h11990 s 00001/00001/01518 d D 1.19 96/05/07 06:51:06 dhd 19 18 c e s 00002/00002/01517 d D 1.18 96/05/06 22:43:26 dhd 18 17 c e s 00006/00000/01513 d D 1.17 96/05/06 20:45:10 dhd 17 16 c e s 00004/00004/01509 d D 1.16 96/05/06 20:36:39 dhd 16 15 c e s 00007/00001/01506 d D 1.15 96/02/26 21:17:10 dhd 15 14 c e s 00002/00001/01505 d D 1.14 96/02/26 20:54:33 dhd 14 13 c e s 00005/00005/01501 d D 1.13 96/02/26 20:52:21 dhd 13 12 c e s 00068/00006/01438 d D 1.12 96/02/26 20:50:07 dhd 12 11 c e s 00017/00015/01427 d D 1.11 96/02/26 20:46:46 dhd 11 10 c e s 00018/00012/01424 d D 1.10 96/02/26 20:43:44 dhd 10 9 c e s 00084/00040/01352 d D 1.9 96/02/26 20:41:07 dhd 9 8 c e s 00009/00001/01383 d D 1.8 96/02/26 20:29:24 dhd 8 7 c e s 00022/00014/01362 d D 1.7 96/02/26 20:25:35 dhd 7 6 c e s 00025/00015/01351 d D 1.6 96/02/26 20:22:03 dhd 6 5 c e s 00158/00052/01208 d D 1.5 96/02/26 20:11:28 dhd 5 4 c e s 00191/00195/01069 d D 1.4 96/02/26 19:58:21 dhd 4 3 c e s 00079/00079/01185 d D 1.3 96/02/26 19:40:06 dhd 3 2 c e s 00000/00000/01264 d D 1.2 96/02/26 19:36:47 dhd 2 1 c e s 01264/00000/00000 d D 1.1 96/02/26 19:36:01 dhd 1 0 c date and time created 96/02/26 19:36:01 by dhd e u U f e 0 t T I 1 D 16 ExFilter V1.1.3 Manual E 16 I 16 ExFilter V1.1.4 Manual E 16 D 7

Introduction

E 7 I 7

ExFilter

D 16 This is the documentation for V1.1.3 of ExFilter, the packet filter for E 16 I 16 This is the documentation for V1.1.4 of ExFilter, the packet filter for E 16 Sun-based firewall hosts. Contact ExFilter@exnet.com for more details and for pricing.

Introduction

E 7 ExFilter has one main role: protecting your network from another (untrusted) network, often the Internet.

You can use ExFilter to protect parts of your network from one another, for example to protect your personnel department's computers and files from other parts of your organisation to help keep sensitive data secure while still allowing the personnel department to benefit from your corporate IT investment.

ExFilter can be used in conjunction with other commercial and PD software to produce a very secure but highly usable connection to another untrusted network.

As well as protection, ExFilter can improve the perceived performance of your links.

To do this ExFilter helps you limit how much of each type of traffic (eg mail, FTP, news, telnet) you want on your link to fairly share the link between its users. ExFilter tries to prevent the packet traffic jams that can build up on slower links that destroy interactive performance.

ExNet itself uses ExFilter to regulate and filter its connections to the Internet.

D 3 ExFilter V1.1.3 runs on Sun-3s or Sun-4s under SunOS~4.1.x (Solaris~1). E 3 I 3 D 16 ExFilter V1.1.3 runs on Sun-3s or Sun-4s under SunOS 4.1.x E 16 I 16 ExFilter V1.1.4 runs on Sun-3s or Sun-4s under SunOS 4.1.x E 16 (Solaris 1). E 3 D 6

Overview

E 6 I 6 D 7

Overview

E 7 I 7

Overview

E 7 E 6 You now need to do the following things to use ExFilter:

Acquire your firewall machine and configure it as per our instructions D 3 in Chapter~\ref{C-FirewallConfig}. E 3 I 3 D 4 in Chapter \ref{C-FirewallConfig}. E 4 I 4 in the firewall configuration section. E 4 E 3
Check the distribution media you were sent, disc or tape.
Untar it into a temporary directory (say D 4 /tmp) and check that you have the following files: E 4 I 4 /tmp) and check that you have at least the following files: E 4
D 3
\TOK{ExFilter.O.sun3-SunOS-4}:
the Sun-3 executable. E 3 I 3 D 6
ExFilter.O.sun3-SunOS-4:
the Sun-3 executable. E 6 I 6
ExFilter.O.sun3-SunOS-4:

the Sun-3 executable.
E 6 E 3 D 3
\TOK{ExFilter.O.sun4-SunOS-4}:
the Sun-4 executable. E 3 I 3 D 6
ExFilter.O.sun4-SunOS-4:
the Sun-4 executable. E 6 I 6
ExFilter.O.sun4-SunOS-4:

the Sun-4 executable.
E 6 E 3 D 3
\TOK{ExFilter.G.sun4-SunOS-4}:
the Sun-4 executable compiled with \TOK{gcc}; we do not officially support this but you may find it runs a little faster than the \TOK{.O.} E 3 I 3 D 6
ExFilter.G.sun4-SunOS-4:
the Sun-4 executable E 6 I 6
ExFilter.G.sun4-SunOS-4:

the Sun-4 executable E 6 compiled with gcc; we do not officially support this but you may find it runs a little faster than the .O. E 3 D 6 version. E 6 I 6 version.
E 6 D 3
\TOK{README}:
a very quick (plain ASCII) guide to E 3 I 3 D 4
README:
a very quick (plain ASCII) guide to E 3 ExFilter. E 4 I 4 D 6
README:
a very quick (plain ASCII) guide to ExFilter. E 6 I 6
README:

a very quick (plain ASCII) guide to ExFilter.
E 6 E 4 D 3
\TOK{tinyeg.conf}:
a very small example config file for E 3 I 3 D 6
tinyeg.conf:
a very small example config file for E 3 ExFilter. E 6 I 6
tinyeg.conf:

a very small example config file for ExFilter.
E 6 D 3
\TOK{spec.dvi}:
the {\TeX} `device-independent' version E 3 I 3 D 4
spec.dvi}:
the {\TeX `device-independent' version E 4 I 4 D 6
manual.html}:
the HTML version E 6 I 6
manual.html:

the HTML version E 6 E 4 E 3 of this documentation; you can view it with a program such D 4 as \MITOK{xdvi}. E 4 I 4 D 6 as Lynx, Netscape or Mosaic. E 6 I 6 as Lynx, Netscape or Mosaic.
E 6 E 4 D 3
\TOK{unsupported/dp-2.3-patchlevel2-DamonMods.tar.Z}:
E 3 I 3
unsupported/dp-2.3-patchlevel2-DamonMods.tar.Z:
E 3 D 6 the source of the publicly-available Dialup-PPP package, E 6 I 6
the source of the publicly-available Dialup-PPP package, E 6 with some of our modifications to make it work better with ExFilter. This is not supported by us but you may find it D 6 useful. We use it for our own IP WAN connections. E 6 I 6 useful. We use it for our own IP WAN connections.
E 6 D 3
\TOK{unsupported/sping}:
a simple shell script we use to E 3 I 3 D 6
unsupported/sping:
a simple shell script we use to E 6 I 6
unsupported/sping:

a simple shell script we use to E 6 E 3 monitor link performance; set it to ping a host on the other side of a link you wish to monitor and it will provide a simple round-trip-time histogram on any terminal. I 6
E 6 D 3
\TOK{unsupported/100359-06.tar.Z}:
Sun's jumbo STREAMS patch for SunOS~4.1.x. You may wish to see if they have a E 3 I 3 D 6
unsupported/100359-06.tar.Z:
Sun's jumbo STREAMS E 6 I 6
unsupported/100359-06.tar.Z:

