Brad Baker CS591 Spring 2007 Term project 06/23/22 1 Pktfilter modification - Brad Baker




Page 1

Pktfilter modification - Brad Baker

Brad Baker, CS591 Spring 2007

Term project

Page 2

Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)

Developed by Jean-Baptiste Marchand, project inactive since February 2003

Uses the Win32 filtering API (Windows 2000 packet filtering)

Runs as a service, configures filtering API on start

Provides command line utility


Page 3

Filtering is controlled through a rules file

Rules define a default action, then exceptions

• For example, block everything then pass each allowed connection

• Rule mixing isn't allowed, you can't block a connection after you have created a pass exception

Example of rule setup:
• block in on eth0 all
• block out on eth0 all
• pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
• pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100

Rules require numeric IP addresses

Rules can specify ports and ranges, protocols, and use the "any" keyword.
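The rule grammar above, parsed and order-checked in Python. This is an added example, not code from the Pktfilter project: the two rule shapes and the "default, then exceptions" constraint come from the slide, while the sample rules file, the function names and the decision to reject a rule that repeats the default action as mixing are assumptions made here. Port ranges are mentioned on the slide but their syntax is not shown, so only `port = N` is accepted.

```python
"""Parse Pktfilter-style rule lines and check the default-then-exceptions order.

Added example, not code from the Pktfilter project. Accepted shapes:

    <action> <dir> on <iface> all
    <action> <dir> on <iface> proto <tcp|udp> from <addr> [port = N] to <addr> [port = N]

with <action> block|pass, <dir> in|out and <addr> a dotted IPv4 address or
"any". Port ranges are not handled (syntax not shown on the slide).
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+)\s+"
    r"(?:(?P<all>all)|proto\s+(?P<proto>tcp|udp)\s+"
    r"from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)\s*$"
)


def _addr(tok):
    """Rules require numeric addresses or the keyword 'any'; names are rejected."""
    if tok == "any":
        return "any"
    return str(ipaddress.IPv4Address(tok))  # raises ValueError on names or junk


def _port(tok):
    if tok is None:
        return None
    port = int(tok)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %s" % tok)
    return port


def parse_rule(line):
    """Return a dict describing one rule line, or raise ValueError."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    d = m.groupdict()
    rule = {"action": d["action"], "dir": d["dir"], "iface": d["iface"]}
    if d["all"]:
        rule["all"] = True
    else:
        rule.update(all=False, proto=d["proto"],
                    src=_addr(d["src"]), sport=_port(d["sport"]),
                    dst=_addr(d["dst"]), dport=_port(d["dport"]))
    return rule


def check_rules(lines):
    """Parse a rules file and enforce 'default first, then exceptions'.

    Returns (rules, errors). The 'all' rule for an (iface, direction) pair
    sets the default; every later rule for that pair must carry the opposite
    action. A rule repeating the default action (a block rule under
    'block ... all', i.e. blocking after pass exceptions exist) is the rule
    mixing the slide says cannot be expressed, so it is reported and left out.
    """
    rules, errors, defaults = [], [], {}
    for n, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()   # drop '#' comments and blanks
        if not text:
            continue
        try:
            r = parse_rule(text)
        except ValueError as e:
            errors.append("line %d: %s" % (n, e))
            continue
        key = (r["iface"], r["dir"])
        problem = None
        if r["all"]:
            if key in defaults:
                problem = "second default for %s %s" % key
            defaults[key] = r["action"]
        elif key not in defaults:
            problem = "exception before a default for %s %s" % key
        elif r["action"] == defaults[key]:
            problem = "rule mixing: %s rule under a %s default" % (r["action"], defaults[key])
        if problem:
            errors.append("line %d: %s" % (n, problem))
        else:
            rules.append(r)
    return rules, errors


# Constructed sample: the slide's example plus two lines the tool would reject.
SAMPLE_RULES = """\
block in on eth0 all
block out on eth0 all
pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
# mixing: a block after pass exceptions have been created
block in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
# names are not accepted, rules need numeric addresses
pass in on eth0 proto tcp from www.uccs.edu port = 80 to any
""".splitlines()

if __name__ == "__main__":
    parsed, problems = check_rules(SAMPLE_RULES)
    for r in parsed:
        print(r)
    for p in problems:
        print("REJECTED", p)
```

Running the block prints the four accepted rules and two rejections: the block rule that follows the pass exceptions (mixing) and the rule that uses a host name instead of a numeric address.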

Page 4

Installation is a manual process

Copy the Pktfilter folder to program files or the desired directory

From command prompt, run "pktfltsrv.exe -i" followed by the path to three files
• Rules file, log file, DNS log file
• This command installs as service

Configure service to run automatically

Configure the rules file as desired
• Restrict access to the rules file

Page 5

In order of priority:
• Research why the tool doesn't work on Windows Vista and Windows XP x64 version
• Research and include rule mixing (for example, after creating an exception for HTTP we would like to block a specific website)
• Research and fix the logging problem
• Research and implement performing DNS IP resolution from the rules file
• Research and implement localhost IP resolution

Page 6

Windows Vista doesn't include this API

The "Windows Filtering Platform" (WFP) replaces the packet filtering API

WFP is a much more robust filtering solution

WFP allows application based filtering, boot time filtering, and packet inspection

Moving Pktfilter to x64 just requires building with the correct platform

Conclusion: Save WFP for future, x64 was success

Page 7

Mixing is not possible based on the design of the underlying API

The filtering engine is specifically designed to provide only the default and exception actions

Logging works with a fresh Windows XP installation

Changes to iphlpapi.dll in Service Pack 1 broke the logging function

Conclusion: Mixing and logging aren't possible due to larger system issues


Page 8

Modified program to use brackets for DNS lookup “[www.uccs.edu]”

Modified program to use “me” keyword for localhost lookup

Looked at several DNS query methods

First used: DnsQuery_A() in <Windns.h>

Then used: gethostbyname() in <winsock2.h>

Finally: getaddrinfo() in <winsock2.h>

Tool produces a log file to document the translation


Page 9

Log file output:
-----------------------------------------------------
Begin rule file parsing, GMT: 2007-05-06 04:43:25
> local 'me' symbol resolved : ( 192.168.1.100 : artos )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
END, GMT: 2007-05-06 04:43:30

Corresponding input configuration:
# input rules
rule 1: pass in on eth0 proto udp from any port = 53 to any
rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68


Page 10

The tool will remain effective until Windows Vista is a common platform

Several goals were not met, however the IP resolution will provide a benefit

Protected the application from long URLs and blank URLs
• The rules file won't compromise the filtering configuration

Future enhancements can involve port information, fixing DNS timeout, etc

Security concerns with relying on DNS query
• For example, the current Windows DNS server bug
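The "[hostname]" and "me" translation described on pages 8 to 10, written out in Python as an added example (not the modified tool's own code). The bracket syntax, the "me" keyword, the log line shapes and the addresses in the sample come from the slides; the hostname validation limits, the one-lookup-per-name cache, the decision to drop a rule whose name does not resolve, and the function names are assumptions made here. The resolver is injected so the block runs offline; the default one uses socket.getaddrinfo(), the call the project settled on.

```python
"""Pre-resolve "[hostname]" and "me" tokens in Pktfilter-style rule lines.

Added example, not code from the modified Pktfilter. The bracket syntax,
the "me" keyword and the log line shapes come from the slides; the
hostname validation and the handling of failed lookups are choices made
here. The resolver is injected so the block runs offline; the default one
uses socket.getaddrinfo(), the call the project settled on.
"""
import re
import socket
import time

TOKEN_RE = re.compile(r"\[([^\]]*)\]|\bme\b")
# RFC 1035 limits: whole name at most 253 characters, each label at most 63,
# labels made of letters, digits and hyphens. A URL ("http://...") fails this.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """Reject blank, over-long and URL-looking tokens before any lookup."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def getaddrinfo_resolver(name):
    """Real lookup: first IPv4 address for name, or None when it fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def _stamp():
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())


def resolve_rules(lines, local_ip, local_name, resolver=getaddrinfo_resolver):
    """Return (numeric_rules, log_lines).

    Every name is looked up once and cached (the slide's log shows each name
    resolved twice). A rule with a token that fails validation or lookup is
    dropped and logged, so the default action keeps applying to that traffic
    instead of a placeholder address ending up in a pass rule.
    """
    log = ["Begin rule file parsing, GMT: " + _stamp(),
           "> local 'me' symbol resolved : ( %s : %s )" % (local_ip, local_name)]
    cache, out = {}, []

    def lookup(name):
        if name not in cache:
            cache[name] = resolver(name) if valid_hostname(name) else None
            log.append("> Remote DNS lookup %s : ( %s : %s )" % (
                "resolved" if cache[name] else "FAILED", cache[name] or "-", name))
        return cache[name]

    for n, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        failed = []

        def substitute(m):
            if m.group(1) is None:          # bare "me" keyword
                return local_ip
            ip = lookup(m.group(1))
            if ip is None:
                failed.append(m.group(1))
                return m.group(0)
            return ip

        rule = TOKEN_RE.sub(substitute, text)
        if failed:
            log.append("> rule %d dropped, unresolved: %s" % (n, ", ".join(failed)))
        else:
            out.append(rule)
    log.append("END, GMT: " + _stamp())
    return out, log


# Constructed input modelled on the slide's log; addresses are the ones it shows.
SAMPLE_RULES = """\
pass in on eth0 proto udp from any port = 53 to any
pass in on eth0 proto tcp from [slashdot.org] port = 80 to me
pass in on eth0 proto tcp from [www.uccs.edu] port = 80 to me
pass in on eth0 proto tcp from [test.my.blah] port = 80 to me
pass in on eth0 proto tcp from [http://www.crh.noaa.gov/fo] port = 80 to me
pass in on eth0 proto tcp from [] port = 80 to me
pass out on eth0 proto tcp from me to [www.uccs.edu] port = 80
""".splitlines()
STUB_TABLE = {"slashdot.org": "66.35.250.150", "www.uccs.edu": "128.198.1.212"}


def stub_resolver(name):
    """Offline stand-in for getaddrinfo_resolver()."""
    return STUB_TABLE.get(name)


if __name__ == "__main__":
    rules, log = resolve_rules(SAMPLE_RULES, "192.168.1.100", "artos", stub_resolver)
    print("\n".join(log))
    print("\n".join(rules))
```

Two points differ from what the slides show. The page 9 output has rules 4 and 5, whose names failed to resolve, carrying 127.0.0.1; this example drops such a rule instead, so a lookup failure never turns into a pass exception for an address the rule author did not write. And because the names are resolved once, when the service reads the rules file, the address returned at that moment is what the filter enforces until the next restart: a spoofed or poisoned answer at start time becomes a standing pass rule, which is the DNS concern page 10 raises.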

Page 11

Original Pktfilter project source
• http://sourceforge.net/projects/pktfilter/

Information about filtering API
• http://www.ndis.com/papers/winpktfilter.htm
• http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf

WFP summaries
• http://www.microsoft.com/whdc/device/network/WFP.mspx
• http://msdn2.microsoft.com/en-us/library/aa363967.aspx

DNS lookup information
• http://msdn2.microsoft.com/en-us/library/ms738524.aspx
• http://msdn2.microsoft.com/en-us/library/ms738520.aspx

PfCreateInterface, references other filtering API functions
• http://msdn2.microsoft.com/en-gb/library/aa376646.aspx