                                FILTER.TXT

                    F/X Packet Filter Plugin Release 1.2

                              October 1, 1999


         ____  _    ____ _  _______ _____
        |  _ \ / \  / ___| |/ / ____|_   _|
        | |_) / _ \| |   | ' /|  _|   | |
        |  __/ ___ \ |___| . \| |___  | |
        |_| /_/   \_\____|_|\_\_____| |_|

         _____ ___ _   _____ _____ ____
        |  ___|_ _| | |_   _| ____|  _ \
        | |_   | || |   | | |  _| | |_) |
        |  _|  | || |___| | | |___|  _ <
        |_|   |___|_____|_| |_____|_| \_\


                          F/X Communications
                          DK-4300 Holbaek
                          Denmark
                          E-mail: support@fx.dk
                          http://www.fx.dk


      Copyright (c) 1999-2001, F/X Communications, All Rights Reserved.


==========================================================================
C O N T E N T S
=======================================What's Where=======================

     o Description...............................................Simple
     o Installation................................................Easy
     o Features................................................Powerful
     o Setup Guidance...........................................General
     o Filter Attributes.......................................Specific
     o Errors.........................................check filters.err
     o Sample Filters................................To Get You Started
     o On The Fly updates...............................Utility program


==========================================================================
D E S C R I P T I O N
=================================================Simple===================

This guide includes all you need to get started with the F/X Packet
Filter Plugin.

Packet filtering allows TCP/IP packets to be selectively discarded as
they flow through the plugin.

The Packet Filter Plugin binaries operate seamlessly with the following
F/X Communications products:

     o InJoy Internet Dialer
     o InJoy Connect PPP Server
     o InJoy Firewall
     o Tunnel/2

Configuration is by way of simple ASCII files.
==========================================================================
I N S T A L L A T I O N
=================================================Easy=====================

There are two ways of getting the Packet Filter Plugin: either as a
zipped archive ready for extraction into the directory of one of the
F/X products mentioned above, or as an integrated part of the host
product.

If you received the plugin as a zipped archive, then extract it with
InfoZip's UNZIP.EXE (or PKUNZIP.EXE using the -d option) to create a
new /FILTERS subdirectory containing a sample configuration file.

After installation the new binary file is demand-loaded by the host
application when needed.

Please consult the host-application documentation for possible extra
installation guidelines.


==========================================================================
F E A T U R E S
=================================================Powerful=================

o The Packet Filter Plugin allows all attributes in a packet to be used
  as a filtering trigger to selectively discard packets when presented.
  These packet attributes (and others listed in Guidance, below) can be
  used to cause filtering:

     - Incoming traffic
     - Outgoing traffic
     - Source and Destination IP numbers (via netmask match)
     - Protocol match (TCP, UDP, ICMP)
     - Service match (FTP, WWW, TELNET, GOPHER, etc)
     - Bit-match (e.g. FIN or SYN bit of TCP)
     - Byte pattern match at specified offset
     - Byte pattern search

o The Plugin supports compound Boolean filters for complex filtering
  with great flexibility.

o There are three possible filter states:

     - Always active
     - Active when product is off-line
     - Inactive (but easily activated)

o The plugin reports errors to the file FILTERS.ERR in the home
  directory of the host-application.

o Filters are easily identified by linkable names.

o Filters may have human readable comments attached.

o Filter usage report at the touch of a key. This feature depends on
  the host product.
o Filtering plugs in as a separate loadable component, maintaining a
  modular design.

o Supports new filters on the fly.


==========================================================================
S E T U P   G U I D A N C E
=================================================General==================

o Configuration Files

  Filters are specified in one or more ASCII configuration files. Each
  configuration file can contain one or more filters, each identified
  by a name and a set of attribute/parameter values.

  The plugin expects no more than 3 different configuration files.
  They are:

  - FILTERS.CNF

    This file is in the base directory of the host application. It
    contains template values used in all user created filters. This
    means that any attribute value you specify in your own filters
    will override the default values specified in this file.

  - .\FILTERS\FILTERS.CNF

    This file contains the actual user crafted filters. The file is
    usually located in the FILTERS subdirectory of the host
    application but may be set up differently, depending on the
    host's capabilities. See the following Filter Attributes section
    for syntax information.

  - FILTERS.DCT

    This file is in the base directory of the host application. It is
    a descriptor file that instructs the Filter Plugin about allowable
    attributes in the FILTERS.CNF files. This file should NOT be
    modified. However, if you take the time to become familiar with
    it, you will be able to use it as a quick reference when
    writing/modifying filters. Otherwise, the description of the
    specific attributes below may be of interest.


==========================================================================
F I L T E R   A T T R I B U T E S
=================================================Specific=================

-------------------  -----------------  ------------------------------
ATTRIBUTE            POSSIBLE VALUES    DESCRIPTION
-------------------  -----------------  ------------------------------
Filter-Status        Passive            Tells when the filtering is
                     Offline            active.
                     Always
                                        'Passive' means the filter is
                                        not active at all.

                                        'Offline' means the filter is
                                        active when the host
                                        application is not connected.
                                        This could be (for example)
                                        the InJoy dialer that is
                                        offline, waiting for a packet
                                        to trigger Dial On Demand.

                                        'Always' means that the filter
                                        is active at all times,
                                        disregarding the connect state
                                        of the host application.
-------------------  -----------------  ------------------------------
Filter-Scope         Incoming-Packets   Defines which packets are
                     Outgoing-Packets   exposed to the filter:
                                        outgoing or incoming.
-------------------  -----------------  ------------------------------
Filter-Root          Yes                Only filters that have
                     No                 'Filter-Root' set to 'Yes' are
                                        loaded by the host application
                                        and used. Filters not carrying
                                        this flag are only used if
                                        specifically addressed by
                                        other filters as part of a
                                        compound filter.
-------------------  -----------------  ------------------------------
Source-IP            An IP address      The source IP address in the
                                        packet is compared to the
                                        value of this attribute.
                                        Please keep the
                                        'Source-Netmask' in mind.

                                        Leave field empty if you do
                                        not wish to filter using the
                                        source IP address as
                                        criterion.
-------------------  -----------------  ------------------------------
Source-Netmask       Netmask            The 'Source-IP' address,
                                        together with the
                                        'Source-Netmask', denotes a
                                        mask with which source IP
                                        addresses from the IP packets
                                        are compared.
-------------------  -----------------  ------------------------------
Destination-IP       IP address         The 'Destination-IP' address,
                                        together with the
                                        'Destination-Netmask', denotes
                                        a mask with which destination
                                        IP addresses from the IP
                                        packets are compared.

                                        Leave field empty if you do
                                        not wish to filter using the
                                        destination IP address as
                                        criterion.
-------------------  -----------------  ------------------------------
Destination-Netmask  Netmask            The 'Destination-IP' address,
                                        together with the
                                        'Destination-Netmask', denotes
                                        a mask with which destination
                                        IP addresses from the IP
                                        packets are compared.
-------------------  -----------------  ------------------------------
Port                 Any number         The 'Port' attribute defines
                     Or, one of these:  the type of service that a
                     DNS                packet is carrying. You may
                     FTP                specify either the number or
                     FTP-DATA           the lettered value for the
                     GOPHER             service.
                     SMTP
                     SNMP               Leave the field empty if you
                     SNMP-TRAP          do not wish to filter using
                     TELNET             this criterion.
                     TFTP
                     NETBIOS
                     NETBIOS-NS
                     NETBIOS-SSN
                     NNTP
                     POP2
                     POP3
                     WWW
-------------------  -----------------  ------------------------------
Protocol             Any number         Each IP header holds a
                     Or, one of these:  protocol byte that can be
                     ICMP               addressed by this attribute.
                     TCP
                     UDP                Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Bit-Number           Positive number    This attribute is part of the
                     Or, one of these:  bit field checking, allowing
                     FIN                a certain bit to be checked
                     SYN                within an IP packet (see the
                     RST                'Bit-Value' parameter).
                     PSH
                     ACK                This is particularly useful
                     URG                for checking the bit flags in
                                        the TCP header.

                                        Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Bit-Value            Binary value       This attribute is part of the
                     0 or 1             bit field checking. When you
                                        check a certain bit within a
                                        packet, use this attribute to
                                        specify whether the bit
                                        should have the value 0 or 1.

                                        Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Offset-Relativity    Packet-Start       This attribute is part of the
                     TCP-Head-Start     hex string matching criteria.
                     Data-Start
                                        Specifying an absolute offset
                                        into an IP packet often does
                                        not make sense, because
                                        optional header fields may or
                                        may not be present.
                                        Accordingly this parameter
                                        lets you define a certain
                                        point within a packet from
                                        where the offset is counted
                                        (refer to the 'Offset'
                                        attribute).

                                        Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Offset               Any number         This attribute is part of the
                     Or 'Search-All'    hex string matching criteria,
                                        allowing you to specify an
                                        offset into an IP packet for
                                        hex string checking (see also
                                        the 'Offset-Relativity'
                                        attribute).

                                        To search the entire packet,
                                        simply specify the value
                                        'Search-All'.

                                        Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Hex-String           A string           This attribute is part of the
                     (See filter        hex string matching criteria,
                     samples)           letting you specify a string
                                        to be searched for within a
                                        packet. The string can
                                        contain both normal
                                        characters and hex notation.

                                        Leave field empty if you do
                                        not wish to filter using this
                                        criterion.
-------------------  -----------------  ------------------------------
Action               Drop-Packet        Specifies the action taken
                     Next-Filter        when a filter matches a
                     Forward-Packet     packet.
-------------------  -----------------  ------------------------------
Next-Filter          Name of a filter   Specifies the name of a
                                        compound filter that will be
                                        run when the filter is
                                        matched and the action
                                        attribute is set to
                                        'Next-Filter'.
-------------------  -----------------  ------------------------------
Comment              A string           A free-text comment that
                                        makes filters easy to
                                        identify.
-------------------  -----------------  ------------------------------


==========================================================================
E R R O R S
=================================================Check filters.err========

The host product will inform you of severe faults, such as inability
to load the plugin.

Possible configuration and syntax errors are written to the file
FILTERS.ERR, located in the working directory of the host application.
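As an added example (not code from the plugin or from this document), the Python below models how the attributes in the table combine: every attribute a filter sets must agree with the packet, an empty or IGNORE attribute is simply unused, root filters are tried top-down, and an Action of Next-Filter continues with the named non-root filter. Assumed, because the page does not state them: the name-to-number tables, that Port matches the destination port (consistent with the NETBIOS-NS-S137 sample, which needs a Hex-String at TCP-Head-Start to match the source port), and that the constructed sample packets carry no IP options.

```python
import ipaddress, re, struct
# Assumed name tables (IANA numbers, TCP flag bits); the plugin's own tables are not on the page.
PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}
PORT = {"DNS": 53, "WWW": 80}
FLAG = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def ipv4(proto, src, dst, l4):
    """Constructed IPv4 packet without options; l4 is the transport header plus data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, PROTO[proto], 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4
def tcp(sport, dport, flags):  # constructed 20-byte TCP header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
def udp(sport, dport, data):   # constructed UDP header plus data
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def hexstr(s):  # decode Hex-String notation: plain characters mixed with \xNN escapes
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s).encode("latin-1")

def matches(f, pkt, scope):
    """True when every attribute present in f agrees with raw IPv4 packet pkt (absent = unused)."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    ok = [f.get("Filter-Scope", scope) == scope,
          "Protocol" not in f or proto == PROTO.get(f["Protocol"], f["Protocol"]),
          "Port" not in f or l4[2:4] == struct.pack("!H", PORT.get(f["Port"], f["Port"]))]  # dest port (assumed)
    for side, off in (("Source", 12), ("Destination", 16)):  # address compared through its netmask (/32 assumed)
        if side + "-IP" in f:
            net = ipaddress.ip_network(f[side + "-IP"] + "/" + f.get(side + "-Netmask", "255.255.255.255"), strict=False)
            ok.append(ipaddress.ip_address(pkt[off:off + 4]) in net)
    if "Bit-Number" in f:  # TCP flags are byte 13 of the TCP header; Bit-Value defaults to 1 (assumed)
        ok.append(bool(l4[13] & FLAG[f["Bit-Number"]]) == (f.get("Bit-Value", 1) == 1))
    if "Hex-String" in f:  # Offset-Relativity selects where Offset counts from
        hdr = 8 if proto == 17 else (l4[12] >> 4) * 4 if proto == 6 else 0
        base = {"Packet-Start": 0, "TCP-Head-Start": ihl, "Data-Start": ihl + hdr}[f.get("Offset-Relativity", "Packet-Start")]
        off, pat = f.get("Offset", "Search-All"), hexstr(f["Hex-String"])
        ok.append(pat in pkt[base:] if off == "Search-All" else pkt[base + off:].startswith(pat))
    return all(ok)

def decide(filters, pkt, scope):
    """Root filters run top-down; Next-Filter chains to the named (non-root) filter; None = nothing matched."""
    for f in [g for g in filters if g.get("Filter-Root") == "Yes"]:
        while f and matches(f, pkt, scope):
            if f["Action"] != "Next-Filter":
                return f["Action"]
            f = next((g for g in filters if g["Name"] == f["Next-Filter"]), None)
    return None

# The page's DOD-* and NETBIOS-NS-S137 filters transcribed as dicts; IGNORE/empty attributes are left out.
DOD = [{"Name": "DOD-ALLOW-DNS", "Filter-Root": "Yes", "Filter-Scope": "Outgoing-Packets", "Protocol": "UDP", "Port": "DNS", "Action": "Forward-Packet"},
       {"Name": "DOD-ALLOW-SYN", "Filter-Root": "Yes", "Filter-Scope": "Outgoing-Packets", "Protocol": "TCP", "Bit-Number": "SYN", "Bit-Value": 1, "Action": "Forward-Packet"},
       {"Name": "DOD-REJECT-ALL", "Filter-Root": "Yes", "Filter-Scope": "Outgoing-Packets", "Action": "Drop-Packet"}]
S137 = [{"Name": "NETBIOS-NS-S137", "Filter-Root": "Yes", "Filter-Scope": "Outgoing-Packets", "Protocol": "UDP", "Port": 53, "Offset-Relativity": "TCP-Head-Start", "Offset": 0, "Hex-String": r"\x00\x89", "Action": "Drop-Packet"}]
```

With the DOD set, a UDP packet to port 53 or a TCP SYN returns Forward-Packet while a plain ACK falls through to DOD-REJECT-ALL and returns Drop-Packet; with S137, only a UDP packet whose source port bytes are 00 89 (port 137) is dropped.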
==========================================================================
S A M P L E   F I L T E R S
=================================================To Get You Started=======

o Turning off ICMP

  Some system administrators turn off all ICMP traffic to make life
  harder for hackers and possible flood pingers. A simple filter to
  turn off ALL ICMP traffic (including ping and tracerte) is found
  below:

  ICMP-FILTER
       Filter-Status = Always,
       Filter-Root   = Yes,
       Comment       = "Remove ICMP using Protocol matching",
       Filter-Scope  = Incoming-Packets,
       Protocol      = ICMP,
       Action        = Drop-Packet,

o Only new connections cause Dial-on-Demand (DoD)

  When using the InJoy Dialer, it is often seen how just about any
  packet can trigger Dial-on-Demand. With filtering you have almost
  unlimited possibilities for fine-tuning DoD, and below is an example
  that will allow only DNS lookups and new TCP connections to trigger
  DoD.

  The three filters work together: since filters are evaluated
  top-down, the first two filters simply allow the two special
  situations and the third filter rejects everything else.

  DOD-ALLOW-DNS
       Filter-Status = Offline,
       Filter-Root   = Yes,
       Comment       = "Allow DNS lookups",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = UDP,
       Port          = DNS,
       Action        = Forward-Packet,

  DOD-ALLOW-SYN
       Filter-Status = Offline,
       Filter-Root   = Yes,
       Comment       = "Allow SYN packets (new tcp connections)",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = TCP,
       Bit-Number    = SYN,
       Bit-Value     = 1,
       Action        = Forward-Packet,

  DOD-REJECT-ALL
       Filter-Status = Offline,
       Filter-Root   = Yes,
       Comment       = "Reject everything...",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = IGNORE,
       Port          = IGNORE,
       Action        = Drop-Packet,

o Preventing access to an Internet site

  The below filter demonstrates how all people on the 10.2.*.* network
  are cut off from the porn site found at 207.126.124.139.
  PORN-FILTER
       Filter-Status       = Always,
       Filter-Root         = Yes,
       Comment             = "Filter WWW using IP Address matching",
       Filter-Scope        = Outgoing-Packets,
       Protocol            = TCP,
       Port                = WWW,
       Source-IP           = "10.2.0.0",
       Destination-IP      = "207.126.124.139",
       Source-Netmask      = "255.255.0.0",
       Destination-Netmask = "255.255.255.255",
       Action              = Drop-Packet,

o NETBIOS-KEEP-ALIVE

  Demonstrates the use of hex string matching to remove Netbios
  Keep-Alive packets. It is safe to filter out these packets, unless
  you have a specific reason to let them pass.

  NETBIOS-KEEPALIVE
       Filter-Status     = Always,
       Filter-Root       = Yes,
       Comment           = "Remove Keep-Alive via Hex-String match",
       Filter-Scope      = Outgoing-Packets,
       Protocol          = UDP,
       Port              = NETBIOS,
       Offset-Relativity = Data-Start,
       Offset            = 0,
       Hex-String        = "\x00\x02\x0D\xF4\x0A\x03\x18\x61\x00\x8A\x00\xC6\x00\x00\x20",
       Action            = Drop-Packet,

o TCP session termination

  The TCP/IP stack has a habit of trying to kill TCP connections even
  after the IP connection is lost and the TCP application is dead.
  The below filters will remove these packets in the offline state,
  dramatically reducing the number of bogus packets in your network.

  FIN-PACKETS
       Filter-Status = Offline,
       Filter-Root   = Yes,
       Comment       = "Remove FIN pkts using Bit matching",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = TCP,
       Bit-Number    = FIN,
       Bit-Value     = 1,
       Action        = Drop-Packet,

  RST-PACKETS
       Filter-Status = Offline,
       Filter-Root   = Yes,
       Comment       = "Remove RST pkts using Bit matching",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = TCP,
       Bit-Number    = RST,
       Bit-Value     = 1,
       Action        = Drop-Packet,

o NETBIOS

  An intranet with many Windows computers will typically generate a
  large number of NETBIOS packets, keeping your network busy. Here is
  a selection of filters that will keep these packets from hitting the
  ISP and the Internet.
  NETBIOS
       Filter-Status = Always,
       Filter-Root   = Yes,
       Comment       = "Remove Outgoing UDP Netbios",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = UDP,
       Port          = NETBIOS,
       Action        = Drop-Packet,

  NETBIOS-NS
       Filter-Status = Always,
       Filter-Root   = Yes,
       Comment       = "Remove Outgoing UDP Netbios-NS",
       Filter-Scope  = Outgoing-Packets,
       Protocol      = UDP,
       Port          = NETBIOS-NS,
       Action        = Drop-Packet,

  NETBIOS-NS-S137
       Filter-Status     = Always,
       Filter-Root       = Yes,
       Comment           = "Source port 137, dest port 53 (also Netbios-NS)",
       Filter-Scope      = Outgoing-Packets,
       Protocol          = UDP,
       Port              = 53,
       Offset-Relativity = TCP-Head-Start,
       Offset            = 0,
       Hex-String        = "\x00\x89",
       Action            = Drop-Packet,


==========================================================================
O N   T H E   F L Y   U P D A T E S
=================================================Utility program==========

Updating the filter configuration on the fly, e.g. with new filters,
is done through the use of an external utility program. Below is a
step-by-step procedure for updating your filter configuration without
having to close or reconnect the host application.

  1. Update the filter configuration files with your desired changes.

  2. Open an OS/2 window and switch to the directory of the host
     application.

  3. In the OS/2 window, issue the command "sync -filter".

The host product should then inform you that the filter config files
have been re-read; possible problems are written to FILTERS.ERR (in
the same directory).


==========================================================================
Copyright (c) 1999 F/X Communications. All rights reserved.