Internet Tools (InfoMagic)

home *** CD-ROM | disk | FTP | other *** search

/ Internet Tools (InfoMagic) / Internet Tools.iso / security / ipacl.README < prev next >

Wrap

Text File | 1993-12-16 | 11KB | 308 lines

What is IPACL ? --------------- IPACL stands for `IP access list'. It has been designed to filter incoming and outgoing TCP/UDP packets in the SVR4/386 kernel with Lachamnn Streams TCP. Depending on source/destination addresses and port numbers packets can be passed through or dropped. We run IPACL on Interactive SVR4 and on SINIX-L (on MX300 (Intel)). I believe, that it should be easy to port IPACL to other SVR4 bases systems, e.g. the new Solaris. Architecture ------------ Due to the modularity provided by AT&T's streams concept this module could be written without modifying any of the TCP/IP kernel sources (You just have to install the driver and relink the kernel). The access list module will be autopushed on /dev/ip whenever this device is opened. An IOCTL interface in the driver provides a facility to download a filter program into the kernel module (The utility command /usr/sbin/ipacl reads and compiles a configuration file and downloads the resulting filter program into the kernel). All TCP and UDP packets that are sent/recived (via IP) have to pass the access list module. Unfortunately there is no way to filter packtes, when your host acts as router (IPFORWARDING != 0), because IP will not pass packets, that are to be forwarded, up to TCP or UDP. ICMP packetes cannot be filtered by a user supplied filter program, but are handled in the following way: REDIRECT packetes will be dropped and all other ICMP packets will be passed through. For my application, that did not worry, because I only wanted to control access to the host, where IPACL is installed. +----------+----------+----------+ | TCP | UDP | ICMP | +----------+----------+----------+ | IPACC | +--------------------------------+ | IP | +--------------------------------+ | Network interfaces ... | +----+-----+-----+---------------+ | | | ... | | | LAN SLIP etc. ... Source files ------------ COPYING GNU general public license Driver.c The streams module, that sits between /dev/tcp, /dev/udp and /dev/ip Makefile The makefile Master Kernel configuration files for the System ipacc-Driver - written according to the SVR4 conventions README The file you are currently reading S69ipacl Startup script, called at boot time gram.doc Brief overview of the configuration file grammar. To get an exact definition of the grammar look at the yacc/lex sources in ipacl.[yl] ipacl.cfg The default configuration file - does not filter any packets ipacl.l Lexical analyzer for the configuration file - part of the utility program /usr/sbin/ipacl ipacl.y Parser for the configuration file - part of the utility program /usr/sbin/ipacl matcher.c Interpreter for the filter program (in the kernel) matcher.h Header file for matcher.c pkg This directory contains all the stuff necessary to build a SVR4 package sample.cfg Sample configuration file, this file will give you an overview how to write a configuration file for IPACL. Compiling and installing IPACL ------------------------------ - First look at the Makefile, maybe you have to change something (e.g. you want to use another C compiler). - Type `make' to compile the sources. - Type `make package' to build the SVR4 package. The package will be built in the default package spool directory (normally /var/spool/pkg). (You need write access to the package spool directory - either do it as root or do a chmod on the directory). - Type `pkgadd ipacl' to install the package that has been built in the previous step. (Must be run as root). - Relink your kernel (type `/etc/conf/bin/idbuild'). (pkgadd should do this - but it is not yet implemented in the install scripts). (Must be run as root). - Edit the IPACL configuration file in /var/ipacl/ipacl.cfg. (Must be run as root). - Reboot your system (type `init 6'). (Must be run as root). Components ---------- The installed binaries of IPACL consist of the following components: - /etc/conf/... This is the standard place, where SVR4 drivers, master and system files reside. The driver name of the IPACL streams module is `ipacc'. The file names, where to find the diriver componets in the /etc/conf subtree follow the SVR4 conventions (/etc/conf/pack.d/ipacc/*, /etc/conf/sdevice.d/ipacc, ...). - /etc/ap/chan.ap This is a configuration file for the autopush command. It is invoked the following line in /etc/inittab. ap::sysinit:/sbin/autopush -f /etc/ap/chan.ap The