PKTFilter use reference

xiaoxiao2021-03-06 106

Creation time: 2003-07-20

Article attribute: finishing

Article submission:

Tombkeeper (Tombkeeper_at_126.com)

PKTFilter use reference

Tombkeeper@whitecell.org

/ *

This document is primarily based on the pktfilter.pdf included with the pktfilter, fixes some original errors, increase

Add some of my own experience.

I like this firewall mainly because resources are less, UNIX style, no graphical interface, no hate

System tray icon.

Like IP Filter, this firewall is not designed for people who don't know anything else or slightly,

If you use it, please make sure you understand the basics such as TCP / IP protocols. If there is a problem with the program, please write the program

: Jean-baptiste.marchand@hsc.fr. If you have any questions to use, please write a letter to the author. I am

Documents, rules generate scripts, and modified programs do not provide any support.

* /

Pktfilter is a packaged firewall running on Windows 2000 / XP / 2003.

PKTFilter does not implement network filtering driver, in fact it is a configuration of the system itself package filtering mechanism

interface. There is an IPFilterDriver service in Windows 2000 or more, but the system itself is

There is no easy-to-use configuration interface.

Because it is called the system itself, the pktfilter works very stable, and the occupancy is small, but it is

Because of this, the functional implementation of the pktfilter is also limited by the system.

The rule syntax of the pktfilter is actually a subset of IP Filter4. Refer

http://www.ipfilter.org/.

------------

Installation use:

------------

Create a directory for PKTFilter, copy pktfltsrv.exe and pktctl.exe.

Create a rule file. You can write rules yourself according to the grammar described below. If you install the pktfilter

One as a gateway, and write the corresponding rules, then pktfilter can be used as a network.

The firewall work.

If you just use to protect your personal computer, you don't need to set too complicated rules, then you can use the script I wrote.

Rulesbuild.cmd. Simply set some variables at the beginning of the file, you can quickly generate a rule.

Install the boot service:

C: / pktfilter> pktfltsrv -i "c: /pktfilter/pktfilter.conf" "c: /pktfilter/pktfilter.log"

C: / pktfilter> Net Start Pktfilter

-------------

Filter rule introduction:

-------------

Global option

Option

Small_frags, refused to be too small, the default small_frags refers to less than 16 bytes

Split package. This value can be created by establishing an registry

HKLM / SYSTEM / CURRENTCONTROLSET / Services / IPFilterDriver / Fragmentthreshold

To set.

Strong_host, did not say this document, but the program support, MSDN's explanation is

"Causes a Check of The Destination Address of Incoming Packets."

Check_frags, did not say this document, but program support, MSDN's explanation is

"Causes a check of the fragments from the cache." Filter

Pass, allowed

Block, blocking

direction

in, come in

OUT, go out

protocol

Proto, including:

TCP, TCP protocol

UDP, UDP protocol

ICMP, ICMP protocol

[Number], specify other IP protocol numbers

[EMPTY], all protocols

source address

From [addr], specify an IPv4 address

FROM [Subnet / Mask], specify a network

Source port (TCP / UDP protocol only)

Port [Expression] [Port number]

Expressions include:

> =

target address

To [addr], specify an IPv4 address

To [Subnet / Mask], specify a network

Target port (TCP / UDP protocol only)

Port [Expression] [Port number]

Expressions include:

> =

ICMP type and code

ICMP-TYPE [TYPE]

ICMP-code [code]

TCP connection is established

ESTABLISHED, blocking only the SYN flag and there is no TCP package of the ACK flag, in the end of the rule

Only the TCP package after the connection is allowed.

