Several people asked about my PPP firewall software that fits
inside the dp-2.3 DialupPPP module.
FTP it from
ftp.yak.net (140.174.114.1) /pub/infilt/infilt-0.5.tar.gz
and here's my announcement to the dplist. (For more info about
dp-2.3, look in ftp://www.yak.net/pub/faq/ppp-faq/part5 )
strick
==================================================================
>From strick@nando.yak.net Thu Sep 1 01:45:55 1994
Message-Id: <199409010842.BAA00433@nando.yak.net>
To: dplist@phoenix.acn.purdue.edu
cc: strick@yak.net
Subject: infilt-0.5 : firewall-style filtering for dp-2.3
Date: Thu, 01 Sep 1994 01:42:32 -0700
From: strick <strick@nando.yak.net>

ANNOUNCING FIREWALL-STYLE PACKET FILTERING FOR dp-2.3 -- infilt-0.5

Enclosed is a package named "infilt-0.5" that is a patch to DialupPPP
dp-2.3. (It may also work on other SunOS/BSD streams-based
PPP drivers.)

This package implements firewall-style filtering on packets coming
into a host over a PPP connection.

Please give me feedback if you attempt to use this package;
let me know of both success and failure. I'm particularly
interested in what platforms and drivers it works with.

This is the first release, named version "0.5", and you should
consider it alpha quality. I have been using it for several
weeks now, while developing it.

strick@yak.net
Henry Strickland
strick@netcom.com
------------------------------------------------------------------------
------------------------------------------------------------------------
Here is an excerpt from "infilt.doc". The package itself is small,
so it is enclosed at the end, gzip'ed and uuencoded.
------------------------------------------------------------------------
FIREWALL-STYLE FILTERING FOR INPUT PPP PACKETS
This package provides simple firewall-style packet filtering.
It is designed for a local network that is connected to the big
internet through a single PPP link. It runs inside the
operating system kernel on the "local host", the machine
in the local network that has the PPP interface to the
big internet:
 -----------------               ---------------------
                 |               |                   |
                 |  (filtered)   |       local       |
  the            |  incoming->   |                   |
                 |           --------    network     |
  big <======PPP=link========> local|                |
                 |           | host |                |
  internet       |<-outgoing --------                |
                 | (undisturbed) |                   |
                 |               |                   |
 -----------------               ---------------------

The package looks at packets coming into the local network
through this PPP link ("incoming packets"), and it quietly drops
packets that it deems to be evil, using some simple criteria.
Packets leaving the local network through the PPP link
("outgoing packets") are unaffected and are never dropped.

FIVE ACTIONS

The infilt package may be configured to do any or all of
five different things to incoming packets:

1. Drop selected TCP packets, based on destination port.
2. Drop selected UDP packets, based on destination port.
3. Drop selected ICMP packets, based on icmp_type.
4. Drop packets containing IP header options.
5. Write zeros over IP header options, rendering them impotent.
------------------------------------------------------------------------
------------------------------------------------------------------------
To ftp the package:
ftp.yak.net (140.174.114.1) /pub/infilt/infilt-0.5.tar.gz
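
The five actions listed in the infilt.doc excerpt, applied to one raw IPv4 packet, as an added example in C that is not infilt's own code. The names struct policy and filter_incoming, dropping malformed headers, and recomputing the header checksum after zeroing options are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { PASS, DROP };
/* Hypothetical policy layout; the page does not show infilt's configuration. */
struct policy {
    const uint16_t *tcp_ports; size_t n_tcp;   /* action 1: TCP dest ports to drop */
    const uint16_t *udp_ports; size_t n_udp;   /* action 2: UDP dest ports to drop */
    const uint8_t *icmp_types; size_t n_icmp;  /* action 3: icmp_type values to drop */
    int drop_options, zero_options;            /* actions 4 and 5 */
};

/* Standard Internet checksum over the IP header (its length is always even). */
static uint16_t ip_cksum(const uint8_t *h, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += ((uint32_t)h[i] << 8) | h[i + 1];
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

static int port_listed(const uint16_t *v, size_t n, uint16_t p) {
    for (size_t i = 0; i < n; i++) if (v[i] == p) return 1;
    return 0;
}

/* Verdict for one incoming IPv4 packet; may rewrite the header in place (action 5). */
enum verdict filter_incoming(uint8_t *pkt, size_t len, const struct policy *pol) {
    size_t hl = len ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    /* Assumption of this example: malformed headers are dropped (fail closed). */
    if (len < 20 || (pkt[0] >> 4) != 4 || hl < 20 || hl > len) return DROP;
    if (hl > 20) {                              /* header carries options */
        if (pol->drop_options) return DROP;
        if (pol->zero_options) {
            memset(pkt + 20, 0, hl - 20);       /* 0 = End of Option List */
            pkt[10] = pkt[11] = 0;              /* header changed: redo checksum */
            uint16_t c = ip_cksum(pkt, hl);
            pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
        }
    }
    /* Ports and icmp_type exist only in the first fragment; later ones pass. */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return PASS;
    const uint8_t *l4 = pkt + hl; size_t n = len - hl;
    uint16_t dport = n >= 4 ? (uint16_t)((l4[2] << 8) | l4[3]) : 0;
    if (pkt[9] == 6 && n >= 4) return port_listed(pol->tcp_ports, pol->n_tcp, dport) ? DROP : PASS;
    if (pkt[9] == 17 && n >= 4) return port_listed(pol->udp_ports, pol->n_udp, dport) ? DROP : PASS;
    if (pkt[9] == 1 && n >= 1 && pol->n_icmp && memchr(pol->icmp_types, l4[0], pol->n_icmp)) return DROP;
    return PASS;
}
```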