122514SdarrenrIP Filter - What's this about ?
222514Sdarrenr============================
3145510SdarrenrWeb site: http://coombs.anu.edu.au/~avalon/ip-filter.html
4145510SdarrenrHow-to: http://www.obfuscation.org/ipf/ipf-howto.txt
522514Sdarrenr
622514Sdarrenr  The idea behind this package is allow those who use Unix workstations as
722514Sdarrenrrouters (a common occurance in Universities it appears) to apply packet
822514Sdarrenrfiltering to packets going in and out of them.  This package has been
922514Sdarrenrtested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs.
1022514SdarrenrIt is also quite possible for this small kernel extension to be installed
1122514Sdarrenrand used effectively on Sun workstations which don't route IP, just for
1222514Sdarrenradded security.  It can also be integrated with the multicast patches.
1322514SdarrenrIt has also been tested successfully on all of the modern free BSDs as
1431183Speterwell as BSDI, and SGI's IRIX 6.2.
1522514Sdarrenr
1622514Sdarrenr   The filter keeps a rule list for both inbound and outbound sides of
1722514Sdarrenrthe IP packet queue and a check is made as early as possible, aiming to
1822514Sdarrenrstop the packet before it even gets as far as being checked for source
1922514Sdarrenrroute options.  In the file "BNF", a set of rules for constructing filter
2022514Sdarrenrrules understood by this package is given.  The files in the directory
2122514Sdarrenr"rules", "example.1" ... "example.sr" show example rules you might apply.
2222514Sdarrenr
2322514Sdarrenr   In practise, I've successfully isolated a workstation from all
2422514Sdarrenrmachines except the NFS file servers on its local subnets (yeah, ok, so
2522514Sdarrenrthis doesn't really increase security, because of NFS, but you get the
2622514Sdarrenrdrift on how it can be applied and used).  I've also successfully
2722514Sdarrenrsetup and maintained my own firewalls using it with TIS's Firewall Toolkit,
2822514Sdarrenrincluding using it on an mbone router.
2922514Sdarrenr
3022514Sdarrenr   When using it with multicast IP, the calls to fr_check() should be
3122514Sdarrenrbefore the packet is unwrapped and after it is encapsulated.  So the
3222514Sdarrenrfilter routines will see the packet as a UDP packet, protocol XYZ.
3322514SdarrenrWhether this is better or worse than having it filter on class D addresses
3422514Sdarrenris debateable, but the idea behind this package is to be able to
3522514Sdarrenrdiscriminate between packets as they are on the 'wire', before they
3622514Sdarrenrget routed anywhere, etc.
3722514Sdarrenr
3822514Sdarrenr   It is worth noting, that it is possible, using a small MTU and
3922514Sdarrenrgenerating tiny fragmented IP packets to generate a TCP packet which
4022514Sdarrenrdoesn't contain enough information to filter on the "flags".  Filtering
4122514Sdarrenron these types of packets is possible, but under the more general case
4222514Sdarrenrof the packets being "short".  ICMP and UDP packets which are too small
4322514Sdarrenr(they don't contain a complete header) are dropped and logged, no questions
4422514Sdarrenrasked.  When filtering on fragmented packets, the last fragment will get
4522514Sdarrenrthrough for TCP/UDP/ICMP packets.
4622514Sdarrenr
4731183SpeterBugs/Problems
4831183Speter-------------
4931183SpeterIf you have a problem with IP Filter on your operating system, please email
5031183Spetera copy of the file "BugReport" with the details of your setup as required
5137074Speterand email to darrenr@pobox.com.
5222514Sdarrenr
5322514SdarrenrSome general notes.
5422514Sdarrenr-------------------
5522514Sdarrenr   To add/delete a rule from memory, access to the device in /dev is needed,
5622514Sdarrenrallowing non-root maintenaince.  The filter list in kernel memory is built
5722514Sdarrenrfrom the kernel's heap.  Each packet coming *in* or *out* is checked against
5822514Sdarrenrthe appropriate list, rejects dropped, others passed through.  Thus this will
5922514Sdarrenrwork on an individual host, not just gateways.  Presently there is only one
6022514Sdarrenrlist for all interfaces, the changes required to make it a per-interface list
6122514Sdarrenrrequire more .o replacements for the kernel.  When checking a packet, the
6222514Sdarrenrpacket is compared to the entire list from top to bottom, the last matching
6322514Sdarrenrline being effective.
6422514Sdarrenr
6522514Sdarrenr
6622514SdarrenrWhat does what ?
6722514Sdarrenr----------------
6822514Sdarrenrif_fil.o  (Loadable kernel module)
6922514Sdarrenr	- additional kernel routines to check an access list as to whether
7022514Sdarrenr	  or not to drop or pass a packet.  It currently defaults to pass
7122514Sdarrenr	  on all packets.
7222514Sdarrenr
7322514Sdarrenripfstat
7422514Sdarrenr	- digs through your kernel (need to check #define VMUNIX in fils.c)
7522514Sdarrenr	  and /dev/kmem for the access filter list and mini stats table.
7622514Sdarrenr	  Obviously needs to be run priviledged if required.
7722514Sdarrenr
7822514Sdarrenripf
7922514Sdarrenr	- reads the files passed as parameters as input files containing new
8022514Sdarrenr	  filter rules to add/delete to the kernel list.  The lines are
8122514Sdarrenr	  inserted in order; the first line is inserted first, and ends up
8222514Sdarrenr	  first on the list.  Subsequent invocations append to the list
8322514Sdarrenr	  unless specified otherwise.
8422514Sdarrenr
8522514Sdarrenripftest
8622514Sdarrenr	- test the ruleset given by filename.  Reads in the ruleset and then
8722514Sdarrenr	  waits for stdin.
8822514Sdarrenr
8922514Sdarrenr	  See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
9022514Sdarrenr	  information on what the above do.
9122514Sdarrenr
9222514Sdarrenrmkfilters
9322514Sdarrenr	- suggests a set of filter rules to employ and suggests how to add
9422514Sdarrenr	  routes to back these up.
9522514Sdarrenr
9622514SdarrenrBNF
9722514Sdarrenr	- BNF rule set for the filter rules
9822514Sdarrenr
9922514SdarrenrDarren Reed
10037074Speterdarrenr@pobox.com
101145510Sdarrenrhttp://coombs.anu.edu.au/~avalon/ip-filter.html
102