1
Pktfilter modification - Brad Baker
Brad Baker, CS591 Spring 2007 term project (10/15/2015)
2
Open source project listed on SourceForge (http://sourceforge.net/projects/pktfilter/)
Developed by Jean-Baptiste Marchand; the project has been inactive since February 2003
Uses the Win32 filtering API (Windows 2000 packet filtering)
Runs as a service and configures the filtering API on start
Provides a command line utility
3
Filtering is controlled through a rules file
Rules define a default action, then exceptions; for example, block everything, then pass each allowed connection
Rule mixing isn't allowed: you can't block a connection after you have created a pass exception
Example of rule setup:
block in on eth0 all
block out on eth0 all
pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
Rules require numeric IP addresses
Rules can specify ports and ranges, protocols, and use the "any" keyword
4
Installation is a manual process
Copy the Pktfilter folder to Program Files or the desired directory
From a command prompt, run "pktfltsrv.exe -i" followed by the paths to three files: the rules file, the log file, and the DNS log file
This command installs Pktfilter as a service
Configure the service to run automatically
Configure the rules file as desired
Restrict access to the rules file
5
In order of priority:
1. Research why the tool doesn't work on Windows Vista and the Windows XP x64 version
2. Research and include rule mixing (for example, after creating an exception for HTTP we would like to block a specific website)
3. Research and fix the logging problem
4. Research and implement DNS IP resolution from the rules file
5. Research and implement localhost IP resolution
6
Windows Vista doesn't include this API; the "Windows Filtering Platform" (WFP) replaces the packet filtering API
WFP is a much more robust filtering solution: it allows application based filtering, boot time filtering, and packet inspection
Moving Pktfilter to x64 just requires building with the correct platform
Conclusion: save WFP for the future; x64 was a success
7
Mixing is not possible based on the design of the underlying API; the filtering engine is specifically designed to provide only the default and exception actions
Logging works with a fresh Windows XP installation, but changes to iphlpapi.dll in Service Pack 1 broke the logging function
Conclusion: mixing and logging aren't possible due to larger system issues
8
Modified the program to use brackets for DNS lookup, e.g. "[www.uccs.edu]"
Modified the program to use the "me" keyword for localhost lookup
Looked at several DNS query methods: first used DnsQuery_A(), then gethostbyname(), and finally getaddrinfo()
The tool produces a log file to document the translation
9
Log file output:
-----------------------------------------------------
Begin rule file parsing, GMT: 2007-05-06 04:43:25
> local 'me' symbol resolved : ( 192.168.1.100 : artos )
> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )
> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )
> Remote DNS lookup FAILED : ( - : test.my.blah )
> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)
> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )
> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )
END, GMT: 2007-05-06 04:43:30
Corresponding input configuration:
# input rules
rule 1: pass in on eth0 proto udp from any port = 53 to any
rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68
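As an added example (not code from the Pktfilter project): a Python sketch of the rule translation described in slides 3 and 8 and the log format of slide 9. It assumes a constructed lookup table in place of getaddrinfo() so it runs offline, and a 253-character limit (the DNS name maximum) as the "long URL" protection; it also includes a check for the rule mixing the underlying API rejects.

```python
import re
# Constructed lookup table standing in for getaddrinfo(); hypothetical values, not a real resolver.
FAKE_DNS = {"www.uccs.edu": "128.198.1.212", "slashdot.org": "66.35.250.150"}
MAX_NAME = 253                               # longest legal DNS name; longer input is rejected unqueried
HOST_TOKEN = re.compile(r"\[([^\[\]]*)\]")   # the "[hostname]" token from the rules file

def resolve_name(name, lookup):
    """Return an IPv4 string or None. Blank and over-long names never reach the resolver."""
    name = name.strip()
    if not name or len(name) > MAX_NAME:
        return None
    return lookup.get(name)

def translate_rules(text, local_ip, lookup=FAKE_DNS):
    """Rewrite "[host]" and "me" tokens to numeric addresses; return (rules, log_lines).
    A rule whose lookup failed is dropped, so a typo cannot silently widen a pass exception."""
    log = ["> local 'me' symbol resolved : ( %s : me )" % local_ip]
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ok = True
        def sub(m):
            nonlocal ok
            shown = m.group(1).strip() or "<blank>"
            ip = resolve_name(m.group(1), lookup)
            if ip is None:
                ok = False
                log.append("> Remote DNS lookup FAILED : ( - : %s )" % shown)
                return m.group(0)
            log.append("> Remote DNS lookup resolved : ( %s : %s )" % (ip, shown))
            return ip
        line = HOST_TOKEN.sub(sub, line)           # bracketed hostnames first
        line = re.sub(r"\bme\b", local_ip, line)   # then the localhost keyword
        if ok:
            out.append(line)
    return out, log

def mixing_ok(rules):
    """The Win32 filtering API knows only a default action plus exceptions: a 'block'
    line appearing after a 'pass' exception is rule mixing and must be rejected."""
    seen_pass = False
    for rule in rules:
        action = rule.split()[0]
        seen_pass = seen_pass or action == "pass"
        if action == "block" and seen_pass:
            return False
    return True
```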
10
The tool will remain effective until Windows Vista is a common platform
Several goals were not met; however, the IP resolution will provide a benefit
Protected the application from long URLs and blank URLs
The rules file won't compromise the filtering configuration
Future enhancements can involve port information, fixing the DNS timeout, etc.
Security concerns with relying on DNS queries, for example the current Windows DNS server bug
11
Original Pktfilter project source: http://sourceforge.net/projects/pktfilter/
Information about the filtering API: http://www.ndis.com/papers/winpktfilter.htm and http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf
WFP summaries: http://www.microsoft.com/whdc/device/network/WFP.mspx and http://msdn2.microsoft.com/en-us/library/aa363967.aspx
DNS lookup information: http://msdn2.microsoft.com/en-us/library/ms738524.aspx and http://msdn2.microsoft.com/en-us/library/ms738520.aspx
PfCreateInterface (references other filtering API functions): http://msdn2.microsoft.com/en-gb/library/aa376646.aspx