IPFWREWRITE(8) BSD System Manager's Manual IPFWREWRITE(8)
NAME
ipfwrewrite - Rewrite or Reassemble IP packet
SYNOPSIS
ipfwrewrite [-T tag]
DESCRIPTION
The ipfwrewrite utility is used to cause packet reassembly (only from the
pre-input chain) or to re-write TCP/IP packets for rejection. If the IPFW
filter-specific value is set to 1, reassembly will be done; if not, any
TCP packet sent to this filter will be re-written as a reset packet and
sent back to the source address.
The following options are available:
-T tag Specify the tag to be used. If this is not specified then the
tag "rewrite" will be used.
HOW TO USE
Typically only a single rewrite filter is installed on a system; there is
little advantage in installing more than one. It is always installed on
the CALL filter chain. A pre-input or output filter is then installed.
The pre-input filter should determine which session requests should be
reset and then write:
    tcp && determine_this_is_a_bad_request {
        call("rewrite");
        accept;
    }
It is important to accept the re-written packet so it is actually sent!
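The rewrite-as-reset step described above, shown as an added Python example that is not part of this manual page or of the IPFW code. It models what the filter does to a TCP segment handed to it with the filter-specific value unset: the segment is turned into the RST that rejects it, with addresses and ports swapped so it travels back to the source, and the SEQ/ACK numbers chosen by the RFC 793 reset rules. The packet layout helpers, the sample addresses and the function names are assumptions of the example; nothing is put on the wire.

```python
import struct

# Added example, not part of the ipfwrewrite(8) page or the IPFW code.
# It models the "re-written as a reset packet and sent back to the source"
# behaviour in pure byte manipulation; nothing is put on the wire.

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as a 16-bit integer.
    Over data that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Assemble an IPv4/TCP packet without options, with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(packet):
    """Extract the fields the rewrite needs and verify both checksums."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("only IPv4/TCP is handled")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": packet[12:16], "dst": packet[16:20],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F,            # URG ACK PSH RST SYN FIN
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
        "ip_ok": inet_checksum(packet[:ihl]) == 0,
        "tcp_ok": inet_checksum(pseudo + tcp) == 0,
    }


def build_tcp_reset(packet):
    """Rewrite an inbound segment into the RST that rejects it (RFC 793).

    With ACK set on the inbound segment the reset's SEQ is that ACK number
    and no ACK is sent; otherwise SEQ is 0 and ACK covers everything the
    inbound segment occupied (SYN and FIN each take one sequence number).
    Addresses and ports are swapped so the reset returns to the source.
    Returns None for an inbound RST, which must never be answered.
    """
    s = parse_segment(packet)
    if s["flags"] & TCP_RST:
        return None
    if s["flags"] & TCP_ACK:
        seq, ack, flags = s["ack"], 0, TCP_RST
    else:
        used = s["payload_len"] + bool(s["flags"] & TCP_SYN) + bool(s["flags"] & TCP_FIN)
        seq, ack, flags = 0, (s["seq"] + used) & 0xFFFFFFFF, TCP_RST | TCP_ACK
    return build_segment(s["dst"], s["src"], s["dport"], s["sport"], seq, ack, flags)


if __name__ == "__main__":
    # Constructed sample: a SYN from 10.0.0.5:40000 to 192.0.2.1:80.
    syn = build_segment(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]),
                        40000, 80, 1000, 0, TCP_SYN)
    print(parse_segment(build_tcp_reset(syn)))
```

The refusal to answer an inbound RST is the one rule a real implementation must keep: without it two hosts running such a filter can trade resets indefinitely. The rewritten packet is what the filter chain then has to accept, which is why the snippet above ends with accept.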
You can also use this to do packet reassembly at pre-input time on all
packets (normally forwarded packets are not reassembled). This should
not be done lightly, it can have a significant performance hit on a
machine forwarding packets as well as consume resources from the forwarding
machine. The packet will be "rejected" if it was not the final fragment
of a packet. It will return "accepted" if it is the final fragment (or
the packet was not fragmented). Since BPF filters do not currently cope
very well with packets changing out from under them, it is best to have
packet reassembly be the only element of the filter. Other filters
should be later in the chain. The filter can then be called as:
    ipfrag {
        call("rewrite" : 1);
    }
    next;
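The reassembly mode, shown as an added Python example that is not part of this manual page or of the IPFW code. It models a rewrite filter called with the value 1 at pre-input time, using the verdicts the text describes: every non-final fragment is reported as "rejected" (the chain stops, nothing is forwarded), and "accepted" is returned together with the rebuilt datagram only when the last fragment has arrived or the packet was never fragmented. A small fragment generator produces constructed input; the class and function names are assumptions of the example.

```python
import struct

# Added example, not part of the ipfwrewrite(8) page or the IPFW code.

ACCEPT, REJECT = "accept", "reject"


def ip_checksum(hdr: bytes) -> int:
    """Header checksum over an IPv4 header; 0 when the header already
    carries a correct checksum.  Two folds suffice for up to 60 bytes."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def make_fragments(header: bytes, payload: bytes, mtu: int = 40) -> list:
    """Split one IPv4 datagram into fragments the way a router would.
    Constructed test input only; each fragment payload is a multiple of 8."""
    chunk = (mtu - len(header)) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)          # MF bit on all but last
        hdr = bytearray(header)
        hdr[2:4] = struct.pack("!H", len(header) + len(piece))
        hdr[6:8] = struct.pack("!H", (0x2000 if more else 0) | (off // 8))
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
        frags.append(bytes(hdr) + piece)
    return frags


class Reassembler:
    """Models call("rewrite" : 1) at pre-input time: non-final fragments
    are 'rejected', the completed datagram is 'accepted' once the last
    piece arrives, and unfragmented packets pass straight through."""

    def __init__(self):
        # (src, dst, id, proto) -> partial state; this table is the resource
        # the text warns about, so a real filter bounds it with a timeout.
        self._pending = {}

    def feed(self, packet: bytes):
        ihl = (packet[0] & 0x0F) * 4
        frag_field = struct.unpack("!H", packet[6:8])[0]
        more = bool(frag_field & 0x2000)
        offset = (frag_field & 0x1FFF) * 8
        if not more and offset == 0:
            return ACCEPT, packet                  # never fragmented
        key = (packet[12:16], packet[16:20], packet[4:6], packet[9])
        st = self._pending.setdefault(key, {"pieces": {}, "total": None, "hdr": None})
        total_len = struct.unpack("!H", packet[2:4])[0]
        st["pieces"][offset] = packet[ihl:total_len]
        if offset == 0:
            st["hdr"] = packet[:ihl]               # header of the first piece
        if not more:
            st["total"] = offset + (total_len - ihl)
        if st["total"] is None or st["hdr"] is None:
            return REJECT, None
        # Pieces must tile [0, total) exactly; holes or overlaps keep waiting.
        expect = 0
        for off in sorted(st["pieces"]):
            if off != expect:
                return REJECT, None
            expect = off + len(st["pieces"][off])
        if expect != st["total"]:
            return REJECT, None
        del self._pending[key]
        payload = b"".join(st["pieces"][o] for o in sorted(st["pieces"]))
        hdr = bytearray(st["hdr"])
        hdr[2:4] = struct.pack("!H", len(hdr) + len(payload))
        hdr[6:8] = b"\x00\x00"                     # no longer a fragment
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
        return ACCEPT, bytes(hdr) + payload
```

Because every verdict but the last is "rejected", anything placed after this filter in the same chain only ever sees whole datagrams, which is the reason the text wants reassembly to be the sole element of its filter and other filters later in the chain.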
SEE ALSO
ipfw(8), ipfwcmp(8)
Feb 1, 2000