IP Filter - What's this about ?
============================
Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html
How-to: http://www.obfuscation.org/ipf/ipf-howto.txt

	The idea behind this package is to allow those who use Unix workstations
as routers (a common occurrence in universities, it appears) to apply packet
filtering to packets going in and out of them. This package has been tested
on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs. It is
also quite possible for this small kernel extension to be installed and used
effectively on Sun workstations which don't route IP, just for added security.
It can also be integrated with the multicast patches. It has also been tested
successfully on all of the modern free BSDs as well as BSDI, and SGI's IRIX 6.2.

	The filter keeps a rule list for both the inbound and outbound sides of
the IP packet queue, and the check is made as early as possible, aiming to
stop the packet before it even gets as far as being checked for source route
options. The file "BNF" gives the grammar for constructing filter rules
understood by this package. The files "example.1" ... "example.sr" in the
directory "rules" show example rules you might apply.

	In practice, I've successfully isolated a workstation from all machines
except the NFS file servers on its local subnets (yeah, ok, so this doesn't
really increase security, because of NFS, but you get the drift of how it can
be applied and used). I've also successfully set up and maintained my own
firewalls using it with TIS's Firewall Toolkit, including using it on an
mbone router.

	When using it with multicast IP, the calls to fr_check() should be
placed before the packet is unwrapped (inbound) and after it is encapsulated
(outbound), so the filter routines see the tunnel packet as it is on the wire
(a UDP packet, protocol XYZ) rather than the inner multicast packet. Whether
this is better or worse than having it filter on class D addresses is
debatable, but the idea behind this package is to be able to discriminate
between packets as they are on the 'wire', before they get routed anywhere.

	It is worth noting that it is possible, using a small MTU and generating
tiny fragmented IP packets, to produce a TCP packet whose first fragment does
not contain enough of the TCP header to filter on the "flags". Such packets
can still be filtered, but only under the more general category of "short"
packets, not on their flags. ICMP and UDP packets which are too small (they
don't contain a complete header) are dropped and logged, no questions asked.
When filtering fragmented packets, the last fragment will get through for
TCP/UDP/ICMP packets: non-first fragments carry no transport header, so
there are no ports or flags to match against.

Bugs/Problems
-------------
If you have a problem with IP Filter on your operating system, please fill in
a copy of the file "BugReport" with the details of your setup that it asks for
and email it to darrenr@pobox.com.

Some general notes.
-------------------
	To add/delete a rule from memory, access to the device in /dev is needed,
which allows non-root maintenance; bear in mind that anyone who can write to
that device can change the filter rules, so its permissions matter. The
filter list in kernel memory is built from the kernel's heap. Each packet
coming *in* or *out* is checked against the appropriate list; rejects are
dropped, all others are passed through. Thus this will work on an individual
host, not just on gateways. Presently there is only one list for all
interfaces; the changes required to make it a per-interface list require more
.o replacements in the kernel. When checking a packet, the packet is compared
to the entire list from top to bottom, the last matching line being effective,
so a later rule overrides any earlier rule that also matches.


What does what ?
----------------
if_fil.o (Loadable kernel module)
	- additional kernel routines to check an access list as to whether
	  or not to drop or pass a packet. It currently defaults to pass
	  on all packets, i.e. with no rules loaded nothing is blocked.

ipfstat
	- digs through your kernel (need to check #define VMUNIX in fils.c)
	  and /dev/kmem for the access filter list and mini stats table.
	  Obviously needs to be run privileged where /dev/kmem requires it.

ipf
	- reads the files passed as parameters as input files containing new
	  filter rules to add to/delete from the kernel list. The lines are
	  inserted in order; the first line is inserted first, and ends up
	  first on the list. Subsequent invocations append to the list
	  unless specified otherwise.

ipftest
	- tests the ruleset given by filename. Reads in the ruleset and then
	  waits for packet descriptions on stdin.

	See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
	information on what the above do.

mkfilters
	- suggests a set of filter rules to employ and suggests how to add
	  routes to back these up.

BNF
	- BNF rule set for the filter rules

Darren Reed
darrenr@pobox.com
http://coombs.anu.edu.au/~avalon/ip-filter.html
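The two behaviours described above, the "short" packet check from the paragraph on tiny fragments and the single top-to-bottom rule list with the last match winning from the general notes, as an added C example. This is not ipf's own code: the rule struct, the minimum transport header lengths it demands, the IP/TCP packet builders, the rule list and the sample packets are all constructed here for illustration, and check_packet() only stands in for the kernel's fr_check().

```c
/* Added example (not ipf's own code): a toy model of the packet path the README
 * describes. Each packet is first checked for a complete header ("short" ones are
 * dropped and counted), then walked through ONE rule list top to bottom with the
 * LAST matching rule deciding and PASS as the default. Everything here is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17
enum verdict { PASS = 0, BLOCK = 1, SHORT = 2 };
enum dir { IN = 0, OUT = 1 };
struct rule {                  /* proto 0 = any; mask 0 = any host; dport 0 = any port */
    enum verdict act; enum dir dir; int proto;
    uint32_t src, srcmask, dst, dstmask; int dport;
};
struct pkt_info { int proto, dport, has_transport; uint32_t src, dst; };
unsigned long stats_short;     /* the "mini stats table": short packets dropped */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Assumed minimum transport header to filter on: full TCP header (flags at byte 13), UDP 8, ICMP 4. */
static size_t min_hdr(int proto) {
    return proto == PROTO_TCP ? 20 : proto == PROTO_UDP ? 8 : proto == PROTO_ICMP ? 4 : 0;
}

/* Returns 0 if there is enough of the packet to filter on, -1 if it is "short". */
static int parse_ip(const uint8_t *p, size_t len, struct pkt_info *pi) {
    if (len < 20) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if ((p[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;
    memset(pi, 0, sizeof *pi);
    pi->proto = p[9]; pi->src = be32(p + 12); pi->dst = be32(p + 16);
    if (be16(p + 6) & 0x1fff) return 0;              /* later fragment: no transport header in it */
    if (len - ihl < min_hdr(pi->proto)) return -1;   /* tiny first fragment: flags/ports cut off */
    if (pi->proto == PROTO_TCP || pi->proto == PROTO_UDP) pi->dport = be16(p + ihl + 2);
    pi->has_transport = 1;
    return 0;
}

static int rule_matches(const struct rule *r, enum dir d, const struct pkt_info *pi) {
    if (r->dir != d || (r->proto && r->proto != pi->proto)) return 0;
    if ((pi->src & r->srcmask) != (r->src & r->srcmask) ||
        (pi->dst & r->dstmask) != (r->dst & r->dstmask)) return 0;
    /* A port rule cannot match a non-first fragment: the ports are simply not there. */
    if (r->dport && (!pi->has_transport || r->dport != pi->dport)) return 0;
    return 1;
}

/* fr_check()-style entry: drop and count short packets; otherwise the LAST match wins. */
enum verdict check_packet(const struct rule *rules, size_t n, enum dir d,
                          const uint8_t *p, size_t len) {
    struct pkt_info pi; enum verdict v = PASS; size_t i;
    if (parse_ip(p, len, &pi) < 0) { stats_short++; return SHORT; }
    for (i = 0; i < n; i++) if (rule_matches(&rules[i], d, &pi)) v = rules[i].act;
    return v;
}

/* Constructed builders: an IPv4 header without options, and a 20-byte TCP header. */
size_t mk_pkt(uint8_t *buf, uint32_t src, uint32_t dst, int proto, unsigned frag_off8,
              int more_frags, const uint8_t *payload, size_t plen) {
    memset(buf, 0, 20); buf[0] = 0x45; buf[8] = 64; buf[9] = (uint8_t)proto;
    put16(buf + 2, (uint16_t)(20 + plen));
    put16(buf + 6, (uint16_t)((more_frags ? 0x2000 : 0) | (frag_off8 & 0x1fff)));
    put32(buf + 12, src); put32(buf + 16, dst);
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}
size_t tcp_hdr(uint8_t *t, uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(t, 0, 20); put16(t, sport); put16(t + 2, dport); t[12] = 0x50; t[13] = flags;
    return 20;
}

const struct rule demo_rules[] = {   /* constructed list; a later line overrides an earlier one */
    { PASS,  IN, 0,         0, 0, 0, 0, 0 },                     /* pass in all */
    { BLOCK, IN, PROTO_TCP, 0, 0, 0, 0, 23 },                    /* block in proto tcp from any to any port 23 */
    { PASS,  IN, PROTO_TCP, 0x0A010200, 0xFFFFFF00, 0, 0, 23 },  /* pass in proto tcp from 10.1.2.0/24 to any port 23 */
};
const size_t demo_nrules = sizeof demo_rules / sizeof demo_rules[0];

/* Constructed scenarios: 192.0.2.9 is outside, 10.1.2.7 is on the local /24, 10.1.2.3 is this host. */
enum verdict demo_case(int which) {
    uint8_t t[20], b[64]; size_t n = 0;
    tcp_hdr(t, 40000, 23, 0x02);                                                     /* SYN to telnet */
    switch (which) {
    case 0: n = mk_pkt(b, 0xC0000209, 0x0A010203, PROTO_TCP, 0, 0, t, 20); break;     /* full SYN from outside   -> BLOCK, rule 2 */
    case 1: n = mk_pkt(b, 0x0A010207, 0x0A010203, PROTO_TCP, 0, 0, t, 20); break;     /* full SYN from local /24 -> PASS, rule 3 wins */
    case 2: n = mk_pkt(b, 0xC0000209, 0x0A010203, PROTO_TCP, 0, 1, t, 8);  break;     /* 8-byte first fragment   -> SHORT, flags cut off */
    case 3: n = mk_pkt(b, 0xC0000209, 0x0A010203, PROTO_TCP, 1, 0, t + 8, 12); break; /* second fragment         -> PASS, rule 2 can't see ports */
    case 4: n = mk_pkt(b, 0xC0000209, 0x0A010203, PROTO_UDP, 0, 0, t, 4);  break;     /* UDP with half a header  -> SHORT */
    case 5: n = mk_pkt(b, 0xC0000209, 0x0A010203, PROTO_TCP, 0, 0, t, 20);
            return check_packet(demo_rules, 0, IN, b, n);                             /* no rules loaded -> PASS: the module fails open */
    }
    return check_packet(demo_rules, demo_nrules, IN, b, n);
}

int main(void) { int i; for (i = 0; i <= 5; i++) printf("case %d -> %d\n", i, (int)demo_case(i)); return 0; }
```

Case 3 is the caveat worth remembering: a port-based block cannot see a non-first fragment, so the explicit "pass in all" ahead of it lets that fragment through, which is the "last fragment will get through" behaviour noted above. Case 5 shows the other edge of "defaults to pass": until rules are loaded, nothing is blocked.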