Modification of Pktfilter tool
Brad Baker
CS 591 Spring 2007 Term project
12/20/2021 Pktfilter modification - Brad Baker
The Pktfilter tool
• Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)
• Developed by Jean-Baptiste Marchand, project inactive since February 2003
• Uses the Win32 filtering API (Windows 2000 packet filtering)
• Runs as a service, configures the filtering API on start
• Provides a command line utility
Pktfilter basics
• Filtering is controlled through a rules file
• Rules define a default action, then exceptions
  – For example, block everything, then pass each allowed connection
  – Rule mixing isn't allowed: you can't block a connection after you have created a pass exception
• Example of rule setup:
  block in on eth0 all
  block out on eth0 all
  pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
  pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
• Rules require numeric IP addresses
• Rules can specify ports and ranges, protocols, and use the "any" keyword
Pktfilter Usage
• Installation is a manual process
• Copy the Pktfilter folder to Program Files or the desired directory
• From a command prompt, run "pktfltsrv.exe -i" followed by the paths to three files
  – Rules file, log file, DNS log file
  – This command installs the tool as a service
• Configure the service to run automatically
• Configure the rules file as desired
  – Restrict access to the rules file
My project goals
• In order of priority:
  – Research why the tool doesn't work on Windows Vista and the Windows XP x64 version
  – Research and include rule mixing
    • For example, after creating an exception for HTTP we would like to block a specific website
  – Research and fix the logging problem
  – Research and implement DNS IP resolution from the rules file
  – Research and implement localhost IP resolution
Goal #1 – Windows Vista & x64
• Windows Vista doesn't include this API
• The "Windows Filtering Platform" replaces the packet filtering API
• WFP is a much more robust filtering solution
• WFP allows application-based filtering, boot-time filtering, and packet inspection
• Moving Pktfilter to x64 just requires building with the correct platform
• Conclusion: save WFP for the future, x64 was a success
Goals #2/#3 – Mixing & Logging
• Mixing is not possible based on the design of the underlying API
• The filtering engine is specifically designed to provide only the default and exception actions
• Logging works with a fresh Windows XP installation
• Changes to iphlpapi.dll in Service Pack 1 broke the logging function
• Conclusion: mixing and logging aren't possible due to larger system issues
Goals #4/#5 – IP resolution
• Modified the program to use brackets for DNS lookup: "[www.uccs.edu]"
• Modified the program to use the "me" keyword for localhost lookup
• Looked at several DNS query methods
• First used: DnsQuery_A() in <Windns.h>
• Then used: gethostbyname() in <winsock2.h>
• Finally: getaddrinfo() in <winsock2.h>
• Tool produces a log file to document the translation
Example of IP resolution
• Log file output:
  --------------------------Begin rule file parsing, GMT: 2007-05-06 04:43:25
  > local 'me' symbol resolved : ( 192.168.1.100 : artos )
  > Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
  > Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
  > Remote DNS lookup FAILED : ( : test.my.blah )
  (the slide also lists the entry http://www.crh.noaa.gov/fo in this log; its status and address did not survive extraction)
  > Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
  > Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
  END, GMT: 2007-05-06 04:43:30
• Corresponding input configuration:
  # input rules
  rule 1: pass in on eth0 proto udp from any port = 53 to any
  rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
  rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
  rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
  rule 5: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
  rule 6: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
  rule 7: pass in on eth0 proto udp from any port = 67 to any port = 68
  rule 8: pass in on eth0 proto ... (the remainder of this rule did not survive extraction)
Summary
• The tool will remain effective until Windows Vista is a common platform
• Several goals were not met; however, the IP resolution will provide a benefit
• Protected the application from long URLs and blank URLs
  – The rules file won't compromise the filtering configuration
• Future enhancements can involve port information, fixing the DNS timeout, etc.
• Security concerns with relying on DNS queries
  – For example, the current Windows DNS server bug
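The bracket and "me" translation described on the IP resolution slides, together with the blank/overlong name protection from the summary, as an added example. This is not Pktfilter's code: the rule syntax follows the slides, but the validation limits, the loopback fallback for a failed lookup (chosen because the slide's rule 4 shows 127.0.0.1 where the failed test.my.blah entry sits) and the table-backed offline resolver are assumptions made here. The real lookup uses getaddrinfo() through POSIX headers; on Windows the same call lives in <ws2tcpip.h> after WSAStartup().

```c
/* Added example, not Pktfilter's own code. Rewrites one rules-file line,
 * replacing "[hostname]" with a resolved IPv4 address and the whole-word
 * "me" keyword with the local address, logging each translation in the
 * style of the slide's DNS log. Resolution goes through a callback so the
 * same code runs offline against a constructed table. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>        /* getaddrinfo(); Windows: <ws2tcpip.h> + WSAStartup() */
#include <arpa/inet.h>    /* inet_ntop() */
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_HOST 253              /* assumption: RFC 1035 presentation-form limit */
#define FALLBACK_IP "127.0.0.1"   /* assumption: failed lookups fall back to loopback */

typedef int (*resolver_fn)(const char *host, char *ip, size_t iplen);

/* Real resolver: first IPv4 answer from getaddrinfo(); 0 on success. */
int resolve_getaddrinfo(const char *host, char *ip, size_t iplen) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL) return -1;
    struct sockaddr_in *sa = (struct sockaddr_in *)res->ai_addr;
    const char *ok = inet_ntop(AF_INET, &sa->sin_addr, ip, (socklen_t)iplen);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Constructed offline resolver: addresses copied from the slide's log. */
int resolve_from_table(const char *host, char *ip, size_t iplen) {
    static const char *table[][2] = {
        { "slashdot.org", "66.35.250.150" }, { "www.yahoo.com", "209.131.36.158" },
        { "www.uccs.edu", "128.198.1.212" }, { "www.google.com", "72.14.253.147" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(host, table[i][0]) == 0) { snprintf(ip, iplen, "%s", table[i][1]); return 0; }
    return -1;                                  /* NXDOMAIN-style failure */
}

/* Reject blank, overlong, or non-hostname text (URLs with "://", spaces, etc.). */
static int hostname_ok(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > MAX_HOST) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Bounded append of src to out at *pos; 0 when the output buffer is full. */
static int emit(char *out, size_t outlen, size_t *pos, const char *src) {
    size_t n = strlen(src);
    if (*pos + n + 1 > outlen) return 0;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 1;
}

/* Returns the number of substitutions made, or -1 on a malformed line / overflow. */
int rewrite_rule_line(const char *in, char *out, size_t outlen,
                      resolver_fn resolve, const char *local_ip, FILE *log) {
    size_t pos = 0;
    int subs = 0;
    out[0] = '\0';
    for (const char *p = in; *p; ) {
        if (*p == '[') {
            const char *end = strchr(p, ']');
            if (!end) return -1;                          /* unterminated bracket */
            char host[MAX_HOST + 2], ip[INET_ADDRSTRLEN];
            size_t n = (size_t)(end - p - 1);
            if (n > MAX_HOST + 1) n = MAX_HOST + 1;       /* bounded copy; hostname_ok rejects it */
            memcpy(host, p + 1, n); host[n] = '\0';
            if (hostname_ok(host) && resolve(host, ip, sizeof ip) == 0) {
                if (log) fprintf(log, "> Remote DNS lookup resolved : ( %s : %s )\n", ip, host);
            } else {
                if (log) fprintf(log, "> Remote DNS lookup FAILED : ( %s : %s )\n", FALLBACK_IP, host);
                strcpy(ip, FALLBACK_IP);
            }
            if (!emit(out, outlen, &pos, ip)) return -1;
            subs++;
            p = end + 1;
        } else if (strncmp(p, "me", 2) == 0 && (p == in || !isalnum((unsigned char)p[-1]))
                   && !isalnum((unsigned char)p[2])) {    /* whole-word "me" only */
            if (log) fprintf(log, "> local 'me' symbol resolved : ( %s )\n", local_ip);
            if (!emit(out, outlen, &pos, local_ip)) return -1;
            subs++;
            p += 2;
        } else {
            char one[2] = { *p, '\0' };
            if (!emit(out, outlen, &pos, one)) return -1;
            p++;
        }
    }
    return subs;
}

int main(void) {
    const char *rules[] = {                     /* constructed input lines */
        "pass in on eth0 proto tcp from [www.uccs.edu] port = 80 to me",
        "pass in on eth0 proto tcp from [test.my.blah] port = 80 to me",
        "pass in on eth0 proto tcp from [] port = 80 to me",
    };
    char out[256];
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        int n = rewrite_rule_line(rules[i], out, sizeof out, resolve_from_table, "192.168.1.100", stdout);
        printf("rule %zu (%d substitutions): %s\n", i + 1, n, out);
    }
    return 0;
}
```

Swapping resolve_from_table for resolve_getaddrinfo gives the live behaviour; keeping the table resolver in a test means the rewrite logic and the fallback path can be checked without depending on a DNS answer, which is the part of the design the summary's "security concerns with relying on DNS" point is about.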
References
• Original Pktfilter project source
  – http://sourceforge.net/projects/pktfilter/
• Information about the filtering API
  – http://www.ndis.com/papers/winpktfilter.htm
  – http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt.NWU20041108.142435/public/02Whole.pdf
• WFP summaries
  – http://www.microsoft.com/whdc/device/network/WFP.mspx
  – http://msdn2.microsoft.com/en-us/library/aa363967.aspx
• DNS lookup information
  – http://msdn2.microsoft.com/en-us/library/ms738524.aspx
  – http://msdn2.microsoft.com/en-us/library/ms738520.aspx
• PfCreateInterface, references other filtering API functions
  – http://msdn2.microsoft.com/en-gb/library/aa376646.aspx