110 likes | 195 Views
Brad Baker CS591 Spring 2007 Term project. Modification of Pktfilter tool. The Pktfilter tool. Open source project listed on sourceforge ( http://sourceforge.net/projects/pktfilter/ ) Developed by Jean-Baptiste Marchand, project inactive since February 2003
E N D
Brad Baker CS591 Spring 2007 Term project Modification of Pktfilter tool Pktfilter modification - Brad Baker
The Pktfilter tool • Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/) • Developed by Jean-Baptiste Marchand, project inactive since February 2003 • Uses the Win32 filtering API (Windows 2000 packet filtering) • Runs as a service, configures filtering API on start • Provides command line utility Pktfilter modification - Brad Baker
Pktfilter basics • Filtering is controlled through a rules file • Rules define a default action, then exceptions • For example, block everything then pass each allowed connection • Rule mixing isn't allowed, you can't block a connection after you have created a pass exception • Example of rule setup: • block in on eth0 all • block out on eth0 all • pass out on eth0 proto tcp from any to 128.198.1.212 port = 80 • pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100 • Rules require numeric IP addresses • Rules can specify ports and ranges, protocols, and use the “any” keyword. Pktfilter modification - Brad Baker
Pktfiler Usage • Installation is a manual process • Copy the Pktfilter folder to program files or the desired directory • From command prompt, run “pktfltsrv.exe -i” followed by the path to three files • Rules file, log file, DNS log file • This command installs as service • Configure service to run automatically • Configure the rules file as desired • Restrict access to the rules file Pktfilter modification - Brad Baker
My project goals • In order of priority: • Research why the tool doesn't work on Windows Vista and Windows XP x64 version • Research and include rule mixing • For example, after creating an exception for HTTP we would like to block a specific website • Research and fix the logging problem • Research and implement performing DNS IP resolution from the rules file • Research and implement localhost IP resolution Pktfilter modification - Brad Baker
Goal #1 – Windows Vista & x64 • Windows Vista doesn't include this API • The “Windows Filtering Platform” replaces the packet filtering API • WFP is a much more robust filtering solution • WFP allows application based filtering, boot time filtering, and packet inspection • Moving Pktfilter to x64 just requires building with the correct platform • Conclusion: Save WFP for future, x64 was success Pktfilter modification - Brad Baker
Goals #2/#3 – Mixing & Logging • Mixing is not possible based on the design of the underlying API • The filtering engine is specifically designed to provide only the default and exception actions • Logging works with a fresh Windows XP installation • Changes to iphlpapi.dll in Service Pack 1 broke the logging function • Conclusion: Mixing and logging aren't possible due to larger system issues Pktfilter modification - Brad Baker
Goals #4/#5 – IP resolution • Modified program to use brackets for DNS lookup “[www.uccs.edu]” • Modified program to use “me” keyword for localhost lookup • Looked at several DNS query methods • First used: DnsQuery_A() in <Windns.h> • Then used: gethostbyname() in <winsock2.h> • Finally: getaddrinfo() in <winsock2.h> • Tool Produces a log file to document translation Pktfilter modification - Brad Baker
Example of IP resolution • Log file output: ----------------------------------------------------- Begin rule file parsing, GMT: 2007-05-06 04:43:25 > local 'me' symbol resolved : ( 192.168.1.100 : artos ) > Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org ) > Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org ) > Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com ) > Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com ) > Remote DNS lookup FAILED : ( - : test.my.blah ) > Remote DNS lookup FAILED : ( - : test.my.blah ) > Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo) > Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo) > Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu ) > Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu ) > Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com ) > Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com ) END, GMT: 2007-05-06 04:43:30 • Corresponding input configuration: # input rules rule 1: pass in on eth0proto udp from any port = 53 to any rule 2: pass in on eth0proto tcp from 66.35.250.150 port = 80 to 192.168.1.100 rule 3: pass in on eth0proto tcp from 209.131.36.158 port = 80 to 192.168.1.100 rule 4: pass in on eth0proto tcp from 127.0.0.1 port = 80 to 192.168.1.100 rule 5: pass in on eth0proto tcp from 127.0.0.1 port = 80 to 192.168.1.100 rule 6: pass in on eth0proto tcp from 128.198.1.212 port = 80 to 192.168.1.100 rule 7: pass in on eth0proto tcp from 72.14.253.104 port = 80 to 192.168.1.100 rule 8: pass in on eth0proto udp from any port = 67 to any port = 68 Pktfilter modification - Brad Baker
Summary • The tool will remain effective until Windows Vista is a common platform • Several goals were not met, however the IP resolution will provide a benefit • Protected the application from long URLs and blank URLs • The rules file won't compromise the filtering configuration • Future enhancements can involve port information, fixing DNS timeout, etc • Security concerns with relying on DNS query • For example, the current Windows DNS server bug Pktfilter modification - Brad Baker
References • Original Pktfilter project source • http://sourceforge.net/projects/pktfilter/ • Information about filtering API • http://www.ndis.com/papers/winpktfilter.htm • http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf • WFP summaries • http://www.microsoft.com/whdc/device/network/WFP.mspx • http://msdn2.microsoft.com/en-us/library/aa363967.aspx • DNS lookup information • http://msdn2.microsoft.com/en-us/library/ms738524.aspx • http://msdn2.microsoft.com/en-us/library/ms738520.aspx • PfCreateInterface, references other filtering API functions • http://msdn2.microsoft.com/en-gb/library/aa376646.aspx Pktfilter modification - Brad Baker