Sun's jumbo STREAMS E 6 patch for SunOS 4.1.x. You may wish to see if they have a E 3 later version or if it is unnecessary for your release of D 4 the OS. It may be unnecessary for 4.1.3\_U1 and later E 4 I 4 the OS. It may be unnecessary for 4.1.3_U1 and later E 4 D 3 releases of Solaris~1---please check with the supplier of E 3 I 3 releases of Solaris 1---please check with the supplier of E 3 your OS. I 6
E 6
D 4 To untar it you will need to type a command such as: E 4 I 4 To untar it you will need to type a command such as:
E 4 D 3 \TOK{tar xvf - /dev/rst8} E 3 I 3 D 4 tar xvf - /dev/rst8 E 4 I 4 tar xvf - /dev/rst8
E 4 E 3 D 4 for tape, or, for floppy disc: E 4 I 4 for tape, or, for floppy disc:
E 4 D 3 \TOK{tar xvf - /dev/rfd0} E 3 I 3 D 4 tar xvf - /dev/rfd0 E 4 I 4 tar xvf - /dev/rfd0
E 4 E 3
Make sure you have designed, implemented and understand your security policy. You may need help from an external consultant, at least initially. There are many good books on firewall security available now, too.
Load ExFilter onto your firewall machine and configure it and the D 3 machine as described in Chapter~\ref{C-ExFilterConfig}. E 3 I 3 D 4 machine as described in Chapter \ref{C-ExFilterConfig}. E 4 I 4 machine as described here. E 4 E 3
Back up your firewall machine and reboot.
Ensure the configuration doesn't let through traffic you don't want it to, and conversely that it does let through what you do want it to.
Periodically check the logs for refused traffic, and recheck that your firewall is stopping what you expect it too---don't just trust the logs on the firewall since the first things a cracker will do is tamper with the logs and logging. I 15
We will be happy to provide a cursory overview of your system configuration before you go live for the first time, or you may hire us for a more thorough investigation. E 15

D 4 \section{Basic Operation} E 4 I 4 D 7

Basic Operation

E 7 I 7

Basic Operation

E 7 E 4 D 4 ExFilter runs as a root d{\ae}mon process, and attaches itself to the E 4 I 4 ExFilter runs as a root daemon process, and attaches itself to the E 4 raw packet interface of each device you tell it about in its configuration file. It then looks at every packet that arrives on each interface and decides whether or not to route it, and if so to which other interface, depending on the packet's source and destination addresses, protocol type, etc. You must configure the kernel not to route any packets since with would short-cut ExFilter's filtering mechanisms that are used to screen out harmful packets. D 4 ExFilter uses the \MITOK{NIT} (Network Interface Tap) connection, and E 4 I 4

ExFilter uses the NIT (Network Interface Tap) connection, and E 4 so can attach to any device (eg Ethernet, PPP, SLIP) device which carries IP packets and provides an NIT interface. D 5 %============================================================================== E 5 D 3 \chapter{Setting Up Your Firewall System}\label{C-FirewallConfig} E 3 I 3 D 4

Setting Up Your Firewall System}\label{C-FirewallConfig

E 4 I 4 D 7

Setting Up Your Firewall System

E 7 I 7

Setting Up Your Firewall System

E 7 E 4 E 3 To make a working firewall machine you need to strip down the kernel to contain the minimum for speed and to provide the smallest possible number of loop-holes and flaws for a hacker to break in through. You will need to turn off kernel routing so that ExFilter can choose what to allow through and what to block. I 5

E 5 You will also need to load and configure trusted software to provide any application-level gateways you want to provide on the gateway, for example an SMTP email gateway and proxy versions of programs such as D 4 Telnet and FTP\@. You may also want to provide (for example) a public E 4 I 4 Telnet and FTP. You may also want to provide (for example) a public E 4 FTP service from the gateway. I 5

E 5 You should not provide any user accounts other than a non-root administrator account and root itself, and you should not allow remote access to the machine over Telnet or a similar service---once entry is gained via any unprivileged account root access can usually be obtained fairly quickly by an experienced cracker (or UNIX sysadmin). You should also turn off services such as NIS that may induce a firewall machine to believe false information supplied form an external source. ExFilter, for example, uses static routing and avoids services such as NIS as far as possible to prevent remote tampering with its configuration. I 5

E 5 Finally, you should turn off any non-essential services, such as D 4 d{\ae}mons running from \MITOK{inetd}. E 4 I 4 daemons running from inetd. E 4 D 4 \section{Modifying Your Kernel} E 4 I 4 D 7

Modifying Your Kernel

E 7 I 7

Modifying Your Kernel

E 7 E 4 D 8 You will almost certainly need to build a stripped down kernel to E 8 I 8 You will almost certainly need to build a stripped-down kernel to E 8 D 4 remove the most hackable bits (such as \MI{NFS}, which you should not E 4 I 4 remove the most hackable bits (such as NFS, which you should not E 4 need anyway since a firewall must be stand-alone), and to make your systems as small and efficient as possible. I 5

E 5 In general do not configure into the OS kernel module, or load or enable any OS software from the distribution, that you do not D 4 absolutely need (you don't {\em need} NFS or NIS for example, life is E 4 I 4 absolutely need (you don't need NFS or NIS for example, life is E 4 somewhat tiresome without them, but only experienced administrators should be on the firewall host anyway). In particular, avoid all software that makes your host in anyway dependent on externally-provided information that may compromise your security. Again, avoid NIS and NFS (and RFS, etc), server and client, don't use D 3 \TOK{inetd}, etc. DNS is fine if you configure it properly, and E 3 I 3 inetd, etc. DNS is fine if you configure it properly, and E 3 preferably make it a primary or secondary for the network you are protecting so that it will only get data about your network directly from authoritative sources. I 5

E 5 D 4 It is {\em vital} that you completely disable packet forwarding in the E 4 I 4 It is vital that you completely disable packet forwarding in the E 4 kernel of your firewall machine else the ExFilter will be short-circuited and no filtering or protection will be provided at all. I 5

I 8 You should try to keep an eye on the security mailing lists and on Sun's current lists of publicly-available security patches (eg at Imperial College in the UK), and apply relevant patches to security holes that might otherwise allow D 15 ExFilter to be bypassed or disabled. E 15 I 15 ExFilter to be bypassed or disabled. In particular, beware of source-routing tricks that can be used to bypass ExFilter. E 15

E 8 E 5 D 4 An example \MI{firewall kernel configuration} for running ExFilter on, E 4 I 4 An example firewall kernel configuration for running ExFilter on, E 4 in this case for a Sun-3, is: D 4 \begin{verbatimlisting} E 4 I 4

E 4
# @(#) FW 1.13@(#) 94/03/06 #
#
# FIREWALL KERNEL.
#   * Minimum disc-bootable kernel for Sun-3/50, Sun-3/60 or Sun-3/110.
#   * Loadable PPP 2.3 is used instead and loaded at runtime.
#   * IP forwarding is turned off here with IPFORWARDING=-1.
#   * We can also configure udp_checksum = 1 (in_proto.c).
#   * We can also expand the udp_ttl to 120 in in_proto.c.
#
# EDIT ../../netinet/in_proto.c IN ../FW BY HAND BEFORE BUILDING THE KERNEL.
#
# We allocate a little more space for file handles, etc, as we will be
# running a lot of networking daemons.
#
machine         "sun3"
cpu             "SUN3_50"       # Sun-3/50
cpu             "SUN3_60"       # Sun-3/60
cpu             "SUN3_110"      # Sun-3/110

