Modification of Pktfilter tool
Transcript of Modification of Pktfilter tool
Brad Baker, CS591 Spring 2007
Term project
04/20/23 Pktfilter modification - Brad Baker
Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)
Developed by Jean-Baptiste Marchand, project inactive since February 2003
Uses the Win32 filtering API (Windows 2000 packet filtering)
Runs as a service, configures filtering API on start
Provides command line utility
Filtering is controlled through a rules file
Rules define a default action, then exceptions
• For example, block everything then pass each allowed connection
• Rule mixing isn't allowed, you can't block a connection after you have created a pass exception
Example of rule setup:
• block in on eth0 all
• block out on eth0 all
• pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
• pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
Rules require numeric IP addresses
Rules can specify ports and ranges, protocols, and use the “any” keyword.
Installation is a manual process
Copy the Pktfilter folder to program files or the desired directory
From a command prompt, run “pktfltsrv.exe -i” followed by the paths to three files
• Rules file, log file, DNS log file
• This command installs the tool as a service
Configure the service to run automatically
Configure the rules file as desired
• Restrict access to the rules file
In order of priority:
• Research why the tool doesn't work on Windows Vista and the Windows XP x64 version
• Research and include rule mixing
For example, after creating an exception for HTTP we would like to block a specific website
• Research and fix the logging problem
• Research and implement performing DNS IP resolution from the rules file
• Research and implement localhost IP resolution
Windows Vista doesn't include this API
The “Windows Filtering Platform” replaces the packet filtering API
WFP is a much more robust filtering solution
WFP allows application based filtering, boot time filtering, and packet inspection
Moving Pktfilter to x64 just requires building with the correct platform
Conclusion: Save WFP for the future, x64 was a success
Mixing is not possible based on the design of the underlying API
The filtering engine is specifically designed to provide only the default and exception actions
Logging works with a fresh Windows XP installation
Changes to iphlpapi.dll in Service Pack 1 broke the logging function
Conclusion: Mixing and logging aren't possible due to larger system issues
Modified program to use brackets for DNS lookup “[www.uccs.edu]”
Modified program to use “me” keyword for localhost lookup
Looked at several DNS query methods
First used: DnsQuery_A() in <Windns.h>
Then used: gethostbyname() in <winsock2.h>
Finally: getaddrinfo() in <winsock2.h>
Tool produces a log file to document the translation
Log file output:
-----------------------------------------------------
Begin rule file parsing, GMT: 2007-05-06 04:43:25
> local 'me' symbol resolved : ( 192.168.1.100 : artos )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
END, GMT: 2007-05-06 04:43:30

Corresponding input configuration:
# input rules
rule 1: pass in on eth0 proto udp from any port = 53 to any
rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68
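An added example, not code from the Pktfilter project or these slides, of the rule pre-processing the slides describe: it expands the “[hostname]” bracket syntax and the “me” keyword into numeric addresses, logs each outcome in the style of the DNS log above, and rejects blank, over-long or URL-shaped names before any lookup (the long/blank URL protection mentioned in the conclusions). The resolver table standing in for getaddrinfo() and the fail-closed choice (a rule whose lookup failed is dropped rather than installed) are assumptions of this example.

```python
import re
from typing import Callable, List, Optional

# Constructed stand-in for getaddrinfo(): addresses are the ones shown on the slides.
FAKE_DNS = {"www.uccs.edu": "128.198.1.212", "slashdot.org": "66.35.250.150"}

def fake_resolver(name: str) -> Optional[str]:
    """Return the IPv4 string for a name, or None when the lookup fails."""
    return FAKE_DNS.get(name)

MAX_HOSTNAME = 253                             # RFC 1035 limit on a full domain name
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # rejects blanks, URLs and odd characters
BRACKET_RE = re.compile(r"\[([^\]]*)\]")       # the "[www.uccs.edu]" syntax

def resolve_symbol(name: str, resolver: Callable[[str], Optional[str]],
                   local_ip: str, log: List[str]) -> Optional[str]:
    """Turn one symbolic address into a numeric IP, logging like Pktfilter's DNS log."""
    if name == "me":
        log.append(f"local 'me' symbol resolved : ( {local_ip} : me )")
        return local_ip
    if not name or len(name) > MAX_HOSTNAME or not HOSTNAME_RE.match(name):
        log.append(f"Remote DNS lookup FAILED : ( - : {name} )")  # never reaches the resolver
        return None
    ip = resolver(name)
    if ip is None:
        log.append(f"Remote DNS lookup FAILED : ( - : {name} )")
        return None
    log.append(f"Remote DNS lookup resolved : ( {ip} : {name} )")
    return ip

def expand_rule(rule: str, resolver: Callable[[str], Optional[str]],
                local_ip: str, log: List[str]) -> Optional[str]:
    """Rewrite every [host] token and the 'me' keyword in one rule line.
    Returns None when any lookup fails, so a half-resolved pass rule is dropped
    instead of installed (an assumed fail-closed policy, not the tool's own)."""
    failed = False

    def bracket(m: "re.Match[str]") -> str:
        nonlocal failed
        ip = resolve_symbol(m.group(1), resolver, local_ip, log)
        if ip is None:
            failed = True
            return m.group(0)
        return ip

    out = BRACKET_RE.sub(bracket, rule)
    out = re.sub(r"\bme\b", lambda m: resolve_symbol("me", resolver, local_ip, log), out)
    return None if failed else out
```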
The tool will remain effective until Windows Vista is a common platform
Several goals were not met, however the IP resolution will provide a benefit
Protected the application from long URLs and blank URLs
• The rules file won't compromise the filtering configuration
Future enhancements can involve port information, fixing DNS timeout, etc
Security concerns with relying on DNS query
• For example, the current Windows DNS server bug
Original Pktfilter project source
• http://sourceforge.net/projects/pktfilter/
Information about filtering API
• http://www.ndis.com/papers/winpktfilter.htm
• http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf
WFP summaries
• http://www.microsoft.com/whdc/device/network/WFP.mspx
• http://msdn2.microsoft.com/en-us/library/aa363967.aspx
DNS lookup information
• http://msdn2.microsoft.com/en-us/library/ms738524.aspx
• http://msdn2.microsoft.com/en-us/library/ms738520.aspx
PfCreateInterface, references other filtering API functions
• http://msdn2.microsoft.com/en-gb/library/aa376646.aspx