Import ip-filter 3.2beta5

This commit is contained in:
veego 1997-09-21 16:47:50 +00:00
parent 4f72ff44fd
commit 985ac74a98
56 changed files with 4053 additions and 200 deletions


@ -1,4 +1,4 @@
/* $NetBSD: ip_auth.h,v 1.1.1.1 1997/07/06 04:58:52 thorpej Exp $ */
/* $NetBSD: ip_auth.h,v 1.1.1.2 1997/09/21 16:49:28 veego Exp $ */
/*
* (C)opyright 1997 by Darren Reed & Guido Van Rooij.
@ -7,7 +7,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp
* Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp
*
*/
#ifndef __IP_AUTH_H__

432
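--- /dev/null
+++ b/sys/netinet/ip_log.c
@@ -0,0 +1,432 @@
+/* $NetBSD: ip_log.c,v 1.1.1.1 1997/09/21 16:49:48 veego Exp $ */
+/*
+* (C)opyright 1997 by Darren Reed.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this notice is preserved and due credit is given
+* to the original author and the contributors.
+*
+* Id: ip_log.c,v 2.0.2.6 1997/09/10 13:08:18 darrenr Exp
+*/
+#ifdef IPFILTER_LOG
+# ifndef SOLARIS
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# endif
+# ifdef __FreeBSD__
+# if defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
+# endif
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include <sys/osreldate.h>
+# else
+# include <osreldate.h>
+# endif
+# endif
+# ifndef _KERNEL
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <ctype.h>
+# endif
+# include <sys/errno.h>
+# include <sys/types.h>
+# include <sys/param.h>
+# include <sys/file.h>
+# if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+# else
+# include <sys/ioctl.h>
+# endif
+# include <sys/time.h>
+# ifdef _KERNEL
+# include <sys/systm.h>
+# endif
+# include <sys/uio.h>
+# if !SOLARIS
+# if NetBSD > 199609
+# include <sys/dirent.h>
+# else
+# include <sys/dir.h>
+# endif
+# include <sys/mbuf.h>
+# else
+# include <sys/filio.h>
+# include <sys/cred.h>
+# include <sys/ddi.h>
+# include <sys/sunddi.h>
+# include <sys/ksynch.h>
+# include <sys/kmem.h>
+# include <sys/mkdev.h>
+# include <sys/dditypes.h>
+# include <sys/cmn_err.h>
+# endif
+# include <sys/protosw.h>
+# include <sys/socket.h>
+# include <net/if.h>
+# ifdef sun
+# include <net/af.h>
+# endif
+# if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+# endif
+# include <net/route.h>
+# include <netinet/in.h>
+# include <netinet/in_var.h>
+# include <netinet/in_systm.h>
+# include <netinet/ip.h>
+# include <netinet/ip_var.h>
+# include <netinet/tcp.h>
+# include <netinet/udp.h>
+# include <netinet/tcpip.h>
+# include <netinet/ip_icmp.h>
+# ifndef _KERNEL
+# include <syslog.h>
+# endif
+# include "netinet/ip_compat.h"
+# include "netinet/ip_fil.h"
+# include "netinet/ip_proxy.h"
+# include "netinet/ip_nat.h"
+# include "netinet/ip_frag.h"
+# include "netinet/ip_state.h"
+# include "netinet/ip_auth.h"
+# ifndef MIN
+# define MIN(a,b) (((a)<(b))?(a):(b))
+# endif
+#if SOLARIS
+extern kmutex_t ipl_mutex;
+extern kcondvar_t iplwait;
+#endif
+iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
+int iplused[IPL_LOGMAX+1];
+u_long iplcrc[IPL_LOGMAX+1];
+u_long iplcrcinit;
+/*
+* Initialise log buffers & pointers. Also iniialised the CRC to a local
+* secret for use in calculating the "last log checksum".
+*/
+void ipflog_init()
+{
+struct timeval tv;
+int i;
+for (i = IPL_LOGMAX; i >= 0; i--) {
+iplt[i] = NULL;
+iplh[i] = &iplt[i];
+iplused[i] = 0;
+}
+# if BSD >= 199306 || defined(__FreeBSD__)
+microtime(&tv);
+# else
+uniqtime(&tv);
+# endif
+iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec;
+}
+/*
+* ipflog
+* Create a log record for a packet given that it has been triggered by a
+* rule (or the default setting). Calculate the transport protocol header
+* size using predetermined size of a couple of popular protocols and thus
+* how much data to copy into the log, including part of the data body if
+* requested.
+*/
+int ipflog(flags, ip, fin, m)
+u_int flags;
+ip_t *ip;
+fr_info_t *fin;
+mb_t *m;
+{
+ipflog_t ipfl;
+register int mlen, hlen;
+u_long crc;
+size_t sizes[2];
+void *ptrs[2];
+int types[2];
+# if SOLARIS
+ill_t *ifp = fin->fin_ifp;
+# else
+struct ifnet *ifp = fin->fin_ifp;
+# endif
+/*
+* calculate header size.
+*/
+hlen = fin->fin_hlen;
+if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
+hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
+else if (ip->ip_p == IPPROTO_ICMP) {
+struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
+/*
+* For ICMP, if the packet is an error packet, also include
+* the information about the packet which caused the error.
+*/
+switch (icmp->icmp_type)
+{
+case ICMP_UNREACH :
+case ICMP_SOURCEQUENCH :
+case ICMP_REDIRECT :
+case ICMP_TIMXCEED :
+case ICMP_PARAMPROB :
+hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
+break;
+default :
+hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
+break;
+}
+}
+/*
+* Get the interface number and name to which this packet is
+* currently associated.
+*/
+# if SOLARIS
+ipfl.fl_unit = (u_char)ifp->ill_ppa;
+bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
+mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
+# else
+# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
+strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
+# else
+ipfl.fl_unit = (u_char)ifp->if_unit;
+if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
+if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
+if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
+ipfl.fl_ifname[3] = ifp->if_name[3];
+# endif
+mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
+# endif
+ipfl.fl_plen = (u_char)mlen;
+ipfl.fl_hlen = (u_char)hlen;
+ipfl.fl_rule = fin->fin_rule;
+ipfl.fl_flags = flags;
+ptrs[0] = (void *)&ipfl;
+sizes[0] = sizeof(ipfl);
+types[0] = 0;
+#if SOLARIS
+/*
+* Are we copied from the mblk or an aligned array ?
+*/
+if (ip == (ip_t *)m->b_rptr) {
+ptrs[1] = m;
+sizes[1] = hlen + mlen;
+types[1] = 1;
+} else {
+ptrs[1] = ip;
+sizes[1] = hlen + mlen;
+types[1] = 0;
+}
+#else
+ptrs[1] = m;
+sizes[1] = hlen + mlen;
+types[1] = 1;
+#endif
+crc = (ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit;
+return ipllog(IPL_LOGIPF, crc, ptrs, sizes, types, 2);
+}
+/*
+* ipllog
+*/
+int ipllog(dev, crc, items, itemsz, types, cnt)
+int dev;
+u_long crc;
+void **items;
+size_t *itemsz;
+int *types, cnt;
+{
+iplog_t *ipl;
+caddr_t buf, s;
+int len, i;
+/*
+* Check to see if this log record has a CRC which matches the last
+* record logged. If it does, just up the count on the previous one
+* rather than create a new one.
+*/
+if (crc) {
+MUTEX_ENTER(&ipl_mutex);
+if ((iplcrc[dev] == crc) && *iplh[dev]) {
+(*iplh[dev])->ipl_count++;
+MUTEX_EXIT(&ipl_mutex);
+return 1;
+}
+iplcrc[dev] = crc;
+MUTEX_EXIT(&ipl_mutex);
+}
+/*
+* Get the total amount of data to be logged.
+*/
+for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
+len += itemsz[i];
+/*
+* check that we have space to record this information and can
+* allocate that much.
+*/
+KMALLOC(buf, caddr_t, len);
+if (!buf)
+return 0;
+MUTEX_ENTER(&ipl_mutex);
+if ((iplused[dev] + len) > IPLLOGSIZE) {
+MUTEX_EXIT(&ipl_mutex);
+KFREES(buf, len);
+return 0;
+}
+iplused[dev] += len;
+MUTEX_EXIT(&ipl_mutex);
+/*
+* advance the log pointer to the next empty record and deduct the
+* amount of space we're going to use.
+*/
+ipl = (iplog_t *)buf;
+ipl->ipl_count = 1;
+ipl->ipl_next = NULL;
+ipl->ipl_dsize = len;
+# if SOLARIS
+uniqtime((struct timeval *)&ipl->ipl_sec);
+# else
+# ifdef sun
+uniqtime((struct timeval *)&ipl->ipl_sec);
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+microtime((struct timeval *)&ipl->ipl_sec);
+# endif
+# endif
+/*
+* Loop through all the items to be logged, copying each one to the
+* buffer. Use bcopy for normal data or the mb_t copyout routine.
+*/
+for (i = 0, s = buf + sizeof(*ipl); i < cnt; i++) {
+if (types[i] == 0)
+bcopy(items[i], s, itemsz[i]);
+else if (types[i] == 1) {
+# if SOLARIS
+copyout_mblk(items[i], 0, itemsz[i], s);
+# else
+m_copydata(items[i], 0, itemsz[i], s);
+# endif
+}
+s += itemsz[i];
+}
+MUTEX_ENTER(&ipl_mutex);
+*iplh[dev] = ipl;
+iplh[dev] = &ipl->ipl_next;
+# if SOLARIS
+cv_signal(&iplwait);
+mutex_exit(&ipl_mutex);
+# else
+wakeup(iplh[dev]);
+# endif
+return 1;
+}
+int ipflog_read(unit, uio)
+int unit;
+struct uio *uio;
+{
+iplog_t *ipl;
+int error = 0, dlen;
+# if defined(_KERNEL) && !SOLARIS
+int s;
+# endif
+/*
+* Sanity checks. Make sure the minor # is valid and we're copying
+* a valid chunk of data.
+*/
+if ((IPL_LOGMAX < unit) || (unit < 0))
+return ENXIO;
+if (!uio->uio_resid)
+return 0;
+if ((uio->uio_resid < sizeof(iplog_t)) ||
+(uio->uio_resid > IPLLOGSIZE))
+return EINVAL;
+/*
+* Lock the log so we can snapshot the variables. Wait for a signal
+* if the log is empty.
+*/
+SPLNET(s);
+MUTEX_ENTER(&ipl_mutex);
+# if SOLARIS && defined(_KERNEL)
+while (!iplused[unit])
+if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
+MUTEX_EXIT(&ipl_mutex);
+return EINTR;
+}
+# else
+while (!iplused[unit]) {
+SPLX(s);
+error = SLEEP(iplh[unit], "ipl sleep");
+if (error)
+return error;
+SPLNET(s);
+}
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+uio->uio_rw = UIO_READ;
+# endif
+while ((ipl = iplt[unit])) {
+dlen = ipl->ipl_dsize;
+if (dlen + sizeof(iplog_t) > uio->uio_resid)
+break;
+/*
+* Don't hold the mutex over the uiomove call.
+*/
+iplt[unit] = ipl->ipl_next;
+MUTEX_EXIT(&ipl_mutex);
+SPLX(s);
+error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio);
+KFREES((caddr_t)ipl, ipl->ipl_dsize);
+if (error)
+break;
+SPLNET(s);
+MUTEX_ENTER(&ipl_mutex);
+iplused[unit] -= dlen;
+}
+if (!ipl)
+iplh[unit] = &iplt[unit];
+if (!error) {
+MUTEX_EXIT(&ipl_mutex);
+SPLX(s);
+}
+return error;
+}
+int ipflog_clear(unit)
+int unit;
+{
+iplog_t *ipl;
+int used;
+while ((ipl = iplt[unit])) {
+iplt[unit] = ipl->ipl_next;
+KFREES((caddr_t)ipl, ipl->ipl_dsize);
+}
+iplh[unit] = &iplt[unit];
+used = iplused[unit];
+iplused[unit] = 0;
+iplcrc[unit] = 0;
+return used;
+}
+#endif /* IPFILTER_LOG */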
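Review bot: In ipllog the non-Solaris branch calls `wakeup(iplh[dev])` right after `iplh[dev] = &ipl->ipl_next;`, so it wakes on the new tail address, while ipflog_read blocks with `SLEEP(iplh[unit], "ipl sleep")` at a time when the log is empty and `iplh[unit]` still equals `&iplt[unit]`; the two channels differ, so a reader waiting on an empty log is not woken by the record that fills it. Sleeping and waking on the address of the slot itself, `SLEEP(&iplh[unit], "ipl sleep")` and `wakeup(&iplh[dev])`, keeps the channel stable; that same `#else` branch also has no `MUTEX_EXIT(&ipl_mutex)` to pair with the preceding `MUTEX_ENTER`, unlike the Solaris branch's `mutex_exit`, which is only harmless if the BSD macros expand to nothing (ip_compat.h is not on this page). The duplicate-suppression test `iplcrc[dev] == crc` works on `(ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit`, and because iplcrcinit is the same constant added to every value, two packets are merged into the previous record's count whenever their 16-bit fin checksums agree, so the time-derived "secret" from ipflog_init adds no discrimination and the log can under-report distinct packets; a comment such as `/* best-effort de-dup on a 16-bit checksum: distinct packets may coalesce */` would make that audit limitation explicit. In the NetBSD branch of ipflog, `strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ)` writes IFNAMSIZ bytes whereas the other branches only ever touch `fl_ifname[0..3]`; if fl_ifname is a four-byte field (its definition is not on this page) that copy overruns it.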


@ -2,7 +2,8 @@
.SH NAME
ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <sys/ip_fil.h>
#include <netinet/ip_compat.h>
#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
To add and delete rules to the filter list, three 'basic' ioctls are provided
@ -41,10 +42,17 @@ which it is inserted is stored in the "fr_hits" field, below.
.nf
typedef struct frentry {
struct frentry *fr_next;
u_short fr_group; /* group to which this rule belongs */
u_short fr_head; /* group # which this rule starts */
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
struct ifnet *fr_ifa;
u_long fr_hits;
u_long fr_bytes; /* this is only incremented when a packet */
/* stops matching on this rule */
/*
* These are only incremented when a packet matches this rule and
* it is the last match
*/
U_QUAD_T fr_hits;
U_QUAD_T fr_bytes;
/*
* Fields after this may not change whilst in the kernel.
*/
@ -64,6 +72,7 @@ typedef struct frentry {
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
int fr_skip; /* # of rules to skip */
int (*fr_func)(); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
@ -81,26 +90,31 @@ be put in the "fr_hits" field (the first rule is number 0).
Flags which are recognised in fr_pass:
.nf
FR_BLOCK 0x00001 /* do not allow packet to pass */
FR_PASS 0x00002 /* allow packet to pass */
FR_OUTQUE 0x00004 /* outgoing packets */
FR_INQUE 0x00008 /* ingoing packets */
FR_LOG 0x00010 /* Log */
FR_LOGP 0x00011 /* Log-pass */
FR_LOGB 0x00012 /* Log-fail */
FR_LOGBODY 0x00020 /* log the body of packets too */
FR_LOGFIRST 0x00040 /* log only the first packet to match */
FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
FR_NOMATCH 0x00200 /* no match occured */
FR_ACCOUNT 0x00400 /* count packet bytes */
FR_KEEPFRAG 0x00800
FR_KEEPSTATE 0x01000 /* keep packet flow state information */
FR_INACTIVE 0x02000
FR_QUICK 0x04000 /* quick-match and return */
FR_FASTROUTE 0x08000
FR_CALLNOW 0x10000
FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
FR_BLOCK 0x000001 /* do not allow packet to pass */
FR_PASS 0x000002 /* allow packet to pass */
FR_OUTQUE 0x000004 /* outgoing packets */
FR_INQUE 0x000008 /* ingoing packets */
FR_LOG 0x000010 /* Log */
FR_LOGP 0x000011 /* Log-pass */
FR_LOGB 0x000012 /* Log-fail */
FR_LOGBODY 0x000020 /* log the body of packets too */
FR_LOGFIRST 0x000040 /* log only the first packet to match */
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_NOMATCH 0x000200 /* no match occured */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
FR_KEEPSTATE 0x001000 /* keep `connection' state information */
FR_INACTIVE 0x002000
FR_QUICK 0x004000 /* match & stop processing list */
FR_FASTROUTE 0x008000 /* bypass normal routing */
FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
FR_DUP 0x020000 /* duplicate the packet */
FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
FR_NOTSRCIP 0x080000 /* not the src IP# */
FR_NOTDSTIP 0x100000 /* not the dst IP# */
FR_AUTH 0x200000 /* use authentication */
FR_PREAUTH 0x400000 /* require preauthentication */
.fi
.PP
@ -134,8 +148,10 @@ Takes an unsigned integer as the parameter. The flags are then set to
those provided (clearing/setting all in one).
.nf
FF_LOGPASS 1
FF_LOGBLOCK 2
FF_LOGPASS 0x10000000
FF_LOGBLOCK 0x20000000
FF_LOGNOMATCH 0x40000000
FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
.fi
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter. A copy of the
@ -149,10 +165,14 @@ through the kernel. To retrieve this structure, use this ioctl:
ioctl(fd, SIOCGETFS, struct friostat *)
struct friostat {
struct filterstats f_st[2];
struct frentry *f_fin;
struct frentry *f_fout;
struct friostat {
struct filterstats f_st[2];
struct frentry *f_fin[2];
struct frentry *f_fout[2];
struct frentry *f_acctin[2];
struct frentry *f_acctout[2];
struct frentry *f_auth;
int f_active;
};
struct filterstats {
@ -172,6 +192,7 @@ struct filterstats {
u_long fr_bads; /* bad attempts to allocate packet state */
u_long fr_ads; /* new packet state kept */
u_long fr_chit; /* cached hit */
u_long fr_pull[2]; /* good and bad pullup attempts */
#if SOLARIS
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */


@ -18,28 +18,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
described using the following grammar in BNF:
\fC
.nf
filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
insert = "@" decnumber .
action = block | "pass" | log | "count" | skip | "auth" | "preauth" | call .
action = block | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
match = [ tos ] [ ttl ] [ proto ] [ ip ] .
keep = "keep state" | "keep frags" .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
call = "call" [ "now" ] function-name .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
@ -48,11 +46,11 @@ object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep = "keep" "state" | "keep" "frags" .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@ -73,16 +71,16 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
"visa" | "imitd" | "eip" | "finn" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
"addext" | "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
"le" | "ge" .
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
"gt" | "le" | "ge" .
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
@ -95,19 +93,10 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
.SH FILTER RULES
.PP
The "briefest" valid rules are (currently) no-ops and are of the form:
.nf
block in
pass in
log in
count in
.fi
.PP
These are supposed to be the same as, but currently differ from:
.\" XXX How, why do they differ??
.nf
block in all
pass in from any to any
log in all
pass in all
log out all
count in all
.fi
.PP
@ -154,6 +143,12 @@ must conform to a specific calling interface. Customised actions and
semantics can thus be implemented to supplement those available. This
feature is for use by knowledgeable hackers, and is not currently
documented.
.TP
.B "skip <n>"
.TP
.B auth
.TP
.B preauth
.PP
The next word must be either \fBin\fP or \fBout\fP. Each packet
moving through the kernel is either inbound (just been received on an
@ -222,7 +217,6 @@ packets with different Type-Of-Service values can be filtered.
Individual service levels or combinations can be filtered upon. The
value for the TOS mask can either be represented as a hex number or a
decimal integer value.
.\" XXX TOS mask?? not in grammar!
.TP
.B ttl
packets may also be selected by their Time-To-Live value. The value given in
@ -357,8 +351,9 @@ with which they are associated can be used. The most important from
a security point of view is the ICMP redirect.
.SH KEEP HISTORY
.PP
The last parameter which can be set for a filter rule is whether on not to
record historical information for that packet, and what sort to keep. The following information can be kept:
The second last parameter which can be set for a filter rule is whether on not
to record historical information for that packet, and what sort to keep. The
following information can be kept:
.TP
.B state
keeps information about the flow of a communication session. State can
@ -370,6 +365,23 @@ fragments.
.PP
allowing packets which match these to flow straight through, rather
than going through the access control list.
.SH GROUPS
The last pair of parameters control filter rule "grouping". By default, all
filter rules are placed in group 0 if no other group is specified. To add a
rule to a non-default group, the group must first be started by creating a
group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
group, the filter processing then switches to the group, using that rule as
the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
processing isn't stopped until it has returned from processing the group.
.PP
A rule may be both the head for a new group and a member of a non-default
group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
.TP
.B "head <n>"
indicates that a new group (number n) should be created.
.TP
.B "group <n>"
indicates that the rule should be put in group (number n) rather than group 0.
.SH LOGGING
.PP
When a packet is logged, with either the \fBlog\fP action or option,
@ -428,7 +440,42 @@ rule such as:
pass in quick from any to any port < 1024
.fi
.PP
would be needed before the first block.
would be needed before the first block. To create a new group for
processing all inbould packets on le0/le1/lo0, with the default being to block
all inbound packets, we would do something like:
.LP
.nf
block in all
block in on le0 quick all head 100
block in on le1 quick all head 200
block in on lo0 quick all head 300
.fi
.PP
and to then allow ICMP packets in on le0, only, we would do:
.LP
.nf
pass in proto icmp all group 100
.fi
.PP
Note that because only inbound packets on le0 are used processed by group 100,
there is no need to respecify the interface name. Likewise, we could further
breakup processing of TCP, etc, as follows:
.LP
.nf
block in proto tcp all head 110 group 100
pass in from any to any port = 23 group 110
.fi
.PP
and so on. The last line, if written without the groups would be:
.LP
.nf
pass in on le0 proto tcp from any to any port = telnet
.fi
.PP
Note, that if we wanted to say "port = telnet", "proto tcp" would
need to be specified as the parser interprets each rule on its own and
qualifies all service/port names with the protocol specified.
.SH FILES
/etc/services
.br


@ -87,8 +87,8 @@ recognised as IP packets. They will be printed out on the console.
Turn verbose mode on. Displays information relating to rule processing.
.TP
.B \-y
(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
by IP Filter with the current interface status list.
Manually resync the in-kernel interface list maintained by IP Filter with
the current interface status list.
.TP
.B \-z
For each rule in the input file, reset the statistics for it to zero and


@ -1,4 +1,4 @@
/* $NetBSD: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $ */
/* $NetBSD: ipf.h,v 1.1.1.6 1997/09/21 16:47:51 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -8,7 +8,7 @@
* to the original author and the contributors.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $
* Id: ipf.h,v 2.0.2.9 1997/08/26 12:52:46 darrenr Exp
*/
#ifndef __IPF_H__
@ -36,6 +36,7 @@
#define OPT_ZERORULEST 0x10000
#define OPT_SAVEOUT 0x20000
#define OPT_AUTHSTATS 0x40000
#define OPT_RAW 0x80000
#ifndef __P
# ifdef __STDC__
@ -60,7 +61,7 @@ struct ipopt_names {
};
extern u_32_t buildopts __P((char *, char *));
extern u_32_t buildopts __P((char *, char *, int));
extern u_32_t hostnum __P((char *, int *));
extern u_32_t optname __P((char ***, u_short *));
extern void printpacket __P((struct ip *));


@ -1,4 +1,4 @@
/* $NetBSD: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $ */
/* $NetBSD: opt.c,v 1.1.1.6 1997/09/21 16:47:50 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -9,6 +9,7 @@
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@ -19,12 +20,13 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/ip_compat.h>
#include "ipf.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $";
static char rcsid[] = "Id: opt.c,v 2.0.2.7 1997/09/10 13:08:23 darrenr Exp ";
#endif
extern int opts;
@ -65,7 +67,9 @@ struct ipopt_names secclass[] = {
{ 0, 0, 0, NULL } /* must be last */
};
static u_char seclevel __P((char *));
int addipopt __P((char *, struct ipopt_names *, int, char *));
static u_char seclevel(slevel)
char *slevel;
@ -84,14 +88,70 @@ char *slevel;
}
u_32_t buildopts(cp, op)
int addipopt(op, io, len, class)
char *op;
struct ipopt_names *io;
int len;
char *class;
{
int olen = len;
struct in_addr ipadr;
u_short val;
u_char lvl;
char *s;
if ((len + io->on_siz) > 48) {
fprintf(stderr, "options too long\n");
return 0;
}
len += io->on_siz;
*op++ = io->on_value;
if (io->on_siz > 1) {
s = op;
*op++ = io->on_siz;
*op++ = IPOPT_MINOFF;
if (class) {
switch (io->on_value)
{
case IPOPT_SECURITY :
lvl = seclevel(class);
*(op - 1) = lvl;
break;
case IPOPT_LSRR :
case IPOPT_SSRR :
ipadr.s_addr = inet_addr(class);
s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
bcopy((char *)&ipadr, op, sizeof(ipadr));
break;
case IPOPT_SATID :
val = atoi(class);
bcopy((char *)&val, op, 2);
break;
}
}
op += io->on_siz - 3;
if (len & 3) {
*op++ = IPOPT_NOP;
len++;
}
}
if (opts & OPT_DEBUG)
fprintf(stderr, "bo: %s %d %#x: %d\n",
io->on_name, io->on_value, io->on_bit, len);
return len - olen;
}
u_32_t buildopts(cp, op, len)
char *cp, *op;
int len;
{
struct ipopt_names *io;
u_char lvl;
u_32_t msk = 0;
char *s, *t;
int len = 0;
int inc;
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
if ((t = strchr(s, '=')))
@ -99,30 +159,10 @@ char *cp, *op;
for (io = ionames; io->on_name; io++) {
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
continue;
if ((len + io->on_siz) > 48) {
fprintf(stderr, "options too long\n");
return 0;
if ((inc = addipopt(op, io, len, t))) {
op += inc;
len += inc;
}
len += io->on_siz;
*op++ = io->on_value;
if (io->on_siz > 1) {
*op++ = io->on_siz;
*op++ = IPOPT_MINOFF;
if (t && !strcasecmp(s, "sec-class")) {
lvl = seclevel(t);
*(op - 1) = lvl;
}
op += io->on_siz - 3;
if (len & 3) {
*op++ = IPOPT_NOP;
len++;
}
}
if (opts & OPT_DEBUG)
fprintf(stderr, "bo: %s %d %#x: %d\n",
io->on_name, io->on_value,
io->on_bit, len);
msk |= io->on_bit;
break;
}
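Review bot: The length guard in addipopt, `if ((len + io->on_siz) > 48)`, admits up to 48 option bytes, but an IPv4 header is at most 60 bytes and ip_hl is a 4-bit field, so the option area can hold at most 40; the ipft_tx.c hunk in this commit then does `ip->ip_hl += olen >> 2`, where the excess wraps silently. The bound should be `if ((len + io->on_siz) > 40)` (the size of the buffer behind `op` is not on this page, so confirm it is at least 40). In the IPOPT_LSRR/IPOPT_SSRR case `inet_addr(class)` is not checked: a malformed address yields INADDR_NONE and 0xffffffff is copied into the option with no diagnostic, so test the result against `INADDR_NONE` and report it the way the length overflow is reported. The IPOPT_SATID case uses `atoi(class)`, which accepts any text and gives no error, and the switch has no default; `strtol` with an end-pointer check would match the rest of the parser's error handling. The following buildopts hunk starts and ends inside that function.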


@ -4,7 +4,7 @@ ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
.B ipfstat
[
.B \-hIinov
.B \-aAfhIinosv
] [
.B \-d
<device>
@ -24,6 +24,9 @@ accumulated over time as the kernel has put packets through the filter.
.B \-a
Display the accounting filter list and show bytes counted against each rule.
.TP
.B \-A
Display packet authentication statistics.
.TP
.BR \-d \0<device>
Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
.TP
@ -68,6 +71,6 @@ kernel.
.br
/vmunix
.SH SEE ALSO
ipf(1), ipfstat(1)
ipf(1)
.SH BUGS
none known.


@ -1,4 +1,4 @@
/* $NetBSD: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $ */
/* $NetBSD: kmem.c,v 1.1.1.6 1997/09/21 16:47:59 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -22,7 +22,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static char rcsid[] = "$Id: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $";
static char rcsid[] = "Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp ";
#endif
static int kmemfd = -1;


@ -1,4 +1,4 @@
/* $NetBSD: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $ */
/* $NetBSD: kmem.h,v 1.1.1.6 1997/09/21 16:48:00 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -6,7 +6,7 @@
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $
* Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp
*/
#ifndef __KMEM_H__


@ -1,4 +1,4 @@
/* $NetBSD: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $ */
/* $NetBSD: ipft_ef.c,v 1.1.1.6 1997/09/21 16:48:07 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -51,7 +51,7 @@ etherfind -n -t
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static char rcsid[] = "$Id: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $";
static char rcsid[] = "Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp ";
#endif
static int etherf_open __P((char *));


@ -1,4 +1,4 @@
/* $NetBSD: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $ */
/* $NetBSD: ipft_hx.c,v 1.1.1.6 1997/09/21 16:48:13 veego Exp $ */
/*
* (C)opyright 1995 by Darren Reed.
@ -42,7 +42,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static char rcsid[] = "$Id: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $";
static char rcsid[] = "Id: ipft_hx.c,v 2.0.2.5 1997/07/20 11:10:32 darrenr Exp ";
#endif
extern int opts;
@ -113,19 +113,24 @@ int cnt, *dir;
* interpret start of line as possibly "[ifname]" or
* "[in/out,ifname]".
*/
*ifn = NULL;
*dir = 0;
if (ifn)
*ifn = NULL;
if (dir)
*dir = 0;
if ((*buf == '[') && (s = index(line, ']'))) {
t = buf + 1;
if (t - s > 0) {
if ((u = index(t, ',')) && (u < s)) {
u++;
*ifn = u;
if (*t == 'i')
*dir = 0;
else if (*t == 'o')
*dir = 1;
} else
if (ifn)
*ifn = u;
if (dir) {
if (*t == 'i')
*dir = 0;
else if (*t == 'o')
*dir = 1;
}
} else if (ifn)
*ifn = t;
*s++ = '\0';
}
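Review bot: The new `if (ifn)` and `if (dir)` guards sit inside `if (t - s > 0)`, where `t = buf + 1` and `s = index(line, ']')`; if `line` and `buf` point into the same text, `s` always lies after `t` and the difference is negative, so this branch is unreachable and the interface/direction parsing never runs. That comparison looks inverted — `if (s - t > 0)` (or simply `if (s > t)`) would select the case where a ']' follows the '[' — but since `line` and `buf` are declared outside the hunk this should be confirmed against the function header. The guard on `*dir` is also only applied inside the `u < s` case, so the earlier `if (dir) *dir = 0;` reset already covers the `else if (ifn)` path; a one-line comment `/* ifn and dir may be NULL: caller asks only for what it needs */` would record the contract the guards implement. The enclosing function starts and ends outside this hunk.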


@ -1,4 +1,4 @@
/* $NetBSD: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $ */
/* $NetBSD: ipft_pc.c,v 1.1.1.6 1997/09/21 16:48:09 veego Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
@ -33,7 +33,7 @@
#include "pcap.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "$Id: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $";
static char rcsid[] = "Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp ";
#endif
struct llc {


@ -1,4 +1,4 @@
/* $NetBSD: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $ */
/* $NetBSD: ipft_sn.c,v 1.1.1.6 1997/09/21 16:48:06 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -37,7 +37,7 @@
#include "snoop.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char rcsid[] = "$Id: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $";
static char rcsid[] = "Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp ";
#endif
struct llc {


@ -1,4 +1,4 @@
/* $NetBSD: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $ */
/* $NetBSD: ipft_td.c,v 1.1.1.6 1997/09/21 16:48:08 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -60,7 +60,7 @@ tcpdump -nqte
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static char rcsid[] = "$Id: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $";
static char rcsid[] = "Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp ";
#endif
static int tcpd_open __P((char *));


@ -1,4 +1,4 @@
/* $NetBSD: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $ */
/* $NetBSD: ipft_tx.c,v 1.1.1.6 1997/09/21 16:48:10 veego Exp $ */
/*
* (C)opyright 1995 by Darren Reed.
@ -43,7 +43,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static char rcsid[] = "$Id: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $";
static char rcsid[] = "Id: ipft_tx.c,v 2.0.2.7 1997/08/26 12:52:03 darrenr Exp ";
#endif
extern int opts;
@ -328,7 +328,7 @@ int *out;
u_long olen;
cpp++;
olen = buildopts(*cpp, ipopts);
olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
if (olen) {
bcopy(ipopts, (char *)(ip + 1), olen);
ip->ip_hl += olen >> 2;
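Review bot: The new third argument passes buildopts the number of option bytes already present, `(ip->ip_hl - 5) << 2`, but the copy on the following line still targets `(char *)(ip + 1)`, the start of the option area, so any pre-existing options are overwritten rather than appended to; if the argument is meant only as a length cap that deserves a comment, otherwise the destination should be `(char *)(ip + 1) + ((ip->ip_hl - 5) << 2)`. `ip->ip_hl += olen >> 2` discards a remainder when olen is not a multiple of 4 and does not check that the sum stays within the 4-bit field (15), so an oversized option list silently corrupts the header length; and if olen is the total option length rather than the bytes added (buildopts' return value is outside this page), the increment double-counts the existing options. The enclosing function starts and ends outside this hunk.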


@ -1,4 +1,4 @@
/* $NetBSD: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $ */
/* $NetBSD: ipt.h,v 1.1.1.6 1997/09/21 16:48:14 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -6,7 +6,7 @@
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* $Id: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
* Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp
*/
#ifndef __IPT_H__


@ -1,4 +1,4 @@
/* $NetBSD: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $ */
/* $NetBSD: misc.c,v 1.1.1.6 1997/09/21 16:48:11 veego Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
@ -43,7 +43,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static char rcsid[] = "$Id: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $";
static char rcsid[] = "Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp ";
#endif
extern int opts;


@ -1,4 +1,4 @@
/* $NetBSD: pcap.h,v 1.1.1.2 1997/05/27 22:17:14 thorpej Exp $ */
/* $NetBSD: pcap.h,v 1.1.1.3 1997/09/21 16:48:16 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.


@ -1,4 +1,4 @@
/* $NetBSD: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $ */
/* $NetBSD: snoop.h,v 1.1.1.6 1997/09/21 16:48:15 veego Exp $ */
/*
* (C)opyright 1993-1997 by Darren Reed.
@ -13,7 +13,7 @@
/*
* written to comply with the RFC (1761) from Sun.
* $Id: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
* Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp
*/
struct snoophdr {
char s_id[8];


@ -1,11 +1,9 @@
#
# (C)opyright 1993-1996 by Darren Reed.
#
# This code may be freely distributed as long as it retains this notice
# and is not changed in any way. The author accepts no responsibility
# for the use of this software. I hate legaleese, don't you ?
#
# where to put things.
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -26,13 +24,13 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
@(cd ..; make ipftest; )
1 2 3 4 5 6 7 8 9 10 11 14:
@./dotest $@
@/bin/sh ./dotest $@
12:
@./hextest $@
@/bin/sh ./hextest $@
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@./itest $@
@/bin/sh ./itest $@
clean:
/bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/*


@ -4,9 +4,11 @@ ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
.B \-asfnSN
.B \-aFhnNsStvxX
] [
<filename>
.B "\-f <device>"
] [
.B <filename>
]
.SH DESCRIPTION
.LP
@ -20,6 +22,24 @@ via syslog have the day, month and year removed from the message, but the
time (including microseconds), as recorded in the log, is still included.
.SH OPTIONS
.TP
.B \-a
Open all of the device logfiles for reading log entries from. All entries
are displayed to the same output 'device' (stderr or syslog).
.TP
.B "\-f <device>"
specify an alternative device/file from which to read the log information.
.TP
.B \-F
Flush the current packet log buffer. The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.
.TP
.B \-N
Treat the logfile as being composed of NAT log records.
.TP
.B \-s
Packet information read in will be sent through syslogd rather than
saved to a file. The following levels are used:
@ -38,22 +58,17 @@ than pass or block.
\- packets which have been logged and which can be considered
"short".
.TP
.B \-a
Open all of the device logfiles for reading log entries from.
.TP
.B \-f
Flush the current packet log buffer. The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.
.TP
.B \-N
Treat the logfile as being composed of NAT log records.
.TP
.B \-S
Treat the logfile as being composed of state log records.
.TP
.B \-t
read the input file/device in a manner akin to tail(1).
.TP
.B \-x
show the packet data in hex.
.TP
.B \-X
show the log header record data in hex.
.SH DIAGNOSTICS
\fBipmon\fP expects data that it reads to be consistant with how it should be
saved and will abort if it fails an assertion which detects an anomoly in the


@ -2,7 +2,10 @@
.SH NAME
ipnat \- Network Address Translation kernel interface
.SH SYNOPSIS
#include <sys/ip_fil.h>
#include <netinet/ip_compat.h>
#include <netinet/ip_fil.h>
#include <netinet/ip_proxy.h>
#include <netinet/ip_nat.h>
.SH IOCTLS
.PP
To add and delete rules to the NAT list, two 'basic' ioctls are provided


@ -0,0 +1,107 @@
.TH IPRESEND 1
.SH NAME
ipresend \- resend IP packets out to network
.SH SYNOPSIS
.B ipsend
[
.B \-EHPRSTX
] [
.B \-d
<device>
] [
.B \-g
<\fIgateway\fP>
] [
.B \-m
<\fIMTU\fP>
] [
.B \-r
<\fIfilename\fP>
]
.SH DESCRIPTION
.PP
\fBipresend\fP was designed to allow packets to be resent, once captured,
back out onto the network for use in testing. \fIipresend\fP supports a
number of different file formats as input, including saved snoop/tcpdump
binary data.
.SH OPTIONS
.TP
.BR \-d \0<interface>
Set the interface name to be the name supplied. This is useful with the
\fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is not otherwise possible
to associate a packet with an interface. Normal "text packets" can override
this setting.
.TP
.BR \-g \0<gateway>
Specify the hostname of the gateway through which to route packets. This
is required whenever the destination host isn't directly attached to the
same network as the host from which you're sending.
.TP
.BR \-m \0<MTU>
Specify the MTU to be used when sending out packets. This option allows you
to set a fake MTU, allowing the simulation of network interfaces with small
MTU's without setting them so.
.TP
.BR \-r \0<filename>
Specify the filename from which to take input. Default is stdin.
.B \-E
The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following etherfind
option combinations:
.PP
.nf
etherfind -n
etherfind -n -t
.fi
.LP
.TP
.B \-H
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
the IP header.
.TP
.B \-P
The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes).
.TP
.B \-R
When sending packets out, send them out "raw" (the way they came in). The
only real significance here is that it will expect the link layer (i.e.
ethernet) headers to be prepended to the IP packet being output.
.TP
.B \-S
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
most useful input type, currently.
.TP
.B \-T
The input file is to be text output from tcpdump. The text formats which
are currently supported are those which result from the following tcpdump
option combinations:
.PP
.nf
tcpdump -n
tcpdump -nq
tcpdump -nqt
tcpdump -nqtt
tcpdump -nqte
.fi
.LP
.TP
.B \-X
The input file is composed of text descriptions of IP packets.
.TP
.SH FILES
.DT
.SH SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
.PP
Needs to be run as root.
.SH BUGS
.PP
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.
If you find any, please send email to me at darrenr@cyber.com.au


@ -1,20 +1,16 @@
/* $NetBSD: ipresend.c,v 1.1.1.2 1997/05/27 22:18:08 thorpej Exp $ */
/* $NetBSD: ipresend.c,v 1.1.1.3 1997/09/21 16:49:04 veego Exp $ */
/*
* ipsend.c (C) 1995 Darren Reed
* ipresend.c (C) 1995-1997 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
*
* This was written and tested (successfully) on SunOS 4.1.x.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
@ -96,10 +92,10 @@ char **argv;
struct in_addr gwip;
struct ipread *ipr = NULL;
char *name = argv[0], *gateway = NULL, *dev = NULL;
char c, *resend = NULL;
int mtu = 1500;
char *resend = NULL;
int mtu = 1500, c;
while ((c = getopt(argc, argv, "EHPSTXd:g:m:r:")) != -1)
while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1)
switch (c)
{
case 'd' :
@ -118,6 +114,9 @@ char **argv;
case 'r' :
resend = optarg;
break;
case 'R' :
opts |= OPT_RAW;
break;
#ifndef NO_IPF
case 'E' :
ipr = &etherf;


@ -0,0 +1,53 @@
/* $NetBSD: iplang.h,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */
/*
* (C)opyright 1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
typedef struct iface {
int if_MTU;
char *if_name;
struct in_addr if_addr;
struct ether_addr if_eaddr;
struct iface *if_next;
int if_fd;
} iface_t;
typedef struct send {
struct iface *snd_if;
struct in_addr snd_gw;
} send_t;
typedef struct arp {
struct in_addr arp_addr;
struct ether_addr arp_eaddr;
struct arp *arp_next;
} arp_t;
typedef struct aniphdr {
union {
ip_t *ahu_ip;
char *ahu_data;
tcphdr_t *ahu_tcp;
udphdr_t *ahu_udp;
icmphdr_t *ahu_icmp;
} ah_un;
int ah_optlen;
int ah_lastopt;
int ah_p;
size_t ah_len;
struct aniphdr *ah_next;
struct aniphdr *ah_prev;
} aniphdr_t;
#define ah_ip ah_un.ahu_ip
#define ah_data ah_un.ahu_data
#define ah_tcp ah_un.ahu_tcp
#define ah_udp ah_un.ahu_udp
#define ah_icmp ah_un.ahu_icmp
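Review bot: The new header has no include guard, unlike the `__IPT_H__` guard in ipt.h and `_NETINET_TCPIP_H_` in tcpip.h from this same import, so including it twice in one translation unit fails on the redefined typedefs. Wrap the body in `#ifndef __IPLANG_H__` / `#define __IPLANG_H__` ... `#endif /* __IPLANG_H__ */` to match the rest of the tree. It also leans on `ip_t`, `tcphdr_t`, `udphdr_t`, `icmphdr_t` and `struct ether_addr` being declared by whatever is included before it; a short comment at the top naming the prerequisite headers (presumably ip_compat.h and the netinet headers, to be confirmed) would make that contract visible.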


@ -0,0 +1,20 @@
#
interface { ifname le0; mtu 1500; }
ipv4 {
src 10.1.1.49; dst 10.1.1.50; id 123; opt { rr 7; };
tcp {
seq 12345; ack 0; sport 9999; dport 23; flags S;
opt { mss 65535; }; data { value "abcdef"; } ;
}
}
send { via 10.1.1.50; }
#
ipv4 {
src 10.1.1.49; dst 10.1.1.50; id 1; opt { lsrr 1.1.1.1; };
tcp {
seq 12345; ack 0; sport 9999; dport 23; flags S;
opt { wscale 2 ; eol; mss 1; }; data { value "abcdef"; } ;
}
}
send { via 10.1.1.50; }


@ -0,0 +1,246 @@
/* $NetBSD: iplang_l.l,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $ */
%{
/*
* (C)opyright 1997 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* Id: iplang_l.l,v 2.0.2.8 1997/09/13 07:14:23 darrenr Exp
*/
#include <stdio.h>
#include <string.h>
#include <sys/param.h>
#include "y.tab.h"
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
int lineNum = 0, proto = 0, oldproto = 0, next = -1, laststate = 0;
int *prstack = NULL, numpr = 0, state = 0, token = 0;
void push_proto __P((void));
void pop_proto __P((void));
int next_state __P((int, int));
int next_item __P((int));
int save_token __P((void));
void swallow __P((void));
int yylex __P((void));
%}
%%
[ \t\r] ;
\n { lineNum++; swallow(); }
interface |
iface { return next_state(IL_INTERFACE, -1); }
name |
ifname { return next_state(IL_IFNAME, IL_TOKEN); }
router { return next_state(IL_DEFROUTER, IL_TOKEN); }
mtu { return next_state(IL_MTU, IL_NUMBER); }
eaddr { return next_state(IL_EADDR, IL_TOKEN); }
v4addr { return next_state(IL_V4ADDR, IL_TOKEN); }
ipv4 { return next_state(IL_IPV4, -1); }
v { return next_state(IL_V4V, IL_TOKEN); }
proto { return next_state(IL_V4PROTO, IL_TOKEN); }
hl { return next_state(IL_V4HL, IL_TOKEN); }
id { return next_state(IL_V4ID, IL_TOKEN); }
ttl { return next_state(IL_V4TTL, IL_TOKEN); }
tos { return next_state(IL_V4TOS, IL_TOKEN); }
src { return next_state(IL_V4SRC, IL_TOKEN); }
dst { return next_state(IL_V4DST, IL_TOKEN); }
opt { return next_state(IL_OPT, -1); }
len { return next_state(IL_LEN, IL_TOKEN); }
off { return next_state(IL_OFF, IL_TOKEN); }
sum { return next_state(IL_SUM, IL_TOKEN); }
tcp { return next_state(IL_TCP, -1); }
sport { return next_state(IL_SPORT, IL_TOKEN); }
dport { return next_state(IL_DPORT, IL_TOKEN); }
seq { return next_state(IL_TCPSEQ, IL_TOKEN); }
ack { return next_state(IL_TCPACK, IL_TOKEN); }
flags { return next_state(IL_TCPFL, IL_TOKEN); }
urp { return next_state(IL_TCPURP, IL_TOKEN); }
win { return next_state(IL_TCPWIN, IL_TOKEN); }
udp { return next_state(IL_UDP, -1); }
send { return next_state(IL_SEND, -1); }
via { return next_state(IL_VIA, IL_TOKEN); }
arp { return next_state(IL_ARP, -1); }
data { return next_state(IL_DATA, -1); }
value { return next_state(IL_DVALUE, IL_TOKEN); }
file { return next_state(IL_DFILE, IL_TOKEN); }
nop { return next_state(IL_IPO_NOP, -1); }
eol { return next_state(IL_IPO_EOL, -1); }
rr { return next_state(IL_IPO_RR, -1); }
zsu { return next_state(IL_IPO_ZSU, -1); }
mtup { return next_state(IL_IPO_MTUP, -1); }
mtur { return next_state(IL_IPO_MTUR, -1); }
encode { return next_state(IL_IPO_ENCODE, -1); }
ts { return next_state(IL_IPO_TS, -1); }
tr { return next_state(IL_IPO_TR, -1); }
sec { return next_state(IL_IPO_SEC, -1); }
secclass { return next_state(IL_IPO_SECCLASS, IL_TOKEN); }
lsrr { return next_state(IL_IPO_LSRR, -1); }
esec { return next_state(IL_IPO_ESEC, -1); }
cipso { return next_state(IL_IPO_CIPSO, -1); }
satid { return next_state(IL_IPO_SATID, -1); }
ssrr { return next_state(IL_IPO_SSRR, -1); }
addext { return next_state(IL_IPO_ADDEXT, -1); }
visa { return next_state(IL_IPO_VISA, -1); }
imitd { return next_state(IL_IPO_IMITD, -1); }
eip { return next_state(IL_IPO_EIP, -1); }
finn { return next_state(IL_IPO_FINN, -1); }
mss { return next_state(IL_TCPO_MSS, IL_TOKEN); }
wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); }
reserv-4 { return next_state(IL_IPS_RESERV4, -1); }
topsecret { return next_state(IL_IPS_TOPSECRET, -1); }
secret { return next_state(IL_IPS_SECRET, -1); }
reserv-3 { return next_state(IL_IPS_RESERV3, -1); }
confid { return next_state(IL_IPS_CONFID, -1); }
unclass { return next_state(IL_IPS_UNCLASS, -1); }
reserv-2 { return next_state(IL_IPS_RESERV2, -1); }
reserv-1 { return next_state(IL_IPS_RESERV1, -1); }
\{ { push_proto(); return next_item(IL_LBRACE); }
\} { pop_proto(); return next_item(IL_RBRACE); }
\. { return next_item(IL_DOT); }
; { return next_item(IL_SEMICOLON); }
[0-9]+ { return next_item(IL_NUMBER); }
[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
: { return next_item(IL_COLON); }
#[^\n]* { return next_item(IL_COMMENT); }
[^ {}\n\t;]* { return next_item(IL_TOKEN); }
\"[^\"]*\" { return next_item(IL_TOKEN); }
%%
void push_proto()
{
numpr++;
if (!prstack)
prstack = (int *)malloc(sizeof(int));
else
prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
prstack[numpr - 1] = oldproto;
}
void pop_proto()
{
numpr--;
proto = prstack[numpr];
if (!numpr) {
free(prstack);
prstack = NULL;
return;
}
prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
}
int save_token()
{
static char *buf = NULL;
if (buf && (buf == yylval.str))
free(buf);
buf = yylval.str = strdup(yytext);
return IL_TOKEN;
}
int next_item(nstate)
int nstate;
{
if (next == IL_TOKEN) {
next = -1;
return save_token();
}
next = -1;
if (nstate == IL_NUMBER)
yylval.num = atoi(yytext);
token++;
return nstate;
}
int next_state(nstate, fornext)
int nstate, fornext;
{
token++;
if (next == IL_TOKEN) {
next = -1;
return save_token();
}
next = fornext;
switch (nstate)
{
case IL_IPV4 :
case IL_TCP :
case IL_UDP :
case IL_ICMP :
case IL_DATA :
case IL_INTERFACE :
case IL_ARP :
oldproto = proto;
proto = nstate;
break;
case IL_SUM :
if (proto == IL_IPV4)
nstate = IL_V4SUM;
else if (proto == IL_TCP)
nstate = IL_TCPSUM;
else if (proto == IL_UDP)
nstate = IL_UDPSUM;
break;
case IL_OPT :
if (proto == IL_IPV4)
nstate = IL_V4OPT;
else if (proto == IL_TCP)
nstate = IL_TCPOPT;
break;
case IL_IPO_NOP :
if (proto == IL_TCP)
nstate = IL_TCPO_NOP;
break;
case IL_IPO_EOL :
if (proto == IL_TCP)
nstate = IL_TCPO_EOL;
break;
case IL_IPO_TS :
if (proto == IL_TCP)
nstate = IL_TCPO_TS;
break;
case IL_OFF :
if (proto == IL_IPV4)
nstate = IL_V4OFF;
else if (proto == IL_TCP)
nstate = IL_TCPOFF;
break;
case IL_LEN :
if (proto == IL_IPV4)
nstate = IL_V4LEN;
else if (proto == IL_UDP)
nstate = IL_UDPLEN;
break;
}
return nstate;
}
void swallow()
{
int c = input();
if (c == '#') {
while ((c != '\n') && (c != EOF))
c = input();
}
unput(c);
}
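Review bot: pop_proto() has no guard against an unbalanced `}` in the input: with numpr already 0, `numpr--` yields -1, `prstack[numpr]` reads before the start of the buffer, and the realloc() that follows is asked for a negative size converted to size_t. A leading `if (numpr <= 0) return;` (ideally paired with a parse error) closes that hole, and both push_proto() and pop_proto() should check the malloc()/realloc() result before storing through prstack. Separately, the `wscale` rule returns IL_TCPO_MSS, the same token as `mss`, which looks like a copy-paste slip if the grammar defines a distinct window-scale token; the grammar file is not in view, so please confirm.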



@ -0,0 +1,102 @@
.TH IPSEND 1
.SH NAME
ipsend \- sends IP packets
.SH SYNOPSIS
.B ipsend
[
.B \-ITU
] [
.B \-d
<interface>
] [
.B \-f
<\fIoffset\fP>
] [
.B \-g
<\fIgateway\fP>
] [
.B \-m
<\fIMTU\fP>
] [
.B \-o
<\fIoption\fP>
] [
.B \-P
<protocol>
] [
.B \-s
<\fIsource\fP>
] [
.B \-t
<\fIdest. port\fP>
] [
.B \-w
<\fIwindow\fP>
] <destination> [TCP-flags]
.SH DESCRIPTION
.PP
\fBipsend\fP can be compiled in two ways. The first is used to send one-off
packets to a destination host, using command line options to specify various
attributes present in the headers. The \fIdestination\fP must be given as
the last command line option, except for when TCP flags are specified as
a combination of A, S, F, U, P and R, last.
.PP
The other way it may be compiled, with DOSOCKET defined, is to allow an
attempt at making a TCP connection using a with ipsend resending the SYN
packet as per the command line options.
.SH OPTIONS
.TP
.BR \-d \0<interface>
Set the interface name to be the name supplied.
.TP
.BR \-f \0<offset>
The \fI-f\fP allows the IP offset field in the IP header to be set to an
arbitrary value, which can be specified in decimal or hexidecimal.
.TP
.BR \-g \0<gateway>
Specify the hostname of the gateway through which to route packets. This
is required whenever the destination host isn't directly attached to the
same network as the host from which you're sending.
.TP
.BR \-m \0<MTU>
Specify the MTU to be used when sending out packets. This option allows you
to set a fake MTU, allowing the simulation of network interfaces with small
MTU's without setting them so.
.TP
.BR \-o \0<option>
Specify options to be included at the end of the IP header. An EOL option
is automatically appended and need not be given. If an option would also
have data associated with it (source as an IP# for a lsrr option), then
this will not be initialised.
.TP
.BR \-s \0<source>
Set the source address in the packet to that provided - maybe either a
hostname or IP#.
.TP
.BR \-t \0<dest. port>
Set the destination port for TCP/UDP packets.
.TP
.BR \-w \0<window>
Set the window size for TCP packets.
.TP
.B \-I
Set the protocol to ICMP.
.TP
.B \-P <protocol>
Set the protocol to the value given. If the parameter is a name, the name
is looked up in the \fI/etc/protocols\fP file.
.TP
.B \-T
Set the protocol to TCP.
.TP
.B \-U
Set the protocol to UDP.
.DT
.SH SEE ALSO
ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
.PP
Needs to be run as root.
.SH BUGS
.PP
If you find any, please send email to me at darrenr@cyber.com.au


@ -0,0 +1,236 @@
.TH IPSEND 5
.SH NAME
ipsend \- IP packet description language
.SH DESCRIPTION
The \fBipsend\fP program expects, with the \fB-L\fP option, input to be a
text file which fits the grammar described below. The purpose of this
grammar is to allow IP packets to be described in an arbitary way which
also allows encapsulation to be so done to an arbitary level.
.SH GRAMMAR
.LP
.nf
line ::= iface | arp | send | defrouter | ipv4line .
iface ::= ifhdr "{" ifaceopts "}" .
ifhdr ::= "interface" | "iface" .
ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr | "eaddr" eaddr .
send ::= "send" ";" | "send" "{" sendbodyopts "}" .
sendbodyopts ::= sendbody [ sendbodyopts ] .
sendbody ::= "ifname" name | "via" ipaddr .
defrouter ::= "router" ipaddr .
arp ::= "arp" "{" arpbodyopts "}" .
arpbodyopts ::= arpbody [ arpbodyopts ] .
arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
ipv4line ::= "ipv4" "{" ipv4bodyopts "}" .
ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] .
ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
"off" number | "v" number | "hl" number| "id" number |
"ttl" number | "tos" number | "sum" number | "len" number |
"opt" "{" ipv4optlist "}" | tcpline | udpline | icmpline |
ipv4line .
ipv4optlist ::= ipv4option [ ipv4optlist ] .
ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
"ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
"secclass" ipv4secclass.
ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
"reserv-3" | "reserv-4" | "secret" | "topsecret" .
tcpline ::= "tcp" "{" tcpbodyopts "}" .
tcpbodyopts ::= tcpbody [ tcpbodyopts ] .
tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
"off" number | "urp" number | "win" number | "sum" number |
"flags" tcpflags | data .
udpline ::= "udp" "{" udpbodyopts "}" .
udpbodyopts ::= udpbody [ udpbodyopts ] .
udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
data .
icmpline ::= "icmp" "{" icmpbodyopts "}" .
icmpbodyopts ::= icmpbody [ icmpbodyopts ] .
icmpbody ::= "type" icmptype [ typeopts ] [ "code" icmpcode ] .
icmptype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
.fi
.SH COMMANDS
.PP
Before sending any packets or defining any packets, it is necessary to
describe the interface(s) which will be used to send packets out.
.TP
.B interface
is used to describe a network interface. The description included need
not match the actual configuration currently employed by the operating
system.
.TP
.B send
is used to actually send out a packet across the network. If the
destination is not specified, it will attempt to send the packet
directly out on the network to the destination without routing it.
.TP
.B router
configures the default router for ipsend, as distinct from the default
route installed in the kernel.
.TP
.B ipv4
is used to describe an IP (version 4) packet. IP header fields can be
specified, including options, followed by a data section which may contain
further protocol headers.
.SH IPV4
.TP
.B hl <number>
manually specifies the IP header length (automatically adjusts with the
presence of IP options and defaults to 5);
.TP
.B v <number>
set the IP version. Default is 4.
.TP
.B tos <number>
set the type of service (TOS) field in the IP header. Default is 0.
.TP
.B len <number>
manually specifies the length of the IP packet. The length will automatically
be adjusted to accomodate data or further protocol headers.
.TP
.B off <number>
sets the fragment offset field of the IP packet. Default is 0.
.TP
.B ttl <number>
sets the time to live (TTL) field of the IP header. Default is 60.
.TP
.B proto <protocol>
sets the protocol field of the IP header. The protocol can either be a
number or a name found in \fB/etc/protocols\fP.
.TP
.B sum
manually specifies the checksum for the IP header. If left unset (0), it
will be calculated prior to being sent.
.TP
.B src
manually specifies the source address of the IP header. If left unset, it
will default to the host's IP address.
.TP
.B dst
sets the destination of the IP packet. The default is 0.0.0.0.
.TP
.B opt
is used to include IP options in the IP header.
.TP
.B tcp
is used to indicate the a TCP protocol header is to follow. See the \fBTCP\fP
section for TCP header options.
.TP
.B udp
is used to indicate the a UDP protocol header is to follow. See the \fBUDP\fP
section for UDP header options.
.TP
.B icmp
is used to indicate the a ICMP protocol header is to follow. See the
\fBICMP\fP section for ICMP header options.
.TP
.B data
is used to indicate that raw data is to be included in the IP packet. See the
\fBDATA\fP section for details on options available.
.SH TCP
.TP
.B sport <port>
sets the source port to the number/name given. Default is 0.
.TP
.B dport <port>
sets the destination port to the number/name given. Default is 0.
.TP
.B seq <number>
sets the sequence number to the number specified. Default is 0.
.TP
.B ack <number>
sets the acknowledge number to the number specified. Default is 0.
.TP
.B off <number>
sets the offset value for the start of data to the number specified. This
implies the size of the TCP header. It is automatically adjusted if TCP
options are included and defaults to 5.
.TP
.B urp <number>
sets the value of the urgent data pointer to the number specified. Default
is 0.
.TP
.B win <number>
sets the size of the TCP window to the number specified. Default is 4096.
.TP
.B sum <number>
manually specifies the checksum for the TCP pseudo-header and data. If left
unset, it defaults to 0 and is automatically calculated.
.TP
.B flags <tcp-flags>
sets the TCP flags field to match the flags specified. Valid flags are
"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
.TP
.B opt
indicates that TCP header options follow. As TCP options are added to the
TCP header, the \fBoff\fP field is updated to match.
.TP
.B data
indicates that a data section is to follow and is to be included as raw
data, being appended to the header.
.SH UDP
.TP
.B sport <port>
sets the source port to the number/name given. Default is 0.
.TP
.B dport <port>
sets the destination port to the number/name given. Default is 0.
.TP
.B len <number>
manually specifies the length of the UDP header and data. If left unset,
it is automatically adjusted to match the header presence and any data if
present.
.TP
.B sum <number>
manually specifies the checksum for the UDP pseudo-header and data. If left
unset, it defaults to 0 and is automatically calculated.
.TP
.B data
indicates that a data section is to follow and is to be included as raw
data, being appended to the header.
.SH ICMP
.TP
.B type <icmptype>
sets the ICMP type according the to the icmptype tag. This may either be
a number or one of the recognised tags (see the ICMP TYPES section for a
list of names recognised).
.TP
.B code <icmpcode>
sets the ICMP code.
.TP
.B data
indicates that a data section is to follow and is to be included as raw
data, being appended to the header.
.SH DATA
Each of the following extend the packet in a different way. \fBLen\fP just
increases the length (without adding any content), \fBvalue\fP uses a string
and \fBfile\fP a file.
.TP
.B len <number>
extend the length of the packet by \fBnumber\fP bytes (without filling those
bytes with any particular data).
.TP
.B value <string>
indicates that the string provided should be added to the current packet as
data. A string may be a consecutive list of characters and numbers (with
no white spaces) or bounded by "'s (may not contain them, even if \\'d).
The \\ charcater is recognised with the appropriate C escaped values, including
octal numbers.
.TP
.B file <filename>
reads data in from the specified file and appends it to the current packet.
If the new total length would exceed 64k, an error will be reported.
.SH FILES
/etc/protocols
/etc/services
/etc/hosts
.SH SEE ALSO


@ -1,23 +1,25 @@
/* $NetBSD: ipsopt.c,v 1.1.1.2 1997/05/27 22:18:17 thorpej Exp $ */
/* $NetBSD: ipsopt.c,v 1.1.1.3 1997/09/21 16:49:13 veego Exp $ */
/*
* (C)opyright 1995 by Darren Reed.
* (C)opyright 1995-1997 by Darren Reed.
*
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
* for the use of this software. I hate legaleese, don't you ?
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <netinet/ip_compat.h>
@ -40,7 +42,7 @@ struct ipopt_names {
struct ipopt_names ionames[] = {
{ IPOPT_EOL, 0x01, 1, "eol" },
{ IPOPT_NOP, 0x02, 1, "nop" },
{ IPOPT_RR, 0x04, 7, "rr" }, /* 1 route */
{ IPOPT_RR, 0x04, 3, "rr" }, /* 1 route */
{ IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
{ IPOPT_SECURITY, 0x08, 11, "sec-level" },
{ IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
@ -61,8 +63,10 @@ struct ipopt_names secnames[] = {
};
u_short seclevel __P((char *));
u_long optname __P((char *, char *));
u_short seclevel __P((char *));
u_long optname __P((char *, char *));
int addipopt __P((char *, struct ipopt_names *, int, char *));
u_32_t buildopts __P((char *, char *, int));
u_short seclevel(slevel)
@ -82,14 +86,82 @@ char *slevel;
}
u_long optname(cp, op)
int addipopt(op, io, len, class)
char *op;
struct ipopt_names *io;
int len;
char *class;
{
struct in_addr ipadr;
int olen = len, srr = 0;
u_short val;
u_char lvl;
char *s = op, *t;
if ((len + io->on_siz) > 48) {
fprintf(stderr, "options too long\n");
return 0;
}
len += io->on_siz;
*op++ = io->on_value;
if (io->on_siz > 1) {
/*
* Allow option to specify RR buffer length in bytes.
*/
if (io->on_value == IPOPT_RR) {
val = (class && *class) ? atoi(class) : 4;
*op++ = val + io->on_siz;
len += val;
} else
*op++ = io->on_siz;
*op++ = IPOPT_MINOFF;
while (class && *class) {
t = NULL;
switch (io->on_value)
{
case IPOPT_SECURITY :
lvl = seclevel(class);
*(op - 1) = lvl;
break;
case IPOPT_LSRR :
case IPOPT_SSRR :
if ((t = strchr(class, ',')))
*t = '\0';
ipadr.s_addr = inet_addr(class);
srr++;
bcopy((char *)&ipadr, op, sizeof(ipadr));
op += sizeof(ipadr);
break;
case IPOPT_SATID :
val = atoi(class);
bcopy((char *)&val, op, 2);
break;
}
if (t)
*t++ = ',';
class = t;
}
if (srr)
s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
if (io->on_value == IPOPT_RR)
op += val;
else
op += io->on_siz - 3;
}
return len - olen;
}
u_32_t buildopts(cp, op, len)
char *cp, *op;
int len;
{
struct ipopt_names *io;
u_short lvl;
u_long msk = 0;
u_32_t msk = 0;
char *s, *t;
int len = 0;
int inc, lastop = -1;
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
if ((t = strchr(s, '=')))
@ -97,21 +169,10 @@ char *cp, *op;
for (io = ionames; io->on_name; io++) {
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
continue;
if ((len + io->on_siz) > 48) {
fprintf(stderr, "options too long\n");
return 0;
}
len += io->on_siz;
*op++ = io->on_value;
if (io->on_siz > 1) {
*op++ = io->on_siz;
*op++ = IPOPT_MINOFF;
if (t && !strcasecmp(s, "sec-level")) {
lvl = seclevel(t);
bcopy(&lvl, op, sizeof(lvl));
}
op += io->on_siz - 3;
lastop = io->on_value;
if ((inc = addipopt(op, io, len, t))) {
op += inc;
len += inc;
}
msk |= io->on_bit;
break;
@ -121,7 +182,24 @@ char *cp, *op;
return 0;
}
}
*op++ = IPOPT_EOL;
len++;
if (len & 3) {
while (len & 3) {
*op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
len++;
}
} else {
if (lastop != IPOPT_EOL) {
if (lastop == IPOPT_NOP)
*(op - 1) = IPOPT_EOL;
else {
*op++ = IPOPT_NOP;
*op++ = IPOPT_NOP;
*op++ = IPOPT_NOP;
*op = IPOPT_EOL;
len += 4;
}
}
}
return len;
}
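Review bot: addipopt() bounds the option buffer at 48 bytes, but an IPv4 header can carry at most 40 bytes of options (60 minus the 20-byte base header), and the check runs before the record-route length is known: `val = atoi(class)` is afterwards added to `len` and skipped over with `op += val` without any further check, so an `rr=200` on the command line writes well past the caller's buffer, and `*op++ = val + io->on_siz;` silently truncates that length to one byte. Use 40 as the limit and re-check once `val` is known, e.g. `if (val > 40 - len - io->on_siz) { fprintf(stderr, "options too long\n"); return 0; }`; buildopts() should likewise leave room for the up-to-four NOP/EOL padding bytes it appends at the end, which are currently added after the bound has been checked. Since the option text here comes straight from the user, a caller-chosen length reaching pointer arithmetic unchecked is worth closing in this routine rather than at the call sites.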


@ -0,0 +1,77 @@
/* $NetBSD: tcpip.h,v 1.1.1.1 1997/09/21 16:49:15 veego Exp $ */
/*
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)tcpip.h 8.1 (Berkeley) 6/10/93
* Id: tcpip.h,v 2.0.2.2 1997/05/28 13:49:45 darrenr Exp
*/
#ifndef _NETINET_TCPIP_H_
#define _NETINET_TCPIP_H_
/*
* Tcp+ip header, after ip options removed.
*/
struct tcpiphdr {
struct ipovly ti_i; /* overlaid ip structure */
struct tcphdr ti_t; /* tcp header */
};
#ifdef notyet
/*
* Tcp+ip header, after ip options removed but including TCP options.
*/
struct full_tcpiphdr {
struct ipovly ti_i; /* overlaid ip structure */
struct tcphdr ti_t; /* tcp header */
char ti_o[TCP_MAXOLEN]; /* space for tcp options */
};
#endif /* notyet */
#define ti_next ti_i.ih_next
#define ti_prev ti_i.ih_prev
#define ti_x1 ti_i.ih_x1
#define ti_pr ti_i.ih_pr
#define ti_len ti_i.ih_len
#define ti_src ti_i.ih_src
#define ti_dst ti_i.ih_dst
#define ti_sport ti_t.th_sport
#define ti_dport ti_t.th_dport
#define ti_seq ti_t.th_seq
#define ti_ack ti_t.th_ack
#define ti_x2 ti_t.th_x2
#define ti_off ti_t.th_off
#define ti_flags ti_t.th_flags
#define ti_win ti_t.th_win
#define ti_sum ti_t.th_sum
#define ti_urp ti_t.th_urp
#endif


@ -0,0 +1,101 @@
.TH IPTEST 1
.SH NAME
iptest \- automatically generate a packets to test IP functionality
.SH SYNOPSIS
.B iptest
[
.B \-1234567
] [
.B \-d
<device>
] [
.B \-g
<gateway>
] [
.B \-m
<\fIMTU\fP>
] [
.B \-p
<\fIpointtest\fP>
] [
.B \-s
<\fIsource\fP>
] <destination>
.SH DESCRIPTION
.PP
\fBiptest\fP ...
.SH OPTIONS
.TP
.B \-1
Run IP test group #1. This group of tests generates packets with the IP
header fields set to invalid values given other packet characteristics.
The point tests are: 1 (ip_hl < ip_len), 2 (ip_hl > ip_len),
3 (ip_v < 4), 4 (ip_v > 4), 5 (ip_len < packetsize, long packets),
6 (ip_len > packet size, short packets), 7 (Zero length fragments),
8 (packet > 64k after reassembly), 9 (IP offset with MSB set), 10 (ttl
variations).
.TP
.B \-2
Run IP test group #2. This group of tests generates packets with the IP
options constructed with invalud values given other packet characteristics.
The point tests are: 1 (option length > packet length), 2 (option length = 0).
.TP
.B \-3
Run IP test group #3. This group of tests generates packets with the ICMP
header fields set to non-standard values. The point tests are: 1 (ICMP types
0-31 & 255), 2 (type 3 & code 0 - 31), 3 (type 4 & code 0, 127, 128, 255),
4 (type 5 & code 0, 127, 128, 255), 5 (types 8-10,13-18 with codes 0, 127,
128 and 255), 6 (type 12 & code 0, 127, 128, 129, 255) and 7 (type 3 & codes
9-10, 13-14 and 17-18 - shortened packets).
.TP
.B \-4
Run IP test group #4. This group of tests generates packets with the UDP
header fields set to non-standard values. The point tests are: 1 (UDP length
> packet size), 2 (UDP length < packetsize), 3 (sport = 0, 1, 32767, 32768,
65535), 4 (dport = 0, 1, 32767, 32768, 65535) and 5 (sizeof(struct ip) <= MTU
<= sizeof(struct udphdr) + sizeof(struct ip)).
.TP
.B \-5
Run IP test group #5. This group of tests generates packets with the TCP
header fields set to non-standard values. The point tests are: 1 (TCP flags
variations, all combinations), 2 (seq = 0, 0x7fffffff, 0x8000000, 0xa0000000,
0xffffffff), 3 (ack = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff),
4 (SYN packet with window of 0, 32768, 65535), 5 (set urgent pointer to 1,
0x7fff, 0x8000, 0xffff), 6 (data offset), 7 (sport = 0, 1, 32767, 32768,
65535) and 8 (dport = 0, 1, 32767, 32768, 65535).
.TP
.B \-6
Run IP test group #6. This test generates a large number of fragments in
an attempt to exhaust the network buffers used for holding packets for later
reassembly. WARNING: this may crash or cause serious performance degradation
to the target host.
.TP
.B \-7
Run IP test group #7. This test generates 1024 random IP packets with only
the IP version, checksum, length and IP offset field correct.
.TP
.BR \-d \0<interface>
Set the interface name to be the name supplied.
.TP
.BR \-g \0<gateway>
Specify the hostname of the gateway through which to route packets. This
is required whenever the destination host isn't directly attached to the
same network as the host from which you're sending.
.TP
.BR \-m \0<MTU>
Specify the MTU to be used when sending out packets. This option allows you
to set a fake MTU, allowing the simulation of network interfaces with small
MTU's without setting them so.
.TP
.B \-p <test>
Run a...
.DT
.SH SEE ALSO
ipsend(1), ipresend(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
Only one of the numeric test options may be given when \fIiptest\fP is run.
.PP
Needs to be run as root.
.SH BUGS
.PP
If you find any, please send email to me at darrenr@cyber.com.au


@ -0,0 +1,12 @@
# $NetBSD: Makefile,v 1.1.1.1 1997/09/21 16:49:25 veego Exp $
FILESDIR= /usr/share/samples/ipf
FILES= example.1 example.2 example.3 example.4 example.5 example.6 example.7 \
example.8 example.9 example.10 example.sr firewall ftp-proxy ftppxy \
nat-setup nat.eg server tcpstate
all:
.include <bsd.own.mk>
.include <bsd.files.mk>


@ -0,0 +1,4 @@
#
# block all incoming TCP packets on le0 from host "foo" to any destination.
#
block in on le0 proto tcp from foo/32 to any


@ -0,0 +1,12 @@
#
# pass ack packets (ie established connection)
#
pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
#
# block incoming connection requests to my internal network from the big bad
# internet.
#
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
# to block the replies:
block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
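Review bot: The last rule's source address `10.1.0.0` carries no mask, so it should match only that single address rather than the 10.1.0.0/16 network the comment and the preceding rules refer to, and the reply-blocking it promises would not cover the rest of the subnet. It should read `block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA`. The first two pass rules also omit the `from`/`to` keywords every other example in this import uses; if this version of the parser requires them the file will not load, which is worth confirming before shipping it as a sample.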


@ -0,0 +1,26 @@
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from fubar port != 53 to localhost
#
# block anything trying to get to X terminal ports, X:0 to X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
block in proto tcp/udp all
pass in proto tcp/udp from any to any port 512 <> 515
#
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
pass in proto tcp/udp all
block in proto tcp/udp from any to any port 511 >< 516


@ -0,0 +1,17 @@
#
# get rid of all short IP fragments (too small for valid comparison)
#
block in proto tcp all with short
#
# drop and log any IP packets with options set in them.
#
block in log all with ipopts
#
# log packets with BOTH ssrr and lsrr set
#
log in all with opt lsrr,ssrr
#
# drop any source routing options
#
block in quick all with opt lsrr
block in quick all with opt ssrr


@ -0,0 +1,17 @@
#
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
block in to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in dup-to le0:packetlog proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in fastroute proto udp all
#
# Route all ICMP packets to network 10 out through le1, to "router"
#
pass in to le1:router proto icmp all


@ -0,0 +1,4 @@
#
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
block out on le0 proto tcp from any to bar/32 port != 23
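Review bot: The rule contradicts its own comment: `port != 23` blocks every outbound TCP packet to bar except those to port 23, while the comment says port 23 is the one to be blocked. If the comment states the intent the rule should be `block out on le0 proto tcp from any to bar/32 port = 23`; otherwise the comment should say that everything except telnet to bar is blocked. Either way the two must agree, since this file is shipped as a sample people copy.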


@ -0,0 +1,40 @@
#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from 10.1.3.1/32 to any
pass in from 10.1.3.2/32 to any
pass in from 10.1.3.3/32 to any
pass in from 10.1.3.4/32 to any
pass in from 10.1.3.5/32 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32
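Review bot: None of the inbound pass rules names an interface, so a packet arriving on the external side with a forged source of 127.0.0.1 or of one of the listed 10.1.x.x hosts is accepted by them, which undoes the default-deny the first rule sets up. Tie each pass to the interface the address can legitimately appear on, e.g. `pass in on lo0 from 127.0.0.1/32 to 127.0.0.1/32` and `pass in on <int-if> from 10.1.3.1/32 to any` with the real internal interface substituted. The outbound rules are less exposed, but the same qualifier keeps the two halves symmetric and documents which side each address belongs to.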


@ -0,0 +1,4 @@
#
# block all ICMP packets.
#
block in proto icmp from any to any
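Review bot: Blocking every inbound ICMP packet also drops Destination Unreachable "fragmentation needed" (type 3, code 4) messages, so path-MTU discovery for TCP connections made from behind this rule silently breaks, and the TTL-exceeded replies traceroute relies on are lost as well. If the goal is to stop probes rather than all control traffic, add an exception after the block using the same form the other examples use, e.g. `pass in proto icmp from any to any icmp-type unreach code 4`. A one-line comment noting the trade-off would help readers who copy this sample.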


@ -0,0 +1,25 @@
#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass from foo to bar
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass proto udp from fubar port != 53 to localhost
#
# block all ICMP unreachables.
#
block from any to any icmp unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
pass from any to any with ipopts
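Review bot: The final rule passes any packet carrying IP options, explicitly including source routing, which lets a sender dictate the return path and is exactly what the other rulesets in this import block or log; if the purpose of this "test ruleset" is only to exercise the `with ipopts` keyword, a comment saying so, e.g. `# test only: source-routed packets should normally be blocked`, would stop it being copied as a recommendation. Separately, none of these rules carries the `in`/`out` direction every other example uses; if this parser requires a direction the file will not load, which is worth confirming.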


@ -0,0 +1,5 @@
#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection) out of the SYN-ACK pair.
#
block in proto tcp from any to any flags S/SA


@ -0,0 +1,12 @@
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on le1 proto icmp from any to any icmp-type echo
pass in on le1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are port-unreachables
#
block in on le1 proto icmp from any to any icmp-type unreach code 3


@ -0,0 +1,10 @@
#
# block all incoming TCP connections but send back a TCP-RST for ones to
# the ident port
#
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp in proto udp from any to any
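Review bot: `block return-icmp in proto udp from any to any` makes the host answer every blocked UDP datagram with an ICMP error sent to whatever source the datagram claims, so a sender forging its source turns this machine into a reflector toward a third party, and a port sweep produces one error per probe. Restrict the return-icmp rule to sources you trust to be genuine, e.g. `block return-icmp in proto udp from 10.1.0.0/16 to any`, and let a plain `block in proto udp all` silently drop the rest. The return-rst rule for ident has the same shape, but a single RST to avoid ident timeouts is the usual accepted trade-off.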


@ -0,0 +1,12 @@
#
# drop all packets without IP security options
#
block in all
pass in all with opt sec
#
# only allow packets in and out on le0 which are top secret
#
block out on le1 all
pass out on le1 all with opt sec-class topsecret
block in on le1 all
pass in on le1 all with opt sec-class topsecret
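Review bot: The second comment says the restriction applies to le0, but all four rules below it name le1, so either the comment or the interface is wrong and a reader copying this will lock down the wrong side. Change the comment to `# only allow packets in and out on le1 which are top secret` or the rules to `on le0`, whichever matches the intent. Note also that the first pair (block all, then pass with opt sec) is last-match, so on every other interface a packet carrying a security option of any class is admitted.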


@ -0,0 +1,61 @@
#
# log all inbound packet on le0 which has IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
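Review bot: The four `pass in quick` rules for 10.1.3.2 and 10.1.0.13 name no interface, and because `quick` ends rule processing, a packet arriving on le0 with a forged source of 10.1.3.2 is passed before the later `with ipopts` block and the subnet blocks are ever consulted. Qualify the source-based pair with the interface those hosts legitimately arrive on, e.g. `pass in quick on <int-if> from 10.1.3.2/32 to any`, and keep the destination-based pair on le0 only if those hosts are meant to be reachable from outside. The `log ... with ipopts` rule at the top only logs; the real drop for option-bearing packets is the later quick block, which these pass rules bypass for those two hosts.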


@ -0,0 +1,39 @@
Configuring IP Filter for firewall usage.
=========================================
Step 1 - Block out "bad" IP packets.
------------------------------------
Run the perl script "mkfilters". This will generate a list of blocking
rules which:
a) blocks all packets which might belong to an IP Spoofing attack;
b) blocks all packets with IP options;
c) blocks all packets which have a length which is too short for
any legal packet;
Step 2 - Convert Network Security Policy to filter rules.
---------------------------------------------------------
Draw up a list of which services you want to allow users to use on the
Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
want each host that is part of your firewall to be allowed to do, including
communication with internal hosts.
Step 3 - Create TCP "keep state" rules.
---------------------------------------
For each service that uses TCP, create a rule as follows:
pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
where
* "int-a" is the internal interface of the firewall. That is, it is the
closest to your internal network in terms of network hops.
* "int-net" is the internal network IP# subnet address range. This might
be something like 10.1.0.0/16, or 128.33.1.0/24
* "ext-service" is the service to which you which to connect or if it doesn't
have a proper name, a number can be used. The translation of "ext-service"
as a name to a number is controlled with the /etc/services file.


@ -0,0 +1,40 @@
How to setup FTP proxying using the built in proxy code.
========================================================
NOTE: Currently, the built-in FTP proxy is only available for use with NAT
(i.e. only if you're already using "map" rules with ipnat).
Lets assume your network diagram looks something like this:
[host A]
|a
---+-------------+----------
|b
[host B]
|c
---+-------------+----------
|d
[host C]
and IP Filter is running on host B. If you want to proxy FTP from A to C
then you would do:
map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
int-c = name of "interface c"
ipaddr-a = ip# of interface a
ipaddr-c-net = another ip# on the C-network (usually not the same as the
interface).
e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
203.45.67.90, you would do:
map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
where:
ipaddr-a = 10.1.1.1
int-c = vx0
ipaddr-c-net = 203.45.67.91


@ -0,0 +1,6 @@
#!/bin/sh
# The proxy bit is as follows:
# proxy [port <portname>] <tag>/<protocol>
# the <tag> should match a tagname in the proxy table, as does the protocol.
# this format isn't finalised yet
echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -


@ -0,0 +1,77 @@
Configuring NAT on your network.
================================
To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface. The "internal" interface is the
network adapter connected to the network with private IP addresses which
you need to change for communicating on the Internet. The "external"
interface is configured with a valid internet address.
For example, your internal interface might have an IP# of 10.1.1.1 and be
connected to your ethernet, whilst your external interface might be a PPP
connection with an IP number of 204.51.62.176.
Thus your network might look like this:
<Internal Network>
[pc] [pc]
| |
+-+---------+------+
|
[firewall]
|
|
Internet
<External Network>
Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you, maybe several different blocks, or you use a
single IP address, i.e. with dialup PPP. If you have a block of addresses
assigned, these can be used to create either a 1:1 mapping (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address and unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
UDP port numbers.
For an N:1 situation, you might have:
map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
where if you had 16 addresses available, you could do:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
Or if you wanted to allocate subnets to each IP#, you might do:
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
*** NOTE: NAT rules are used on a first-match basis only!
Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.
For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
with ipf:
block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24
and use these with ipnat:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap

14
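--- /dev/null
+++ b/usr.sbin/ipf/rules/nat.eg
@@ -0,0 +1,14 @@
+# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
+# port number to something between 10,000 and 20,000 inclusive. For all other
+# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
+# for each new user.
+#
+map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
+map ed1 10.1.0.0/16 -> 240.1.0.0/24
+#
+# Redirection is triggered for input packets.
+# For example, to redirect FTP connections through this box, to the local ftp
+# port, forcing them to connect through a proxy, you would use:
+#
+rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
+#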
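Review bot: The translated addresses 240.1.0.1 and 240.1.0.0/24 lie in 240.0.0.0/4, which is reserved (class E) and not routed on the Internet, so anyone copying this sample literally gets NAT whose return traffic never comes back. Use addresses actually assigned to the external side, or an illustrative public range such as the 209.23.1.x addresses the nat-setup text in this import uses. The `rdr ... -> 127.0.0.1` line also assumes the stack will accept a packet that arrived on ed0 but is addressed to loopback; whether that holds depends on the kernel, so a comment noting the assumption would help.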

11
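--- /dev/null
+++ b/usr.sbin/ipf/rules/server
@@ -0,0 +1,11 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services
+# or
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.1.0/24 to any
+pass in quick on le1 from any to any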
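Review bot: The comment says all spoofing is to be blocked, but the le1 rules do not do that: `block in quick log on le1 from 128.1.1.0/24 to any` rejects a subnet mentioned nowhere else, while a packet arriving on le1 that claims a source in the leaf subnet 128.1.40.0/24 behind le0 is accepted by the following `pass in quick on le1 from any to any`. The le1 anti-spoof rule should name the subnet that can only legitimately arrive on le0, `block in quick log on le1 from 128.1.40.0/24 to any`, and both interfaces would benefit from a `block in quick from 127.0.0.0/8 to any` ahead of the passes. The comment on the sixth line is also cut off after `or`.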


@ -0,0 +1,13 @@
#
# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
# somewhere, waiting for it.
#
pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
block out on le0 proto tcp all
block in on le0 proto tcp all
#
# allow nameserver queries and replies to pass through, but no other UDP
#
pass out quick on le0 proto udp from any to any port = 53 keep state
block out on le0 proto udp all
block in on le0 proto udp all
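Review bot: The ruleset only mentions TCP and UDP, so unless the kernel was built to block by default, ICMP and every other protocol cross le0 in both directions unfiltered, which is unlikely to be the intent of an "only allow if there is an outgoing connection" policy. Add a catch-all pair ahead of the protocol rules, `block in on le0 all` and `block out on le0 all`, and let the `quick ... keep state` rules open the holes. The `port = 53 keep state` rule applies to the destination port only, so replies return through the state entry while unsolicited inbound UDP stays blocked; that is right for a resolver client but will not let this host serve DNS, which the comment could say.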