# Drop packet by content



## arabesc (Feb 1, 2016)

I'm wondering if there is a feature that allows dropping an inbound packet on an external interface by the content of the packet.
E.g., iptables has such functionality, but it's Linux software. I'm on FreeBSD 10.2 and I use PF as a firewall; PF doesn't have such a feature.
It seems security/suricata might do it in IPS mode, but it requires switching from PF to IPFW in order to operate.
Could someone give me advice?


----------



## da1 (Feb 1, 2016)

Last I checked, this was true about pf. You might be better off with IPFW or iptables.


----------



## leebrown66 (Feb 5, 2016)

security/snort is the alternative, but I believe IPFW is required for that also.


----------



## kpa (Feb 5, 2016)

IPFW has no capability to filter by the payload contents, there has to be something else that first inspects the packets on "layer 7" level (such as the mentioned Snort) and then decides to pull the plug using the packet filter backend (can be IPFW or PF).


----------



## arabesc (Feb 6, 2016)

kpa said:


> there has to be something else that first inspects the packets on "layer 7" level (such as the mentioned Snort) and then decides to pull the plug using the packet filter backend (can be IPFW or PF).


Can you confirm that security/suricata or security/snort works with PF on FreeBSD in IPS mode? I can't find any guides on how to configure it in IPS mode with PF.
On the other hand, security/suricata and security/snort are too heavy for my task. I don't need a full-featured IPS system, I need a simple packet drop just like this:

```
iptables -A INPUT -p tcp --sport 80 -m string --algo bm --string "..." -j DROP
```
net/relayd is more lightweight, but it can't simply drop a packet; instead it closes the whole connection.


----------



## kpa (Feb 6, 2016)

None of them have the ability to drop individual packets immediately; instead they drop connections by flushing the states related to the offending IP address and adding the address to a blacklist.


----------



## arabesc (Feb 6, 2016)

Similar thread: how-to-write-a-rule-to-drop-malicious-packets.27762
Unfortunately there is no solution.


----------



## leebrown66 (Feb 7, 2016)

You _might_ be able to do it with a divert socket, writing some code to inspect the packet and conditionally reintroduce it to the firewall in a manner that bypasses the divert.  I'm sure if it was that easy, it would already have been done though.

bpf(4) could probably do something similar, but I'm in way over my head with that suggestion.

Either way you are going to be writing code.


----------



## justwantask (Feb 10, 2016)

It is possible to filter by the content of the packet using ng_ipfw(4) + ng_bpf(4), but it's not as easy as in iptables. Here is the link http://citrin.ru/freebsd:ng_ipfw_ng_bpf, use Google Translate.


----------



## leebrown66 (Feb 10, 2016)

Awesome, thanks justwantask, learning more about bpf and ng has been on my list for a long time, this is a nice concise example.


----------



## arabesc (Feb 14, 2016)

leebrown66 said:


> You _might_ be able to do it with a divert socket


I'm trying to configure the divert-to option in pf. I've found Thread how-to-use-pfs-divert-to-in-freebsd9.25783.
divert-to requires loading of the ipdivert.ko module, ipdivert.ko loads ipfw.ko, and ipfw.ko blocks all my traffic by default.
Is it ok to have ipfw alongside pf? How do they work together? Which one is processing packets first and which one is next?


----------



## da1 (Feb 14, 2016)

You should use only 1 firewall.


----------



## arabesc (Feb 14, 2016)

da1 said:


> You should use only 1 firewall.


Then it's impossible to use divert-to in pf because it requires ipdivert.ko that in turn loads ipfw.ko. So, is divert-to unavailable in pf?


----------



## leebrown66 (Feb 15, 2016)

pf.conf(5) states it has divert capability.  Maybe it's baked into pf?

```
# man pf.conf | col -b | grep divert
  divert-to <host> port <port>
  divert-reply
```


----------



## arabesc (Feb 15, 2016)

leebrown66 said:


> pf.conf(5) states it has divert capability.  Maybe it's baked into pf?


As I said, it seems that divert-to doesn't work without ipdivert.ko.
pf just ignores the divert-to option if ipdivert.ko isn't loaded.


----------



## leebrown66 (Feb 15, 2016)

You did indeed, my bad for not paying enough attention.  I found this (2010), which implies as you've stated that both ipfw and pf are hooked in, so it looks like while it may be a bad idea to use both, you certainly (and obviously) can.  That could be very confusing, hence the mantra 'only use one firewall'.

What does `ipfw show` display?  If it's deny default, there will be one rule:

```
65535  0  0 deny ip from any to any
```

You'll want to add a rule before that like:

```
ipfw add 65534 allow ip from any to any
```

The thread you referenced certainly seemed like divert-to worked.


----------



## Lars Wittebrood (Feb 22, 2016)

Hi there,

to answer the initial question: the following URL shows you how you can do this with IPFW and Snort: http://www.unixmen.com/freebsd-snort-ips/

This was mentioned on BSD Now a couple of weeks ago.

If you want to use PF, then you can do this using PFSense.

Regards,
Lars


----------



## arabesc (Jul 9, 2017)

arabesc said:


> divert-to requires loading of the ipdivert.ko module, ipdivert.ko loads ipfw.ko and ipfw.ko blocks all my traffic by default.


I've managed to solve this by putting `net.inet.ip.fw.default_to_accept=1` in `/boot/loader.conf`.
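An added example of the approach the thread converged on (pf `divert-to` feeding a small user-space program over a divert(4) socket), written for this edit and not taken from any poster: the pf rule, the divert port 700 and the pattern `DROPME` are assumptions standing in for the `--string "..."` of the iptables rule, and it assumes ipdivert.ko is loaded with `net.inet.ip.fw.default_to_accept=1` as in the post above. Packets whose TCP payload contains the pattern are simply not re-injected, which is the "drop" the original question asked for; everything else goes back into the stack.

```c
/* Added example, not from the thread: user-space payload filter for pf divert-to
 * on FreeBSD 10.x. Assumed pf.conf rule (assumption, not from any post):
 *   pass in on $ext_if proto tcp from any port 80 divert-to 127.0.0.1 port 700
 * A diverted packet whose TCP payload contains PATTERN is not re-injected (dropped). */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258                 /* FreeBSD's value, so the parser compiles elsewhere */
#endif
#define DIVERT_PORT 700                    /* must match the divert-to port in pf.conf (assumed) */
static const char PATTERN[] = "DROPME";    /* constructed stand-in for iptables --string "..." */

/* Return 1 if an IPv4/TCP packet carries pat in its payload, else 0. Headers are
 * parsed by hand (IHL, protocol, TCP data offset) to avoid OS-specific structs. */
int payload_matches(const unsigned char *pkt, size_t len, const char *pat)
{
    size_t pl = strlen(pat);
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;   /* IPv4 + TCP only */
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 20) return 0;
    size_t thl = (pkt[ihl + 12] >> 4) * 4u;                        /* TCP data offset */
    if (thl < 20 || len < ihl + thl) return 0;
    for (size_t i = 0, n = len - ihl - thl; pl && i + pl <= n; i++)
        if (memcmp(pkt + ihl + thl + i, pat, pl) == 0) return 1;
    return 0;                                                      /* no match or empty payload */
}

int main(void)
{
    unsigned char buf[65535]; struct sockaddr_in sin; socklen_t slen;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* divert(4) API of the FreeBSD 10 era */
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sin, 0, sizeof sin); sin.sin_family = AF_INET; sin.sin_port = htons(DIVERT_PORT);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        slen = sizeof sin;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen);
        if (n <= 0 || payload_matches(buf, (size_t)n, PATTERN)) continue;   /* matched: drop */
        /* re-inject with the same sockaddr so the packet continues where it was diverted */
        sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, slen);
    }
}
```

Run it as root after loading ipdivert.ko; note that inspection is per packet, so a pattern split across two TCP segments is not seen, which is the same limitation the iptables string match has.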


----------