#
# Name this kernel:
#
ident           "FW1.13"

# Expanded kernel for lots of UUCP/Sendmail/etc sessions.
maxusers        32

# Turn off all kernel IP forwarding.
options "IPFORWARDING=-1"

#options        QUOTA           # disk quotas for local disks
D 5
#options        SYSACCT         # process accounting, see acct(2) & sa(8)
E 5
I 5
#options        SYSACCT         # process accounting, see acct(2) & sa(8)
E 5
#options        TCPDEBUG        # TCP debugging, see trpt(8)
options CRYPT           # software encryption
options INET            # basic networking support - mandatory
options OLDSCSI         # Old SCSI architecture - mandatory
options TMPFS           # tmp (anonymous memory) file system
options UFS             # filesystem code for local disks
options VDDRV           # loadable modules

config  vmunix  root on sd0 swap on sd0

pseudo-device   pty             # pseudo-tty's, also needed for SunView
pseudo-device   ether           # basic Ethernet support
pseudo-device   loop            # loopback network - mandatory
pseudo-device   win64           # window devices, allow 64 windows
pseudo-device   dtop2           # desktops (screens), allow 2
pseudo-device   ms              # mouse support
pseudo-device   kb              # keyboard support
pseudo-device   snit            # streams NIT
pseudo-device   pf              # packet filter
pseudo-device   nbuf            # NIT buffering module
pseudo-device   clone           # clone device

# connections for machine type 2 (SUN3_50)
controller      virtual 2 at nexus ?
controller      obmem 2 at nexus ?
controller      obio 2 at nexus ?

# connections for machine type 7 (SUN3_60)
controller      virtual 7 at nexus ?
controller      obmem 7 at nexus ?
controller      obio 7 at nexus ?

# connections for machine type 4 (SUN3_110)
controller      virtual 4 at nexus ?
controller      obmem 4 at nexus ?
controller      obio 4 at nexus ?
controller      vme16d16 4 at nexus ?
controller      vme24d16 4 at nexus ?
controller      vme32d16 4 at nexus ?
controller      vme16d32 4 at nexus ?
controller      vme24d32 4 at nexus ?
controller      vme32d32 4 at nexus ?

controller      si0 at obio ? csr 0x140000 priority 2
tape            st0 at si0 drive 040 flags 1
disk            sd0 at si0 drive 000 flags 0
device          zs0 at obio ? csr 0x20000 flags 3 priority 3
device          zs1 at obio ? csr 0x00000 flags 0x103 priority 3
device          le0 at obio ? csr 0x120000 priority 3
device          cgfour0 at obmem 7 csr 0xff300000 priority 4    # 3/60
device          cgfour0 at obmem 7 csr 0xff400000 priority 4    # 3/60
#device         cgsix0 at obmem 7 csr 0xff000000 priority 4     # 3/60
device          bwtwo0 at obmem 2 csr 0x100000 priority 4       # 3/50
device          bwtwo0 at obmem 7 csr 0xff000000 priority 4     # 3/60
device          bwtwo1 at obmem 7 csr 0xff300000 priority 4     # 3/60
#device         bwtwo1 at obmem 7 csr 0xff400000                # 3/60

# 3/110 stuff not in 3/50 or 3/60 config.
# comment out the sc0 lines to save memory if you don't have a SCSI-2 board
controller      sc0 at vme24d16 ? csr 0x200000 priority 2 vector scintr 0x40
tape            st0 at sc0 drive 040 flags 1
disk            sd0 at sc0 drive 000 flags 0
disk            sd1 at sc0 drive 001 flags 0
# comment out the si0 lines to save memory if you don't have a SCSI-3 board
controller      si0 at vme24d16 ? csr 0x200000 priority 2 vector siintr 0x40
device          ie0 at obio ? csr 0xc0000 priority 3
device          cgfour0 at obmem 4 csr 0xff000000 priority 4    # 3/110
#device         bwtwo0 at obmem 4 csr 0xff000000                # 3/110
D 4
\end{verbatimlisting}
E 4
I 4

E 4 A feature of this configuration is that it is short, because not much is configured in. I 5

E 5 The setup for a Sun-4 is very similar. Start with a ``Generic'' or ``Generic Small'' configuration and cut away options from that, such as NFS server and client support. D 5 %============================================================================== E 5 D 3 \chapter{Designing Your ExFilter Configuration}\label{C-ExFilterConfig} E 3 I 3 D 4

Designing Your ExFilter Configuration}\label{C-ExFilterConfig

E 4 I 4 D 7

Designing Your ExFilter Configuration

E 7 I 7

Designing Your ExFilter Configuration

E 7 E 4 E 3 D 4 An example \MITOK{/etc/ExFilter.conf} \MI{ExFilter configuration} file E 4 I 4 An example /etc/ExFilter.conf ExFilter configuration file E 4 is provided below. For an explanation of the syntax, see D 3 Chapter~\ref{C-Ref}. E 3 I 3 D 4 Chapter \ref{C-Ref}. E 4 I 4 here. E 4 E 3 I 5

E 5 This example is constructed for the following, realistic, configuration: I 5 E 5 D 4 \begin{itemize} E 4 I 4

E 4 You have an internal Class-C network number 1.2.3 (this is not a valid Class-C network) that you wish to connect to the Internet through ExFilter. D 4 \item E 4 I 4
E 4 D 4 This network is an Ethernet on interface \MITOK{le0}, and the E 4 I 4 This network is an Ethernet on interface le0, and the E 4 firewall's address on this network is 1.2.3.1. D 4 \item E 4 I 4
E 4 You make the ExFilter program appear to be at address 1.2.3.254 piggybacked on all interfaces, with standard gateway options. D 4 \item E 4 I 4
E 4 You have a dial-up or permanent PPP link to the Internet on D 3 interface \MITOK{dp2}, via a~14k4bps (V.32b) modem. Your address for \TOK{dp2} is~2.3.4.5. E 3 I 3 D 4 interface \MITOK{dp2}, via a 14k4bps (V.32b) modem. Your address E 4 I 4 interface dp2, via a 14k4bps (V.32b) modem. Your address E 4 for dp2 is 2.3.4.5. E 3 D 4 \item E 4 I 4
E 4 D 3 The raw, uncompressed bandwidth available through your~V.32b modem with V.42 (error correction alone) is a little short of~1700cps; to E 3 I 3 The raw, uncompressed bandwidth available through your V.32b modem with V.42 (error correction alone) is a little short of 1700cps; to E 3 keep average delay across the link down you should `throttle' bandwidth to somewhat less than this (delay increases sharply as the throughput approaches the available bandwidth). Note that the `throttle' mechanism in ExFilter pretends that each packet takes up about the same number of bits as if passing across an Ethernet, which is roughly true though sometimes an underestimate and sometimes an overestimate, even ignoring the effects of any modem compression. Turning on (V.42b) modem compression will usually give somewhat higher available bandwidth in return for a longer round-trip delay, which usually manifests itself as poorer interactive performance. D 4 \item E 4 I 4
E 4 You are running an SMTP gateway for inbound and outbound traffic on the firewall machine, but allow direct connections for incoming D 4 traffic to the internal mailserver (\MITOK{mailhost}, 1.2.3.4) for E 4 I 4 traffic to the internal mailserver (mailhost, 1.2.3.4) for E 4 efficiency. This is reasonable since only the SMTP port is reachable from outside your net and you have decided your SMTP mailer is fairly secure. D 4 \item E 4 I 4
E 4 D 4 You wish to allow access to Internet facilities such as \MI{WWW}, \MI{Telnet}, \MI{FTP}, \MITOK{whois}, and \MITOK{finger} from a single host, \MITOK{safehost}, 1.2.3.5, whose security you control E 4 I 4 You wish to allow access to Internet facilities such as WWW, Telnet, FTP, whois, and finger from a single host, safehost, 1.2.3.5, whose security you control E 4 more tightly than most hosts so you can watch for and forestall potential security breaches. D 4 \item E 4 I 4
E 4 You want to block and monitor any attempts by external hosts to pretend to be one of our external hosts, and a few other potential horrors. D 4 \item E 4 I 4
E 4 You are initially debugging the link and want to monitor ExFilter activity fairly closely. D 4 \end{itemize} E 4 I 4

