README (22514) | README (31183) |
---|---|
1IP Filter - What's this about ? 2============================ 3 4 The idea behind this package is allow those who use Unix workstations as 5routers (a common occurance in Universities it appears) to apply packet 6filtering to packets going in and out of them. This package has been 7tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs. 8It is also quite possible for this small kernel extension to be installed 9and used effectively on Sun workstations which don't route IP, just for 10added security. It can also be integrated with the multicast patches. 11It has also been tested successfully on all of the modern free BSDs as | 1IP Filter - What's this about ? 2============================ 3 4 The idea behind this package is allow those who use Unix workstations as 5routers (a common occurance in Universities it appears) to apply packet 6filtering to packets going in and out of them. This package has been 7tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs. 8It is also quite possible for this small kernel extension to be installed 9and used effectively on Sun workstations which don't route IP, just for 10added security. It can also be integrated with the multicast patches. 11It has also been tested successfully on all of the modern free BSDs as |
12well as BSDI. | 12well as BSDI, and SGI's IRIX 6.2. |
13 14 The filter keeps a rule list for both inbound and outbound sides of 15the IP packet queue and a check is made as early as possible, aiming to 16stop the packet before it even gets as far as being checked for source 17route options. In the file "BNF", a set of rules for constructing filter 18rules understood by this package is given. The files in the directory 19"rules", "example.1" ... "example.sr" show example rules you might apply. 20 --- 16 unchanged lines hidden (view full) --- 37generating tiny fragmented IP packets to generate a TCP packet which 38doesn't contain enough information to filter on the "flags". Filtering 39on these types of packets is possible, but under the more general case 40of the packets being "short". ICMP and UDP packets which are too small 41(they don't contain a complete header) are dropped and logged, no questions 42asked. When filtering on fragmented packets, the last fragment will get 43through for TCP/UDP/ICMP packets. 44 | 13 14 The filter keeps a rule list for both inbound and outbound sides of 15the IP packet queue and a check is made as early as possible, aiming to 16stop the packet before it even gets as far as being checked for source 17route options. In the file "BNF", a set of rules for constructing filter 18rules understood by this package is given. The files in the directory 19"rules", "example.1" ... "example.sr" show example rules you might apply. 20 --- 16 unchanged lines hidden (view full) --- 37generating tiny fragmented IP packets to generate a TCP packet which 38doesn't contain enough information to filter on the "flags". Filtering 39on these types of packets is possible, but under the more general case 40of the packets being "short". ICMP and UDP packets which are too small 41(they don't contain a complete header) are dropped and logged, no questions 42asked. When filtering on fragmented packets, the last fragment will get 43through for TCP/UDP/ICMP packets. 44 |
45Bugs/Problems 46------------- 47If you have a problem with IP Filter on your operating system, please email 48a copy of the file "BugReport" with the details of your setup as required 49and email to darrenr@cyber.com.au. |
|
45 46Some general notes. 47------------------- 48 To add/delete a rule from memory, access to the device in /dev is needed, 49allowing non-root maintenaince. The filter list in kernel memory is built 50from the kernel's heap. Each packet coming *in* or *out* is checked against 51the appropriate list, rejects dropped, others passed through. Thus this will 52work on an individual host, not just gateways. Presently there is only one --- 41 unchanged lines hidden --- | 50 51Some general notes. 52------------------- 53 To add/delete a rule from memory, access to the device in /dev is needed, 54allowing non-root maintenaince. The filter list in kernel memory is built 55from the kernel's heap. Each packet coming *in* or *out* is checked against 56the appropriate list, rejects dropped, others passed through. Thus this will 57work on an individual host, not just gateways. Presently there is only one --- 41 unchanged lines hidden --- |
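Review bot: The new platform claim in the "well as BSDI, and SGI's IRIX 6.2" line gives less detail than the Sun one a few lines earlier ("tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs"); saying what IRIX 6.2 configuration was tested on would help readers judge whether their system matches before they load a kernel extension.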
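Review bot: In the added Bugs/Problems paragraph, "please email a copy of the file "BugReport" with the details of your setup as required and email to darrenr@cyber.com.au" uses "email" twice in one instruction; suggest "please fill in the file "BugReport" with the details of your setup and email it to darrenr@cyber.com.au". Saying where in the distribution BugReport is found, as the README does for "BNF" and the "rules" directory, would also help reporters.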