postinstall script of IPACL edits this file and adds some entries to autopush `ipacc' onto /dev/ip. E.g. postinstall adds the following lines to /etc/ap/chan.ap (note that 24 is the major number of /dev/ip). # ipacc +++ do not edit this line # push ipacc over /dev/dip 24 0 255 ipacc # ipacc --- do not edit this line When the IPACL package is removed, the lines given above will be deleted from this file. When you have another (e.g. vendor specific) version of SVR4, it may be possible, that you will have to modify something to setup autopush correctly. - /usr/sbin/ipacl This command parses the configuration file, produces a binary filter program and loads this program down into the ipacc driver. The command takes no arguments. The configuration file has to be supplied on stdin, error messages will be printed to stderr and on stdout there will be printed an assembler listing of the generated filter program. - /var/ipacl/ipacl.cfg IPACL configuration file, that will be downloaded into the kernel at boot time. - /etc/rc2.d/S69ipacl This script will be executed at system startup time and load /var/ipacl/ipacl.cfg into the kernel. Configuration file ------------------ Definitions: Address: An address in the IPACL config file is a tuple consisting of an internet address and a mask. Internet addresses can be specified in dotted notation or as host names, that will be resolved to internet adresses with gethostbyname(). Masks can be specified in hex. You can also use a network specification (either in dotted notation or as network name from /etc/networks) to specify both parts of an IPACL address at once. Port: A port in the IPACL config file is a tuple consisting of the protocol (tcp/udp) and a 16 bit port number. Sets: IPACL allow you to define sets of addresses or ports. The configuration file consists of - declarations and - statements Declarations: You can use a declaration to assign a symbolic name to an address, a port, an address set or a port set. Statements: The statements describe, how packets are to be filtered. They are a kind of assembly notation of the filter program. accept Accept the current packet and pass it through. No further statements will be executed for this packet. deny Do not accep (drop) the current packet. No further statements will be executed for this packet. <cond> -> accept If <cond> is true, then accept the current packet. <cond> -> deny If <cond> is true, then drop the current packet. <cond> -> <label> If <cond> is true, then goto <label>. The condition <cond> can test, wheter - the src/dst address of the packet matches a given address. The comparison is done in the following way: (address-from-packet & address.mask) == address.address - the src/dst address of the packet does not match a given address. - the src/dst address of the packet is (or is not) a member of a given set of addresses. - the src/dst port of the packet is (or is not) a member of a given set of ports. - the src/dst port of the packet is ==, !=, >, <, >=, <= a given port. Note, that the condition `src >= port 1024/tcp' means protocol-in-packet == tcp && src-port-in-packet >= 1024. Therefore `src < port 1024/tcp' is *not* the opposite of the above condition ! This applies to the operators <, >, <= and >=. The file gram.doc gives a brief description of the grammar. A detailed description of the grammar you will find in the lex/yacc sources ipacl.[yl] itself. Example.cfg is a configuration file example. Bugs ---- - Sorry, but there exists no documentation at all. - The syntax for the configuration file is a little bit '&"%$'& - it is a kind of assembler language to describe the filter program and does not provide high level features. - Some parts of the program are really coded *dirty*, e.g. fixed size arrays are used to hold some data structures and there are no overflow checks, ... (That's not the normal way I do programming, but IPACL was a quick and dirty development and I never thouhgt, that I would release ist). - IPACL silently drops packets, that are not allowed (and prints a kernel message to the console). Perhaps an ICMP host unreach message should be sent back to the sender of the packet, but sometimes this is not desirable. - Forwarded packetes (IPFORWARDING != 0) cannot be filtered. Comments, bug reports, ... -------------------------- If you have any comments, find bugs, have some questrions, etc., then send mail to fuer@siemens.co.at When you make some improvements to IPACL, that might be interresting for me or anyone else, I would be appreciated to get a copy of the modified version too.