E 4 D 4 Note that a comment is a hash (\verb|#|) at the start of a line, E 4 I 4 Note that a comment is a hash (#) at the start of a line, E 4 followed by a space and then arbitrary text. Comments cannot be added to the end of other lines. D 4 \begin{verbatimlisting} E 4 I 4

E 4
# Set verbosity at just high enough to watch throttle activity, etc.
verbosity 5

# # Set verbosity just above zero; only important things will be reported.
# verbosity 1

# Throttle data to dp2 to 1100--1400B/s including all IP and other headers.
# This does not allow for (for example) TCP header compression for
# outgoing PPP/SLIP links, nor all the link-level framing overhead (though
# it does include enough to cover all the Ethernet link-level headers
# and any padding), nor does it allow for retries done at the link level
# due to corruption, etc.
#
# Raw uncompressed bandwidth available on V.32b/V.42 link is about
# 1700Bps; V.42b compression should improve this marginally.
#
# To try to avoid huge delays make around 1000--1450
throttleto dp2 1300

# Try to prevent traffic to/from our Ethernet getting out of hand!
throttleto le0 200000

# We are interested in interfaces le0 and dp2.
if le0
if dp2

# This gateway appears at address 1.2.3.254.
#
# This gateway should behave itself and decrement TTLs on all packets
# passing through it, generate ICMP error packets where appropriate,
# and discard (not route) all incoming packets addressed directly
# to the underlying interfaces on the assumption that servers on the
# host will deal with any application-level routing necessary.
# The gateway will check and generate IP header checksums for packets
# in transit and generated locally, and will not route packets with IP
# header options.
#
# We do not run in `trace' mode unless we want to debug all traffic
# through the gateway for some reason.
#
gateway 1.2.3.254 decttl icmperrs parallel chksum noopts notrace

# -----------------------------------------------------------------------------
# ROUTING DIRECTIVES
# ==================

# Drop all packets arriving for our own interface addresses or for
# broadcast addresses, etc.
# That includes ignoring all packets arriving on our Ether interfaces
# for any machines on those nets.
#
# Beware of us getting output packets getting fed back on our input
# by nit and counted as input traffic.  This will distort throttling.
# (Some packet devices do this and some don't.  Sun's le0 Ethernet
# interface and out modified dp2.3 PPP drivers don't.)
#
# With the `parallel' option some of these rules are redundant and the rest
# should be logged in case of nasty surprises.
#
# route deny le0 any any from any any any to 1.2.3.0 255.255.255.0 any log
#
# Remember not to route packets destined for any of the other interfaces
# since SunOS will reply for all of them on any interface, generating
# double replies potentially in some cases.
#
route deny any any any between any any any and 1.2.3.1 only any
route deny any any any between any any any and 2.3.4.5 only any
#
# Log strangely-addressed packets.
#
route deny any any any between any any any and 127.0.0.0 255.0.0.0 any log
route deny any any any between any any any and 0.0.0.0 only any log
#
# Ignore discless-client reboot attempts.
#
route deny any any any between any any any and 255.255.255.255 only any
#
# Ignore attempts to talk to our broadcast addresses.
#
route deny any any any between any and any and 1.2.3.0 only any log
route deny any any any between any and any and 1.2.3.255 only any log

# ---------
# Spoofing attempts
# =================
#
# Block packets apparently from internal hosts on our subnet coming
# in from the connected Internet and log such packets.  It may be
# attempts by crackers to cripple or steal data from some of our
# machines by pretending to be our hosts.
#
route deny dp2 any any from 1.2.3.0 255.255.255.0 any to any any any log

# ---------
# NFS and other holes
# ===================
#
# Block all attempts to reach non-privileged NFS ports on our internal hosts.
#
# Log any traffic denied this way.
#
route deny dp2 le0 udp between any any any and 1.2.3.0 255.255.255.0 2049 log 

# ---------
# WWW
# ===
#
# Allow WWW packets to/from safehost for calls originated on safehost,
# ie allow hhtpd packets to or from port 80 on any external machine to
# any non-priv port on safehost.
#
# Limit to 50% of traffic when throttled.
route allow dp2 le0 tcp between any any 80 and 1.2.3.5 only nonpriv throttle50

# ---------
# TELNET/FTP
# ==========
#
# Allow telnet packets to/from safehost for calls originated on safehost,
# ie allow tcp packets to or from port 23 on any external machine to
# any non-priv port on safehost.
#
# Limit to 50% of traffic when throttled.
#
route allow dp2 le0 tcp between any any 23 and 1.2.3.5 only nonpriv throttle50
#
# Similarly for ftp on port 21 (and ftp-data on port 20)
#
# Limit to 50% of traffic when throttled.
route allow dp2 le0 tcp between any any 20 and 1.2.3.5 only nonpriv throttle50
route allow dp2 le0 tcp between any any 21 and 1.2.3.5 only nonpriv throttle50

# ---------
# FINGER/WHOIS
# ============
#
# Limit to 10% of traffic when throttled.
#
# Allow users on safehost to finger any remote host.
#
route allow dp2 le0 tcp between any any 79 and 1.2.3.5 only nonpriv throttle10
#
# Similarly for whois on port 43.
#
route allow dp2 le0 tcp between any any 43 and 1.2.3.5 only nonpriv throttle10

# ---------
# MAIL
# ====
#
# Allow mail directly to the SMTP mailer on mailhost (tcp->port 25).
#
# Mail does not have to be super-high-speed and so is limited to a lowish
# bandwidth.
#
# Limit to 15% of traffic when throttled.
#
route allow dp2 le0 tcp between any any any and 1.2.3.4 only 25 throttle15

# ---------
# PING
# ====
#
# This should be nearly last on the list so as to measure worst-case
# performance from the network and ExFilter.
#
# Allow pings to and from anywhere.
#
# Note that ICMP traffic cannot be throttled.
#
route allow dp2 le0 icmp between any any nonpriv and 1.2.3.0 255.255.255.0 nonpriv

# -----------------------------------------------------------------------------
# THINGS THAT SHOULDN'T GO THROUGH...

# Block attempts to contact our internal DNS name servers.
#
route deny any any any between any any any and 1.2.3.0 255.255.255.0 53 nothrottle

# Ignore attempts to get to one interface from another; these attempts
# arise from our listing all (or most of) our external addresses for each
# application-level gateway on the firewall.
#
route deny any any any between any any any and 1.2.3.1 only any
route deny any any any between any any any and 2.3.4.5 only any

# These are packets that shouldn't be getting here at all.
#
# Log them.
#
route deny any any any between any any any and any any any log
D 4
\end{verbatimlisting}
E 4
I 4

E 4 D 5 E 5 D 4 \section{Installing and Starting ExFilter} E 4 I 4 D 7

Installing and Starting ExFilter

E 7 I 7

Installing and Starting ExFilter

E 7 E 4 First, you will need to select the appropriate binary and copy it to the firewall's local disc; suitable candidate locations might be D 4 \MITOK{/usr/local/bin} or \MITOK{/usr/etc}. E 4 I 4 /usr/local/bin or /usr/etc. E 4 I 5

E 5 D 4 You should then start up ExFilter from \MITOK{/etc/rc.local} after all E 4 I 4 You should then start up ExFilter from /etc/rc.local after all E 4 interfaces are in place (ie after any loadable interface drivers have D 4 been loaded and configured). ExFilter has to be run as root ({\em not} E 4 I 4 D 9 been loaded and configured). ExFilter has to be run as root (not E 9 I 9 been loaded and configured). ExFilter has to be run as root (not E 9 E 4 set-uid root which might be a security hazard) to bind to the low-level interfaces. I 5