-----

example:

-----

#Drop packets composed of small fragments

Option small_frags on et0

# default behavior = deny everything

Block in th0 all0 all

Block Out on Eth0 All

# Allow DNS Resolution To Our Nameserver

Pass Out on Eth0 Proto Udp from 192.168.1.1 port> 1023 to 192.168.1.254 port = 53

Pass in th0 proto udp from 192.168.1.254 port = 53 to 192.168.1.1 port> 1023

# allow inbound icmp traffic (ping)

Pass in th0 proto icmp from any to 192.168.1.1 icmp-type echo

Pass Out on eth0 proto icmp from 192.168.1.1 type echo-rep to any

# Allow RDP (Terminal Services) Administration from Our Administration Subnet

PASS IN ETH0 Proto TCP from 10.42.42.0/24 port> 1024 to 192.168.1.1 port = 3389

Pass out on eth0 proto tcp from 192.168.1.1 port = 3389 to 10.42.42.0/24 port> 1024 ESTABLISHED

-------------

Filter rule reference:

-------------

The filtering rule consists of a global-option and normal-rule.

The syntax of the global option:

"Option" global_option ifce

Now supported Global-Option only "small_frags". The syntax of ordinary rules:

Action [in-out] IFACE [Proto_Spec] IP [proto-options]

Action = "pass" | "block"

IN-out = "in" | "out"

iface = "on" ifname Digit

IFNAME = "Eth *" | "PPP" | "SL" | "LO" | "TR" | "fd"

Proto_spec = "proto" [proto]

Proto = "TCP" | "UDP" | "ICMP" | "Any" | ip_proto

IP_PROTO = Decnumber

Decnumber = DIGIT [Decnumber]

IP = "all" | "from" ip-addr [port-comp | port-range] "to" ip-addr

[Port-Comp | Port-Range]

IP-addr = "any" | ip-dotted-addr [ip-mask]

IP-dotted-addr = host-num "." Host-num "." Host-Num "

Host-num = DIGIT [DIGIT [DIGIT]]

IP-MASK = "/" ip-addr | decnumber

Port-comp = "port" Comparator Decnumber

Comparator = ">" |> = "|" <= "|" = "

Port-Range = "Port" Decnumber "> <" Decnumber

Proto-options = "ICMP-TYPE" ICMP-TYPE ["Code" ICMP-CODE] | "ESTABLISHED"

"Infore Q" | "inforep" | "maskreq" | "maskrep"

ICMP-CODE = Decnumber

-----------------

Usage of pktctl command:

-----------------

PKTCTL has two usage: command line mode and interactive mode. PKTCTL -I enters interactive mode.

List the network interface:

C: /> pktctl -i

Eth0: (3COM Etherlink PCI): 192.168.0.1 Loading Rules:

C: /> pktctl -f rules.txt

PKTCTL> Source Rules.txt

First remove all loaded rules and then load rule files:

C: /> pktctl -f rules.txt

PKTCTL> Reload Rules.txt

Handmade temporary add a rule:

C: /> pktctl -a "pass in th0 from 10.0.0.0.0.42 to any"

Pktctl> Pass in th0 proto udp from 10.0.0.42 to any

List the rules on the specified interface:

C: /> pktcl -l eth0

PKTCL> List on eth0

List the rules and rules numbers on the specified interface:

Option:

C: /> pktcl -l eth0

PKTCL> List on eth0

The specified rule number is required when deleting the rules.

Delete rules:

C: /> pktctl -d 2 Eth0

Delete all rules on the specified interface:

C: /> pktctl -fa eth0

PKTCTL> Flush on et0

Delete all rules on all interfaces:

C: /> pktctl -fa all

C: /> pktctl -fa

Pktctl> Flush on All

Show the statistics of the filtration:

C: /> pktctl -s eth0

PKTCTL> Stats on Eth0

Detailed statistics showing the filtering condition:

C: /> pktctl -s eth0

PKTCTL> Stats on Eth0

----------------------

PKTFLTSRV command line options:

----------------------

-i "path_to_rules_file" "Path_to_log_file"

-u: uninstalls the service.

some problems:

1. The log cannot be logged on Windows XP SP1.

This is the problem of XP, and the PFsetLogbuffer function of SP1 iPhlPapi.dll is not working properly. (This problem is on the list of pktfilter mail)

2. Adding certain formats incorrect rules that can cause the service to crash.

3. Because only SDK's WinBase.H defines the invalid_set_file_point. So when compiling pktfltsrv

VS's Tools - Options puts the SDK's INCLUDE directory to the forefront. I have no SDK installed now.

