PktFilter : a Win32 service to configure the IP filtering driver of Windows 2000

--[Introduction]----------------------------------------------------------------

Windows 2000 has a builtin device driver for IP filtering (ipfltdrv.sys). This
device driver can be configured via a Win32 API, documented in the Microsoft
Platform SDK, under the reference 'Packet Filtering'.

In Windows 2000, you can manage IP filters via the RRAS (Routing and Remote
Access) service, either using the mmc (Microsoft Management Console) RRAS plugin
or via the 'netsh' text-mode program. The problem is that you may not want to
run the whole RRAS service just to have the IP filtering functionality.
Moreover, the RRAS service is only present in server versions of Win2k.

The software distributed in this archive is a small Win32 service that
configures IP filters, described by rules written in an ipfilter-like syntax.

*Important* : Please note that our service will start if RRAS is running, but
filters managed by RRAS and our service may conflict, with unpredictable
results. In that case, an event will be logged to the System event log.

--[Installation]----------------------------------------------------------------

This distribution is composed of two programs :

- pktfltsrv.exe is a Win32 service that configures the filters through the
  Packet Filtering API.
- pktctl.exe is a command-line utility that communicates with the Win32 service
  to manage filters.

To install :

- Unzip the 'PktFilter.zip' archive in a directory, for example under
  'Program Files'.
- In a terminal, install the 'pktfltsrv' Win32 service with the '-i' option
  followed by the path of the file that will contain the rules loaded when the
  service starts (the path must be absolute, not relative).

  Ex: C:\Program Files\PktFilter\> pktfltsrv.exe -i C:\Program Files\PktFilter\pktctl\rules.txt

  The 'pktfltsrv' service will be launched at next startup.
If you want to start it immediately, you can start it manually from the
'Services' list in the MMC (the service appears under the name 'Stateless
Packet Filtering'). You can then control the service through the 'pktctl'
program (see next section).

_Note_: If you want to modify the path of the rules file, you can edit in the
registry the value 'RulesFile' under the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PktFilter\.

--[Usage]-----------------------------------------------------------------------

The 'pktfltsrv' service is normally launched at startup. Filtering rules are
loaded from the file indicated by the 'RulesFile' value in the service's
registry key.

'pktctl' is the control program. It communicates with the 'pktfltsrv' service
through a named pipe. 'pktctl' can be used in two ways :

- with command-line switches
- in interactive mode (when launched with the '-i' option)

Most of the command-line switches have their counterpart commands in
interactive mode.

--[pktctl]----------------------------------------------------------------------

This section lists all the possible commands of pktctl, both in command-line
mode and interactive mode. Interactive mode is invoked with the '-i'
command-line option. The 'pktctl>' prompt will wait for interactive commands
('help' will list possible interactive commands).

Note: Before writing rules, you have to know the mapping between your Ethernet
adapters and our interface naming convention. Use the '-I' command-line option
to list this mapping. We need this mapping because Windows 2000 provides no
easy way to refer to a network interface (a GUID is not really human
friendly!). We decided to name the Ethernet interfaces 'eth*', where '*' starts
at 0.

The commands permit the following actions :

- adding filters (loading a file or entering a filter manually)
- listing current filters
- deleting filters (possibly all)
- getting filtering statistics

--[Adding filters]--

- load a filters file.
  Command-line:      C:\> pktctl.exe -f rules.txt
  Interactive mode:  source rules.txt

- load a filters file, flushing all filters on *all* interfaces first.

  Command-line:      C:\> pktctl.exe -F rules.txt
  Interactive mode:  reload rules.txt

- add a filter manually on a given interface, with the '-a' option.

  Command-line:      C:\> pktctl.exe -a "pass in on eth0 proto udp from x.y.z.0/24 port = XX to any port > YY"
  Interactive mode:  pass in on eth0 proto udp from x.y.z.0/24 port = XX to any port > YY

--[Listing filters]--

- list the current filters on a given interface, with the '-l' option.

  Command-line:      C:\> pktctl.exe -l eth0
  Interactive mode:  list on eth0

  Note: You can redirect the output of this command to a file, to reload the
  current filters later.

--[Deleting filters]--

- delete a filter on a given interface, giving the number assigned to the
  filter, as reported by the 'list' command, with the '-d' option :

  Ex:
  C:\> pktctl.exe -i
  pktctl> list on eth0
  option small_frags on eth0
  block in on eth0 all
  block out on eth0 all
  rule 1: pass in on eth0 proto tcp from 192.168.1.254 port = 3128 to 192.168.1.1 port > 1024
  rule 128: pass out on eth0 proto tcp from 192.168.1.1 port > 1024 to 192.168.1.254 port = 3128

  You can then delete the first input filtering rule with :

  Command-line:      C:\> pktctl.exe -d 1 eth0
  Interactive mode:  delete 1 on eth0

  Note: input filtering rules are numbered from 1 to 127 and output rules from
  128 to 255.

- delete all filters on a given interface, with the '-Fa' option.

  Command-line:      C:\> pktctl.exe -Fa eth0
  Interactive mode:  flush on eth0

- delete all filters on all interfaces :

  Command-line:      C:\> pktctl.exe -Fa all
                     or, simpler:
                     C:\> pktctl.exe -Fa
  Interactive mode:  flush on all

--[Getting statistics]--

- get the filtering statistics on a given interface, with the '-s' option.
  Command-line:      C:\> pktctl.exe -s eth0
  Interactive mode:  stats on eth0

--[pktfltsrv]-------------------------------------------------------------------

The 'pktfltsrv' program is manually invoked for only two tasks :

- installing the service
- uninstalling the service

Installation of the service is done with the '-i' option, followed by the
absolute path to the file containing the filtering rules. Uninstallation of the
service is done with the '-u' option.

--[Rules]-----------------------------------------------------------------------

The syntax used to specify filtering rules is (mostly) a subset of the grammar
used when writing Ipfilter rules (see http://coombs.anu.edu.au/ipfilter/ for
more information about Ipfilter, a very powerful IP filtering package running
on most Unix systems).

You should always start rules with global options (these are filtering options
that are global to a given interface) :

option small_frags on eth0
option anti_spoof on eth0
option check_frags on eth0

These options respectively specify to drop small fragments (fragments of 8
bytes or less), to check the consistency of the IP source address, and to
activate a counter of fragmentation checks.

You should always specify 'option small_frags', as it prevents attacks based on
small fragments. It is not very clear what the anti-spoofing protection in the
packet filter driver actually does... 'option check_frags' doesn't seem to be
very useful; don't use it if you specify 'option small_frags'.

You should then specify default rules, i.e. rules of the following form :

block in on eth0 all     or     pass in on eth0 all
block out on eth0 all    or     pass out on eth0 all

Then, you can only specify rules that modify the default behavior (you'll
receive an error if you try to bypass this rule). For example, if you specified
a default policy of dropping packets on input (with 'block in on eth0 all'),
input rules can only start with the 'pass' keyword.
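As an added example (not part of PktFilter), a small Python checker that applies the rule syntax described in this section and the default-policy constraint just described to a rules file before it is loaded with 'pktctl -F'. The embedded sample is the README's own example rules file; the duplicate-rule and missing 'option small_frags' checks follow the warnings given elsewhere in this document.

```python
"""Checker for PktFilter rule files (added example, not PktFilter's own code): syntax
per the README's grammar; after a default 'all' rule only the opposite action is valid."""
import re

_IP = r"(?:any|\d{1,3}(?:\.\d{1,3}){3}(?:/(?:\d{1,2}|\d{1,3}(?:\.\d{1,3}){3}))?)"
_EP = _IP + r"(?:\s+(?:port\s*(?:>=|<=|>|<|=)\s*\d+|\d+\s*><\s*\d+))?"  # addr [port]
RULE_RE = re.compile(
    rf"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>eth\d)"
    rf"(?:\s+proto\s+(?:tcp|udp|icmp|any|\d+))?\s+(?P<ip>all|from\s+{_EP}\s+to\s+{_EP})"
    rf"(?:\s+(?:established|icmp-type\s+\w+(?:\s+code\s+\d+)?))?$")
OPTION_RE = re.compile(r"^option\s+(small_frags|anti_spoof|check_frags)\s+on\s+(eth\d)$")

# Sample input: the README's own example rules file, embedded here verbatim.
EXAMPLE_RULES = """\
option small_frags on eth0
block in on eth0 all
block out on eth0 all
pass out on eth0 proto tcp from 192.168.1.1 port > 1024 to 192.168.1.254 port = 3128
pass in on eth0 proto tcp from 192.168.1.254 port = 3128 to 192.168.1.1 port > 1024 established
"""

def check_rules(text):
    """Return a list of problems found in a rules file (an empty list means OK)."""
    problems, defaults, seen, small_frags = [], {}, set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if (m := OPTION_RE.match(line)):
            if m.group(1) == "small_frags":
                small_frags.add(m.group(2))
            continue
        if not (m := RULE_RE.match(line)):
            problems.append(f"line {lineno}: syntax error: {line!r}")
            continue
        key = (m["iface"], m["dir"])
        if m["ip"] == "all":                            # default policy for iface/direction
            defaults[key] = m["action"]
            continue
        if key not in defaults:
            problems.append(f"line {lineno}: no default '{key[1]}' rule on {key[0]} yet")
        elif m["action"] == defaults[key]:
            problems.append(f"line {lineno}: '{m['action']}' repeats the default policy; "
                            "the driver only accepts the opposite action here")
        if line in seen:                                # identical rules break statistics
            problems.append(f"line {lineno}: duplicate rule")
        seen.add(line)
    for iface in sorted({k[0] for k in defaults} - small_frags):
        problems.append(f"{iface}: 'option small_frags' is missing")
    return problems
```

Running check_rules(EXAMPLE_RULES) returns an empty list; a file that repeats the default action, duplicates a rule, or omits the small_frags option gets one message per problem.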
This is a limitation of the Windows 2000 packet filter driver.

Example of rules:

-------------------------------------------------------------------------------
# toggle invalid small fragments checks
option small_frags on eth0

# default behavior = deny everything
block in on eth0 all
block out on eth0 all

# only allow traffic from our machine (192.168.1.1) to a HTTP proxy
pass out on eth0 proto tcp from 192.168.1.1 port > 1024 to 192.168.1.254 port = 3128
pass in on eth0 proto tcp from 192.168.1.254 port = 3128 to 192.168.1.1 port > 1024 established
-------------------------------------------------------------------------------

The filtering rules can be described using the following grammar in BNF:

filter-rule    = global-options | normal-rule
global-options = "option" global-option iface
global-option  = "small_frags" | "anti_spoof" | "check_frags"
normal-rule    = action [in-out] iface [proto] ip [proto-options]
action         = "pass" | "block" | "stats" | "list" | "flush"
in-out         = "in" | "out"
iface          = "on" ifname
ifname         = "eth" digit
proto          = "tcp" | "udp" | "icmp" | "any" | ip-proto
ip-proto       = decnumber
decnumber      = digit [decnumber]
ip             = "all" | "from" ip-addr [port-comp | port-range] "to" ip-addr [port-comp | port-range]
ip-addr        = "any" | ip-dotted-addr [ip-mask]
ip-dotted-addr = host-num "." host-num "." host-num "." host-num
host-num       = digit [digit [digit]]
ip-mask        = "/" ip-addr | decnumber
port-comp      = "port" comparator decnumber
comparator     = ">" | ">=" | "<" | "<=" | "="
port-range     = decnumber "><" decnumber
proto-options  = "icmp-type" icmp-type ["code" icmp-code] | "established"
icmp-type      = "echorep" | "unreach" | "squench" | "redir" | "echo" | "router_adv" |
                 "router_sol" | "timex" | "paramprob" | "timest" | "timestrep" |
                 "inforeq" | "inforep" | "maskreq" | "maskrep"
icmp-code      = decnumber

--[Limitations / Warnings]------------------------------------------------------

- You can only specify Ethernet interfaces (eth*).
- You *must not* specify identical rules more than once. This will *break* the
  filtering statistics.
- The service won't start immediately when launched at startup. The function
  call to PfCreateInterface() blocks for about 2 minutes after the service
  startup. This problem does not affect manual startup of the service.

--[Miscellaneous]---------------------------------------------------------------

This software is distributed under a BSD license (the license is present at the
top of each source file).

Thanks go to :

- Ghislaine Labouret : ideas, coding and debugging
- Hervé Schauer Consultants : support

Feel free to contact me if you have any questions about this software, using
the following email : Jean-Baptiste.Marchand@hsc.fr

--[History]---------------------------------------------------------------------

2001/05/30  First public version : 0.01
2001/09/08  Version 0.02 (better documentation + small bug fixes)
2001/10/02  Version 0.03 (add display of netmask when printing rules)