From owner-freebsd-security Sun Mar 19 13:27:18 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA28493 for security-outgoing; Sun, 19 Mar 1995 13:27:18 -0800
Received: from violet.berkeley.edu (violet.Berkeley.EDU [128.32.155.22]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA28467 for ; Sun, 19 Mar 1995 13:27:16 -0800
Received: by violet.berkeley.edu (8.6.10/1.33r) id NAA23420; Sun, 19 Mar 1995 13:27:12 -0800
Date: Sun, 19 Mar 1995 13:27:12 -0800
From: jkh@violet.berkeley.edu (Jordan K. Hubbard)
Message-Id: <199503192127.NAA23420@violet.berkeley.edu>
To: security@FreeBSD.org
Sender: security-owner@FreeBSD.org
Precedence: bulk

Newsgroups: comp.sys.sun.admin,comp.sys.sun.misc,comp.security.unix,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc
Path: agate!howland.reston.ans.net!swrinde!ihnp4.ucsd.edu!munnari.oz.au!cs.mu.OZ.AU!darrenr
From: darrenr@arbld.unimelb.edu.au (Darren Reed)
Subject: Internet Packet Filter for SunOS 4.1.x/xBSD
Message-ID:
Sender: news@cs.mu.OZ.AU (CS-Usenet)
Organization: Computer Science, University of Melbourne, Australia
X-Newsreader: NN version 6.5.0 #13
Date: Fri, 17 Mar 1995 04:08:02 GMT
Lines: 53
Xref: agate comp.sys.sun.admin:53334 comp.sys.sun.misc:21223 comp.security.unix:13702 comp.unix.bsd.freebsd.misc:178 comp.unix.bsd.netbsd.misc:79

Internet Packet Filter for SunOS 4.1.x/NetBSD/FreeBSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to announce the most recent results of my efforts in writing an IP packet filter for Unix servers/workstations.

Why would you need it ?

* Allows you to protect your subnets against IP spoofing (the most recent `attack', as used by Kevin Mitnick) where you have Unix doing IP routing;

* Allows you to build a firewall using your existing SunOS/*BSD setup without needing to purchase expensive software/hardware.

Recent featurisms added include:

* optional returning of ICMP error packets for "blocked" packets (a per-rule option, allowing some rules to block packets silently and others with a returned ICMP packet);

* "short" TCP packets (which can be deficient in various TCP header details) can be filtered out - short UDP/ICMP packets are just dropped and logged as a matter of course - by default "short" packets are NOT checked against port values/TCP flags;

* fragmented IP packets can be selectively filtered;

* TCP/UDP packets can be grouped together for filtering on ports;

* ipftest (largely as yet undocumented :/) will read in either tcpdump/etherfind output (text) or snoop binary output (see recent RFC) and apply a ruleset against each IP packet found therein; (good for testing your rules before you "commit" yourself)

* The "log reader", which reads the log "output device", has been updated to show which rule and the result (block/pass/log) of the filtering at the stage it was logged. Also, ICMP headers are now expanded out properly.

How do I get it to work ?

* Follow the instructions on installing the kernel patches, rebuild your kernel and use "modload" to load the packet filter. From there on, it is up to you and what you want to do with it.

Where can I get it to check out ?

coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.tar.Z
coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.tar.gz

Cheers,
Darren
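The following ruleset is an added illustration, not part of Darren's post and not shipped with ip_fil 2.5, of what the features listed above are for on a Unix box doing IP routing: ingress anti-spoofing, dropping short and fragmented packets before any port/flag test can be fooled by missing header bytes, a per-rule choice between a returned ICMP error and a silent drop, and a tcp/udp port rule. Interface names (le0 outside, le1 inside), addresses (192.168.1.0/24 as the inside net) and hosts are assumptions. The syntax is the IP Filter rule language as documented in later releases (`quick`, `with short`, `with frag`, `return-icmp`, `proto tcp/udp`); whether release 2.5 accepted every keyword exactly as written is an assumption, so check each line with ipftest before loading it.

```text
# ipf.rules - added example, not the project's own. All names/addresses assumed.
# Rules carry "quick", so the first match wins and order matters.

# 1. Anti-spoofing on the outside interface: a packet arriving from upstream
#    may never claim an inside or loopback source. Log it, drop it silently
#    (an ICMP reply would only go back to the forged address).
block in log quick on le0 from 192.168.1.0/24 to any
block in log quick on le0 from 127.0.0.0/8 to any

# 2. Egress side of the same check: an inside host may not send with a
#    non-inside source (catches a compromised or misconfigured machine
#    before it can spoof outward through this router).
block in log quick on le1 from !192.168.1.0/24 to any

# 3. "Short" TCP packets and IP fragments are refused before any port or
#    flag rule runs; the header bytes those rules need may be missing.
block in log quick on le0 proto tcp all with short
block in log quick on le0 all with frag

# 4. Per-rule ICMP choice: a probe of portmapper gets an ICMP error back
#    (so the client fails fast) ...
block return-icmp in log quick on le0 proto udp from any to 192.168.1.0/24 port = 111

# 5. What is permitted in from outside: SMTP to the mail host, and DNS to the
#    name server with tcp and udp handled by one rule.
pass in quick on le0 proto tcp from any to 192.168.1.10/32 port = 25
pass in quick on le0 proto tcp/udp from any to 192.168.1.2/32 port = 53

# 6. ... while everything else blocked on the outside interface stays silent.
block in log quick on le0 all
```

Before loading the ruleset into the kernel, replay a capture through it: assuming the ipftest options of later releases, `ipftest -r ipf.rules -T -i packets.txt` applies the rules to text output from tcpdump, and `ipftest -r ipf.rules -S -i packets.snoop` to a snoop binary capture, printing pass/block per packet; `ipf -f ipf.rules` then loads the checked rules.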