It is used by the previous installation directory COPY, so it needs to be handled. I don't remember whether I will cover the VC file after installing SDK.

If so, you may not need to be more.

4. The Windows 2000 Pro version may not be able to run, I have not tried, just Msnd talks about those functions, always said:

"Included in Windows 2000 Server and Windows .NET Server."

5. There is no space between the adapter and the agreement between the PKTCTL.EXE -L command column rules, I added one. Filter_stats.c / 70 lines.

Maybe the author does not leave a little, so the ICMP type and status code cannot be recorded, plus it. Logging.c / 187 lines.

You cannot record information such as TTL, TCP window value, plus it.

Some record formats I looked not used to it. 6, the program implementation principle can be referenced:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rras/rras/packet_filtering_reference.asp

Attachment: Rule generation script:

@echo off

Echo # rules generated by the PKTfilter rules Rulesbuild.cmd v0.1

echo # Tombkeeper@whitecell.org

echo.

SetLocal

REM does not plan to fill in the contents of the content, let it be empty.

REM Specifies the network interface to set the rule:

Set interface = eth0

REM specifies the rule file to be generated:

SET Rules_File = pktfilter.conf

REM Specifies the native IP, here only considers an IP:

Set local_ip = 192.168.0.1

REM specifies the IP of trust, pay attention! Access from these IP will not be controlled by firewall completely. Between multiple IPs separated by commas:

Set trust_ip = 192.168.0.2, 192.168.0.3

REM specifies the gateway, some gateway will set up the PING host:

SET GATEWAY = 192.168.0.254

REM specifies the QQ server, with a comma between multiple IPs:

SET QQ_Server = 219.133.40.15

Does REM want to use the active mode FTP:

Set ftp_active = true

Does REM want to access DNS:

SET DNS = TRUE

Does REM want to access TFTP:

Set TFTP = TRUE

Does REM want to access SNMP:

SET SNMP = TRUE

REM wants to use MSN direct file transfer:

SET MSN = TRUE

REM wants to use QQ:

Set QQ = True

Whether the REM uses Jinshan drug tyrants online upgrade:

Set KAV = TRUE

REM uses NetBIOS:

Set NetBIOS = TRUE

REM Other TCP ports to be open, with a comma between multiple ports:

SET OTHER_TCP =

echo ############################################################################################################################################################################################################################################################################## #################################################

echo # global rules

echo.

Echo # Drop the small fragmentation package

echo option small_frags on% interface%

echo.

Echo # Default blocking all access and export data

Echo Block in 1% Interface% All

Echo Block Out on% Interface% All

echo.

Echo # allows% local_ip% to initiate TCP connections to arbitrary addresses

Echo Pass Out on% Interface% Proto TCP from% local_ip% port 1 ^> ^ <65535 to any port 1 ^> ^ <65535

Echo pass in% interface% proto tcp from any port 1 ^> ^ <65535 TO% local_ip% port 1 ^> ^ <65535 EstablishEDecho.

: Trust_IP

IF "% trust_ip%" == "" GOTO TCP

Echo # Set trust host% trust_IP% can fully access% local_ip%

For %% i in (% trust_ip%,) do echo pass in% interface% from %% I to% local_ip% && echo pass out% interface% from% local_ip% to %% i

REM% trust_ip% Behind a comma is considered only one% trust_ip% situation

echo.

: TCP

Echo # TCP rules

echo.

: ftp_active

IF not "% ftp_active% ==" true "goto msn

Echo # Open TCP 20, FTP Active Mode

Echo pass in% interface% proto tcp from any port = 20 TO% local_ip% port ^> 1023

echo.

: MSN

IF not "% msn%" == "true" goto other_tcp

Echo # Open TCP 6890 - 6900, allowing MSN to directly transfer files

Echo pass in% interface% proto tcp from any port ^> 1023 TO% local_ip% port 6890 ^> ^ <6900

echo.

