 

8 Configuring Filters


  This chapter describes how to configure input and output packet filters. IP, IPX, and Service Advertising Protocol (SAP) rules are reviewed, and filter examples are given. You can also use the ChoiceNet application to filter IP packets by lists of sites rather than by individual IP addresses. For more information on ChoiceNet, see the ChoiceNet Administrator's Guide.
  This chapter discusses the following topics:
  Each topic in this chapter includes examples of filters used to accomplish the goal described.
  See the PortMaster 4 Command Line Reference for more detailed command descriptions and instructions.
  You can also configure the PortMaster 4 using the PMVision application for Microsoft Windows, UNIX, and other platforms supporting the Java Virtual Machine (JVM). PMVision replaces the PMconsole interface to ComOS.
  The FilterEditor application provides a graphical interface to construct and edit filters for both PortMaster 4 InterNetworking Systems Concentrators and ChoiceNet servers.
  PMVision, FilterEditor, and other Java-based configuration tools for the PortMaster are available via anonymous FTP at ftp://ftp.livingston.com/pub/livingston/software/java/.
 

       Overview of PortMaster Filtering

  Packet filters can increase security and decrease traffic on your network. You use filters to limit certain kinds of internetwork communications by permitting or denying the passage of packets through network interfaces. By creating appropriate filters, you can control access to specific hosts, networks, and network services.
  You can enhance security on your network by limiting authorized activities to certain hosts. For example, you can restrict the DNS and SMTP interchange with the Internet to a well-secured host on your network. All Internet hosts can then access only this single server for those services. If you have several name servers or mail servers, you can use additional rules to allow access to these servers.
  You use Ethernet filters to constrain the types of packets that can enter the local Ethernet port, and you can set filters on asynchronous ports configured for hardwired operation when security with another network is an issue.
  The packet filtering process analyzes the header information in each packet sent or received through a network interface. The header information is evaluated against a set of rules that either allow the packet to pass through the interface or cause the packet to be discarded.
  A maximum of 256 filter rules per filter is allowed for the PortMaster 4. The PortMaster generates an error message when the number of filter rules exceeds the limit.
  If a packet is discarded by a filter, an appropriate "ICMP unreachable" message is returned to the source address. This message provides immediate feedback to the user attempting the unauthorized access. Packets permitted or denied can optionally be logged to a host.
  Filters can also be used for packet selection--for example, you can use a packet trace filter to do troubleshooting. The packets permitted by the ptrace filter are displayed, while packets not permitted by the filter are not displayed. For more information about the ptrace facility, see the PortMaster Troubleshooting Guide.
 

       Filter Options

  Table 8-1 shows different filter options.

  Table 8-1 Filter Options 

 
  Option -- Description
  Restricting packet traffic -- Each user, location entry, and network hardwired port can be assigned both an input packet filter and an output packet filter. Having both input and output filters can decrease the number of rules needed and can provide better tuning of your security policy.
  Restricting access based on source and destination address -- You can create filters that evaluate both the source and destination addresses of a packet against a rule list. The number of significant bits used in IP address comparisons can be set, allowing filtering by host, subnet, network number, or group of hosts whose addresses are within a given bit-aligned boundary.
  Restricting access to particular protocols -- Packets of certain protocols can be permitted or denied by a filter, including IPX, SAP, TCP, UDP, and ICMP packets.
  Restricting access to network services -- You can create filters that use the source and destination port numbers to control access to certain network services. The evaluation can be based upon whether the port number is less than, equal to, or greater than a specified value.
  Restricting access based on TCP status -- You can create filters that use the status of TCP connections as part of the rule set. This feature can allow network users to open connections to external networks without allowing external users access to the local network.
 

       Filter Organization

  Filters are stored in a filter table in the PortMaster nonvolatile configuration memory. Filters can be created or modified at any time, but changes do not affect an interface that is already using the filter. Filter names must be between 1 and 15 characters.
  Each packet filter can contain three sets of rules: IP, IPX, and SAP. Within each set, the rules are numbered starting at one. Newly created packet filters contain zero rules, or an empty set of rules.
  An empty set of rules is equivalent to a single rule that permits everything. If a filter contains one or more rules in the set, any packet not explicitly permitted by a rule is denied at the end of the rule set.
 

       How Filters Work

  IP and IPX packet filters are attached to users, locations, Ethernet interfaces, or network hardwired ports as either input or output filters. SAP filters are attached as output filters only. The Ethernet interface filter is enabled as soon as the name of the input or output filter is set.
  Input and output are defined relative to the PortMaster interface. As shown in Figure 8-1, an input filter is used on packets entering the PortMaster and an output filter is used on packets exiting the PortMaster.

  Figure 8-1 Input and Output Filters

  All packets entering a PortMaster through an interface with an input filter are evaluated against the rules in the filter. As soon as a packet matches a rule, the action specified by that rule is taken. If no rules match the specific packet, the packet is denied and is discarded. Whenever an IP packet is discarded, the PortMaster generates an "ICMP Host Unreachable" message back to the originator.
  For interfaces with output filters attached, all packets exiting the interface are evaluated against the filter rules and only those packets permitted by the filter are allowed to exit the interface.
 

       Creating Filters

  You construct a filter by creating the filter and then adding rules that permit or deny certain types of packets. A maximum of 256 filter rules per filter is allowed for the PortMaster 4. The PortMaster generates an error message when the number of filter rules exceeds the limit.
  Because the PortMaster evaluates packets against the rules in the order in which they are listed, you can avoid bottlenecks and maximize throughput by placing the rules that represent your highest security concerns first, followed by a rule that limits the volume of traffic.
  User filters are attached to users configured for dial-in SLIP or PPP access. When a user makes a PPP or SLIP connection, the designated filters are attached to the network interface created for that connection.
  Location filters are attached to dial-out locations by means of SLIP or PPP connections. When the connection is established to a remote site, the designated filters are attached to the network interface used.
  You can attach filters for incoming packets, for outgoing packets, or for both. It is usually more effective to filter incoming packets, because doing so also protects the PortMaster itself.
  For more detailed instructions on using the filter commands, see the PortMaster 4 Command Line Reference.
  To create a filter, use the following command:

  Command> add filter Filtername

  You must then use the appropriate set command to add rules that permit or deny packets. A maximum of 256 filter rules per filter is allowed. The PortMaster generates an error message when the number of filter rules exceeds the limit.
  See the following sections for instructions:
 

       Creating IP Filters

  You can create a rule that filters IP packets according to their source and destination IP addresses. For more information on the command syntax for creating filters, see the PortMaster 4 Command Line Reference.
  To create an IP filter rule that filters by address, use the following command--entered on one line:

  Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify]

  You can replace protocol  Number with one of the following keywords:
  If you are using ChoiceNet, you can also replace either the source or destination IP address with the value =ListName, which specifies a list of sites in the /etc/choicenet/lists directory in the ChoiceNet server. The equal sign (=) must immediately precede the value.
  Internet Control Message Protocol (ICMP) packets--commonly known as ping packets--report errors and provide other information about IP packet processing. You can filter ICMP packets by source and destination IP address, or by ICMP packet type. Packet types are identified in RFC 1700.
  To create an ICMP filter rule, use the following command--entered on one line:

  Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log]

  If you are using ChoiceNet, you can also replace either the source or destination IP address with the value =ListName, which specifies a list of sites in the /etc/choicenet/lists directory in the ChoiceNet server. The equal sign (=) must immediately precede the value.
 

       Filtering TCP and UDP Packets

  If you are using ChoiceNet, you can also replace either the source or destination IP address in a TCP or UDP filter with the value =ListName, which specifies a list of sites in the /etc/choicenet/lists directory in the ChoiceNet server. The equal sign (=) must immediately precede the value.
  You can filter TCP packets by source and destination IP address, or by TCP port number. Appendix B, "TCP and UDP Ports and Services," lists port numbers commonly used for UDP and TCP port services. For a more complete list, see RFC 1700.
  To create a TCP filter rule, use the following command--entered on one line:

  Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log]

  You can filter UDP packets by source and destination IP address, or by UDP port number. Appendix B, "TCP and UDP Ports and Services," lists port numbers commonly used for UDP and TCP port services. For a more complete list, see RFC 1700.
  To create a UDP filter rule, use the following command--entered on one line:

  Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [established] [log]

 

       Creating IPX Filters

  You can filter IPX packets in the following ways:
  To create an IPX filter rule, use the following command--entered on one line:

  Command> set ipxfilter Filtername RuleNumber permit|deny [srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock] [dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock]

  The Service Advertising Protocol (SAP) is an IPX protocol used over routers and servers that informs network clients of available network services and resources. SAP packets can be filtered only on output. You can filter SAP packets according to the following information about the server that is advertising the service via SAP:
  To create a SAP filter rule, use the following command--entered on one line:

  Command> set sapfilter Filtername RuleNumber permit|deny [server String] [network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock]

 

       Displaying Filters

  To display the filter table, use the following command:

  Command> show table filter

  To display a particular filter, use the following command:

  Command> show filter Filtername

 

       Deleting Filters

  To delete a filter, use the following command:

  Command> delete filter Filtername

 

       Example Filters

  Because filters are very flexible, you must carefully evaluate the types of traffic that a specific filter permits or denies through an interface before attaching the filter. If possible, a filter should be tested from both sides of the filtering interface to verify that the filter is operating as you intended. Using the log keyword to log packets that match a rule to the loghost is useful when you are testing and refining IP filters.
  Some of the following examples use the 192.168.1.0 network as the public network. Substitute the number of your network or subnetwork if you use these examples.

  Note: Any packet that is not explicitly permitted by a filter is denied, except for the special case of a filter with no rules, which permits everything.

 

       Simple Filter

  A simple filter can consist of the following rules:

  Command> set filter simple 1 permit udp dst eq 53
  Command> set filter simple 2 permit tcp dst eq 25
  Command> set filter simple 3 permit icmp
  Command> set filter simple 4 permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21
  Command> set filter simple 5 permit tcp src eq 20 dst gt 1023

  Table 8-2 describes, line by line, each rule in the filter.

  Table 8-2 Description of Simple Filter 

 
  Rule    Description 
 1.  Permits Domain Name Service (DNS) UDP packets from any host to any host.
 2.  Permits SMTP (mail) packets.
 3.  Permits ICMP packets.
 4.  Permits FTP from any host, but only to the host 192.168.1.3.
 5.  Permits FTP data to return to the requesting host. This rule is required to provide a reverse channel for the data portion of FTP.
 

       Input Filter for an Internet Connection

  The filter in this example is designed as an input filter for a network hardwired port that connects to the Internet. You can use this filter for a dial-on-demand connection by attaching it to the location entry.
  The rules for the filter are set as follows:
 

  Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log 

  Command> set filter internet.in 2 permit tcp estab 

  Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25 

  Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21 

  Command> set filter internet.in 5 permit tcp 0.0.0.0/0 192.168.0.5/32 dst eq 80 

  Command> set filter internet.in 6 permit tcp src eq 20 dst gt 1023 

  Command> set filter internet.in 7 permit udp dst eq 53 

  Command> set filter internet.in 8 permit tcp dst eq 53 

  Command> set filter internet.in 9 permit icmp 

  Table 8-3 describes, line by line, each rule in the filter.

  Table 8-3 Description of Internet Filter 

 
  Rule    Description 
 1.  Denies any incoming packets from the Internet claiming to be from (that is, spoofing) your own network (192.168.1.0). This rule blocks IP spoofing attacks. This rule also logs the header information in the spoofing packets to syslog.
 2.  Permits already established TCP connections that originated from your network--packets with the ACK bit set.
 3.  Permits SMTP connections to 10.0.0.3 (the mail server).
 4.  Permits FTP connections to host 172.16.0.4.
 5.  Permits Hypertext Transfer Protocol (HTTP) access to host 192.168.0.5.
 6.  Permits an FTP data channel.
 7.  Permits DNS.
 8.  Permits DNS zone transfers. (You can write this rule to allow only connections to your name servers.)
 9.  Permits ICMP packets.
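The evaluation semantics this chapter describes (first matching rule wins, implicit deny at the end of a non-empty rule set, an empty filter permits everything, significant-bits address comparison, and the established keyword testing the ACK bit) can be checked against sample packets with the following evaluator. It is an added example, not ComOS code or part of this guide: it parses the internet.in rules above into a constructed Packet model that covers only the header fields those rules test, and the sample addresses in its test are constructed. The packet from source port 20 to a port above 1023 shows the exposure that the FTP caution later in this chapter warns about.

```python
import ipaddress
from dataclasses import dataclass

# The internet.in rules from this chapter, exactly as typed at the Command> prompt.
INTERNET_IN = """
Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
Command> set filter internet.in 5 permit tcp 0.0.0.0/0 192.168.0.5/32 dst eq 80
Command> set filter internet.in 6 permit tcp src eq 20 dst gt 1023
Command> set filter internet.in 7 permit udp dst eq 53
Command> set filter internet.in 8 permit tcp dst eq 53
Command> set filter internet.in 9 permit icmp
"""

@dataclass
class Packet:                 # the header fields a rule can test (constructed model)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK bit set: what the "established" keyword tests

def parse_rule(line):
    """Parse one 'set filter Filtername RuleNumber permit|deny ...' line into a rule dict."""
    toks = line.replace("Command>", "").split()
    assert toks[:2] == ["set", "filter"], line
    rule = {"num": int(toks[3]), "action": toks[4], "src": None, "dst": None,
            "proto": None, "sport": None, "dport": None, "estab": False, "log": False}
    i = 5
    while i < len(toks):
        t, step = toks[i], 1
        if "/" in t:                     # Ipaddress/NM pair: first is source, second destination
            rule["src" if rule["src"] is None else "dst"] = ipaddress.ip_network(t, strict=False)
        elif t in ("tcp", "udp", "icmp"):
            rule["proto"] = t
        elif t in ("src", "dst"):        # port test: src|dst eq|lt|gt Port
            rule["sport" if t == "src" else "dport"], step = (toks[i + 1], int(toks[i + 2])), 3
        elif t.startswith("estab"):      # "established", abbreviated "estab" in the examples
            rule["estab"] = True
        elif t == "log":
            rule["log"] = True
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
        i += step
    return rule

def parse_filter(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def _port_ok(cond, value):
    """cond is None (no port test) or (op, n) with op one of eq, lt, gt."""
    return cond is None or {"eq": value == cond[1], "lt": value < cond[1], "gt": value > cond[1]}[cond[0]]

def matches(rule, p):
    for side, addr in (("src", p.src), ("dst", p.dst)):   # significant-bits (prefix) comparison
        if rule[side] is not None and ipaddress.ip_address(addr) not in rule[side]:
            return False
    if rule["proto"] is not None and rule["proto"] != p.proto:
        return False
    if rule["estab"] and not (p.proto == "tcp" and p.ack):
        return False
    return _port_ok(rule["sport"], p.sport) and _port_ok(rule["dport"], p.dport)

def evaluate(rules, p):
    """First match wins; no rules permits all, a non-empty set ends in an implicit deny."""
    if not rules:
        return ("permit", None, False)
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, p):
            return (rule["action"], rule["num"], rule["log"])   # (action, rule number, logged)
    return ("deny", None, False)
```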
 

       Input and Output Filters for FTP Packets

  Filters can be used to either permit or deny File Transfer Protocol (FTP) packets. You must understand how this protocol works before you develop FTP filters.
  FTP uses TCP port 21 as a control channel, but it transfers data on another channel initiated by the FTP server from TCP port 20 (FTP-data). Therefore, if you want to allow your internal hosts to send out packets with FTP, you must allow external hosts to open an incoming connection from TCP port 20 to a destination port above 1023. Allowing this type of access to your network can be very risky if you are running Remote Procedure Call (RPC) or X Windows on the host from which you are transmitting FTP packets. As a result, many sites use FTP proxies or passive FTP, neither of which is discussed in this guide.
  Consult Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick and Bellovin and Building Internet Firewalls by Chapman and Zwicky for information on FTP proxies and passive FTP.
  Likewise, if you want to allow external hosts to connect to your FTP server and transfer files, you must allow incoming connections to TCP port 21 on your FTP server and allow outgoing connections from TCP port 20 of your FTP server.
  In the following examples, 172.16.0.2 is the address of your FTP server and 192.168.0.1 is the address of the host from which you allow outgoing FTP.

  Caution: This configuration is not recommended if you run any of the following protocols on any of the hosts from which you allow FTP access: NFS, X, RPC, or any other service that listens on ports above 1023.

  The rules for the input filter are as follows:

  Command> set filter internet.in 1 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 20 dst gt 1023
  Command> set filter internet.in 2 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 21 estab
  Command> set filter internet.in 3 permit 0.0.0.0/0 172.16.0.2/32 tcp dst eq 21
  Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.2/32 tcp src gt 1023 dst eq 20 estab

  The rules for the output filter are as follows:

  Command> set filter internet.out 1 permit 192.168.0.1/32 0.0.0.0/0 tcp dst eq 21
  Command> set filter internet.out 2 permit 192.168.0.1/32 0.0.0.0/0 tcp src gt 1023 dst eq 20 estab
  Command> set filter internet.out 3 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 20 dst gt 1023
  Command> set filter internet.out 4 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 21 dst gt 1023 estab

  If you allow any internal host to send out packets with FTP, replace 192.168.0.1/32 with 0.0.0.0/0 or your network_number/24. Take appropriate precautions to reduce the risk this configuration creates.
 

       Rule to Permit DNS into Your Local Network

  If the DNS name server for your domain is outside your local network, add the following rule to your input filter:

  Command> set filter Filtername RuleNumber permit udp src eq 53

  This rule permits DNS replies into your local network.
 

       Rule to Listen to RIP Information

  To permit incoming RIP packets, add the following rule to your input filter:

  Command> set filter Filtername RuleNumber permit 172.16.0.0/32 192.168.0.0/32 udp dst eq 520

  In this example, 172.16.0.0/32 is the other end of the Internet connection and 192.168.0.0/32 is the local address of the connection.
 

       Rule to Allow Authentication Queries

  To allow authentication queries used by some mailers and FTP servers, add the following rule to your input filter:

  Command> set filter Filtername RuleNumber permit tcp dst eq 113 

  For more information about these types of queries, refer to RFC 1413.
 

       Rule to Allow Networks Full Access

  To allow some other network to have complete access to your network, add the following rule. In the example below, 172.16.12.0 is granted full access to 192.168.1.0/24:

  Command> set filter Filtername RuleNumber permit 172.16.12.0/24 192.168.1.0/24 

  Caution: Beware of associative trust. If you allow a network complete access to your network, you might unknowingly allow other networks complete access, as well. Any network that can access a network having complete access privileges to your network also has access to your network. For example, if Network 1 trusts Network 2 and Network 2 trusts Network 3, then Network 1 trusts Network 3.

 

       Restrictive Internet Filter

  This example filter allows any kind of outgoing connection from the server, but blocks all incoming traffic to any host but your designated Internet server. This filter also limits incoming traffic on your Internet server to SMTP, Network News Transfer Protocol (NNTP), DNS, FTP, and ICMP services.

  Note: Even if you have the latest versions of the daemons ftpd, httpd, and sendmail, you might be vulnerable to attacks through these services. Check the latest CERT Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these services.

  If you use the following example, replace the server address shown with the IP address or hostname of your Internet server:

  Command> set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
  Command> set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
  Command> set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
  Command> set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
  Command> set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
  Command> set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
  Command> set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
  Command> set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
  Command> set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
  Command> set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp

  Table 8-4 describes, line by line, each rule in the filter.

  Table 8-4 Description of Restrictive Internet Filter 

 
  Rule    Description 
  1.  Denies any incoming packets from your own network (192.168.1.0) and makes a log.
  2.  Permits packets from any established TCP connection to 10.0.0.3 (the Internet server).
  3.  Permits FTP from any IP address to 10.0.0.3  (the server).
  4.  Permits the FTP data back channel.
  5.  Permits incoming NNTP (news) to 10.0.0.3 (the Internet server).
  6.  Permits incoming SMTP (mail) to 10.0.0.3 (the Internet server).
  7.  Permits HTTP requests to 10.0.0.3 (the Internet server).
  8.  Permits DNS queries to 10.0.0.3 (the Internet server).
  9.  Permits DNS zone transfers from 10.0.0.3 (the Internet server).
 10.  Permits ICMP to 10.0.0.3 (the Internet server). You can further limit ICMP packet types to types 0, 3, 8, and 11 using four rules instead of one.
  To log all packets that are denied, add the following rule to the end of your filter:

  Command> set filter Filtername RuleNumber deny log

 

       Restricting User Access

  Access filters enable you to restrict Telnet or rlogin  connections to a specific host or network, or a list of hosts or networks. You can create an access filter that restricts user access to particular hosts.
  Access filters work as follows:

  1. The user specifies a host.

  2. The host address is compared against the access filter.

  3. If the address is permitted by the filter, the connection is established.

  4. If the address is not permitted, the connection is denied unless access override is enabled.

  If you want a user to be able to override a port's access filter, enable access override on that port. In this case, the process is as follows:

  1. Access is denied by the access filter.

  2. The user is prompted for a username and password.

  3. The user is verified by the user table or RADIUS.

  4. The access filter defined for this user is used to determine if the user has permission to access the specified host.

  To enable users to override a port access filter with their own filter, use the following command:

  Command> set S0 access on

 


Copyright © 1999, Lucent Technologies. All rights reserved.