IRIX Patches 1995 September / SGI IRIX Patches 1995 Sep.iso / 5.3_patches / patchSG0000620 / usr/share/catman/a_man/cat1/ipfilterd (catman page dated 1995-09-07)
IPFILTERD(1M)                                                    IPFILTERD(1M)

NAME
ipfilterd - IP packet filtering daemon

SYNOPSIS
/usr/etc/ipfilterd [ -d ]

DESCRIPTION
Ipfilterd is a networking daemon that screens all inbound packets that
use the Internet Protocol (IP). Packets are filtered based on their
source or destination IP address, the network interface they arrived on,
their IP protocol number, their source or destination TCP/UDP port
number, or any combination of the above. Supported IP protocols include
TCP, UDP, ICMP and IGMP.

Ipfilterd is started at system initialization from /etc/init.d/network if
the configuration flag ipfilterd is set ``on'' with chkconfig(1M). When
ipfilterd is started, it reads its configuration information from the
file /etc/ipfilterd.conf and compiles the packet filters specified there,
storing them in an array in the order in which they were specified.
Inbound IP code passes packet information to the daemon, requesting
verdicts based on the filter database. An inbound packet is compared with
each filter in the array until a match is found; the verdict associated
with that filter is then returned to IP, which processes the packet
unless the filtering code has dropped it. If no filter matches, the
packet is dropped by default, so every kind of inbound traffic that
should be admitted needs an accept filter of its own.
During filter initialization, ipfilterd reads /etc/ipfilterd.conf one
line at a time. Lines that begin with "#" are comments and are ignored.
All other lines begin with a keyword, followed by either a macro or a
filter. Macros and filters use netsnoop(1M) filter syntax; however, the
optional specification of a network interface must precede all protocol
filter information. All standard netsnoop(1M) macros relating to
ipfilterd's supported protocols may be used.

Currently supported keywords include:

accept   accept all packets matching this filter
grab     grab all packets matching this filter rather than forwarding them
reject   silently discard all packets matching this filter
define   define a new macro

IP addresses may be specified in hexadecimal, in Internet dot format (see
inet(3N)), or by the fully-qualified hostname or its nickname:

0xC000022C   192.0.2.44   bambi.test.com   bambi

IP protocols may be referenced either by their assigned IP protocol
number or by their well-known name (tcp, udp, icmp, igmp), as listed in
/etc/protocols. Ports may likewise be referenced directly by number;
port numbers assigned to specific Internet network or UNIX-specific
services may also be referenced by the well-known names found in
/etc/services (e.g., ftp, telnet, snmp, sunrpc, login, etc.).
Ipfilterd will support up to 100 discrete filters. There is no limit on
the number of macros that may be defined.

IP maintains a kernel cache of recent ipfilterd filtering verdicts,
arranged in a most-recently-used linked list. The size of this cache is
configurable, as is the search depth into the cache before a filter match
causes the matched entry to be moved to the head of the cache (MRU
reordering). With the 5.0 release of IRIX, cache entries are aged and
deleted when idle for a configurable interval (default 60 seconds). Use
of the cache decreases the number of times that IP must poll the daemon,
reducing the system overhead associated with context switching out of the
kernel.

While a larger cache minimizes context switches, its size adds a longer
search path to the IP kernel code before a decision to consult the daemon
can be made. The optimum cache size will vary with system usage; e.g., an
external gateway has more filtering responsibility and sees many more
IP-address/protocol/port combinations than a workstation on a LAN, and
hence requires a larger cache.

The number of verdicts cached in the kernel is defined by the constant
NUMIPKFLT in the IP filtering configuration file
/var/sysgen/master.d/ipfilter. To change the size, as the superuser edit
this file and then use autoconfig(1M) to generate a new kernel and
reboot.

The effects of kernel cache size can be observed empirically by
monitoring network performance, and also by explicitly observing how
often and to what effect the daemon is being used. Executing ipfilterd
with the -d option provides that information. It turns on additional use
of syslogd(1M) to log data about each filter that is built, and also
about each daemon filtering request. This includes: an indication of
whether the packet matched a filter or was dropped by default; whether
the filter was one that specified an interface only, or included protocol
information; a timestamp; and a running count of the number of times that
kind of decision happened.
FILES

/var/adm/SYSLOG is the general syslogd(1M) data file. It contains all
events and data logged by ipfilterd. /etc/ipfilterd.conf contains macro
and filter definitions.

/var/sysgen/master.d/ipfilter is used when generating a kernel to specify
the size of the kernel cache of recent filtering verdicts, the cache
search depth that must be exceeded before any MRU reordering of the cache
is performed, and the treatment of inbound IP packets when the filtering
daemon has died or been killed.

The constant NUMIPKFLT defines the size of the kernel cache of recent
filtering verdicts. This should be tuned based on system load.
The filtercache_search_depth variable is used to minimize the thrashing
of the cache that would occur if every filter hit was moved to the head
of the cache. It defaults to 4, which permits two simultaneous file
transfers to occur without MRU reordering. This value should be tuned
based on expected system workload.

The ipfilterd_inactive_behavior variable specifies how inbound IP packets
will be treated when the daemon has died or been killed. A value of 0
specifies that inbound IP processing should proceed as though filtering
were not configured; that is, the host fails open and passes everything
until the daemon is restarted. A value of 1 specifies that all inbound IP
packets (except those from the local host) will be dropped. Use of this
value ensures that routing is disabled in IP firewalls whose daemon is
inactive, preventing security holes; it is the appropriate setting for
any host that depends on ipfilterd for protection.

With the 5.0 release of IRIX, the ipfilter_ttl variable is used to set a
maximum lifetime for idle kernel cache entries. Entries idle longer than
that interval (default 60 seconds) are deleted.
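The following is an added toy model of the kernel verdict cache described above, written for this page and not taken from IRIX: an MRU list of NUMIPKFLT entries, MRU reordering only for hits deeper than filtercache_search_depth, aging after ipfilter_ttl idle seconds, and ipfilterd_inactive_behavior deciding what happens once the daemon is killed (and the cache zeroed, as the NOTE section states). The cache key, the exact depth rule (hits within the first search_depth entries stay put), and the constructed_policy stand-in for the daemon are assumptions made for the illustration.

```python
"""Toy model of the kernel verdict cache that ipfilterd(1M) describes (added
illustration, not IRIX code): an MRU list holding NUMIPKFLT entries, MRU
reordering only for hits deeper than filtercache_search_depth, entries aged
out after ipfilter_ttl idle seconds, and ipfilterd_inactive_behavior deciding
what happens to packets when the daemon is gone."""
from typing import Callable, List, Optional, Tuple

# Key the cache on the things the page says verdicts depend on; the real
# kernel's key layout is not documented, so this shape is an assumption.
Key = Tuple[str, str, int]        # (source address, protocol, port)


class VerdictCache:
    def __init__(self, ask_daemon: Optional[Callable[[Key], str]],
                 numipkflt: int = 16, search_depth: int = 4, ttl: int = 60,
                 inactive_behavior: int = 1, local_addrs=("127.0.0.1",)):
        self.ask_daemon = ask_daemon            # None models a dead or killed daemon
        self.numipkflt = numipkflt              # NUMIPKFLT: how many verdicts are cached
        self.search_depth = search_depth        # filtercache_search_depth
        self.ttl = ttl                          # ipfilter_ttl, idle seconds
        self.inactive_behavior = inactive_behavior  # ipfilterd_inactive_behavior: 0 or 1
        self.local_addrs = set(local_addrs)
        self.entries: List[list] = []           # [key, verdict, last_used]; index 0 is the head
        self.daemon_polls = 0                   # each poll is a context switch out of the kernel

    def _expire(self, now: int) -> None:
        self.entries = [e for e in self.entries if now - e[2] <= self.ttl]

    def lookup(self, key: Key, now: int) -> Tuple[str, str]:
        """Return (verdict, where it came from) for one inbound packet."""
        self._expire(now)
        for depth, entry in enumerate(self.entries):
            if entry[0] == key:
                entry[2] = now
                # Assumed depth rule: a hit among the first search_depth
                # entries stays where it is; a deeper hit moves to the head.
                if depth >= self.search_depth:
                    self.entries.pop(depth)
                    self.entries.insert(0, entry)
                return entry[1], "cache"
        if self.ask_daemon is None:
            # Daemon gone: 0 = proceed as if unfiltered (fails open),
            # 1 = drop everything except local-host traffic (fails closed).
            if self.inactive_behavior == 0 or key[0] in self.local_addrs:
                return "accept", "daemon-inactive"
            return "reject", "daemon-inactive"
        self.daemon_polls += 1
        result = self.ask_daemon(key)
        self.entries.insert(0, [key, result, now])
        del self.entries[self.numipkflt:]       # full: the least recently used tail falls off
        return result, "daemon"

    def daemon_killed(self) -> None:
        """/etc/killall ipfilterd: the daemon goes away and the cache is zeroed."""
        self.ask_daemon = None
        self.entries.clear()

    def cached_keys(self) -> List[Key]:
        return [e[0] for e in self.entries]


def constructed_policy(key: Key) -> str:
    """Stand-in for the daemon's filter array: only one (made-up) host is accepted."""
    return "accept" if key[0] == "192.0.2.44" else "reject"


def demo() -> dict:
    """Walk the cache through a miss, a hit, a TTL expiry and a killed daemon."""
    cache = VerdictCache(constructed_policy, numipkflt=8, search_depth=4, ttl=60)
    key = ("192.0.2.44", "tcp", 513)
    out = {
        "first": cache.lookup(key, now=0),      # miss: the daemon is polled
        "repeat": cache.lookup(key, now=10),    # hit: served from the cache
        "stale": cache.lookup(key, now=100),    # idle 90 s > ttl: polled again
        "polls": cache.daemon_polls,
    }
    cache.daemon_killed()
    out["after_kill"] = cache.lookup(key, now=101)   # behavior 1: fail closed
    return out
```

Run demo() to see the three sources a verdict can come from; with inactive_behavior=0 the last lookup would return "accept", which is the fail-open condition the FILES section warns about for firewalls.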
EXAMPLES

Examples of use of "define" to create macros:

A filter for all possible traffic between two machines, each of which is
multi-homed:

define ip.betwixt between($1,$3) || between($1,$4) || between($2,$3) || between($2,$4)

A macro to specify any host not on a given Class C network (or on a Class
B network with 8-bit subnet masks) as the source. When masking against an
IP address in a macro, hex must be used. However, the IP (sub)network
number specified in the filter may be either in hex or dot format.
Parentheses are used to establish binding and precedence:

define ip.notnetCsrc not((src & 0xffffff00) = $1)

Filter examples:

To accept all IP traffic between two single-homed hosts:

accept between speaker squaw

To reject all IP traffic over one network interface between two hosts:

reject -i ec0 between speaker dizzy

To reject Sun RPC traffic between two hosts:
reject between teton 192.99.99.99 and udp.port sunrpc

To grab all packets from one host over a given network interface rather
than forwarding them along to their destination:

grab -i ec0 src=boston

An example of ip.betwixt:

reject ip.betwixt foo1 foo2 boo1 boo2 and tcp.port login

To reject all FTP connections that do not originate from a given Class B
net (ip.notnetBsrc is the Class B counterpart of the ip.notnetCsrc macro
defined above, masking with 0xffff0000):

reject ip.notnetBsrc 192.26.00.00 and tcp.port ftp

SEE ALSO
netsnoop(1M), master(4)
NOTE

IP filtering may be initiated or disabled only by the superuser. The
command

/etc/killall ipfilterd

kills the filtering daemon and zeroes out the kernel cache of filtering
verdicts. It may also disable all IP forwarding and receipt of any
inbound IP traffic except that from the local host - see the discussion
of the ipfilterd_inactive_behavior variable in the FILES section above.

The command

/usr/etc/ipfilterd

which is normally executed from /etc/init.d/network, starts up the daemon
and initializes the configured filters. Only one instance of ipfilterd
may be active at any time; attempts to start a second daemon will fail
benignly.

Macros must be defined before they are referenced in filters in
/etc/ipfilterd.conf. Each macro definition must be on one line and have
a maximum of 255 characters.

The daemon's array of filters is generated in the order specified in
/etc/ipfilterd.conf. The filtering daemon examines filters from the top
of the array each time. As soon as it detects a match, it returns the
associated verdict. It is possible to have more than one filter match a
given packet, such as wishing to reject rlogin requests from all of a
given net except for one particular host. In that case, the particular
filter should appear first:
accept ip.src bambi and tcp.port login

followed by the general case:

reject ip.netBsrc 199.0.2.0 and tcp.port login
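The following is an added model of the decision procedure the DESCRIPTION section lays out (ordered array, first match wins, default drop) and of the ordering rule just above; it is written for this page and is not ipfilterd's own code. The hostnames are those used in the page's examples, but the HOSTS address table, the Packet/Filter types and the predicate helpers (between, src_is, src_in_net, port) are constructed stand-ins for netsnoop(1M) filter syntax, and bambi is placed inside the 199.0.0.0 Class B net on purpose so that the order of the two rlogin filters matters.

```python
"""Toy model of ipfilterd's decision procedure (added illustration, not IRIX
code): the filter array is searched from the top, the first matching filter
supplies the verdict, and a packet matching nothing is dropped."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed host table standing in for the hostnames in the man page's
# examples; the addresses are made up for this demonstration.
HOSTS = {
    "bambi": "199.0.2.44",     # the one host allowed to rlogin in
    "thumper": "199.0.7.9",    # another host on the same Class B net
    "boston": "192.26.1.1",
    "speaker": "192.99.99.1",
    "squaw": "192.99.99.2",
}
LOGIN, FTP = 513, 21                    # tcp "login" and "ftp" from /etc/services
NET_B, NET_C = 0xFFFF0000, 0xFFFFFF00   # the hex masks the macros use


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ifname: str
    proto: str          # tcp, udp, icmp or igmp
    sport: int = 0
    dport: int = 0


Predicate = Callable[[Packet], bool]


@dataclass
class Filter:
    verdict: str                  # accept, reject or grab
    test: Predicate
    ifname: Optional[str] = None  # the "-i ec0" prefix, which must come first


def addr(name: str) -> int:
    """Resolve a table hostname, a hex literal or a dotted quad to an integer."""
    name = HOSTS.get(name, name)
    if name.lower().startswith("0x"):
        return int(name, 16)
    return int(ipaddress.IPv4Address(name))


# Predicates mirroring the netsnoop-style expressions used in the examples.
def between(a: str, b: str) -> Predicate:
    x, y = addr(a), addr(b)
    return lambda p: (addr(p.src), addr(p.dst)) in ((x, y), (y, x))


def src_is(host: str) -> Predicate:
    h = addr(host)
    return lambda p: addr(p.src) == h


def src_in_net(net: str, mask: int) -> Predicate:
    """ip.netBsrc style: (src & mask) = net, with the mask given in hex."""
    n = addr(net) & mask
    return lambda p: (addr(p.src) & mask) == n


def port(proto: str, number: int) -> Predicate:
    return lambda p: p.proto == proto and number in (p.sport, p.dport)


def both(*tests: Predicate) -> Predicate:
    return lambda p: all(t(p) for t in tests)


def negate(test: Predicate) -> Predicate:
    return lambda p: not test(p)


def verdict(filters: List[Filter], pkt: Packet) -> str:
    """Top-to-bottom search; the first filter that applies decides."""
    for f in filters:
        if f.ifname is not None and f.ifname != pkt.ifname:
            continue                 # wrong interface: this filter cannot apply
        if f.test(pkt):
            return f.verdict
    return "reject"                  # nothing matched: dropped by default


# The NOTE section's ordering rule (particular host before the general net),
# followed by the page's other examples recast as predicates.
RULES = [
    Filter("accept", both(src_is("bambi"), port("tcp", LOGIN))),                        # accept ip.src bambi and tcp.port login
    Filter("reject", both(src_in_net("199.0.2.0", NET_B), port("tcp", LOGIN))),         # reject ip.netBsrc 199.0.2.0 and tcp.port login
    Filter("grab", src_is("boston"), ifname="ec0"),                                     # grab -i ec0 src=boston
    Filter("reject", both(negate(src_in_net("192.26.0.0", NET_B)), port("tcp", FTP))),  # reject ip.notnetBsrc 192.26.00.00 and tcp.port ftp
    Filter("accept", port("tcp", FTP)),                                                 # FTP from that net still needs an accept, or it hits the default drop
    Filter("accept", between("speaker", "squaw")),                                      # accept between speaker squaw
]

# The same two rlogin filters in the wrong order: the general reject now
# shadows the specific accept, and bambi can never get in.
RULES_SHADOWED = [RULES[1], RULES[0]] + RULES[2:]
```

Feeding the same bambi rlogin packet to RULES and RULES_SHADOWED gives "accept" and "reject" respectively, which is the whole point of the ordering rule; a boston packet arriving on ec1 instead of ec0 skips the grab filter and, matching nothing else, falls through to the default drop.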
Several macros relating to (sub)networks rather than hosts are predefined
in /etc/ipfilterd.conf.