E 5 D 4 Suitable lines in \MITOK{rc.local} might be: \begin{verbatimlisting} E 4 I 4 Suitable lines in rc.local might be:

E 4
EXFILTER=/usr/local/bin/ExFilter.O.sun4-SunOS-4
if [ -f $EXFILTER ]; then
        echo 'Starting Exfilter.'
D 5
        ($EXFILTER &)   > /dev/console
E 5
I 5
        ($EXFILTER &)   > /dev/console
E 5
fi
D 4
\end{verbatimlisting}
E 4
I 4

E 4 D 4 Note that the initial \MITOK{verbosity} (debugging level) of the d{\ae}mon can be set with the optional \MITOK{-v} flag, and the location of the configuration file with the optional \MITOK{-f} flag. E 4 I 4 Note that the initial verbosity (debugging level) of the daemon can be set with the optional -v flag, and the location of the configuration file with the optional -f flag. E 4 I 5
E 5 So you might start ExFilter with a configuration file of D 3 \TOK{/etc/altExFilter.conf} rather than the default \TOK{/etc/ExFilter.conf}, and with a verbosity level of~50\% rather than the default~1\%, with: E 3 I 3 /etc/altExFilter.conf rather than the default D 4 /etc/ExFilter.conf, and with a verbosity level of 50\% rather than the default 1\%, with: E 3 \begin{verbatimlisting} E 4 I 4 /etc/ExFilter.conf, and with a verbosity level of 50% rather than the default 1%, with:
E 4 EXFILTER=/usr/local/bin/ExFilter.O.sun4-SunOS-4 if [ -f $EXFILTER ]; then echo 'Starting Exfilter in an alternative way.' D 5 ($EXFILTER -v 50 -f /etc/altExFilter.conf &) > /dev/console E 5 I 5 ($EXFILTER -v 50 -f /etc/altExFilter.conf &) > /dev/console E 5 fi D 4 \end{verbatimlisting} E 4 I 4
E 4 D 5 %============================================================================== E 5 D 3 \chapter{ExFilter Reference Guide}\label{C-Ref} E 3 I 3 D 4
ExFilter Reference Guide}\label{C-Ref
E 4 I 4 D 7
ExFilter Reference Guide
E 7 I 7
ExFilter Reference Guide
E 7 E 4 E 3 D 4 \section{The Format and Meaning of the Configuration File} E 4 I 4 D 7
The Format and Meaning of the Configuration File
E 7 I 7
The Format and Meaning of the Configuration File
E 7 E 4 This section describes the format of the ExFilter configuration file, D 4 by default found in the file \MITOK{/etc/ExFilter.conf}, which should E 4 I 4 by default found in the file /etc/ExFilter.conf, which should E 4 be owned by, and only writable by, root. I 5
E 5 The file consists of a series of one-line records with whitespace-separated fields. The order of records and fields is important. I 5
E 5 Completely blank lines are ignored. I 5
E 5 The first field on a line (which must start in column one) determines the type of the record that that line is. I 5
E 5 Case of alpha characters is significant. I 5
E 5 Records are of unlimited length, but exceeding 256 bytes is inadvisable. I 5
E 5 The following initial fields (ie, record types) are valid: D 4 \begin{description} E 4 I 4
E 4 D 4 \item[\#] (starts a comment record) E 4 I 4
#
(starts a comment record) E 4 I 9
E 9 The content of such records is ignored. I 9

E 9 D 4 \item[throttleto] (starts a traffic throttle record) E 4 I 4
throttleto
(starts a traffic throttle record) E 4 I 9
E 9 Specifies the maximum amount of traffic in bytes per second that may flow out through an interface. This is also taken to be the maximum data rate of traffic coming in through the interface to keep traffic roughly symmetrical and keep interactive response of (for example, telnet) sessions across the link good. I 5
E 5 The aim of the mechanism invoked by this record is to avoid saturating slow connections like PPP links to ensure reasonable responsiveness for interactive traffic. Excess traffic is quenched where possible. I 5
E 5 D 4 Records referring to interfaces not mentioned in an \MITOK{if} E 4 I 4 Records referring to interfaces not mentioned in an if E 4 record are invalid. I 9

E 9 D 4 \item[verbosity] (starts a verbosity record) E 4 I 4
verbosity
(starts a verbosity record) E 4 I 9
E 9 Says how verbose the filter program should be as a percentage. I 9

E 9 D 4 \item[if] (starts an interface-name record) E 4 I 4
if
(starts an interface-name record) E 4 I 9
E 9 Names an interface we want to route packets to/from. I 5
E 5 D 4 The interface names \MITOK{none} and \MITOK{quench} are reserved. E 4 I 4 The interface names none and quench are reserved. E 4 I 9

E 9 D 4 \item[route] (starts a routing record) E 4 I 4
route
(starts a routing record) E 4 I 9
E 9 An ordered list (order in the file is significant---the first matching rule for an incoming packet is used) of instructions to route or drop packets with selection by protocol, source and destination address/mask/port, etc. Packets can be specified to bypass any throttle. I 5
E 5 The port component is ignored for which it is meaningless, eg EGP. It is mainly intended for UDP and TCP. I 9

E 9 D 4 \item[gateway] (starts a gateway record) E 4 I 4
gateway
(starts a gateway record) E 4 I 9
E 9 Sets overall parameters for the gateway. I 9

E 9 D 4 \end{description} E 4 I 4
E 4 D 4 \newcommand{\OR}{$|$} E 4 I 4 Valid record syntax, in EBNF, is (non-literal parameters are thus):
E 4 D 4 Valid record syntax, in EBNF, is (non-literal parameters are {\it thus}): \begin{sloppypar} \begin{description} E 4 I 4 D 5
#
any text E 5 I 5 D 9
#

any text
E 9 I 9
#

any text

E 9 E 5 E 4 D 4 \item[\#] {\it any text} E 4 I 4 D 5
throttleto
ifname Bps E 5 I 5 D 9
throttleto

ifname Bps
E 9 I 9
throttleto

ifname Bps

E 9 E 5 E 4 D 4 \item[throttleto] {\it ifname} {\it Bps} E 4 I 4 D 5
verbosity
percentage E 5 I 5 D 9
verbosity

percentage
E 9 I 9
verbosity

percentage

E 9 E 5 E 4 D 4 \item[verbosity] {\it percentage} E 4 I 4 D 5
if
ifname E 5 I 5 D 9
if

ifname
E 9 I 9
if

ifname

E 9 E 5 E 4 D 4 \item[if] {\it ifname} \item[route] E 4 I 4
route
E 4 D 5 (deny{\OR}allow) ({\it Iif}{\OR}any) ({\it Oif}{\OR}any) ({\it proto}{\OR}any) (from{\OR}between) ({\it FRaddr}{\OR}any) ({\it FRmask}{\OR}any{\OR}only) {\it FRport} (to{\OR}and) ({\it TOaddr}{\OR}any) ({\it TOmask}{\OR}any{\OR}only) {\it TOport} D 3 [~[no]fragment~] [~[no]log~] \pagebreak[3] [~[no]throttle[{\it maxthpc}]~] E 3 I 3 [ [no]fragment ] [ [no]log ] \pagebreak[3] [ [no]throttle[{\it maxthpc}] ] E 5 E 3 I 5
D 9 (deny|allow)
(Iif|any) (Oif|any)
(proto|any)
(from|between)
(FRaddr|any) (FRmask|any|only) FRport
(to|and)
(TOaddr|any) (TOmask|any|only) TOport
E 9 I 9 (deny | allow)
(Iif | any) (Oif | any)
(proto | any)
(from | between)
(FRaddr | any) (FRmask | any | only) FRport
(to | and)
(TOaddr | any) (TOmask | any | only) TOport
I 17 D 18 [ [no]ether[etheraddr] ]
E 18 I 18 D 19 [ [no]MACforce[etheraddr] ]
E 19 I 19 [ [no]MACforce[-etheraddr] ]
E 19 E 18 E 17 E 9 [ [no]fragment ]
[ [no]log ]
[ [no]throttle[maxthpc] ]

