PKTFilter use reference
Creation time: 2003-07-20
Article type: compilation
Submitted by: Tombkeeper (Tombkeeper_at_126.com)

PKTFilter use reference
Tombkeeper@whitecell.org
/*
This document is based mainly on the pktfilter.pdf shipped with pktfilter; it corrects some errors in
the original and adds some of my own experience.
I like this firewall mainly because it uses few resources, is UNIX-style, has no graphical interface and
no annoying system tray icon.
Like IP Filter, this firewall is not designed for people who know little or nothing about networking;
if you use it, make sure you understand the basics such as the TCP/IP protocols. If there is a problem
with the program, write to its author: Jean-baptiste.marchand@hsc.fr. If you have questions about using
it, write to the author as well. I provide no support for this document, the rule generation script, or
the modified program.
*/
Pktfilter is a packet-filtering firewall that runs on Windows 2000/XP/2003.
PKTFilter does not implement a network filtering driver of its own; it is in fact a configuration
interface for the packet filtering mechanism built into the system. Windows 2000 and later ship an
IPFilterDriver service, but the system itself provides no easy-to-use interface for configuring it.
Because it uses the system's own mechanism, pktfilter runs very stably and uses few resources, but for
the same reason its functionality is limited by what the system offers.
The rule syntax of pktfilter is in fact a subset of IP Filter's syntax. See
http://www.ipfilter.org/.
------------
Installation and use:
------------
Create a directory for pktfilter and copy pktfltsrv.exe and pktctl.exe into it.
Create a rule file. You can write the rules yourself following the syntax described below. If you
install pktfilter on a machine acting as a gateway and write the corresponding rules, pktfilter can work
as a network firewall.
If you only use it to protect your personal computer, you do not need very complicated rules, and you
can use the script I wrote, rulesbuild.cmd. Simply set a few variables at the beginning of the file and
it quickly generates a rule file.
Install the service so that it starts at boot:
C:\pktfilter> pktfltsrv -i "c:\pktfilter\pktfilter.conf" "c:\pktfilter\pktfilter.log"
C:\pktfilter> net start pktfilter
-------------
Filter rule introduction:
-------------
Global options
  option
    small_frags: drop fragments that are too small. By default small_frags refers to fragments
    smaller than 16 bytes. This threshold can be set by creating the registry value
    HKLM\SYSTEM\CurrentControlSet\Services\IPFilterDriver\FragmentThreshold.
    strong_host: not mentioned in the pktfilter document, but supported by the program. MSDN's
    explanation is "Causes a check of the destination address of incoming packets."
    check_frags: not mentioned in the pktfilter document, but supported by the program. MSDN's
    explanation is "Causes a check of the fragments from the cache."
Filter action
  pass: allow
  block: block
Direction
  in: inbound
  out: outbound
Protocol
  proto, one of:
    tcp: the TCP protocol
    udp: the UDP protocol
    icmp: the ICMP protocol
    [number]: any other IP protocol number
    [empty]: all protocols
Source address
  from [addr]: a single IPv4 address
  from [subnet/mask]: a network
Source port (TCP/UDP only)
  port [comparison] [port number]
  Comparisons:
    =
    >=
    >
    <=
    <
Destination address
  to [addr]: a single IPv4 address
  to [subnet/mask]: a network
Destination port (TCP/UDP only)
  port [comparison] [port number]
  Comparisons: the same as for the source port
ICMP type and code
  icmp-type [type]
  code [code]
TCP connection established
  established: blocks only TCP packets that have the SYN flag set and no ACK flag. Placed at the end
  of a rule, it allows only TCP packets that belong to an already established connection.

-----
Example:
-----
# Drop packets composed of small fragments
option small_frags on eth0

# Default behaviour = deny everything
block in on eth0 all
block out on eth0 all

# Allow DNS resolution to our nameserver
pass out on eth0 proto udp from 192.168.1.1 port > 1023 to 192.168.1.254 port = 53
pass in on eth0 proto udp from 192.168.1.254 port = 53 to 192.168.1.1 port > 1023

# Allow inbound ICMP traffic (ping)
pass in on eth0 proto icmp from any to 192.168.1.1 icmp-type echo
pass out on eth0 proto icmp from 192.168.1.1 to any icmp-type echorep

# Allow RDP (Terminal Services) administration from our administration subnet
pass in on eth0 proto tcp from 10.42.42.0/24 port > 1024 to 192.168.1.1 port = 3389
pass out on eth0 proto tcp from 192.168.1.1 port = 3389 to 10.42.42.0/24 port > 1024 established

-------------
Filter rule reference:
-------------
A rule file consists of global options and normal rules.

Syntax of a global option:
  "option" global-option iface
Currently the only supported global-option is "small_frags".

Syntax of a normal rule:
  action [in-out] iface [proto-spec] ip [proto-options]

  action         = "pass" | "block"
  in-out         = "in" | "out"
  iface          = "on" ifname DIGIT
  ifname         = "eth" | "ppp" | "sl" | "lo" | "tr" | "fd"
  proto-spec     = "proto" [proto]
  proto          = "tcp" | "udp" | "icmp" | "any" | ip-proto
  ip-proto       = decnumber
  decnumber      = DIGIT [decnumber]
  ip             = "all" | "from" ip-addr [port-comp | port-range] "to" ip-addr [port-comp | port-range]
  ip-addr        = "any" | ip-dotted-addr [ip-mask]
  ip-dotted-addr = host-num "." host-num "." host-num "." host-num
  host-num       = DIGIT [DIGIT [DIGIT]]
  ip-mask        = "/" ip-addr | decnumber
  port-comp      = "port" comparator decnumber
  comparator     = ">" | ">=" | "<" | "<=" | "="
  port-range     = "port" decnumber "><" decnumber
  proto-options  = "icmp-type" icmp-type ["code" icmp-code] | "established"
  icmp-type      = "echorep" | "unreach" | "redir" | "echo" | "router_adv" | "router_sol" | "timex" |
                   "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" | "maskreq" | "maskrep"
  icmp-code      = decnumber

-----------------
Usage of the pktctl command:
-----------------
pktctl has two modes: command-line mode and interactive mode. pktctl -I enters interactive mode.

List the network interfaces:
  C:\> pktctl -i
  eth0: (3Com EtherLink PCI): 192.168.0.1

Load a rule file:
  C:\> pktctl -f rules.txt
  pktctl> source rules.txt

Remove all loaded rules first, then load a rule file:
  C:\> pktctl -f rules.txt
  pktctl> reload rules.txt

Add a single rule by hand (temporary):
  C:\> pktctl -a "pass in on eth0 from 10.0.0.42 to any"
  pktctl> pass in on eth0 proto udp from 10.0.0.42 to any

List the rules on an interface:
  C:\> pktctl -l eth0
  pktctl> list on eth0

List the rules with their rule numbers on an interface (the rule number is needed to delete a rule):
  C:\> pktctl -l eth0
  pktctl> list on eth0

Delete a rule:
  C:\> pktctl -d 2 eth0

Delete all rules on an interface:
  C:\> pktctl -fa eth0
  pktctl> flush on eth0

Delete all rules on all interfaces:
  C:\> pktctl -fa all
  C:\> pktctl -fa
  pktctl> flush on all

Show filtering statistics:
  C:\> pktctl -s eth0
  pktctl> stats on eth0

Show detailed filtering statistics:
  C:\> pktctl -s eth0
  pktctl> stats on eth0

----------------------
pktfltsrv command-line options:
----------------------
-i "path_to_rules_file" "path_to_log_file": installs the service.
-u: uninstalls the service.

Some problems:
1. Logging does not work on Windows XP SP1. This is an XP problem: the PfSetLogBuffer function in SP1's
iphlpapi.dll does not work properly.
(This problem has been reported on the pktfilter mailing list.)
2. Adding rules in certain incorrect formats can cause the service to crash.
3. Because only the SDK's WinBase.h defines INVALID_SET_FILE_POINTER, when compiling pktfltsrv put the
SDK's include directory at the front of the list in VS's Tools - Options. I do not have the SDK installed
now; I use a copy of a previous installation directory, so it has to be handled this way. I do not
remember whether installing the SDK overwrites the VC files; if so, this may not be necessary.
4. The Windows 2000 Professional edition may not be able to run it. I have not tried, but MSDN always
says of those functions: "Included in Windows 2000 Server and Windows .NET Server."
5. In the rule listing of pktctl.exe -l there is no space between the adapter and the protocol column;
I added one (filter_stats.c, line 70). Perhaps the author was a little careless: the ICMP type and code
are not logged, so I added that (logging.c, line 187). Information such as the TTL and the TCP window
size is not logged either; I added that too. Some of the log formats I was not used to.
6. The program's implementation principle can be found at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rras/rras/packet_filtering_reference.asp

Attachment: rule generation script:

@echo off
echo # Rules generated by the pktfilter rule generation script rulesbuild.cmd v0.1
echo # Tombkeeper@whitecell.org
echo.
setlocal

REM Items you do not want to set can be left empty.

REM Network interface the rules apply to:
set interface=eth0

REM Rule file to generate:
set rules_file=pktfilter.conf

REM Local IP; only a single IP is considered here:
set local_ip=192.168.0.1

REM Trusted IPs. Note: access from these IPs is not restricted by the firewall at all.
REM Separate multiple IPs with commas:
set trust_ip=192.168.0.2,192.168.0.3

REM Gateway; some gateways ping their hosts:
set gateway=192.168.0.254

REM QQ server(s); separate multiple IPs with commas:
set qq_server=219.133.40.15

REM Use active-mode FTP:
set ftp_active=true
REM Access DNS:
set dns=true
REM Access TFTP:
set tftp=true
REM Access SNMP:
set snmp=true
REM Use MSN direct file transfer:
set msn=true
REM Use QQ:
set qq=true
REM Use Kingsoft AntiVirus (Jinshan Duba) online upgrade:
set kav=true
REM Use NetBIOS:
set netbios=true
REM Other TCP ports to open; separate multiple ports with commas:
set other_tcp=

echo ################################################
echo # Global rules
echo ################################################
echo.
echo # Drop packets composed of small fragments
echo option small_frags on %interface%
echo.
echo # Block all inbound and outbound traffic by default
echo block in on %interface% all
echo block out on %interface% all
echo.
echo # Allow %local_ip% to initiate TCP connections to any address
echo pass out on %interface% proto tcp from %local_ip% port 1 ^>^< 65535 to any port 1 ^>^< 65535
echo pass in on %interface% proto tcp from any port 1 ^>^< 65535 to %local_ip% port 1 ^>^< 65535 established
echo.
:trust_ip
if "%trust_ip%"=="" goto tcp
echo # Trusted hosts %trust_ip% have full access to %local_ip%
for %%i in (%trust_ip%,) do echo pass in on %interface% from %%i to %local_ip% && echo pass out on %interface% from %local_ip% to %%i
REM The trailing comma after %trust_ip% takes care of the case where only one %trust_ip% is given
echo.

:tcp
echo ################################################
echo # TCP rules
echo ################################################
echo.

:ftp_active
if not "%ftp_active%"=="true" goto msn
echo # Open TCP 20 for FTP active mode
echo pass in on %interface% proto tcp from any port = 20 to %local_ip% port ^> 1023
echo.

:msn
if not "%msn%"=="true" goto other_tcp
echo # Open TCP 6890 - 6900 to allow MSN direct file transfer
echo pass in on %interface% proto tcp from any port ^> 1023 to %local_ip% port 6890 ^>^< 6900
echo.

:other_tcp
if "%other_tcp%"=="" goto udp
echo # Other TCP ports to open: %other_tcp%
for %%i in (%other_tcp%,) do echo pass in on %interface% proto tcp from any port ^> 1023 to %local_ip% port = %%i
echo.
:udp
echo ################################################
echo # UDP rules
echo ################################################
echo.

:dns
if not "%dns%"=="true" goto snmp
echo # Access DNS service
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 53
echo pass in on %interface% proto udp from any port = 53 to %local_ip% port ^> 1023
echo.

:snmp
if not "%snmp%"=="true" goto tftp
echo # Access SNMP service
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 161
echo pass in on %interface% proto udp from any port = 161 to %local_ip% port ^> 1023
echo.

:tftp
if not "%tftp%"=="true" goto netbios
echo # Access TFTP service
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 69
echo pass in on %interface% proto udp from any port = 69 to %local_ip% port ^> 1023
echo.

:netbios
if not "%netbios%"=="true" goto kav
echo # Access NetBIOS-NS (UDP 137) and NetBIOS-DGM (UDP 138) services
echo pass out on %interface% proto udp from any port = 137 to any port = 137
echo pass in on %interface% proto udp from any port = 137 to any port = 137
echo pass out on %interface% proto udp from any port = 138 to any port = 138
echo pass in on %interface% proto udp from any port = 138 to any port = 138
echo.
:kav
if not "%kav%"=="true" goto qq
echo # Access the Kingsoft AntiVirus upgrade verification port
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 6868
echo pass in on %interface% proto udp from any port = 6868 to %local_ip% port ^> 1023
echo.

:qq
if not "%qq%"=="true" goto icmp
echo # Access QQ in UDP mode
for %%i in (%qq_server%,) do echo pass out on %interface% proto udp from %local_ip% port = 6000 to %%i port = 8000 && echo pass in on %interface% proto udp from %%i port = 8000 to %local_ip% port = 6000
REM The trailing comma after %qq_server% takes care of the case where only one %qq_server% is given
echo.

:icmp
echo ################################################
echo # ICMP rules
echo ################################################
echo.

:ping
echo # %local_ip% can ping any address
echo pass out on %interface% proto icmp from %local_ip% to any icmp-type echo
echo pass in on %interface% proto icmp from any to %local_ip% icmp-type echorep
echo.

:gateway
if "%gateway%"=="" goto write
echo # The gateway can ping %local_ip%
echo pass in on %interface% proto icmp from %gateway% to %local_ip% icmp-type echo
echo pass out on %interface% proto icmp from %local_ip% to %gateway% icmp-type echorep

:write
call %0 1>%rules_file% 2>nul
@echo off
REM Writing the file this way avoids redirecting every write operation separately; it is fast and easy to maintain.
REM Either call or cmd /c can be used; the nested run exits because the file is already held open by the other cmd process.
REM If it is not invoked through call but run directly in the batch, the command executes in the same cmd process and an infinite loop results.
REM In fact this way of writing is better suited to interactive scripts that write out a file,
REM where for example the variable-setting step can take its values from the console.
endlocal
@echo on
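As an added example (not part of the original article and not pktfilter's own code), the following Python script checks rule lines against the grammar from the reference section before they are loaded (problem 2 above: a malformed rule can crash the service) and evaluates constructed sample packets against the page's example rule set, including the "established" keyword refusing a bare SYN. It assumes first-match semantics with the "all" rules acting as the per-direction default and an exclusive "><" range as in IP Filter; this is an illustration of the rule language, not pktfilter's matching engine.

```python
import ipaddress
import re

# Constructed rule set (the page's example, trimmed): default deny, DNS out, RDP in
# from the administration subnet, RDP replies out only on an established connection.
RULES = """
block in on eth0 all
block out on eth0 all
pass out on eth0 proto udp from 192.168.1.1 port > 1023 to 192.168.1.254 port = 53
pass in on eth0 proto tcp from 10.42.42.0/24 port > 1024 to 192.168.1.1 port = 3389
pass out on eth0 proto tcp from 192.168.1.1 port = 3389 to 10.42.42.0/24 port > 1024 established
"""
RULE_RE = re.compile(  # one normal rule, following the grammar in the reference section
    r"^(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+)(?: proto (?P<proto>\w+))?"
    r" (?:(?P<all>all)|from (?P<src>\S+)(?: port (?P<sp>.+?))? to (?P<dst>\S+)"
    r"(?: port (?P<dp>.+?))?)(?P<est> established)?$")
OPS = {"=": int.__eq__, ">": int.__gt__, ">=": int.__ge__, "<": int.__lt__, "<=": int.__le__}

def addr_ok(spec, ip):  # "any", a host address, or subnet/mask
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):  # reject a malformed line here instead of handing it to the service
    lines = [l.split("#")[0].strip() for l in text.splitlines()]
    matches = [(l, RULE_RE.match(l)) for l in lines if l]
    bad = [l for l, m in matches if m is None]
    if bad:
        raise ValueError("malformed rule: " + bad[0])
    return [m.groupdict() for _, m in matches]

def port_matches(spec, port):
    if spec is None:
        return True
    tok = spec.split()
    if len(tok) == 3 and tok[1] == "><":  # exclusive range, as in IP Filter (assumed)
        return int(tok[0]) < port < int(tok[2])
    return OPS[tok[0]](port, int(tok[1]))

def rule_matches(r, pkt):
    if ((r["dir"], r["iface"]) != (pkt["dir"], pkt["iface"]) or r["proto"] not in (None, "any", pkt["proto"])
            or (r["est"] and "SYN" in pkt.get("flags", ()) and "ACK" not in pkt.get("flags", ()))):
        return False  # a rule ending in 'established' never passes a bare SYN
    return bool(r["all"]) or (addr_ok(r["src"], pkt["src"]) and port_matches(r["sp"], pkt["sport"])
                              and addr_ok(r["dst"], pkt["dst"]) and port_matches(r["dp"], pkt["dport"]))

def decide(rules, pkt):  # 'all' rules give the direction's default; first matching specific rule wins (assumed)
    hits = [r for r in rules if rule_matches(r, pkt)]
    specific = [r["action"] for r in hits if not r["all"]]
    defaults = [r["action"] for r in hits if r["all"]]
    return specific[0] if specific else (defaults[-1] if defaults else "block")
```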