Re: packet filtering as a virtual machine
> They would have to have been really serious about protecting their patent to threaten Sun; remember that almost all FW1 installations (Checkpoint's cash cow) were dependent on Solaris boxes.

Perhaps. OTOH, if you don't protect IP, you lose it. That is why so many warnings about infringement get sent. You have to, or the evidence that you've stopped protecting it can be used against you in a future infringement suit.

It looks like Checkpoint's patent is number 5,606,668. http://tinyurl.com/dzhf2

Unfortunately I can't view the images from this workstation, so it's a bit hard to follow the text.

--
http://www.lightconsulting.com/~travis/ -- We already have enough fast, insecure systems. -- Schneier Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: Adding support for FTP
Kevin said the following on 10/24/05 12:55:
> On 10/24/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
>> On Mon, Oct 24, 2005 at 06:14:49PM +0930, Aluminium Oxide wrote:
>>> While the satisfactory and workable solution is using a rdr and passing the role to an ftp-proxy, I would like to add to pf the capability to actually monitor the erection of an ftp connection and create an anticipatory state to permit: . . .
>>
>> If your module simply scans individual packets' payload to search for a magic string, it will be fooled like this.
>
> I agree with Dan. One alternative to bypassing ftp-proxy might be to enhance the interaction between ftp-proxy and pf, so instead of proxying the data connection, ftp-proxy can optionally build the appropriate temporary NAT and pass rules to allow the data connection via pf, eliminating a performance bottleneck while keeping *most* of the security of ftp-proxy.
>
> Two drawbacks to the above approach are the loss of visibility into and transfer accounting for the data connection, and greater exposure to attacks such as this one: http://www.enyo.de/fw/security/java-firewall/
>
> Kevin Kadow

/usr/src/usr.sbin/ftp-proxy uses anchors in pf.conf to add rules for the ftp traffic. It hasn't been linked in yet.

From the link: "In firewalls, do not use heuristic approaches to stateful filtering. Complex protocols should be handled by application layer gateways that actually understand the protocols they are letting through."
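To make Daniel's point concrete, here is an added example (not code from the thread or from ftp-proxy) contrasting a per-packet "magic string" scan with a tracker that actually follows the FTP control channel: it reassembles lines, waits for a real greeting and login, and only accepts a PORT endpoint that belongs to the client itself on an unprivileged port. The traffic and the client address 10.0.0.5 are constructed.

```python
import re
from dataclasses import dataclass
# Added example, not code from the thread: a per-packet "magic string" scan beside a
# tracker that follows the FTP control channel. All traffic below is constructed.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_port(m):
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def naive_scan(payload):
    m = PORT_RE.search(payload)   # heuristic: one packet, no protocol context
    return parse_port(m) if m else None

@dataclass
class FtpControlTracker:
    """ALG-style: reassemble lines, require a real session, validate the endpoint."""
    client_ip: str
    greeted: bool = False
    logged_in: bool = False
    c2s: bytes = b""
    s2c: bytes = b""

    def server_data(self, data):
        self.s2c += data
        while b"\r\n" in self.s2c:
            line, self.s2c = self.s2c.split(b"\r\n", 1)
            self.greeted |= line.startswith(b"220")     # server greeting
            self.logged_in |= line.startswith(b"230")   # login accepted
    def client_data(self, data):   # returns (host, port) endpoints a data rule may be opened for
        self.c2s += data
        opened = []
        while b"\r\n" in self.c2s:                      # complete lines only
            line, self.c2s = self.c2s.split(b"\r\n", 1)
            m = PORT_RE.fullmatch(line)
            if m and self.greeted and self.logged_in:
                host, port = parse_port(m)
                if host == self.client_ip and port > 1023:   # client's own, unprivileged
                    opened.append((host, port))
        return opened

def demo(client_ip="10.0.0.5"):   # constructed session; client address is an assumption
    t = FtpControlTracker(client_ip)
    t.server_data(b"220 ready\r\n"); t.client_data(b"USER ftp\r\nPASS x\r\n"); t.server_data(b"230 ok\r\n")
    first, second = b"PORT 10,0,0,5,", b"4,1\r\n"     # PORT split across two segments
    lookalike = b"POST /x HTTP/1.0\r\n\r\nPORT 10,0,0,5,0,80\r\n"   # not an FTP session
    return {"naive_split": naive_scan(first),                  # None: missed
            "tracker_split": t.client_data(first) + t.client_data(second),
            "naive_lookalike": naive_scan(lookalike),          # fires anyway
            "tracker_lookalike": FtpControlTracker(client_ip).client_data(lookalike)}
```

The split PORT is missed by the per-packet scan but opened correctly by the tracker, while the PORT-shaped string inside non-FTP data fires the scan and is ignored by the tracker.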
Re: packet filtering as a virtual machine
On Mon, Oct 24, 2005 at 02:38:43AM -0500, Travis H. wrote:
> Has anyone thought of modeling packet filtering/translation/queueing as a virtual machine?

BSD/OS ipfw (http://www.pix.net/software/ipfw/) did use BPF bytecode for filter rules. Basically you compile your filter ruleset into BPF bytecode and match the packets. However, in practice it's very hard to retrieve the current filter set and read the optimized BPF bytecode while trying to figure out what the active rule set does.
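As an added illustration of the approach described above (a toy written for this page, not BSD/OS ipfw's code): a tiny compiler that turns a "tcp to port 3260" rule into BPF-style (op, k, jt, jf) instructions, an interpreter that runs them over constructed IPv4/TCP packets, and a disassembler showing why the emitted bytecode is harder to read back than the rule. Offsets assume a 20-byte IPv4 header with no link-layer framing.

```python
import socket
import struct
# Added example, not BSD/OS ipfw's actual code: a toy BPF-style VM plus rule compiler,
# to show filter rules as bytecode and why the emitted program is hard to read back.
IP_PROTO_OFF, TCP_DPORT_OFF = 9, 22   # assume a 20-byte IPv4 header, no link layer

def compile_rule(proto=None, dport=None, match=1, nomatch=0):
    """Emit (op, k, jt, jf) instructions; jumps are relative to the next pc, as in BPF."""
    checks = [(ld, off, v) for ld, off, v in
              (("ldb", IP_PROTO_OFF, proto), ("ldh", TCP_DPORT_OFF, dport)) if v is not None]
    prog, n = [], len(checks)
    for i, (ld, off, val) in enumerate(checks):
        prog.append((ld, off, 0, 0))
        prog.append(("jeq", val, 0, 2 * n - 2 * i - 1))   # on mismatch jump to final ret
    prog.append(("ret", match, 0, 0))
    prog.append(("ret", nomatch, 0, 0))
    return prog

def run_filter(prog, pkt):
    """Interpret the program against one packet; returns the ret value."""
    a, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ldb":
            a = pkt[k]
        elif op == "ldh":
            a = struct.unpack_from("!H", pkt, k)[0]
        elif op == "jeq":
            pc += jt if a == k else jf
        elif op == "ret":
            return k
        pc += 1

def disasm(prog):   # what a bytecode dump shows: raw offsets and constants, no rule names
    return [f"({i:02d}) {op} #{k} jt {jt} jf {jf}" for i, (op, k, jt, jf) in enumerate(prog)]

def ipv4_tcp(src, dst, sport, dport):
    """Constructed packet: minimal IPv4 header plus the first 20 bytes of TCP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport) + bytes(16)

def demo():
    prog = compile_rule(proto=6, dport=3260)        # "tcp to port 3260"
    iscsi = ipv4_tcp("10.0.0.9", "10.0.0.20", 40000, 3260)
    ssh = ipv4_tcp("10.0.0.9", "10.0.0.20", 40001, 22)
    return run_filter(prog, iscsi), run_filter(prog, ssh), disasm(prog)
```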
Re: Adding support for FTP
> http://www.enyo.de/fw/security/java-firewall/

Towards the end... RFC 3514... check the date on that RFC. HHOS at its best.
Re: Adding support for FTP
I am attempting to do something along these lines using a python+pcap sniffer to watch for certain traffic, and use DFD (specifically dfd_keeper) to make the changes to the firewall. It will also be able to tear down the connection when it sees it close (or after a timeout - rules can be made with specified lifetimes):

http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

Check it out; I'd like to get some people using it and helping me make it better. Once I finish the sniffer, it'll be able to do SPA (single packet authentication), blocking of malicious hosts, FTP, peer-to-peer stuff, streaming multimedia protocols, port scan detection, etc.* Much of the framework is there, it just needs a sniffer program to exploit it. There might be some delay or packet loss, but I suspect these problems will be manageable on modern machines.

[*] There will also be a cutting-edge DoS/DDoS mitigation technique, if everything works the way I think it will.
Re: no scrub reassemble tcp from foo to bar
On Thu, Oct 20, 2005 at 08:24:32AM -0400, Jon Hart wrote:
> On Wed, Oct 19, 2005 at 07:51:13PM -0600, jared r r spiegel wrote:
>> On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote:
>>> What I'd like is to disable scrub's tcp reassembly on a per host/port/protocol basis, something along the lines of:
>>>
>>>   scrub all no-df random-id fragment reassemble reassemble tcp
>>>   no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp
>>>
>>> I'll bring up a test system to see if this is possible, but my question is will this get me what I want? I want to do full scrubbing on all of my traffic except I don't want to do tcp reassembly on port 3260/tcp for a specific host.
>>
>> flip the order, no scrub first (normalization is like translation, first match). other than that, looks fine.
>
> Great, I'll give it a shot. The order makes sense as you've described, but... will this give me scrubbing on all traffic (including 3260/tcp), but do tcp reassembly on everything that isn't 3260/tcp?

I've tried this out as suggested:

  no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp
  no scrub inet proto tcp from $SAN_NET to any port 3260 reassemble tcp
  scrub all no-df random-id fragment reassemble reassemble tcp

The ruleset loads as expected but the initial problem still remains. I did not have time to validate whether or not 3260/tcp was still having 'reassemble tcp' applied to it, but I have plans to see whether or not TCP timestamps are being munged, which'll tell me for sure. If anyone has any thoughts on this, I'm all ears. When things calm down a bit, I hope to get a test machine up to figure this out once and for all.

Thanks!

-jon
Load Balancing Outgoing, its possible ?
Complicated? Is it possible?

[Network diagram; the ASCII art did not survive extraction. It showed the following topology:]
- Telecom uplink with load sharing per packet into two routers: CISCO 2600 (6mbps) and HUAWEI (6mbps), each also doing load sharing per packet
- Router Ethernet sides: Ethernet (64.XX.XX.1/30) and Ethernet (65.XX.XX.1/30)
- FREEBSD 5.4 + PF: XL0 (64.XX.XX.2/30), XL1 (65.XX.XX.2/30), XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
- SWITCH behind XL2, with clients: IP 65.XX.XX.6/30, GW 65.XX.XX.5; IP 192.168.0.10/24, GW 192.168.0.254; IP 64.XX.XX.6/30, GW 64.XX.XX.5; and more clients ...

I need load balancing of outgoing traffic from: 192.168.0.0/24 (NAT) and 64.XX.XX.0/24, 65.XX.XX.0/24

Is it possible to do this balancing with PF? Is there some software with which I can do this? Can Zebra help me? Does this type of balancing cause problems for the browsing of NAT users or users with valid IPs? If it is possible, I would like to see examples with rules.

Thanks,

--
Daniel Dias Gonçalves
DGNET Network Solutions
[EMAIL PROTECTED]
(37) 99824809