Firewalls: IP Packet Filter for SunOS 4.1.x

Firewalls
(February 1995)

Indexed By Thread: [Previous] [Next]

Subject:	IP Packet Filter for SunOS 4.1.x
From:	Darren Reed <avalon @ coombs . anu . edu . au>
Date:	Thu, 9 Feb 1995 01:51:25 +1100 (EDT)
To:	firewalls @ greatcircle . com

If you're running SunOS 4.1.1 through to 4.1.3_U1, need packet filtering
and don't have a router spare, then this might be what you're looking for.
I haven't yet tested it on SunOS 4.1.4, but this is on my list of thins to
do before semester starts.

The most recent version of a packet filter I've written for SunOS 4.1 is now
available from coombs.anu.edu.au:/pub/net/kernel/ip_fil2.4.tar.Z.  With
help from Mark Huber, I think I've pretty much ironed out all the bugs which
were annoying me at the time of the last announcement (that being the logging
wasn't 100%).

Why would you be interested in this ?

If you have a multihomed Sun server/workstation (2 or more ethernet
interfaces) which performs routing and wonder how you are meant to stop the
problem with IP headers being forged with no router to help you, then this
package will allow you to setup packet filters for each interface, much
like those which can be setup in Ciscos and others.  Packets going in, or
out can be filtered.  They can just be logged, blocked or passed.  You can
filter on any combination of TCP flags, the various ICMP types as well as
the standard variations on IP# source-destination pairs (with variable
netmasks) and source-destination ports for TCP and UDP.  Packets with non-
standard IP header lengths (such as those with source routing information
inside) can be selectived apart from standard packets.  There is no need
to worry about fragments as only complete IP packets are examined.

Even if your workstation isn't multihomed, you may wish to use this packet
filter in conjunction with PPP or SLIP (if it works as a server for one of
these protocols).  Or you may wish to use it on a standalone workstation,
to isolate yourself from "bad hosts" or networks.

This package contains no object files, only source code.  You will need to
compile and install a custom kernel (with loadable kernel modules enabled)
to take advantage of this package.

If you find any bugs or would like to make a suggestion regarding this
package, please do not hesitate to email me.  I'd like to ensure that
this product reaches a fairly high standard quickly, if possible.

Cheers,
Darren

Indexed By Date	Previous:	IP spoofing From: David Miller <isdmill @ gatekeeper . ddp . state . me . us>
Indexed By Date	Next:	Web proxy From: Gresley-Jones_Ian/Internet_admin @ nwwl . co . uk
Indexed By Thread	Previous:	Re: IP spoofing From: Brent @ GreatCircle . COM (Brent Chapman)
Indexed By Thread	Next:	Web proxy From: Gresley-Jones_Ian/Internet_admin @ nwwl . co . uk