Cheap Packet Filtering
I have added a packet filtering implementation to Phil Karn's KA9Q
software (930104 version) based on many of the ideas in Brent
Chapman's paper, "Network (In)Security Through IP Packet Filtering".
I want to make this software generally available both because I think
it is useful and because I want beta testers and/or better ideas. I
will place no restrictions on the code, but the copyrights of Phil
Karn and other authors of the KA9Q software may not be infringed. The
last time I looked the shareware fee for commercial sites was $50 for
the KA9Q package (it is free to schools and ham radio operators, or
for evaluation purposes).

I would like an anonymous FTP site on which to put the source and
executables, as well as some feedback from testers.

I use this software to provide a demand-dial router between an
extended LAN and an Internet service provider on a SLIP link with a
V.32bis/V.42bis modem at a DTE speed of 57600 Kbps. My target
hardware is a PC clone with a 16 MHz 286 CPU, a serial card with
NS16550As, and an ethernet card. I compiled the software with Borland
C++ V3.1.

I have tested the code and it seems to behave. I am using it for my
Internet connection right now. There may be bugs, and it may be
possible to improve the performance by coding changes. I WILL NOT BE
RESPONSIBLE FOR ANY PROBLEMS YOU MAY HAVE WITH THIS SOFTWARE, OR AS A
CONSEQUENCE OF USING THIS SOFTWARE, NOR WILL I BE RESPONSIBLE FOR
FIXING OR IMPROVING THE SOFTWARE.

The forms of the IP filter command are

ip filter <interface> delete
ip filter <interface> list
ip filter <interface> deny <in/out> <type> <source> <destination>
ip filter <interface> permit <in/out> <type> <source> <destination>

The <interface> is the name of the interface that was assigned when it
was attached.

The "delete" command will delete the entire filter set for an
interface.

The "list" command will display the entire filter set for an
interface.

The "deny" command will append a filter entry to the filter set for an
interface. The direction of the packet to be disallowed is from the
perspective of the router running the filtering process (i.e. "in"
implies that the packet arrived on the specified interface). The type
field specifies the packet category to be disallowed. The source and
destination allow IP addresses, address masks, and ports to be
specified.

The "permit" command is identical to the "deny" command except that it
causes packets that meet the specified criteria to be allowed.

The legal packet types are shown in the following table.

TYPE     MEANING

*        Any IP packet.
icmp     Any ICMP packet.
icmprd   An ICMP REDIRECT packet.
icmpxrd  Any ICMP packet except a REDIRECT.
tcp      Any TCP packet.
tcpsyn   A TCP packet with the SYN bit set and the ACK bit clear. This
         implies an attempt to open a new TCP connection.
tcpxsyn  Any TCP packet that has the SYN bit clear or the ACK bit set.
         This implies a packet on an existing connection.
udp      Any UDP packet.

A source or destination specification takes the form
[!]address[/bits][:port], where address is an IP address in dotted
octet form, or a resolvable domain name, or "*". The use of "*" for
the address implies both an address and address mask of all zeroes.
If you specify "/bits" on an address you are specifying how many of
the high order bits of the address are significant. For example, to
compare only the network part of a class B address one could use /16.
The use of "!" before an address means that all addresses except those
specified by the address and mask match the specification. Finally, if
a port number is specified then the filter entry will only match
packets with the appropriate port numbers (this is only meaningful if
one of the tcp, tcpsyn, tcpxsyn or udp packet types is specified).

The list of filter entries is scanned in the order they were entered
until a match is reached, then the action specified in the filter
entry (i.e. deny or permit) will be taken. If a packet does not match
any filter entries then it will be denied by default. Note that the
input and output filter sets are independent and that, for example, if
no output entries exist, then all outgoing packets would be permitted.

If an IP datagram is fragmented then filters only apply to the first
fragment (all subsequent fragments are permitted). Incoming and
outgoing filters are checked even if source routing is specified.

Here is a filter set that I made up for a SLIP link to the Internet
from my company's class B network. The line numbers are only for
reference purposes.

1 ip filter sl0 permit in tcpxsyn !cubic.com/16 cubic.com/16
2 ip filter sl0 permit in tcpsyn !cubic.com/16 cubic.com/16:25
3 ip filter sl0 permit in tcpsyn ns2.psi.net ns.cubic.com:53
4 ip filter sl0 permit in tcpsyn !cubic.com/16 cubic.com:79
5 ip filter sl0 permit in udp !cubic.com/16:53 cubic.com/16:53
6 ip filter sl0 permit in udp !cubic.com/16:123 cubic.com/16:123
7 ip filter sl0 permit in icmpxrd !cubic.com/16 cubic.com/16
8 ip filter sl0 permit out * cubic.com/16 !cubic.com/16

Line 1 permits TCP packets for established connections. It disallows
attempts to spoof internal addresses from outside (the other filter
entries that allow arbitrary hosts also do this). There is probably
a performance benefit from putting this rule first.

Line 2 permits new SMTP connections to be opened on any internal
machine.

Line 3 permits ns2.psi.net to perform DNS zone transfers from
ns.cubic.com.

Line 4 permits new FINGER connections to cubic.com.

Line 5 permits UDP packets for DNS.

Line 6 permits UDP packets for NTP.

Line 7 permits ICMP packets except redirects.

Line 8 prevents packets destined to subnets for which there are no
routes from cycling between our router and the Internet provider's
until the time-to-live expires.
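The following is an added example, not Dave Mischler's code and not part of KA9Q: a small Python model of the filter semantics described above (the [!]address[/bits][:port] syntax, the eight packet types, first-match scanning with deny by default, the rule that an empty set for a direction permits everything, and filtering of the first fragment only), which then loads the eight-line sl0 filter set from the text and decides sample packets against it. It assumes a constructed host table (HOSTS, with made-up addresses from documentation ranges) in place of the DNS lookups the real router would perform, so it runs offline.

```python
import ipaddress
from collections import namedtuple

# Constructed name table standing in for DNS; these addresses are made up.
HOSTS = {"cubic.com": "192.0.2.1", "ns.cubic.com": "192.0.2.53",
         "ns2.psi.net": "198.51.100.2"}
ICMP_REDIRECT = 5

# A packet as the filter sees it; direction is from the router's perspective
# and frag_offset > 0 marks a non-first fragment.
Packet = namedtuple("Packet", "direction proto src dst sport dport syn ack icmp_type frag_offset",
                    defaults=(None, None, False, False, 0, 0))

# The legal packet types and the test each one applies.
TYPE_TESTS = {
    "*":       lambda p: True,
    "icmp":    lambda p: p.proto == "icmp",
    "icmprd":  lambda p: p.proto == "icmp" and p.icmp_type == ICMP_REDIRECT,
    "icmpxrd": lambda p: p.proto == "icmp" and p.icmp_type != ICMP_REDIRECT,
    "tcp":     lambda p: p.proto == "tcp",
    "tcpsyn":  lambda p: p.proto == "tcp" and p.syn and not p.ack,
    "tcpxsyn": lambda p: p.proto == "tcp" and (not p.syn or p.ack),
    "udp":     lambda p: p.proto == "udp",
}

# One parsed [!]address[/bits][:port] specification.
Endpoint = namedtuple("Endpoint", "negate network port")

def parse_endpoint(spec):
    negate = spec.startswith("!")
    spec, port, bits = spec.lstrip("!"), None, 32   # no /bits: every address bit is significant
    if ":" in spec:                                  # trailing :port
        spec, p = spec.split(":", 1)
        port = int(p)
    if "/" in spec:
        spec, b = spec.split("/", 1)
        bits = int(b)
    if spec == "*":                                  # address and mask of all zeroes
        spec, bits = "0.0.0.0", 0
    addr = HOSTS.get(spec, spec)                     # constructed lookup in place of DNS
    return Endpoint(negate, ipaddress.IPv4Network(f"{addr}/{bits}", strict=False), port)

def endpoint_matches(ep, addr, port):
    # "!" inverts only the address test; a port, when given, must match exactly.
    hit = (ipaddress.IPv4Address(addr) in ep.network) != ep.negate
    return hit and (ep.port is None or port == ep.port)

class Interface:
    """Filter sets for one attached interface; the in and out sets are independent."""
    def __init__(self, name):
        self.name = name
        self.rules = {"in": [], "out": []}           # entries are (action, type, src, dst)

    def command(self, line):
        """Apply one 'ip filter <interface> ...' line; 'list' returns the entries."""
        words = line.split()
        if words[:3] != ["ip", "filter", self.name]:
            raise ValueError(f"not a filter command for {self.name}: {line}")
        verb = words[3]
        if verb == "delete":
            self.rules = {"in": [], "out": []}
        elif verb == "list":
            return self.rules["in"] + self.rules["out"]
        elif verb in ("permit", "deny"):
            direction, ptype, src, dst = words[4:8]
            if ptype not in TYPE_TESTS or direction not in self.rules:
                raise ValueError(f"bad filter entry: {line}")
            self.rules[direction].append((verb, ptype, parse_endpoint(src), parse_endpoint(dst)))
        else:
            raise ValueError(f"unknown filter verb: {verb}")

    def decide(self, pkt):
        if pkt.frag_offset > 0:
            return "permit"                          # only the first fragment is filtered
        rules = self.rules[pkt.direction]
        if not rules:
            return "permit"                          # no entries for this direction: all pass
        for action, ptype, src, dst in rules:        # first match wins
            if (TYPE_TESTS[ptype](pkt) and endpoint_matches(src, pkt.src, pkt.sport)
                    and endpoint_matches(dst, pkt.dst, pkt.dport)):
                return action
        return "deny"                                # no match: denied by default

# The document's sl0 filter set, without its reference line numbers.
EXAMPLE_FILTER_SET = """\
ip filter sl0 permit in tcpxsyn !cubic.com/16 cubic.com/16
ip filter sl0 permit in tcpsyn !cubic.com/16 cubic.com/16:25
ip filter sl0 permit in tcpsyn ns2.psi.net ns.cubic.com:53
ip filter sl0 permit in tcpsyn !cubic.com/16 cubic.com:79
ip filter sl0 permit in udp !cubic.com/16:53 cubic.com/16:53
ip filter sl0 permit in udp !cubic.com/16:123 cubic.com/16:123
ip filter sl0 permit in icmpxrd !cubic.com/16 cubic.com/16
ip filter sl0 permit out * cubic.com/16 !cubic.com/16
"""

def build_example():
    sl0 = Interface("sl0")
    for line in EXAMPLE_FILTER_SET.splitlines():
        sl0.command(line)
    return sl0
```

With this model, `build_example().decide(Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 40000, 25, syn=True))` returns "permit" through line 2 of the set, the same SYN to port 23 falls off the end of the list and is denied, a SYN with a source inside the internal /16 is denied because every inbound entry requires a `!cubic.com/16` source, an inbound ICMP redirect is denied because only `icmpxrd` is permitted, and an outbound packet whose destination is still inside the /16 is denied by line 8. Note that, exactly as the text says, a non-first fragment is permitted without consulting the list, and an interface with no entries for a direction permits everything in that direction.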

Thanks to Jim Stine, my packet filtering modifications to KA9Q are
available for anonymous FTP from stealth.logiconultra.com in
/pub/dm930118.*. An updated description, an executable, and a zip
file with all needed sources are included. I would love to receive
bug reports, success stories, questions and constructive criticism.

Dave Mischler
[email protected]