The Russian Electronic Developer Magazine
TCP/IP v4.1 Security - First Step
Copyright (C) 1998 by Vit Timchishin
TCP/IP 4.1 for OS/2 (to be precise, MPTN 5.3) ships with a firewall that has no
documentation at all.
It turned out, however, that the firewall's command set is very similar to that
of the AIX firewall, whose documentation can be found at hobbes.nmsu.edu
(ipfwdocs.zip).
Taking all this together, the steps to get the firewall running are:
1. Check that the following lines are present in your config.sys:
DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS
DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS
DEVICE=C:\MPTN\PROTOCOL\MD5.SYS
If you can't find them, add them.
2. Create the configuration files:
%ETC%\fwsecad.cnf
List of 'secure' interfaces (the OS/2 firewall distinguishes two types of
network interface: secure and non-secure).
Put one IP address per line. IP addresses not listed in the file are non-secure.
%ETC%\security\fwfiltrs.cnf
The firewall rules list. Here is an example:
deny 0.0.0.0 0.0.0.0 0 0 icmp any 0 any 0 both both inbound
This line blocks incoming ICMP packets.
3. To enable the firewall, enter:
cfgfilt -u -i
inetcfg -s firewall 1
You may add these lines to your \MPTN\BIN\SETUP.CMD file so that the firewall is
started each time the computer boots.
4. The file fwfiltrs.cnf
fwfiltrs.cnf consists of lines, each representing a 'rule'. After receiving an
IP packet, the firewall checks the file from top to bottom until it finds:
- a deny rule - the packet is dropped
- a permit rule - the packet is processed
- EOF - the packet is dropped
A rule line consists of fields separated by spaces:
- 1) Rule action.
- Has the value permit or deny. Any IP packet that
matches the other fields in the filter definition will either be passed
or blocked depending on the value of this field.
- 2, 3) Source address definition
- Two dotted-decimal addresses. The first is the
desired address, and the second is a mask. The filter uses these fields
by applying the mask to the source address of the packet (the mask is
applied as a bitwise AND - the same as for IP subnet address masks).
If the result of the mask operation is equal to the desired address,
the source is deemed to match. For example, to match any address beginning
192.3.4.0 you would specify 192.3.4.0 255.255.255.0.
- 4, 5) Destination address definition
- These fields are used in the same way as the source address definition to
determine the allowable destination address(es) for the filter.
- 6) Protocol.
- Defines the protocol type of the IP packet. It may have any of the
following values:
any - doesn't care what the protocol is
icmp - matches ICMP requests only
udp - matches UDP packets only
tcp - matches TCP packets only
tcp/ack - matches only TCP packets that have the acknowledgment bit on
ipsp - matches only IPSP (IP security protocol, an IBM-specific protocol
for the SNG secure tunnel)
Note that as SNG can only refer to protocols by names, it can only have
specific rules for the previous protocols, and it will not accept rules
for other protocols (for example, protocol number 89 for OSPF).
- 7, 8) Source port / ICMP Type
- The first field specifies the type of operation,
the second the desired port number (for ICMP packets it's the ICMP Type
of message). The port operation field is an arithmetic operator field
which can have values of: any, eq, neq, lt, gt, le or ge. The operator
is applied to the desired port field, so, for example, if the two fields
were gt 1023, we would only match packets with a source port number
of 1024 or higher.
- 9, 10) Destination port / ICMP Code
- This pair of fields is used in the same way as
the source port fields to define which destination port(s) we want the
filter to match. For ICMP packets, it refers to the ICMP Code field.
- 11) Adapter
- This defines which adapter the packet is flowing through:
secure
non-secure
both (doesn't care which adapter it's flowing through)
- 12) Routing
- Defines whether the packet has a destination
or source of the firewall, or whether the destination and source are
both other machines, in which case the firewall is behaving as an IP
router. Possible values are:
local (coming to or from the firewall itself)
route (going through the firewall)
both (doesn't care about the packet's routing)
- 13) Direction
- Defines whether the packet is coming into or going out of the specified adapter.
Possible values are:
inbound
outbound
both (doesn't care which way it is going)
ATTENTION! The following optional fields must be given in the form
'name=value'. Example:
deny 0.0.0.0 0.0.0.0 0 0 icmp eq 8 any 8 both both inbound l=yes f=only t=0
- 14) Log Control (l)
- This field decides whether the packet should be logged
or not. The default for permitted packets is no and for denied packets
is yes.
no
yes
- 15) Fragmentation Control (f)
- The possibilities are:
yes - matches header, fragments and nonfragmented packets
no - matches only nonfragmented packets
only - matches only headers and fragments.
- 16) Tunnel ID (T)
- Identifies the tunnel through which the packet
must be sent. The value 0 means do not use a tunnel.
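The rule semantics of section 4 and the two configuration files from step 2, worked through as an added example (this is not IBM's firewall code and not part of the original article): a small Python evaluator that parses fwfiltrs.cnf-style rule lines, decides secure/non-secure from a fwsecad.cnf-style list of interface addresses, and walks the rules top-down with deny at EOF. The rule set, the interface list and the packets are constructed. Treating a rule with no f= option as f=yes, logging the implicit EOF deny, and skipping blank and '#' lines in the loader are this example's own assumptions, not behaviour the article documents.

```python
# Constructed evaluator for fwfiltrs.cnf-style rules (added example, not IBM's firewall code).
from collections import namedtuple
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

PROTOCOLS = {"any", "icmp", "udp", "tcp", "tcp/ack", "ipsp"}   # names only, no numbers
PORT_OPS = {"any", "eq", "neq", "lt", "gt", "le", "ge"}
Rule = namedtuple("Rule", "action src src_mask dst dst_mask proto src_op src_port "
                          "dst_op dst_port adapter routing direction options")

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str          # icmp, udp, tcp or ipsp
    sport: int          # source port, or ICMP Type for icmp
    dport: int          # destination port, or ICMP Code for icmp
    iface: str          # address of the adapter the packet traverses
    routing: str        # local or route
    direction: str      # inbound or outbound
    ack: bool = False   # TCP ACK bit, consulted by tcp/ack
    frag: str = "none"  # none, header (first fragment) or fragment

def ip_to_int(text: str) -> int:
    """Dotted-decimal to int; a bare '0' (as in the article's example rule) means 0.0.0.0."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) == 1:
        return parts[0]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad address {text!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def parse_rule(line: str) -> Rule:
    """Parse the 13 positional fields plus the optional name=value fields (l, f, t)."""
    f = line.split()
    if len(f) < 13:
        raise ValueError(f"rule needs 13 fields: {line!r}")
    if f[0] not in ("permit", "deny") or f[5] not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol (e.g. '89' for OSPF is rejected): {line!r}")
    if f[6] not in PORT_OPS or f[8] not in PORT_OPS:
        raise ValueError(f"bad port operator: {line!r}")
    options: Dict[str, str] = {}
    for tok in f[13:]:
        name, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"optional field must be name=value: {tok!r}")
        options[name] = value
    return Rule(f[0], ip_to_int(f[1]), ip_to_int(f[2]), ip_to_int(f[3]), ip_to_int(f[4]),
                f[5], f[6], int(f[7]), f[8], int(f[9]), f[10], f[11], f[12], options)

def addr_match(addr: str, want: int, mask: int) -> bool:
    """Bitwise-AND the mask onto the packet address and compare with the desired address."""
    return (ip_to_int(addr) & mask) == want

def port_match(op: str, want: int, value: int) -> bool:
    """Operator applied to the desired port: 'gt 1023' matches 1024 and higher."""
    return {"any": True, "eq": value == want, "neq": value != want, "lt": value < want,
            "gt": value > want, "le": value <= want, "ge": value >= want}[op]

def rule_matches(rule: Rule, pkt: Packet, secure: Set[str]) -> bool:
    adapter = "secure" if pkt.iface in secure else "non-secure"   # decided by fwsecad.cnf
    proto_ok = (rule.proto == "any" or rule.proto == pkt.proto
                or (rule.proto == "tcp/ack" and pkt.proto == "tcp" and pkt.ack))
    frag_ok = {"yes": True, "no": pkt.frag == "none", "only": pkt.frag != "none"}[
        rule.options.get("f", "yes")]   # assumption: a rule without f= matches like f=yes
    return (proto_ok and frag_ok
            and addr_match(pkt.src, rule.src, rule.src_mask)
            and addr_match(pkt.dst, rule.dst, rule.dst_mask)
            and port_match(rule.src_op, rule.src_port, pkt.sport)
            and port_match(rule.dst_op, rule.dst_port, pkt.dport)
            and rule.adapter in ("both", adapter)
            and rule.routing in ("both", pkt.routing)
            and rule.direction in ("both", pkt.direction))

def evaluate(rules: List[Rule], pkt: Packet, secure: Set[str]) -> Tuple[str, Optional[int], bool]:
    """First match top-down decides; reaching EOF means deny. Returns (action, rule index, logged)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt, secure):
            default_log = "yes" if rule.action == "deny" else "no"   # article's defaults
            return rule.action, i, rule.options.get("l", default_log) == "yes"
    return "deny", None, True   # assumption: the implicit EOF deny is logged like any other deny

def load(text: str) -> List[str]:
    # Skipping blank lines and '#' comments is this example's convention, not a documented one.
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

# Constructed sample files: 192.3.4.1 is the LAN (secure) adapter, 203.0.113.1 the outside one.
SECURE = set(load("192.3.4.1\n"))
RULES = [parse_rule(ln) for ln in load("""
permit 192.3.4.0 255.255.255.0 0 0 tcp gt 1023 eq 80 secure local inbound
deny 0.0.0.0 0.0.0.0 0 0 icmp eq 8 any 0 non-secure both inbound l=yes f=yes t=0
permit 0.0.0.0 0.0.0.0 0 0 icmp any 0 any 0 both both both
permit 0.0.0.0 0.0.0.0 0 0 tcp/ack any 0 any 0 non-secure local inbound l=no
""")]
OUT = "203.0.113.1"
SAMPLE_PACKETS = {   # constructed traffic to run through RULES
    "web_from_lan": Packet("192.3.4.10", "192.3.4.1", "tcp", 2048, 80, "192.3.4.1", "local", "inbound"),
    "ping_from_outside": Packet("10.0.0.5", OUT, "icmp", 8, 0, OUT, "local", "inbound"),
    "ping_reply_from_outside": Packet("10.0.0.5", OUT, "icmp", 0, 0, OUT, "local", "inbound"),
    "syn_from_outside": Packet("10.0.0.5", OUT, "tcp", 40000, 25, OUT, "local", "inbound"),
    "ack_from_outside": Packet("10.0.0.5", OUT, "tcp", 40000, 25, OUT, "local", "inbound", ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, evaluate(RULES, pkt, SECURE))
```

Running it shows why rule order matters: the echo-request deny on the non-secure adapter has to sit above the general ICMP permit, or the permit would be hit first. The last rule shows the tcp/ack idiom from the protocol field: a new connection from outside (SYN without ACK) falls through to EOF and is dropped, while a packet with the ACK bit set is let through, and because that rule carries l=no it is not logged.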
If someone has something to add: tvv@pharma.viaduk.net