IP Packet Filtering

Introduction

Packet filtering is one way of protecting your internal network from unwanted IP packets. Best used with a commercial or public domain firewall toolkit, packet filtering can shield your local data links from unauthorized outside users.

IP packets can be filtered based on information present in the IP, UDP, TCP and ICMP headers. Filtering rules can be composed using a simple yet powerful syntax. In addition, rules can be specified for each interface as well as direction. There is also a facility to test your rule database given various packet types.


Configuration

The startup script (xinet.rc) uploads the rules from the /etc/tsgfilter.rules file, if that file exists. The file lists the rules in the order in which they are examined when a packet is checked, so the order of rules matters. Each rule occupies one line; a line can be continued onto the next by ending it with a backslash (\).

Each rule can be given a name with rule=. A separate rule database is built for each interface number (for example, xinet0, xinet1); a line such as interface=xinet ifaceno=0 introduces the database for that interface, and the rules that follow belong to it until the next such line. Every rule must specify all the primitives that apply to its packet type (see Rules Syntax below).


Sample Rules File

The following is a short example of the filter rules file. For a more extensive example, see the /etc/tsgfilter.ex file. The rules file syntax is explained after this example.

 
#
# Example filter rules to allow incoming SMTP and NNTP
#
DEF server=193.59.229.30
DEF provider=142.97.12.17
#
# Define the interface for the rules below
interface=xinet ifaceno=0 ipoptions=DENY trace=ON
# or IF=xinet IN=0 IO=DENY TR=ON for short
# using long names:
# Allow SMTP to server directly from provider
rule=SMTP direction=IN protocol=TCP \
sourceaddr=$provider destaddr=$server \
sourceport=ANY destport=25 action=PERMIT
# using short names:
# allow NNTP to server directly from provider
RL=NNTP DR=IN PR=TCP SA=$provider DA=$server SP=ANY DP=119 AC=PERMIT
# everything else is denied, since the default disposition=DENY


Variables

To define a packet filtering variable use:

 
DEF varname=value

There should be nothing before or after the variable declaration. To use a variable, prepend a dollar sign ($) to it. For example, destaddr=$ournet. Variables are replaced only in address or port primitives.


Rules Syntax

The packet filtering option recognizes global options and rule primitives in the rules file as described in the following tables.

Global Options

  Long Name    Short Name  Description
  -----------  ----------  -----------------------------------------------------
  interface    IF          Interface name (16 characters; only the first is
                           significant). Binds until the next IF=.
  ifaceno      IN          Interface number. Binds until the next IN=.
  trace        TR          Tracing (ON or OFF). Binds until the next TR=.
                           Tracing is OFF by default.
  ipoptions    IO          Handling of packets that carry IP options.
                           IP options are DENY by default.
  disposition  DI          Disposition (PERMIT or DENY) applied to packets that
                           match no rule; global binding. DENY by default.

Rule Primitives

  Long Name    Short Name  Description
  -----------  ----------  -----------------------------------------------------
  rule         RL          Rule name (up to 16 characters). Defaults to UNKNOWN.
  direction    DR          Direction (IN, OUT, or ANY). No default.
  protocol     PR          Protocol (TCP, UDP, or ICMP). No default.
  sourceaddr   SA          Source address. No default.
  destaddr     DA          Destination address. No default.
  sourceport   SP          Source port. No default.
  destport     DP          Destination port. No default.
  action       AC          Action (PERMIT or DENY). Defaults to the global
                           disposition (DI).
  bits         BT          TCP flag bits to check (S=SYN, F=FIN, or A=ACK).
                           Defaults to no bit checking.
  icmptype     IT          ICMP message type (see the table below). To be used
                           only with protocol=ICMP. No default.

Notes:

  1. Keywords and values are case insensitive.

  2. Rules must contain all applicable rule primitives.

  3. Options must not appear with primitives on the same line.

  4. You may put a backslash (\) at the end of a line to extend a rule over
     multiple lines.

Addresses can contain:

Ports can contain:

icmptype values can be defined as described in the following table.

