>Anyone out there using any of these PD software packages (kbridge or drawbridge)
>on a PC platform to use as a firewall? How effective are they? Are they
>able to do source filtering?
>I'd appreciate it if anyone could share their experience.

We've been running kbridge for a while, partly as the ends for an internal
fibre link, and more recently to apply some filtering. Compared to
drawbridge it seems kbridge only has quite basic filtering abilities,
though these are not limited to IP, with some explicit support for
AppleTalk, DECnet and Novell. From my reading of the docs it seems that
kbridge allows filtering on ethernet address, protocol (DECnet, IP, etc.),
internal IP address/mask, external address/mask, internal tcp/udp port,
external tcp/udp port, and either internal or external udp/tcp sockets > 1023. A
menu-driven program is used for configuring the executable and allows up to
ten items in each of these filter categories. Unfortunately you can't
combine the filters to allow finer control or to produce different classes
of access, such as FTP but only to a particular host. It was sufficient,
though, for our need to drop all traffic to an address range within our
subnet.

Drawbridge transparently passes all non-IP traffic, and then filters only
tcp and udp. Filters on tcp are only applied to ACK-less SYN packets, which
enables you to think in terms of connections. It uses a simple but
effective filter description language which is run through a compiler on a
UN*X host to produce a set of files read by the filter program when it
starts up on the PC. Currently, each filtering rule is based on incoming
tcp port, outgoing tcp port, source tcp port, or incoming udp port. These
conditions cannot be combined and-wise, e.g. to ALLOW packets (outgoing, to
the dns port) AND (outgoing, source from the dns port). However there is a
simple method of combining individual filtering rules: allowed services
are OR'd, then all explicitly disallowed services are removed; there is no
concept of rule ordering, which can lead to subtle problems as described in
the Packet Filtering paper. While filter rules can be specified for hosts
and network ranges, the 'default' filter is applied to all other addresses.
There are also 'reject' and 'allow' clauses that allow an address and mask to
specifically reject traffic from a particular source network, and
conversely to allow specified services from a particular source network
that is otherwise prohibited by other filters.

Drawbridge certainly *seems* sufficient for our needs, but I'll leave
it to better-qualified people to pass informed comment.

PS: Release 1.0 of drawbridge had a few bugs such that some filters weren't
being correctly applied.

cheers,
Danny Thomas

Some other points of interest:

kbridge-1.31 (latest is 1.4, with a commercial version funding further development)
0) nisca.acs.ohio-state.edu /pub/kbridge
1) will run on a floppy-based 286 system
2) claims about twice the performance of PCBRIDGE, i.e. >10000 pps on a 16MHz 286
3) doesn't come with source code
4) clicks the speaker for every packet forwarded (can be reassuring)
5) has SNMP capability
6) doesn't support spanning-tree
7) doesn't allow logging of filtered packets
8) 'exercises' the floppy by turning the floppy motor on every hour

drawbridge-1.1
0) net.tamu.edu /pub/security/TAMU (***NB HOST CHANGE***)
1) docs claim 1M RAM with 5M disk space needed, 33MHz 486 preferred (I don't
   know whether 386 code is used). I think disk space above that for the
   initial 4 files (ca. 200K) is only needed when the filter manager is
   used to control the bridge. If you're willing to load the files directly
   onto the disk it seems a floppy-based system is adequate.
2) apart from the desirability of a fast 486, no mention is made of
   performance
3) does come with source code. I've just submitted some patches so the
   filter compiler will run on machines which aren't big-endian, e.g. NetBSD
4) doesn't click the speaker for every packet forwarded
5) doesn't have SNMP capability
6) doesn't support spanning-tree
7) doesn't allow logging of filtered packets
8) doesn't 'exercise' the floppy (?)
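
The rule-combination behaviour the post describes for drawbridge (tcp examined only on ACK-less SYNs, non-IP bridged untouched, allowed services OR'd and then explicit rejects removed, no rule ordering, host/network classes with a 'default' for everything else) modelled as an added Python example. This is not drawbridge's own code or filter language, and the addresses, the service-key tuples, the "reject beats allow" tie-break and the longest-prefix class matching are constructed assumptions of this model. It also carries an ordered first-match evaluator for contrast, to show why the absence of ordering changes what a given rule set means.

```python
"""Toy model of the filter semantics the post attributes to drawbridge.

Constructed illustration only, not drawbridge's own code or rule syntax:
  - only tcp and udp are filtered; everything else is bridged untouched
  - tcp is examined only on ACK-less SYN segments (connection set-up)
  - a rule names one service: incoming port, outgoing port or source tcp port
  - rules in a class are unordered: allows are OR'd, explicit rejects removed
  - host/network classes are consulted before the 'default' class
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")      # constructed: the subnet behind the bridge


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp", or e.g. "appletalk"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass
class FilterClass:
    """Unordered rule set; a reject always wins over an allow for the same service."""
    allow: set = field(default_factory=set)
    reject: set = field(default_factory=set)


@dataclass
class Policy:
    default: FilterClass
    classes: dict = field(default_factory=dict)    # "net/prefix" -> FilterClass

    def lookup(self, outside):
        """Most specific host/network class containing the outside address, else
        the default class (longest-prefix matching is an assumption of this model)."""
        best = None
        for text, fc in self.classes.items():
            net = ip_network(text)
            if outside in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, fc)
        return best[1] if best else self.default


def services_of(pkt):
    """Return (outside address, service keys) for a packet. A key is one condition
    a rule can name: ("in", proto, dport) for traffic entering INSIDE, ("out",
    proto, dport) for traffic leaving it, plus ("src", "tcp", sport) for tcp."""
    if ip_address(pkt.dst) in INSIDE:
        outside, keys = ip_address(pkt.src), [("in", pkt.proto, pkt.dport)]
    else:
        outside, keys = ip_address(pkt.dst), [("out", pkt.proto, pkt.dport)]
    if pkt.proto == "tcp":
        keys.append(("src", "tcp", pkt.sport))
    return outside, keys


def decide(policy, pkt):
    """'pass' or 'drop' for one packet under the unordered semantics."""
    if pkt.proto not in ("tcp", "udp"):
        return "pass"                                  # non-IP etc. bridged as-is
    if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
        return "pass"                                  # only ACK-less SYNs are examined
    outside, keys = services_of(pkt)
    fc = policy.lookup(outside)
    if any(k in fc.reject for k in keys):
        return "drop"                                  # an explicit reject removes the service
    return "pass" if any(k in fc.allow for k in keys) else "drop"


def first_match(rules, pkt):
    """Ordered first-match semantics, for contrast: the first rule naming one of the
    packet's services decides, so swapping two rules can flip the result."""
    _, keys = services_of(pkt)
    for action, service in rules:
        if service in keys:
            return action
    return "drop"


# Constructed policy: smtp both ways, outbound www and dns, inbound dns for everyone;
# inbound ftp is rejected in the default class but allowed from a partner network.
POLICY = Policy(
    default=FilterClass(
        allow={("in", "tcp", 25), ("out", "tcp", 25), ("out", "tcp", 80),
               ("out", "udp", 53), ("in", "udp", 53), ("in", "tcp", 21)},
        reject={("in", "tcp", 21)},        # wins over the allow above, whatever the order
    ),
    classes={"198.51.100.0/24": FilterClass(allow={("in", "tcp", 21)})},
)
```

With this policy `decide(POLICY, Packet("203.0.113.5", "192.0.2.10", proto="tcp", dport=21, syn=True))` drops the SYN even though the same class lists an allow for port 21, while the same SYN from 198.51.100.7 passes through the partner class; a SYN+ACK to port 21 is never examined at all. The `first_match` evaluator, fed the allow and reject for port 21 in the two possible orders, returns a different answer each time, which is exactly the ordering dependence the unordered scheme avoids (and the reason a rule set written with ordering in mind can behave unexpectedly under it).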