Brad Baker

CS591 Spring 2007

Term project

Modification of Pktfilter tool

Pktfilter modification - Brad Baker

The Pktfilter tool
  • Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)
  • Developed by Jean-Baptiste Marchand, project inactive since February 2003
  • Uses the Win32 filtering API (Windows 2000 packet filtering)
  • Runs as a service, configures filtering API on start
  • Provides command line utility

Pktfilter basics
  • Filtering is controlled through a rules file
  • Rules define a default action, then exceptions
    • For example, block everything then pass each allowed connection
    • Rule mixing isn't allowed, you can't block a connection after you have created a pass exception
  • Example of rule setup:
    • block in on eth0 all
    • block out on eth0 all
    • pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
    • pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
  • Rules require numeric IP addresses
  • Rules can specify ports and ranges, protocols, and use the “any” keyword.


Pktfilter Usage
  • Installation is a manual process
  • Copy the Pktfilter folder to program files or the desired directory
  • From command prompt, run “pktfltsrv.exe -i” followed by the path to three files
    • Rules file, log file, DNS log file
    • This command installs Pktfilter as a service
  • Configure service to run automatically
  • Configure the rules file as desired
    • Restrict access to the rules file

My project goals
  • In order of priority:
    • Research why the tool doesn't work on Windows Vista and Windows XP x64 version
    • Research and include rule mixing
      • For example, after creating an exception for HTTP we would like to block a specific website
    • Research and fix the logging problem
    • Research and implement performing DNS IP resolution from the rules file
    • Research and implement localhost IP resolution

Goal #1 – Windows Vista & x64
  • Windows Vista doesn't include this API
  • The “Windows Filtering Platform” replaces the packet filtering API
  • WFP is a much more robust filtering solution
  • WFP allows application based filtering, boot time filtering, and packet inspection
  • Moving Pktfilter to x64 just requires building with the correct platform
  • Conclusion: Save WFP for future, x64 was success

Goals #2/#3 – Mixing & Logging
  • Mixing is not possible based on the design of the underlying API
  • The filtering engine is specifically designed to provide only the default and exception actions
  • Logging works with a fresh Windows XP installation
  • Changes to iphlpapi.dll in Service Pack 1 broke the logging function
  • Conclusion: Mixing and logging aren't possible due to larger system issues


Goals #4/#5 – IP resolution
  • Modified program to use brackets for DNS lookup: “[www.uccs.edu]”
  • Modified program to use the “me” keyword for localhost lookup
  • Looked at several DNS query methods
    • First used: DnsQuery_A() in <Windns.h>
    • Then used: gethostbyname() in <winsock2.h>
    • Finally: getaddrinfo() in <winsock2.h>
  • Tool produces a log file to document translation


Example of IP resolution

Log file output:

-----------------------------------------------------
Begin rule file parsing, GMT: 2007-05-06 04:43:25
> local 'me' symbol resolved : ( 192.168.1.100 : artos )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
END, GMT: 2007-05-06 04:43:30

Corresponding input configuration:

# input rules
rule 1: pass in on eth0 proto udp from any port = 53 to any
rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68
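The translation step behind the log and rule listing above (Goals #4/#5: bracketed hostnames resolved through DNS, the “me” keyword replaced by the local address, and blank or over-long names rejected before any lookup, as the Summary slide describes) can be modelled as follows. This is an added illustration, not Pktfilter's own code: the resolver is injected so the example runs offline against a constructed host table copied from the slide's log, a real build would call getaddrinfo() at that point, and the local address, the host table and the 127.0.0.1 placeholder written for a failed lookup are assumptions made for this example (the slide's listing shows 127.0.0.1 in the rules whose lookups failed).

```python
"""Model of Pktfilter-style rule preprocessing: [hostname] tokens are resolved
through DNS and the bare keyword "me" becomes the local address, with one log
line per translation. Added illustration, not the Pktfilter source; the host
table, local address and failure placeholder are constructed assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed host table standing in for DNS; values copied from the slide's log.
FAKE_DNS = {
    "slashdot.org": "66.35.250.150",
    "www.yahoo.com": "209.131.36.158",
    "www.uccs.edu": "128.198.1.212",
    "www.google.com": "72.14.253.147",
}
LOCAL_ADDR = ("192.168.1.100", "artos")  # constructed result for the "me" keyword
MAX_HOST_LEN = 253                        # longest legal DNS name (RFC 1035)
FAILED_PLACEHOLDER = "127.0.0.1"          # assumed stand-in written when a lookup fails

# One or more dot-separated labels: letters, digits, interior hyphens, at most 63 chars each.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def resolve(name, table=FAKE_DNS):
    """Injected resolver returning an IPv4 string or None (stands in for getaddrinfo())."""
    return table.get(name.lower())


def _lookup(name, log, resolver):
    """Validate a bracketed hostname, resolve it, log the outcome, return the IP or None."""
    # Blank, over-long or syntactically invalid names are rejected before any
    # query is sent, so a malformed rules file never reaches the lookup path.
    if not name or len(name) > MAX_HOST_LEN or not HOST_RE.match(name):
        log.append(f"> Remote DNS lookup FAILED : ( - : {name} )")
        return None
    ip = resolver(name)
    if ip is None:
        log.append(f"> Remote DNS lookup FAILED : ( - : {name} )")
        return None
    log.append(f"> Remote DNS lookup resolved : ( {ip} : {name} )")
    return ip


def translate_rule(rule, log, resolver=resolve):
    """Return (translated_rule, failure_count) for one rule line."""
    failures = 0
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("[") and tok.endswith("]"):
            ip = _lookup(tok[1:-1].strip(), log, resolver)
            if ip is None:
                failures += 1
                ip = FAILED_PLACEHOLDER
            tokens[i] = ip
        elif tok == "me":
            ip, host = LOCAL_ADDR
            log.append(f"> local 'me' symbol resolved : ( {ip} : {host} )")
            tokens[i] = ip
    return " ".join(tokens), failures


def translate_rules(lines, resolver=resolve, now=None):
    """Translate a whole rules file. Returns (rules, log, failures).

    Comment and blank lines pass through untouched. The failure count lets the
    caller refuse to load a rule set that contains placeholder addresses.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%d %H:%M:%S")
    log = [f"Begin rule file parsing, GMT: {stamp}"]
    rules, failures = [], 0
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            rules.append(line)
            continue
        out, n = translate_rule(line, log, resolver)
        rules.append(out)
        failures += n
    log.append(f"END, GMT: {stamp}")
    return rules, log, failures


if __name__ == "__main__":
    # Constructed sample rules file exercising a good name, an unknown name,
    # a URL pasted where a hostname belongs, and an empty bracket pair.
    sample = [
        "# input rules (constructed)",
        "pass in on eth0 proto tcp from [slashdot.org] port = 80 to me",
        "pass in on eth0 proto tcp from [test.my.blah] port = 80 to me",
        "pass in on eth0 proto tcp from [http://www.crh.noaa.gov/fo] port = 80 to me",
        "pass in on eth0 proto tcp from [] port = 80 to me",
    ]
    rules, log, failures = translate_rules(sample)
    print("\n".join(log))
    print("\n".join(rules))
    print(f"{failures} lookup(s) failed")
```

Validating the name before querying is what keeps a long or blank URL in the rules file from reaching the resolver; the failure count is returned separately so a deployment can treat any failed lookup as a reason not to load the rule set, rather than silently filtering on the placeholder address.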

Summary
  • The tool will remain effective until Windows Vista is a common platform
  • Several goals were not met; however, the IP resolution will provide a benefit
  • Protected the application from long URLs and blank URLs
    • The rules file won't compromise the filtering configuration
  • Future enhancements can involve port information, fixing the DNS timeout, etc.
  • Security concerns with relying on DNS query
    • For example, the current Windows DNS server bug

References
  • Original Pktfilter project source
    • http://sourceforge.net/projects/pktfilter/
  • Information about filtering API
    • http://www.ndis.com/papers/winpktfilter.htm
    • http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf
  • WFP summaries
    • http://www.microsoft.com/whdc/device/network/WFP.mspx
    • http://msdn2.microsoft.com/en-us/library/aa363967.aspx
  • DNS lookup information
    • http://msdn2.microsoft.com/en-us/library/ms738524.aspx
    • http://msdn2.microsoft.com/en-us/library/ms738520.aspx
  • PfCreateInterface, references other filtering API functions
    • http://msdn2.microsoft.com/en-gb/library/aa376646.aspx