E 5 (default options: fragment nolog throttle) I 9
E 9 I 5
E 5 D 4 \item[gateway] IPaddr E 4 I 4
gateway
IPaddr E 4 D 3 [~[no]chksum~] [~[no]decttl~] [~[no]icmperrs~] [~[no]parallel~] [~[no]opts~] [~[no]trace~] E 3 I 3 D 5 [ [no]chksum ] [ [no]decttl ] [ [no]icmperrs ] [ [no]parallel ] [ [no]opts ] [ [no]trace ] E 5 E 3 I 5
[ [no]chksum ]
[ [no]decttl ]
[ [no]icmperrs ]
[ [no]parallel ]
[ [no]opts ]
[ [no]trace ]

E 5 (default options: chksum nodecttl noicmperrs parallel noopts notrace) I 9
E 9 I 5
E 5 D 4 \end{description} E 4 I 4
E 4 D 5 \end{sloppypar} E 5 D 5 Note that {\OR} indicates the item on the left {\rm or} the item on the E 5 I 5 D 9 Note that ``|'' indicates the item on the left or the item on the E 9 I 9 Note that ``|'' indicates the item on the left or the item on the E 9 E 5 right. Parentheses indicate grouping. Square brackets indicate optional items. I 5
E 5 The meaning of the various parameters to the record types is given below. D 4 \begin{description} E 4 I 4
I 17 D 18
etheraddr:
E 18 I 18
MACforce:
E 18
An Ethernet MAC address, in the form xx:xx:xx:xx:xx:xx, used to force traffic to be routed to a particular Ethernet adaptor.

E 17 E 4 D 4 \item[FRaddr, IPaddr, TOaddr:] a dotted-quad host or net IP address, E 4 I 4 D 9
FRaddr, IPaddr, TOaddr:
a dotted-quad host or net IP address, E 4 D 3 eg~1.2.3.4. E 3 I 3 eg 1.2.3.4. E 9 I 9
FRaddr, IPaddr, TOaddr:

A dotted-quad host or net IP address, eg 1.2.3.4.

E 9 E 3 D 4 \item[fragment:] do packet fragmentation if required. Also allow E 4 I 4 D 9
fragment:
do packet fragmentation if required. Also allow E 9 I 9
fragment:

Do packet fragmentation if required. Also allow E 9 E 4 fragments though, ie parts of packets that have already been fragmented, which means ignoring port checking (etc) on all but the D 9 first fragment. E 9 I 9 first fragment.

E 9 D 4 \item[FRmask, TOmask:] a dotted-quad mask in the style of a netmask; E 4 I 4 D 9
FRmask, TOmask:
a dotted-quad mask in the style of a netmask; E 4 non-zero bits are those that will be matched. E 9 I 9
FRmask, TOmask:

A dotted-quad mask in the style of a netmask; non-zero bits are those that will be matched.

E 9 D 4 \item[FRport, TOport:] port number; \MITOK{any} is any port, D 3 \MITOK{priv} is any port~$< 1024$ (privileged), and \MITOK{nonpriv} is any port~$>= 1024$. E 3 I 3 \MITOK{priv} is any port $< 1024$ (privileged), and \MITOK{nonpriv} E 4 I 4 D 9
FRport, TOport:
port number; any is any port, D 5 priv is any port $< 1024$ (privileged), and nonpriv E 4 is any port $>= 1024$. E 5 I 5 priv is any port <1024 (privileged), and nonpriv is any port >=1024. E 9 I 9
FRport, TOport:

Port number; any is any port, priv is any port <1024 (privileged), and nonpriv is any port >=1024.
E 9 E 5 E 3 I 5 D 9
E 9 E 5 For protocols other than TCP and UDP this field is ignored with the D 9 following exception. E 9 I 9 following exception.
E 9 I 5 D 9
E 9 E 5 For ICMP, if the FRaddr address matches then the FRport port value has the following meanings: D 4 * \MITOK{any} means any ICMP message is allowed from the given E 4 I 4 D 5 * any means any ICMP message is allowed from the given E 5 I 5

any means any ICMP message is allowed from the given E 5 E 4 host(s). D 3 * A port number allows ICMP messages of that type through, eg~4 E 3 I 3 D 5 * A port number allows ICMP messages of that type through, eg 4 E 5 I 5
A port number allows ICMP messages of that type through, eg 4 E 5 E 3 is Source Quench. D 4 * If \MITOK{nonpriv}, only Echo and Echo Reply packets from that E 4 I 4 D 5 * If nonpriv, only Echo and Echo Reply packets from that E 5 I 5
If nonpriv, only Echo and Echo Reply packets from that E 5 E 4 host are allowed. I 5
E 5 D 4 Note that when a \MITOK{between} routing record is used, the E 4 I 4 Note that when a between routing record is used, the E 4 corresponding TOport value is used for packets travelling in the reverse direction. D 4 \item[ifname, Iif, Oif:] an interface name, eg \MITOK{le0}; this must E 4 I 4 D 9
ifname, Iif, Oif:
an interface name, eg le0; this must E 9 I 9

ifname, Iif, Oif:

An interface name, eg le0; this must E 9 E 4 D 5 be an interface available to the router through \MI{NIT}, and must E 5 I 5 be an interface available to the router through NIT, and must E 5 D 4 be mentioned in an \MITOK{if} record. E 4 I 4 D 9 be mentioned in an if record. E 9 I 9 be mentioned in an if record.
E 9 E 4 I 5 D 9
E 9 E 5 D 4 The names \MITOK{none} and \MITOK{quench} are reserved and should E 4 I 4 The names none and quench are reserved and should E 4 D 9 not be declared as interface names in an ``if'' record. E 9 I 9 not be declared as interface names in an ``if'' record.

E 9 D 4 \item[log:] log every packet matching this rule, whether blocked or E 4 I 4 D 9
log:
log every packet matching this rule, whether blocked or E 4 routed. E 9 I 9
log:

Log every packet matching this rule, whether blocked or routed.

E 9 D 4 \item[maxthpc:] the maximum throttle percentage. If a link/route is E 4 I 4 D 9
maxthpc:
the maximum throttle percentage. If a link/route is E 9 I 9
maxthpc:

The maximum throttle percentage. If a link/route is E 9 E 4 being throttled (has a throttle in place and traffic is high enough to engage it) then this value (an integer in the closed (inclusive) D 3 range~0--100) determines the maximum percentage of link traffic E 3 I 3 range 0--100) determines the maximum percentage of link traffic E 3 that may be of this type, ie matching this rule. This value only D 4 makes sense if used with \MITOK{throttle} rather than \MITOK{nothrottle} since it is ignored if traffic routes with the E 4 I 4 makes sense if used with throttle rather than nothrottle since it is ignored if traffic routes with the E 4 rule this is part of is not marked for throttling. A rule marked for throttling but without a maxthpc value given is assumed to have D 3 a maxthpc of~100. E 3 I 3 D 9 a maxthpc of 100. E 9 I 9 a maxthpc of 100.

E 9 E 3 D 4 \item[proto:] a IP protocol number, or one of \MITOK{udp}, \MITOK{tcp} or \MITOK{icmp}. E 4 I 4 D 9
proto:
a IP protocol number, or one of udp, tcp or icmp. E 9 I 9
proto:

A IP protocol number, or one of udp, tcp or icmp.

