Great Circle Associates Firewalls
(March 1996)

Subject: Re: IHL field in IP packet header
From: David Bonn <david @ klawatti . mazama . com>
Date: Thu, 21 Mar 1996 10:00:30 -0800
To: firewalls @ greatcircle . com

Chris Kostick <ckostick @ ashton . csc . com> writes:

>The short answer is, yes it's valid. The question is, do you want to do it
>or not?

>It's okay to reject if you have determined that no IP packets containing
>options will be permitted. Otherwise, that's not a good determining
>factor. The real solution is to filter on header offsets from the TCP
>Header and not IP.

You just need to be a little careful on bounds checking.  Sending
short packets is a good way to confuse things (see RFC 1858).  I think
it is a win to check for short packets early on and also bounds-check
before checking transport-specific fields.

>A question to the group -- are there any firewalls / routers / 'anything
>else that filters' that will allow you to choose offsets from the transport
>header rather than the IP header?

I'm touting my own product here, but that's as good a straight line as
I'll ever get.  :)

Mazama Packet Filter can filter transport fields in a straightforward
fashion.  It uses C-style expressions and control flow (if and case
statements, but no loops!); variables are bound to useful things like
protocol names, well-known service names, and hostnames in /etc/hosts.
It is a win because script-style filter rules are much easier to
understand and verify than table-driven rules.  So sample code like
the following (which allows SMTP from and to a specific host, and
telnet and ftp [data connections excluded for clarity] from anyplace):

    if (protocol == tcp && length >= ihl + 14) {
        if (!(syn && !ack)) {
            # allow everything but start-of-connection packets
            allow
        } else { # syn && !ack
            switch (dest_port) {
            case smtp/tcp:
                if (source == mailhost || dest == mailhost) {
                    allow
                }

                log(warning)
                deny

            case telnet/tcp:
            case ftp/tcp:
                log(info)
                allow

            default:
                log(warning)
                deny
            }
        }
    } else if (protocol == tcp) {
        # hold on, short packet!
        log(warning)
        deny
    }

I know there is a lot missing in this example from a "real" set of
filter rules, but this is enough to give folks an idea.  In a
realistic case, there is always a big fat "deny" at the bottom of the
script, spoof checking at the top of the script, and usually a gnarly
nested switch statement (network interface, protocol, and service) in
the middle.

David Bonn
david @ mazama . com
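As an added illustration of the order this message argues for (reject short packets first, bounds-check against the IHL, and only then read TCP fields), here is a small Python filter applying the same SMTP/telnet/ftp policy to raw IPv4 packets. It is example code, not Mazama Packet Filter or anything from the original post; the mail relay address 192.0.2.25 and the packet builder are constructed for the demonstration.

```python
import struct
from ipaddress import ip_address

TCP = 6
MAILHOST = "192.0.2.25"   # assumed mail relay (constructed for this example)


def evaluate(packet: bytes):
    """Return (verdict, log_level) for one raw IPv4 packet.

    Mirrors the script in the message: the IP header length (IHL) is
    honoured, and no transport field is touched unless the packet is
    long enough to contain it (RFC 1858 tiny fragments are rejected).
    """
    if len(packet) < 20:                      # not even a full IP header
        return "deny", "warning"
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes, options included
    proto = packet[9]
    src, dst = str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))
    if proto != TCP:
        return "deny", None                   # this example only has TCP rules
    if len(packet) < ihl + 14:                # hold on, short packet! (need dest_port and flags)
        return "deny", "warning"
    tcp = packet[ihl:]
    dest_port = struct.unpack("!H", tcp[2:4])[0]
    syn, ack = bool(tcp[13] & 0x02), bool(tcp[13] & 0x10)
    if not (syn and not ack):                 # allow everything but start-of-connection packets
        return "allow", None
    if dest_port == 25:                       # smtp/tcp
        if src == MAILHOST or dst == MAILHOST:
            return "allow", None
        return "deny", "warning"
    if dest_port in (23, 21):                 # telnet/tcp, ftp/tcp
        return "allow", "info"
    return "deny", "warning"                  # default


def build_packet(src, dst, dport, flags, ihl_words=5, truncate_to=None):
    """Construct a minimal IPv4+TCP packet for testing (not captured traffic)."""
    ip_len = ihl_words * 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ip_len + len(tcp_hdr),
                         0, 0, 64, TCP, 0, ip_address(src).packed, ip_address(dst).packed)
    ip_hdr += b"\x00" * (ip_len - 20)         # fill any option space with End-of-Options bytes
    pkt = ip_hdr + tcp_hdr
    return pkt if truncate_to is None else pkt[:truncate_to]
```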