  Value  Description
  -----  -------------------------------------------
  0      echo reply
  3      destination unreachable
  4      source quench (packet lost, slow down)
  5      redirect (a shorter route exists)
  8      echo request (echo service)
  11     time exceeded
  12     parameter problem (bad IP header)
  13     time stamp request
  14     time stamp reply
  15     information request
  16     information reply
  17     address mask request
  18     address mask reply
  ANY    any ICMP message type


Uploading filter rules

If the rules reside in the /etc/tsgfilter.rules file, simply run the tsgfilter utility without arguments; otherwise, give the name of the rule file on the command line. Note that while rules are being uploaded, certain packets could get through the filter checking mechanism. If this is a concern, temporarily disable the interface(s) involved with ifconfig down before uploading and bring them back up afterwards.


Checking the rule database

To check a rule file, first create a check file which contains concise packet information. All addresses, ports, and protocols need to be explicit. That is, there should not be ANY, ALL, USER, ROOT or * in any check. The action primitive should contain the expected result when checked against the filter rules.

To check the rules, run

 
tsgfilter rulefile checkfile > results

The results file contains a listing of the rules, followed by the check packets and the decision reached for each one. A summary of the decisions is given at the end of the file. Investigate thoroughly any check that failed (the decision differed from the expected action), and any packet that was denied or permitted only by the global disposition because no rule matched it: such packets show that the rules do not cover a case you thought they did. A more extensive example check file is provided in /etc/tsgfilter.chk.

 
#
# Example check file to check incoming SMTP and NNTP
#
DEF server=193.59.229.30
DEF provider=142.97.12.17
DEF evil=142.98.13.17
#
interface=xinet ifaceno=0 trace=ON
# these packets should be allowed since they come from our provider
RL=SMTP DR=IN PR=TCP SA=$provider DA=$server SP=1055 DP=25 AC=PERMIT
RL=NNTP DR=IN PR=TCP SA=$provider DA=$server SP=1066 DP=119 AC=PERMIT
# these packets should be denied since they come from an evil host
RL=SMTP2 DR=IN PR=TCP SA=$evil DA=$server SP=1095 DP=25 AC=DENY
RL=NNTP2 DR=IN PR=TCP SA=$evil DA=$server SP=1096 DP=119 AC=DENY

The source ports in the check packets are arbitrary, but they must be explicit values (a check may not use ANY). The report generated by tsgfilter summarizes the packet filtering decisions reached:

 
Packet Filtering Results:
--------------------------------
No packets failed.

Passed packets:
--------------------------------
Input packet SMTP is allowed based on rule SMTP
Input packet NNTP is allowed based on rule NNTP
Input SMTP2 packet is denied - no matching filters.
Input NNTP2 packet is denied - no matching filters.

Passed packets by disposition:
--------------------------------
Input SMTP2 packet is denied - no matching filters.
Input NNTP2 packet is denied - no matching filters.


Tracing Packet Filtering Decisions

If trace=ON was set for some or all rules, then each filtering decision is written to the log(M) driver. The strace utility (the STREAMS event tracer, strace(1M), not a system-call tracer) can be used to show these decisions.

The following command:

strace 841 (pkttype|all) ((ifaceno+1)|all)

displays packet filtering decisions. The three arguments are the module ID, sub-ID and level that strace(1M) takes: 841 identifies the packet filter; pkttype should be 0 for TCP, 1 for UDP, 2 for ICMP, or all to see all packet types; and ifaceno should be the xinet interface number on which the event occurred, plus 1. Note that strerr must be running for logging to work properly.


Revision 6.1.0 (February 2003)

Copyright © 1997-2003 The Software Group Limited. All Rights Reserved.
® Netcom is a registered trademark of The Software Group Limited.