ANNOUNCING FIREWALL-STYLE PACKET FILTERING FOR dp-2.3 -- infilt-0.6

Enclosed is a package named "infilt-0.6" that is a patch to DialupPPP
dp-2.3.  (It may also work on other SunOS/BSD streams-based PPP drivers.)

The package does two things:

  1. It implements firewall-style filtering on packets coming into a
     host over a PPP connection.

  2. It adjusts the packets slightly to improve interactive latency on
     a slow PPP link that also carries some batch traffic.

Please give me feedback if you attempt to use this package; let me know
of both success and failure.  I'm particularly interested in what
platforms and drivers it works with.

This is the second release, named version "0.6", and you should consider
it beta quality.  The first release was out for a month before this one,
and worked rather well, but had problems with fragmented packets.  This
release adds the second item above, fixes the fragmentation problem from
before, and has support for configuring dynamically-loaded kernel modules
(thanks to Brett Lymn).

strick@yak.net             Henry Strickland             strick@netcom.com
Tue Oct 4 1994

------------------------------------------------------------------------
------------------------------------------------------------------------

Here is an excerpt from "infilt.doc".  The package itself is small, so it
is enclosed at the end, gzip'ed and uuencoded.

------------------------------------------------------------------------

FIREWALL-STYLE FILTERING FOR INPUT PPP PACKETS

This package provides simple firewall-style packet filtering.  It is
designed for a local network that is connected to the big internet
through a single PPP link.
It runs inside the operating system kernel on the "local host", the
machine in the local network that has the PPP interface to the big
internet:

    -----------------                           ---------------------
    |               |                           |                   |
    |    local      |        (filtered)         |        the        |
    |   network     |        incoming->         |                   |
    |               |                           |        big        |
    |   --------    |                           |                   |
    |   |local |<============PPP=link============>     internet      |
    |   | host |    |                           |                   |
    |   --------    |        <-outgoing         |                   |
    |               |       (undisturbed)       |                   |
    -----------------                           ---------------------

The package looks at packets coming into the local network through this
PPP link ("incoming packets"), and it quietly drops packets that it deems
to be evil, using some simple criteria.  Packets leaving the local
network through the PPP link ("outgoing packets") are unaffected and are
never dropped.

TCP WINDOW AND MSS CLAMPING  (New feature in version 0.6)

TCP packets, both incoming and outgoing, have their "window" field and
"MSS" option examined and possibly tweaked.  Maximum values for these
two fields can be configured, and any TCP packet in which either value
exceeds its configured maximum is altered to carry the maximum value
instead.

The benefit of keeping the "window" small is that it keeps batch packets
from piling up on a slow PPP link and causing a lot of latency for small,
interactive packets.  The benefit of keeping the "MSS" small is that it
avoids IP fragmentation, which is messy and not very reliable (at least
on my sun3 running SunOS 4.1.1) and commonly causes file transfers to
freeze up.

------------------------------------------------------------------------
------------------------------------------------------------------------

SEVEN ACTIONS

The infilt package may be configured to do any or all of these seven
different things to packets:

  1. Drop selected incoming TCP packets, based on destination port.
  2. Drop selected incoming UDP packets, based on destination port.
  3. Drop selected incoming ICMP packets, based on icmp_type.
  4. Drop incoming packets containing IP header options.
  5. Write zeros over IP header options on incoming packets, rendering
     the header options impotent.
  6. Clamp the TCP "window" field on incoming or outgoing packets to a
     maximum value.
  7. Clamp the TCP "MSS" option field on incoming or outgoing packets to
     a maximum value.

------------------------------------------------------------------------
------------------------------------------------------------------------
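The following is an added example, not code from infilt or dp-2.3: a user-space C model of the seven actions applied to one raw IPv4 packet buffer, with constructed test packets. The struct and function names (policy, infilt, build_syn and the rest) are this example's own, and the blocked ports and clamp values used with it are illustrative, not infilt defaults. It makes explicit two things the list above leaves implicit: a rewritten window or MSS changes the TCP checksum, so the filter must patch it (here with the RFC 1624 incremental update, which needs no more of the segment than the bytes being changed, so it also works on a first fragment), and zeroed IP options are End-of-Option-List bytes, after which the IP header checksum must be recomputed.

```c
/* Added example, not the infilt source: user-space model of the seven infilt
 * actions on one raw IPv4 packet. Names are this example's own. Header fields
 * are read and written byte-wise in network order (host-endian neutral). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DROP = 0, PASS = 1 };

struct policy {
    uint8_t  tcp_block[8192], udp_block[8192]; /* actions 1, 2: dst-port bitmaps */
    uint8_t  icmp_block[32];                   /* action 3: icmp_type bitmap */
    int      drop_ip_opts, zero_ip_opts;       /* actions 4, 5 */
    uint16_t max_window, max_mss;              /* actions 6, 7; 0 = no clamp */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static int bit(const uint8_t *m, unsigned i) { return (m[i >> 3] >> (i & 7)) & 1; }
void block(uint8_t *m, unsigned i) { m[i >> 3] |= (uint8_t)(1u << (i & 7)); }

/* RFC 1071 ones-complement sum; fold() reduces it to 16 bits and complements. */
static uint32_t sum16(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += rd16(p);
    return n ? s + (uint32_t)(p[0] << 8) : s;
}
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* RFC 1624 incremental update for one changed byte at offset off of the
 * checksummed region: C' = ~(~C + ~old + new). Nothing else is re-summed,
 * so it also works on a first fragment carrying only part of the segment. */
static void csum_patch(uint8_t *csum, size_t off, uint8_t oldb, uint8_t newb) {
    uint16_t o = (off & 1) ? oldb : (uint16_t)(oldb << 8);
    uint16_t n = (off & 1) ? newb : (uint16_t)(newb << 8);
    wr16(csum, fold((uint16_t)~rd16(csum) + (uint16_t)~o + n));
}
/* Store a 16-bit value at tcp+off (the window field, or an MSS value that
 * may sit at an odd offset after a NOP) and keep the TCP checksum right. */
static void tcp_set16(uint8_t *tcp, size_t off, uint16_t v) {
    uint8_t nb[2] = { (uint8_t)(v >> 8), (uint8_t)v };
    for (int k = 0; k < 2; k++) { csum_patch(tcp + 16, off + k, tcp[off + k], nb[k]); tcp[off + k] = nb[k]; }
}

/* Apply the policy to one packet. Actions 1-5 see incoming packets only,
 * 6-7 both directions. Returns DROP or PASS; on PASS the packet may have
 * been rewritten in place. Malformed headers are dropped. */
int infilt(uint8_t *pkt, size_t len, const struct policy *pol, int incoming) {
    if (len < 20 || (pkt[0] >> 4) != 4 || rd16(pkt + 2) > len) return DROP;
    size_t ihl = (size_t)(pkt[0] & 0xf) * 4;
    if (ihl < 20 || ihl > len) return DROP;
    if (incoming && ihl > 20) {                         /* actions 4 and 5 */
        if (pol->drop_ip_opts) return DROP;
        if (pol->zero_ip_opts) {                        /* kind 0 = End of Option List */
            memset(pkt + 20, 0, ihl - 20);
            wr16(pkt + 10, 0); wr16(pkt + 10, fold(sum16(0, pkt, ihl)));
        }
    }
    if (rd16(pkt + 6) & 0x1fff) return PASS;            /* non-first fragment: no L4 header */
    uint8_t *tp = pkt + ihl; size_t tl = len - ihl;
    if (pkt[9] == 1)                                    /* action 3 */
        return (incoming && tl >= 1 && bit(pol->icmp_block, tp[0])) ? DROP : PASS;
    if (pkt[9] == 17)                                   /* action 2 */
        return (incoming && tl >= 4 && bit(pol->udp_block, rd16(tp + 2))) ? DROP : PASS;
    if (pkt[9] != 6) return PASS;
    if (tl < 20) return DROP;
    if (incoming && bit(pol->tcp_block, rd16(tp + 2))) return DROP; /* action 1 */
    if (pol->max_window && rd16(tp + 14) > pol->max_window)         /* action 6 */
        tcp_set16(tp, 14, pol->max_window);
    size_t doff = (size_t)(tp[12] >> 4) * 4;
    if (doff < 20 || doff > tl) return DROP;
    for (size_t i = 20; i < doff; ) {                   /* walk options looking for MSS */
        if (tp[i] == 0) break;                          /* End of Option List */
        if (tp[i] == 1) { i++; continue; }              /* NOP */
        if (i + 1 >= doff || tp[i + 1] < 2 || i + tp[i + 1] > doff) return DROP;
        if (tp[i] == 2 && tp[i + 1] == 4 && pol->max_mss && rd16(tp + i + 2) > pol->max_mss)
            tcp_set16(tp, i + 2, pol->max_mss);         /* action 7 */
        i += tp[i + 1];
    }
    return PASS;
}

/* Constructed test packet: IPv4/TCP SYN 10.0.0.2 -> 192.168.1.1. The MSS option
 * follows a NOP so its value sits at an odd offset; with ipopt a 4-byte Record
 * Route option makes the IP header 24 bytes. Returns the packet length. */
size_t build_syn(uint8_t *b, uint16_t dport, uint16_t win, uint16_t mss, int ipopt) {
    static const uint8_t addrs[8] = { 10, 0, 0, 2, 192, 168, 1, 1 };
    size_t ihl = ipopt ? 24 : 20, tl = 28, len = ihl + tl;
    uint8_t *t = b + ihl; memset(b, 0, len);
    b[0] = (uint8_t)(0x40 | (ihl / 4)); wr16(b + 2, (uint16_t)len); b[8] = 64; b[9] = 6;
    memcpy(b + 12, addrs, 8);
    if (ipopt) { b[20] = 7; b[21] = 4; b[22] = 4; }     /* RR, len 4, pointer 4, then EOL */
    wr16(b + 10, fold(sum16(0, b, ihl)));
    wr16(t, 40000); wr16(t + 2, dport); t[12] = 0x70; t[13] = 0x02; wr16(t + 14, win);
    t[20] = 1; t[21] = 2; t[22] = 4; wr16(t + 23, mss); /* NOP, then MSS (kind 2, len 4) */
    wr16(t + 16, fold(sum16(sum16(0, b + 12, 8) + 6 + (uint32_t)tl, t, tl)));
    return len;
}
int ip_csum_ok(const uint8_t *p) { return fold(sum16(0, p, (size_t)(p[0] & 0xf) * 4)) == 0; }
int tcp_csum_ok(const uint8_t *p, size_t len) {
    size_t ihl = (size_t)(p[0] & 0xf) * 4, tl = len - ihl;
    return fold(sum16(sum16(0, p + 12, 8) + 6 + (uint32_t)tl, p + ihl, tl)) == 0;
}
uint16_t tcp_window(const uint8_t *p) { return rd16(p + (p[0] & 0xf) * 4 + 14); }
uint16_t syn_mss(const uint8_t *p) { return rd16(p + (p[0] & 0xf) * 4 + 23); }
```

Two caveats a practitioner should keep in mind when reading actions 1 to 3 against this model: the match is on destination port (or ICMP type) alone, with no connection state and no look at the SYN/ACK flags, so it cannot express "allow replies to locally initiated connections but no new inbound ones", and a blocked port in the ephemeral range also blocks replies to a local client that happened to be assigned it. A non-first fragment carries no transport header at all, so the example passes it unexamined; a real filter needs fragment state or must drop such fragments outright. Action 6 is also weakened by the TCP window scale option, where the 16-bit field is multiplied by the negotiated shift, so clamping the field alone does not bound the effective window.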