David Stes wrote:
Greetings,

I am trying to setup a development Linux Slackware system to develop an
extension to IPFILTER to 'filter' on RPC calls/responses, over UDP/TCP.

Currently the extension is the 'rpc' keyword so
# UDP
pass in quick proto udp all rpc = portmapper keep state
pass in quick proto udp all rpc 390100:390120 keep state

This checks that the PROGRAM is either portmapper or in the LEGATO (EMC
NetWorker, backup software, aka SUN EBS) range.

Basically this differs from the "PROXY" approach because instead of
checking for portmapper calls and creating states for these connections,
I simply look at the RPC call packet and when I see a RPC call I can mark
the XID and 'expect' a response (RPC response) and allow it.

So basically the firewall can 'close' everything and allow packets that
are RPC calls and responses for given ranges (such as portmapper and Legato).

The code that I've sent (experimental) also includes a first attempt for
TCP, but for TCP I'm not yet very satisfied.

The changes are fairly simple and are marked with #ifdef STES in the
ipfilter source code.

Hi David,

Interesting approach...

Just to ponder the RPC problem...
- each RPC name has an assigned number
- the port on which an RPC lives is dynamic and determined at runtime
- the start of each RPC call includes the RPC number
- determining the correct port is done by asking the portmapper

For UDP, the RPC# must be included in the packet sent to the port,
but for TCP, in order to get the RPC# you need to allow the connection
to establish first.  This connection establishment might be more than
what people are comfortable with (or expect.)

A different approach might be to work it like this:
pass in quick proto udp from any to any port = 111 keep state (rpcmap)
..and use that with your rules like this:

pass in quick proto udp all rpc 390100:390120 keep state

and to then build up a mapping of port#'s to RPC#'s per IP# by monitoring
the conversation with the portmapper (it's been a long time since I looked
at the proxy, so I don't know if this is how it works.)

What do you think?

Darren
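An added example, not code from either poster or from the IPFilter source: a Python sketch of the UDP half of the 'rpc' keep-state David describes (a CALL to an allowed program creates a one-shot expectation for the REPLY with the same XID) combined with the port-to-program map per server that Darren's "(rpcmap)" suggestion would learn from the portmapper conversation. It assumes the ONC RPC v2 wire format (RFC 5531) and the portmapper v2 GETPORT procedure (RFC 1833); the class and function names and the packets in the comments are constructed for the demo, and the TCP case is left out.

```python
import struct
PMAP_PROG, PMAP_GETPORT = 100000, 3  # portmapper program number and its GETPORT procedure (RFC 1833)

def skip_auth(payload, off):
    """Offset just past one XDR opaque_auth (flavor, length, body padded to 4 bytes), or None if truncated."""
    if off + 8 <= len(payload):
        end = off + 8 + ((struct.unpack("!I", payload[off + 4:off + 8])[0] + 3) & ~3)
        return end if end <= len(payload) else None

def parse_call(payload):
    """Return (xid, prog, proc, args) for an ONC RPC v2 CALL (RFC 5531), or None."""
    off = skip_auth(payload, 24)            # credential (also guarantees len >= 32)
    off = off and skip_auth(payload, off)   # verifier
    if off is not None:
        xid, mtype, rpcvers, prog, _vers, proc = struct.unpack("!6I", payload[:24])
        return (xid, prog, proc, payload[off:]) if mtype == 0 and rpcvers == 2 else None

def parse_reply(payload):
    """Return (xid, accept_stat, results) for a MSG_ACCEPTED RPC REPLY, or None."""
    off = skip_auth(payload, 12)            # verifier (also guarantees len >= 20)
    if off is not None and off + 4 <= len(payload):
        xid, mtype, reply_stat = struct.unpack("!3I", payload[:12])
        if mtype == 1 and reply_stat == 0:  # only MSG_ACCEPTED replies carry an accept_stat and results
            return xid, struct.unpack("!I", payload[off:off + 4])[0], payload[off + 4:]

class RpcFilter:
    """Keep-state for an 'rpc' rule over UDP: XID-matched reply expectations plus a port->program map."""
    def __init__(self, allowed):
        self.allowed = allowed  # (low, high) program-number ranges, as in "rpc 390100:390120"
        self.pending = {}       # (client, server, xid) -> GETPORT query tuple, or None for a plain call
        self.portmap = {}       # (server_ip, ip_proto, port) -> program number learned from the portmapper

    def pass_call(self, client, server, payload):
        xid, prog, proc, args = parse_call(payload) or (None, -1, None, b"")
        if not any(lo <= prog <= hi for lo, hi in self.allowed):
            return False  # not an RPC call (prog -1), or a program outside the rule's ranges
        is_getport = prog == PMAP_PROG and proc == PMAP_GETPORT and len(args) >= 16
        self.pending[(client, server, xid)] = struct.unpack("!4I", args[:16]) if is_getport else None
        return True

    def pass_reply(self, server, client, payload):
        r = parse_reply(payload)
        q = self.pending.pop((client, server, r[0]), False) if r else False
        if q is False:
            return False  # not an accepted reply, or no matching XID state (unsolicited or replayed)
        port = q and r[1] == 0 and len(r[2]) >= 4 and struct.unpack("!I", r[2][:4])[0]
        if port:  # successful GETPORT answer with a non-zero port: learn where that program lives
            self.portmap[(server[0], q[2], port)] = q[0]
        return True
```

The filter only ever admits a reply that answers a call it has already passed, so a reply arriving twice (or without a call) is dropped, and each GETPORT answer extends the map the proxy-less approach can later consult.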