: Other_TCP

IF "% Other_tcp%" == "" GOTO UDP

Echo # Other TCP ports to be open:% Other_tcp%

For %% I in (% orthore) do echo pass in% interface ^> 1023 TO% local_ip% port = %% i

echo.

: UDP

Echo # udp rules

echo.

: DNS

IF not "% DNS%" == "true" goto snmp

echo # Access DNS Service

Echo Pass Out on% Interface% Proto UDP from% local_ip% port ^> 1023 to any port = 53

Echo pass in% interface% proto udp from any port = 53 TO% local_ip% port ^> 1023echo.

: SNMP

IF not "% snmp%" == "true" goto tftp

echo # Access SNMP Services

Echo Pass Out on% Interface% Proto UDP from% Local_IP% Port ^> 1023 to any port = 161

Echo pass in% interface% proto udp from any port = 161 TO% local_ip% port ^> 1023

echo.

: TFTP

IF not "% TFTP%" == "True" Goto NetBIOS

echo # Access TFTP Services

Echo Pass Out on% Interface% Proto UDP from% local_ip% port ^> 1023 to any port = 69

Echo pass in% interface% proto udp from any port = 69 TO% local_ip% port ^> 1023

echo.

: NetBIOS

IF not "% netbios%" == "true" goto kav

Echo # Access NetBIOS-NS (UDP 137) NetBIOS-DGM (UDP 138) service

Echo Pass Out on% Interface% Proto UDP from any port = 137 to any port = 137

Echo pass in% interface% proto udp from any port = 137 to any port = 137

Echo Pass Out on% Interface% Proto UDP from any port = 138 to any port = 138

Echo Pass in% Interface% proto udp from any port = 138 to any port = 138

echo.

: KAV

IF not "% kav%" == "true" goto QQ

echo # Visit the Jinshan Drug Security Upgrade Verification Port

Echo Pass Out on% Interface% Proto udp from% local_ip% port ^> 1023 to any port = 6868

Echo pass in% interface% proto udp from any port = 6868 TO% local_ip% port ^> 1023

echo.

: qq

IF not "% qq%" == "true" goto ICMP

echo # Use UDP mode to access QQ

For %% i in (% qq_server%,) do echo pass out on% interface% proto udp from% local_ip% port = 6000 to %% i port = 8000 && echo pass in% Interface% Proto UDP from %% i Port = 8000 TO% local_ip% port = 6000

Ream% QQ_SERVER% After adding a comma is considered only one% qq_server basis Echo.

: ICMP

Echo # ICMP rules

echo.

: ping

echo #% local_ip% can ping any address

Echo Pass Out on% Interface% Proto ICMP from% local_ip% to any iCMP-TYPE ECHO

Echo Pass in% Interface% Proto ICMP from ANY TO% LOCAL_IP% ICMP-TYPE ECHOREP

echo.

: GATEWAY

IF "% GATEWAY" == "" GOTO WRITE

Echo # gateway can ping% local_ip%

Echo Pass in% Interface% Proto ICMP FROM% GATEWAY% to% local_ip% ICMP-TYPE ECHO

Echo Pass OUT ON% Interface% Proto ICMP from% local_ip% to% Gateway% ICMP-TYPE ECHOREP

: Write

Call% 0 1>% rules_file% 2> NUL

@echo off

REM writes files with this method without resetting the write operation multiple times, and the speed is fast and easy to maintain.

REM can be used in Call or CMD / C, and it will be exited because the file is occupied by another CMD process.

REM If you do not call directly in the batch, the command is executed in the same CMD process and a dead cycle will occur.

Rem In fact this kind of writing is more suitable for files to be written in the interactive script,

REM, such as the process of setting variables, can be used to obtain from the console.

Endlocal

@echo on

转载请注明原文地址:https://www.9cbs.com/read-124676.html

9cbs

New Post(0)