E 9 E 4 D 4 \item[throttle:] include packets routed by this rule in any output E 4 I 4 D 9
throttle:
include packets routed by this rule in any output E 4 throttling. E 9 I 9
throttle:

Include packets routed by this rule in any output throttling.

E 9 D 4 \end{description} E 4 I 4
E 4 D 4 \section{Gateway Parameters} E 4 I 4 D 7
Gateway Parameters
E 7 I 7
Gateway Parameters
E 7 E 4 D 4 The \MITOK{gateway} record is used to set a number of general E 4 I 4 The gateway record is used to set a number of general E 4 parameters for ExFilter, and is, in effect, mandatory. I 5
E 5 The first parameter is the address ExFilter should use on outgoing packets it generates such as on ICMP error packets (when packets are denied passage through ExFilter, or when Source-quench messages are being sent to regulate traffic through ExFilter). You should allocate an otherwise unused address from the same subnet as the firewall on one D 5 of its interfaces for this, though you {\em may} get away with using E 5 I 5 of its interfaces for this, though you may get away with using E 5 one of the firewall's own addresses. ExFilter will appear as host piggybacking an all the firewall's IP connections with this address, so you might want to put up a DNS record for it for the benefit of remote network administrators. I 5
E 5 Then zero or more flags can be set to control gateway behaviour. Although there are defaults, it is recommended that you set explicit values for all the parameters. As an example, to allow ExFilter to generate ICMP error messages (eg for throttling), the parameter D 4 \MITOK{icmperrs} can be supplied. To turn it off \MITOK{noicmperrs} E 4 I 4 icmperrs can be supplied. To turn it off noicmperrs E 4 can be supplied instead. I 5
E 5 The meanings of the flags are: D 4 \begin{description} E 4 I 4
E 4 D 4 \item[\MITOK{decttl}:] ExFilter decrements the `Time-To-Live' counter E 4 I 4 D 10
decttl:
ExFilter decrements the `Time-To-Live' counter E 10 I 10
decttl:

ExFilter decrements the `Time-To-Live' counter E 10 E 4 for packets it forwards, and discards packets whose TTL count has reached zero. If ExFilter is a true gateway/firewall on you network, you should switch this on. The default is D 4 \MITOK{nodecttl}. E 4 I 4 D 10 nodecttl. E 10 I 10 nodecttl.

E 10 E 4 D 4 \item[\MITOK{icmperrs}:] ExFilter sends `not-reachable' ICMP error E 4 I 4 D 10
icmperrs:
ExFilter sends `not-reachable' ICMP error E 10 I 10
icmperrs:

ExFilter sends `not-reachable' ICMP error E 10 E 4 messages out to the source of a packet it discards due to a D 4 \MITOK{deny} routing rule. ExFilter also sends Source-quench ICMP E 4 I 4 deny routing rule. ExFilter also sends Source-quench ICMP E 4 error messages out to hosts sending too much traffic through ExFilter when the load on one or more connections is too high to be usable for interactive traffic. You must have set a sensible and unique gateway address before enabling this. The default is D 4 \MITOK{noicmperrs}. E 4 I 4 D 10 noicmperrs. E 10 I 10 noicmperrs.

E 10 E 4 D 4 \item[\MITOK{parallel}:] ExFilter discards any traffic sent to the E 4 I 4 D 10
parallel:
ExFilter discards any traffic sent to the E 10 I 10
parallel:

ExFilter discards any traffic sent to the E 10 E 4 network addresses of the host on which it is running, assuming that that host will deal with any such traffic itself. This can be D 4 turned off with \MITOK{noparallel}, letting ExFilter examine all E 4 I 4 turned off with noparallel, letting ExFilter examine all E 4 packets arriving at the interfaces, though this can be very CPU-intensive and require more complicated routing rules to handle D 10 properly. E 10 I 10 properly.

E 10 D 4 \item[\MITOK{chksum}:] makes ExFilter check and generate IP header E 4 I 4 D 10
chksum:
makes ExFilter check and generate IP header E 10 I 10
chksum:

Makes ExFilter check and generate IP header E 10 E 4 checksums in incoming and outgoing packets. This should never D 10 normally be turned off, and is on by default. E 10 I 10 normally be turned off, and is on by default.

E 10 D 4 \item[\MITOK{opts}:] lets ExFilter route packets with IP header options. In fact, this is hardwired to \MITOK{noopts} for safety E 4 I 4 D 10
opts:
lets ExFilter route packets with IP header E 10 I 10
opts:

Lets ExFilter route packets with IP header E 10 options. In fact, this is hardwired to noopts for safety E 4 D 10 in this version of ExFilter. E 10 I 10 in this version of ExFilter.

E 10 D 4 \item[\MITOK{trace}:] turns on logging of all packets seen by ExFilter, E 4 I 4 D 10
trace:
turns on logging of all packets seen by ExFilter, E 10 I 10
trace:

Turns on logging of all packets seen by ExFilter, E 10 E 4 and would only normally be wanted when debugging. It is by default D 4 \MITOK{notrace}. E 4 I 4 D 10 notrace. E 10 I 10 notrace.

E 10 E 4 D 4 \end{description} E 4 I 4
E 4 D 4 \section{Logging} E 4 I 4 D 7
Logging
E 7 I 7
Logging
E 7 E 4 D 4 ExFilter does most of its logging to the \MITOK{syslog} \MITOK{DAEMON} facility. It logs information at five different E 4 I 4 ExFilter does most of its logging to the syslog D 5 DAEMON facility. It logs information at five different E 4 internal levels (fatal, error, audit, information for tracing, and D 3 debugging) corresponding to the \TOK{syslog} levels \MITOK{ALERT}, E 3 I 3 debugging) corresponding to the syslog} levels \MITOK{ALERT, E 3 D 4 \MITOK{ERR}, \MITOK{WARNING}, \MITOK{INFO} and \MITOK{DEBUG}. E 4 I 4 ERR, WARNING, INFO and DEBUG. E 5 I 5 DAEMON facility. It logs information at five different internal levels (fatal, error, audit, information for tracing, and debugging) corresponding to the syslog levels ALERT, ERR, WARNING, INFO and DEBUG. E 5 E 4 I 5
E 5 ExFilter will log increasing amounts of information as its D 4 \MITOK{verbosity} level is increased. Information logged at \MITOK{WARNING} and above relates to security and potential system E 4 I 4 verbosity level is increased. Information logged at WARNING and above relates to security and potential system E 4 failures and should find its way into audit trails and logs inspected from time to time by a human operator. For example, warnings about packets that were `denied' transit by ExFilter are D 3 logged at \TOK{WARING} level. Hourly stats reporting is also done at \TOK{WARNING} level. E 3 I 3 logged at WARING level. Hourly stats reporting is also done at WARNING level. E 3 I 5
E 5 D 3 Information at \TOK{INFO} is of interest but not worth storing, so E 3 I 3 Information at INFO is of interest but not worth storing, so E 3 should probably go to the system console (throttling messages are D 3 logged at this level, for example), and \TOK{DEBUG} information E 3 I 3 logged at this level, for example), and DEBUG information E 3 will rarely be generated and you will probably want to make D 3 temporary changes to \TOK{syslog}'s configuration to capture it if E 3 I 3 temporary changes to syslog's configuration to capture it if E 3 you want it at all. I 5
E 5 D 3 The default level of \MITOK{verbosity} the system runs at is~1, E 3 I 3 D 4 The default level of \MITOK{verbosity} the system runs at is 1, E 4 I 4 The default level of verbosity the system runs at is 1, E 4 E 3 which reports most important events and little else. The level can be changes on the command line at start-up, in the configuration file, and with signals. I 5
E 5 D 3 In general, the volume of output increases as the \TOK{verbosity} increases. The minimum level is~0 and the maximum~100. Anything at~50 or above is really only for debugging the software, and~100 E 3 I 3 In general, the volume of output increases as the verbosity increases. The minimum level is 0 and the maximum 100. Anything at 50 or above is really only for debugging the software, and 100 E 3 will cripple the system with the amount of information generated, up to full dumps in hex of all packets seen. I 5
E 5 Although the exact levels may change in future, the following D 3 \TOK{verbosity} levels below~50 are currently implemented: E 3 I 3 verbosity levels below 50 are currently implemented: E 3 D 4 \begin{description} E 4 I 4
E 4 D 4 \item[0:] Silent about all but major problems. E 4 I 4 D 11
0:
Silent about all but major problems. E 11 I 11
0:

Silent about all but major problems.

