RDM/2 The Russian Electronic Developer Magazine  
RDM/2 òÕÓÓËÉÊ ÜÌÅËÔÒÏÎÎÙÊ ÖÕÒÎÁÌ ÒÁÚÒÁÂÏÔÞÉËÁ  
„®¬®©Žâ । ªâ®à ¨è¨â¥ ­ ¬Ž¡à â­ ï á¢ï§ìRU/2

TCP/IP v4.1 Security - First Step

Copyright (C) 1998 by Vit Timchishin
So, TCIP 4.1 for OS/2 (to be correct MPTN 5.3) has firewall included without any documentation.
But It was found that command system of firewall is very similar to AIX firewall one. The documentation for AIX can be found at hobbes.nmsu.edu (ipfwdocs.zip).
Taking all this together you can get next steps to start the firewall:

1. Check the existence of the next lines in you config.sys:

  DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS
  DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
  DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS
  DEVICE=C:\MPTN\PROTOCOL\MD5.SYS
If you cant find them, then add them.

2. Create configuration files

%ETC%\fwsecad.cnf list of 'secure' interfaces (Firewall for OS/2 differ two types of network interfaces: secure and non-secure
Put one IP address a line. IP addresses not in file are non-secure.
%ETC%\security\fwfiltrs.cnf firewall rules list
Here is example:
deny 0.0.0.0 0.0.0.0 0 0 icmp any 0 any 0 both both inbound
This line disable incoming ICMP packets

3. To enable firewall enter:

  cfgfilt -u -i
  inetcfg -s firewall 1
You may add this lines into you \MPTN\BIN\SETUP.CMD file to run your firewall each time the computer started.

4. File fwfiltrs.cnf

File fwfiltrs.cnf consist of lines, that represent 'rules'. After getting IP packet, firewall check the file up-to-down until it will find:
  1. deny rule - packet skiped
  2. permit rule - packet processed
  3. EOF - packet skiped
Rule line consist of fields, divided with spaces:
1) Rule action.
Has the value permit or deny. Any IP packet that matches the other fields in the filter definition will either be passed or blocked depending on the value of this field.

2, 3) Source address definition
Two dotted-decimal addresses. The first is the desired address, and the second is a mask. The filter uses these fields by applying the mask to the source address of the packet (the mask is applied as a bitwise AND - the same as for IP subnet address masks). If the result of the mask operation is equal to the desired address, the source is deemed to match. For example, to match any address beginning 192.3.4.0 you would specify 192.3.4.0 255.255.255.0.

4, 5) Destination address definition
These fields are used in the same way as the source address definition to determine the allowable destination address(es) for the filter.

6) Protocol.
Defines the protocol type of the IP packet. It may have any of the following values:
any - doesn't care what the protocol is
icmp - matches ICMP requests only
udp - matches UDP packets only
tcp - matches TCP packets only
tcp/ack - matches only TCP packets that have the acknowledgment bit on
ipsp - matches only IPSP (IP security protocol, an IBM-specific protocol for the SNG secure tunnel)

Note that as SNG can only refer to protocols by names, it can only have specific rules for the previous protocols, and it will not accept rules for other protocols (for example, protocol number 89 for OSPF).

7, 8) Source port / ICMP Type
The first field specifies the type of operation, the second the desired port number (for ICMP packets it's the ICMP Type of message). The port operation field is an arithmetic operator field which can have values of: any, eq, neq, lt, gt, le or ge. The operator is applied to the desired port field, so, for example, if the two fields were gt 1023, we would only match packets with a source port number of 1024 or higher.

9, 10) Destination port / ICMP Code
This pair of fields is used in the same way as the source port fields to define which destination port(s) we want the filter to match. For ICMP packets, it refers to the ICMP Code field.
11) Adapter
This defines which adapter the packet is flowing through:
secure
non-secure
both (doesn't care which adapter its flowing through)

12) Routing
Defines whether the packet has a destination or source of the firewall, or whether the destination and source are both other machines, in which case the firewall is behaving as an IP router. Possible values are:
local (coming to or from the firewall itself)
route (going through the firewall)
both (doesn't care about the packet's routing)

13) Direction
Defines whether the packet is coming into or going out of the specified adapter. Possible values are:
inbound
outbound
both (doesn't care which way it is going)

ATTENTION! Next optional fields must be set in the form of 'name=value'. Ex:
deny 0.0.0.0 0.0.0.0 0 0 icmp eq 8 any 8 both both inbound l=yes f=only t=0

14) Log Control (l)
This packet decides if the packet should be logged or not. The default for permitted packets is no and for denied packets is yes.
no
yes

15) Fragmentation Control (f)
The possibilities are:
yes - matches header, fragments and nonfragmented packets
no - matches only nonfragmented packets
only - matches only headers and fragments.

16) Tunnel ID (T)
Identifies the tunnel through which the packet must be sent. The value 0 means do not use a tunnel. If someone have something to add: tvv@pharma.viaduk.net

---

Editor German Geboldov
Design Eugen Kuleshov (c) 1998