet and conditionally reintroduce it to the firewall in a manner that bypasses the divert. I'm sure if it was that easy, it would already have been done though.

bpf(4) could probably do something similar, but I'm in way over my head with that suggestion.

Either way you are going to be writing code.
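The divert-socket approach described above, as an added example (not code from this thread): a small user-space program that receives packets from a divert port, applies the same test as the iptables rule quoted earlier (TCP source port 80, payload containing a string), and writes back only the packets that should pass. It assumes a pf rule of the form "divert-to 127.0.0.1 port 8668" pointing at it, and the NEEDLE pattern stands in for the "..." in that rule; the sample packet builder exists only so the match logic can be exercised offline.

```c
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Payload pattern to match (hypothetical; stands in for "..." in the iptables rule). */
static const char NEEDLE[] = "BADSTRING";

/* 1 if pkt is IPv4/TCP from source port 80 with NEEDLE in its payload, else 0. */
int should_drop(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0; /* not IPv4/TCP */
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    if (((pkt[ihl] << 8) | pkt[ihl + 1]) != 80) return 0;       /* TCP source port */
    size_t doff = (pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return 0;
    const uint8_t *payload = pkt + ihl + doff;
    size_t plen = len - ihl - doff, nlen = sizeof(NEEDLE) - 1;
    for (size_t i = 0; i + nlen <= plen; i++)
        if (memcmp(payload + i, NEEDLE, nlen) == 0) return 1;
    return 0;
}

/* Constructed sample IPv4/TCP packet (no checksums) for offline testing; returns length. */
size_t build_sample(uint8_t *out, uint16_t sport, const char *payload)
{
    size_t plen = strlen(payload); memset(out, 0, 40);
    out[0] = 0x45; out[9] = 6;                    /* IPv4, IHL 5, protocol TCP */
    out[20] = sport >> 8; out[21] = sport & 0xff; /* TCP source port */
    out[32] = 0x50;                               /* TCP data offset 5 (20 bytes) */
    memcpy(out + 40, payload, plen);
    return 40 + plen;
}

#ifdef __FreeBSD__
/* Divert loop for pf "divert-to 127.0.0.1 port 8668" (port assumed); a dropped packet is simply never written back. */
int main(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) }, from;
    socklen_t fl; uint8_t buf[65535]; ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) return 1;
    while (fl = sizeof from, (n = recvfrom(fd, buf, sizeof buf, 0,
                                           (struct sockaddr *)&from, &fl)) >= 0)
        if (!should_drop(buf, (size_t)n))         /* pass: reinject unchanged */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    return 0;
}
#endif
```

Run it as root on the FreeBSD host after loading ipdivert.ko; everything that reaches the divert rule and is not reinjected is lost, so keep the divert-to rule narrow.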
 
You might be able to do it with a divert socket
I'm trying to configure the divert-to option in pf. I've found the thread how-to-use-pfs-divert-to-in-freebsd9.25783.
divert-to requires loading the ipdivert.ko module, ipdivert.ko loads ipfw.ko, and ipfw.ko blocks all my traffic by default.
Is it ok to have ipfw alongside pf? How do they work together? Which one is processing packets first and which one is next?
 
You did indeed, my bad for not paying enough attention. I found this (2010), which implies, as you've stated, that both ipfw and pf are hooked in, so it looks like while it may be a bad idea to use both, you certainly (and obviously) can. That could be very confusing, hence the mantra 'only use one firewall'.

What does ipfw show display? If it's deny default, there will be one rule:
65535 0 0 deny ip from any to any

You'll want to add a rule before that like:
ipfw add 65534 allow ip from any to any

The thread you referenced certainly seemed like divert-to worked.
 
divert-to requires loading of the ipdivert.ko module, ipdivert.ko loads ipfw.ko and ipfw.ko blocks all my traffic by default.
I've managed to solve this by putting net.inet.ip.fw.default_to_accept=1 in /boot/loader.conf
 