IP Filter - What's this about?
==============================
Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html
How-to:   http://www.obfuscation.org/ipf/ipf-howto.txt

    The idea behind this package is to allow those who use Unix workstations as
routers (a common occurrence in Universities, it appears) to apply packet
filtering to packets going in and out of them. This package has been
tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs.
It is also quite possible for this small kernel extension to be installed
and used effectively on Sun workstations which don't route IP, just for
added security. It can also be integrated with the multicast patches.
It has also been tested successfully on all of the modern free BSDs as
well as BSDI, and SGI's IRIX 6.2.

    The filter keeps a rule list for both inbound and outbound sides of
the IP packet queue, and a check is made as early as possible, aiming to
stop the packet before it even gets as far as being checked for source
route options. In the file "BNF", a set of rules for constructing filter
rules understood by this package is given. The files in the directory
"rules", "example.1" ... "example.sr", show example rules you might apply.

    In practice, I've successfully isolated a workstation from all
machines except the NFS file servers on its local subnets (yeah, ok, so
this doesn't really increase security, because of NFS, but you get the
drift on how it can be applied and used). I've also successfully
set up and maintained my own firewalls using it with TIS's Firewall Toolkit,
including using it on an mbone router.

    When using it with multicast IP, the calls to fr_check() should be
before the packet is unwrapped and after it is encapsulated. So the
filter routines will see the packet as a UDP packet, protocol XYZ.
Whether this is better or worse than having it filter on class D addresses
is debatable, but the idea behind this package is to be able to
discriminate between packets as they are on the 'wire', before they
get routed anywhere, etc.

    It is worth noting that it is possible, using a small MTU and
generating tiny fragmented IP packets, to generate a TCP packet which
doesn't contain enough information to filter on the "flags". Filtering
on these types of packets is possible, but under the more general case
of the packets being "short". ICMP and UDP packets which are too small
(they don't contain a complete header) are dropped and logged, no questions
asked. When filtering on fragmented packets, the last fragment will get
through for TCP/UDP/ICMP packets.

Bugs/Problems
-------------
If you have a problem with IP Filter on your operating system, please fill in
a copy of the file "BugReport" with the details of your setup as required
and email it to darrenr@pobox.com.

Some general notes.
-------------------
    To add/delete a rule from memory, access to the device in /dev is needed,
allowing non-root maintenance. The filter list in kernel memory is built
from the kernel's heap. Each packet coming *in* or *out* is checked against
the appropriate list; rejects are dropped, others passed through. Thus this will
work on an individual host, not just gateways. Presently there is only one
list for all interfaces; the changes required to make it a per-interface list
require more .o replacements for the kernel. When checking a packet, the
packet is compared to the entire list from top to bottom, the last matching
line being effective.


What does what?
---------------
if_fil.o (Loadable kernel module)
    - additional kernel routines to check an access list as to whether
      or not to drop or pass a packet. It currently defaults to pass
      on all packets.

ipfstat
    - digs through your kernel (need to check #define VMUNIX in fils.c)
      and /dev/kmem for the access filter list and mini stats table.
      Obviously needs to be run privileged if required.

ipf
    - reads the files passed as parameters as input files containing new
      filter rules to add/delete to the kernel list. The lines are
      inserted in order; the first line is inserted first, and ends up
      first on the list. Subsequent invocations append to the list
      unless specified otherwise.
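As an added illustration (not code from the IP Filter distribution), the following Python model reproduces the evaluation semantics described in the general notes and in the paragraph on short packets above: one rule list per direction, every rule checked from top to bottom with the last match deciding, a default of pass when nothing matches, and ICMP/UDP packets lacking a complete header dropped and logged before any rule is consulted. The rule and packet fields, the 10.0.0.0/24 network and the header-size constants are constructed for this example and are not ipf's own rule syntax.

```python
import ipaddress

# Minimum complete transport header per protocol; offset just past the TCP flags byte (constructed).
MIN_HDR = {"tcp": 20, "udp": 8, "icmp": 8}
TCP_FLAGS_END = 14

def is_short(pkt):
    # A fragment is "short" when it lacks a complete transport header.
    return pkt["hdr_len"] < MIN_HDR[pkt["proto"]]

def rule_matches(rule, pkt):
    if rule.get("short"):                       # "short" rules match only short packets
        return is_short(pkt)
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("src") and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    # A rule keyed on TCP flags cannot match a fragment cut off before the flags byte.
    if "flags" in rule and (pkt["hdr_len"] < TCP_FLAGS_END or pkt.get("flags") != rule["flags"]):
        return False
    return True

def filter_packet(rules, pkt, log):
    # Short ICMP/UDP packets are dropped and logged before any rule is consulted.
    if pkt["proto"] in ("udp", "icmp") and is_short(pkt):
        log.append(f"short {pkt['proto']} from {pkt['src']} dropped")
        return "block"
    decision = "pass"                           # default when no rule matches
    for rule in rules:                          # whole list, top to bottom: LAST match decides
        if rule_matches(rule, pkt):
            decision = rule["action"]
    return decision

# Constructed inbound list: block all, re-allow local TCP SYNs, then block short fragments.
INBOUND = [
    {"action": "block"},
    {"action": "pass", "proto": "tcp", "src": "10.0.0.0/24", "flags": "S"},
    {"action": "block", "short": True},
]

def demo():
    # Constructed sample packets run through INBOUND; returns (decisions, log).
    log = []
    pkts = {
        "syn_local":  {"proto": "tcp", "src": "10.0.0.5", "hdr_len": 20, "flags": "S"},
        "syn_remote": {"proto": "tcp", "src": "192.0.2.9", "hdr_len": 20, "flags": "S"},
        "tiny_frag":  {"proto": "tcp", "src": "10.0.0.5", "hdr_len": 8},
        "short_udp":  {"proto": "udp", "src": "10.0.0.5", "hdr_len": 4},
    }
    return {n: filter_packet(INBOUND, p, log) for n, p in pkts.items()}, log
```

Note that the tiny TCP fragment from the trusted subnet is not let through by the flags rule, because the flags byte is absent; it is caught by the general "short" rule instead.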

ipftest
    - test the ruleset given by filename. Reads in the ruleset and then
      waits for stdin.

    See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
    information on what the above do.

mkfilters
    - suggests a set of filter rules to employ and suggests how to add
      routes to back these up.

BNF
    - BNF rule set for the filter rules

Darren Reed
darrenr@pobox.com
http://coombs.anu.edu.au/~avalon/ip-filter.html