
Modification of Pktfilter tool

Brad Baker, CS591 Spring 2007 term project: Modification of Pktfilter tool. The Pktfilter tool is an open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/), developed by Jean-Baptiste Marchand; the project has been inactive since February 2003.


Presentation Transcript


  1. Brad Baker, CS591 Spring 2007 Term project
  Modification of Pktfilter tool
  Pktfilter modification - Brad Baker

  2. The Pktfilter tool
  • Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)
  • Developed by Jean-Baptiste Marchand, project inactive since February 2003
  • Uses the Win32 filtering API (Windows 2000 packet filtering)
  • Runs as a service, configures the filtering API on start
  • Provides a command line utility

  3. Pktfilter basics
  • Filtering is controlled through a rules file
  • Rules define a default action, then exceptions
  • For example, block everything, then pass each allowed connection
  • Rule mixing isn't allowed: you can't block a connection after you have created a pass exception for it
  • Example of rule setup:
      block in on eth0 all
      block out on eth0 all
      pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
      pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
  • Rules require numeric IP addresses
  • Rules can specify ports and port ranges, protocols, and use the "any" keyword

  4. Pktfilter usage
  • Installation is a manual process
  • Copy the Pktfilter folder to Program Files or the desired directory
  • From a command prompt, run "pktfltsrv.exe -i" followed by the paths to three files: the rules file, the log file, and the DNS log file
  • This command installs the tool as a service
  • Configure the service to run automatically
  • Configure the rules file as desired
  • Restrict access to the rules file

  5. My project goals
  • In order of priority:
  • Research why the tool doesn't work on Windows Vista and the Windows XP x64 version
  • Research and include rule mixing
      For example, after creating an exception for HTTP we would like to block a specific website
  • Research and fix the logging problem
  • Research and implement DNS IP resolution from the rules file
  • Research and implement localhost IP resolution

  6. Goal #1 – Windows Vista & x64
  • Windows Vista doesn't include this API
  • The "Windows Filtering Platform" replaces the packet filtering API
  • WFP is a much more robust filtering solution
  • WFP allows application based filtering, boot time filtering, and packet inspection
  • Moving Pktfilter to x64 just requires building with the correct platform
  • Conclusion: save WFP for the future; x64 was a success

  7. Goals #2/#3 – Mixing & Logging
  • Mixing is not possible based on the design of the underlying API
  • The filtering engine is specifically designed to provide only the default and exception actions
  • Logging works with a fresh Windows XP installation
  • Changes to iphlpapi.dll in Service Pack 1 broke the logging function
  • Conclusion: mixing and logging aren't possible due to larger system issues

  8. Goals #4/#5 – IP resolution
  • Modified the program to use brackets for DNS lookup: "[www.uccs.edu]"
  • Modified the program to use the "me" keyword for localhost lookup
  • Looked at several DNS query methods
      First used: DnsQuery_A() in <Windns.h>
      Then used: gethostbyname() in <winsock2.h>
      Finally: getaddrinfo() in <winsock2.h>
  • The tool produces a log file to document the translation

  9. Example of IP resolution
  Log file output:
      -----------------------------------------------------
      Begin rule file parsing, GMT: 2007-05-06 04:43:25
      > local 'me' symbol resolved : ( 192.168.1.100 : artos )
      > Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
      > Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
      > Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
      > Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
      > Remote DNS lookup FAILED : ( - : test.my.blah )
      > Remote DNS lookup FAILED : ( - : test.my.blah )
      > Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
      > Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
      > Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
      > Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
      > Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
      > Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
      END, GMT: 2007-05-06 04:43:30
  Corresponding input configuration:
      # input rules
      rule 1: pass in on eth0 proto udp from any port = 53 to any
      rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
      rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
      rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
      rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
      rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
      rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
      rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68

  10. Summary
  • The tool will remain effective until Windows Vista is a common platform
  • Several goals were not met; however, the IP resolution will provide a benefit
  • Protected the application from long URLs and blank URLs
  • The rules file won't compromise the filtering configuration
  • Future enhancements can involve port information, fixing the DNS timeout, etc.
  • Security concerns with relying on DNS queries
      For example, the current Windows DNS server bug
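Slides 8 to 10 describe the rules-file translation step: bracketed names such as "[www.uccs.edu]" are resolved with getaddrinfo(), "me" becomes the local address, long or blank URLs are rejected, and a log documents each translation. The following is an added model of that step, not code from the Pktfilter project or from the presentation. It is written in Python rather than the tool's C, and it swaps in a constructed lookup table (table_resolver, FAKE_DNS) for getaddrinfo() so it runs offline; the sample rules file, the hostname validation rule (plain DNS labels only, at most 253 characters) and the local address/name are likewise constructed. One deliberate difference from the log on slide 9, where rules 4 and 5 show failed lookups emitted as 127.0.0.1: this version drops a rule whose target cannot be validated or resolved and records why, so a typo in the rules file never turns into an unintended pass rule.

```python
import re
from datetime import datetime, timezone

# Constructed sample rules file using the "[host]" and "me" syntax the slides describe.
SAMPLE_RULES = """\
# input rules
pass in on eth0 proto udp from any port = 53 to any
pass in on eth0 proto tcp from [slashdot.org] port = 80 to me
pass in on eth0 proto tcp from [test.my.blah] port = 80 to me
pass in on eth0 proto tcp from [http://www.crh.noaa.gov/fo] port = 80 to me
pass in on eth0 proto tcp from [] port = 80 to me
pass in on eth0 proto tcp from [www.uccs.edu] port = 80 to me
"""

# Constructed stand-in for getaddrinfo(): a fixed name -> address table (hypothetical).
FAKE_DNS = {
    "slashdot.org": "66.35.250.150",
    "www.uccs.edu": "128.198.1.212",
}


def table_resolver(name):
    """Return an IPv4 string for name, or None when the lookup fails."""
    return FAKE_DNS.get(name)


# A DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
BRACKET = re.compile(r"\[([^\]]*)\]")
ME_TOKEN = re.compile(r"(?<!\S)me(?!\S)")


def is_valid_hostname(name):
    """Accept only a bare DNS name: no scheme, path, empty labels, or > 253 chars.
    This is the check that keeps long or blank URLs out of the lookup path."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def translate_rules(text, resolver, local_addr, local_name="localhost"):
    """Rewrite bracketed hostnames and 'me' into numeric addresses.

    Returns (rules, log): the numbered rules that survived translation, and
    the log lines documenting each resolution, rejection, or failure."""
    rules, log = [], []
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    log.append(f"Begin rule file parsing, GMT: {stamp}")
    log.append(f"> local 'me' symbol resolved : ( {local_addr} : {local_name} )")

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        accepted = True

        def replace_bracket(match):
            nonlocal accepted
            name = match.group(1).strip()
            if not is_valid_hostname(name):
                log.append(f"> Rejected bracket target (not a hostname) : ( - : {name} )")
                accepted = False
                return match.group(0)
            addr = resolver(name)
            if addr is None:
                log.append(f"> Remote DNS lookup FAILED : ( - : {name} )")
                accepted = False
                return match.group(0)
            log.append(f"> Remote DNS lookup resolved : ( {addr} : {name} )")
            return addr

        line = BRACKET.sub(replace_bracket, line)
        if not accepted:
            continue  # never emit a rule whose target could not be resolved
        line = ME_TOKEN.sub(local_addr, line)
        rules.append(f"rule {len(rules) + 1}: {line}")

    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    log.append(f"END, GMT: {stamp}")
    return rules, log


if __name__ == "__main__":
    translated, dns_log = translate_rules(SAMPLE_RULES, table_resolver, "192.168.1.100", "artos")
    print("\n".join(dns_log))
    print("\n".join(translated))
```

Running the block prints a log in the same shape as slide 9 followed by the three rules that survive: the plain UDP rule and the two whose hostnames resolved. The unresolvable name, the full URL, and the empty brackets each produce one log line and no rule.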

  11. References
  • Original Pktfilter project source
      http://sourceforge.net/projects/pktfilter/
  • Information about the filtering API
      http://www.ndis.com/papers/winpktfilter.htm
      http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf
  • WFP summaries
      http://www.microsoft.com/whdc/device/network/WFP.mspx
      http://msdn2.microsoft.com/en-us/library/aa363967.aspx
  • DNS lookup information
      http://msdn2.microsoft.com/en-us/library/ms738524.aspx
      http://msdn2.microsoft.com/en-us/library/ms738520.aspx
  • PfCreateInterface, references other filtering API functions
      http://msdn2.microsoft.com/en-gb/library/aa376646.aspx