E 11 E 4 D 3 \item[1:] All of~0 plus a few extra items. This is the E 3 I 3 D 4 \item[1:] All of 0 plus a few extra items. This is the E 4 I 4 D 11
1:
All of 0 plus a few extra items. This is the E 4 E 3 default. E 11 I 11
1:

All of 0 plus a few extra items. This is the default.

E 11 D 3 \item[2:] All of~1 plus description of interface configuration E 3 I 3 D 4 \item[2:] All of 1 plus description of interface configuration E 4 I 4 D 11
2:
All of 1 plus description of interface configuration E 4 E 3 at start-up. E 11 I 11
2:

All of 1 plus description of interface configuration at start-up.

E 11 D 3 \item[3:] All of~2 plus logging of line throttling going on and E 3 I 3 D 4 \item[3:] All of 2 plus logging of line throttling going on and E 4 I 4 D 11
3:
All of 2 plus logging of line throttling going on and E 4 E 3 off. E 11 I 11
3:

All of 2 plus logging of line throttling going on and off.

E 11 D 3 \item[4:] All of~3 plus reporting of overlong frames being E 3 I 3 D 4 \item[4:] All of 3 plus reporting of overlong frames being E 4 I 4 D 11
4:
All of 3 plus reporting of overlong frames being E 4 E 3 dropped. E 11 I 11
4:

All of 3 plus reporting of overlong frames being dropped.

E 11 D 3 \item[5:] All of~4 plus logging of setting up of routing E 3 I 3 D 4 \item[5:] All of 4 plus logging of setting up of routing E 4 I 4 D 11
5:
All of 4 plus logging of setting up of routing E 11 I 11
5:

All of 4 plus logging of setting up of routing E 11 E 4 E 3 tables. This can be useful to ensure the machine D 11 interprets your routing instructions as you intended. E 11 I 11 interprets your routing instructions as you intended.

E 11 D 3 \item[6:] All of~5 plus logging of ICMP Source Quench messages E 3 I 3 D 4 \item[6:] All of 5 plus logging of ICMP Source Quench messages E 4 I 4 D 11
6:
All of 5 plus logging of ICMP Source Quench messages E 4 E 3 being sent. E 11 I 11
6:

All of 5 plus logging of ICMP Source Quench messages being sent.

E 11 D 3 \item[7:] All of~6 plus logging of each packet being routed. E 3 I 3 D 4 \item[7:] All of 6 plus logging of each packet being routed. E 4 I 4 D 11
7:
All of 6 plus logging of each packet being routed. E 11 I 11
7:

All of 6 plus logging of each packet being routed.

E 11 E 4 E 3 D 3 \item[8:] All of~7 plus logging of each ARP-table lookup. E 3 I 3 D 4 \item[8:] All of 7 plus logging of each ARP-table lookup. E 4 I 4 D 11
8:
All of 7 plus logging of each ARP-table lookup. E 11 I 11
8:

All of 7 plus logging of each ARP-table lookup.

E 11 E 4 E 3 D 4 \end{description} E 4 I 4
E 4 D 4 \section{Signals} E 4 I 4 D 7
Signals
E 7 I 7
Signals
E 7 E 4 One aim of the design of ExFilter is to allow it to run non-stop. I 5
E 5 To change its configuration you do not have to kill it, change the configurations files and restart it, you can just update the configuration files and send ExFilter a signal with the D 4 \MITOK{kill} command to get it to reconfigure itself internally, E 4 I 4 kill command to get it to reconfigure itself internally, E 4 dump statistics to the logs, etc. I 5
E 5 This causes minimal disturbance to the flow of data through ExFilter and thus to users of the filtered IP service. I 5
E 5 D 4 Those familiar with operation of the \MITOK{named} DNS/BIND E 4 I 4 Those familiar with operation of the named DNS/BIND E 4 D 5 d{\ae}mon will recognise the way that signals are used for E 5 I 5 daemon will recognise the way that signals are used for E 5 interaction with ExFilter. I 5
E 5 When ExFilter starts it reads its configuration information from a D 4 file called \MITOK{/etc/ExFilter.conf}, of a format described E 4 I 4 file called /etc/ExFilter.conf, of a format described E 4 D 5 above. The ExFilter d{\ae}mon writes its process ID to a file E 5 I 5 above. The ExFilter daemon writes its process ID to a file E 5 D 4 called \MITOK{/etc/ExFilter.pid}. This makes signaling the E 4 I 4 called /etc/ExFilter.pid. This makes signaling the E 4 D 5 d{\ae}mon relatively painless. E 5 I 5 daemon relatively painless. E 5 I 5
E 5 If you want to alter the configuration of ExFilter while it is D 3 running, edit the \TOK{/etc/ExFilter.conf} file appropriately, and E 3 I 3 running, edit the /etc/ExFilter.conf file appropriately, and E 3 D 5 send the ExFilter d{\ae}mon a `HUP' signal (see the UNIX manual E 5 I 5 send the ExFilter daemon a `HUP' signal (see the UNIX manual E 5 pages for a discussion of the different signals and their original meanings) by issuing the shell command: D 4 \begin{verbatimlisting} E 4 I 4
E 4 kill -HUP `cat /etc/ExFilter.pid` D 4 \end{verbatimlisting} E 4 I 4
E 4 The full list of signals and their effects is: D 4 \begin{description} E 4 I 4
E 4 D 3 \item[HUP] reloads the configuration file \TOK{/etc/ExFilter.conf}, E 3 I 3 D 4 \item[HUP] reloads the configuration file /etc/ExFilter.conf, E 4 I 4 D 12
HUP
reloads the configuration file /etc/ExFilter.conf, E 12 I 12
HUP

Reloads the configuration file /etc/ExFilter.conf, E 12 E 4 E 3 and gets ExFilter to reconfigure itself as if killed and restarted. I 12

E 12 D 4 \item[INT] causes ExFilter to exit gracefully, after tidying up a E 4 I 4 D 12
INT
causes ExFilter to exit gracefully, after tidying up a E 12 I 12
INT

Causes ExFilter to exit gracefully, after tidying up a E 12 E 4 little. Useful if ExFilter is being run in the foreground on the command-line during testing or debugging. I 12

E 12 D 4 \item[ABRT] causes ExFilter to dump some loading and throughput E 4 I 4 D 12
ABRT
causes ExFilter to dump some loading and throughput E 12 I 12
ABRT

Causes ExFilter to dump some loading and throughput E 12 E 4 statistics to the logs; ExFilter automatically does this every hour anyway. I 12

E 12 D 4 \item[TERM] causes ExFilter to exit immediately, with an error E 4 I 4 D 12
TERM
causes ExFilter to exit immediately, with an error E 12 I 12
TERM

Causes ExFilter to exit immediately, with an error E 12 E 4 status. I 12

E 12 D 4 \item[USR1] increments the verbosity (debugging) level by one. E 4 I 4 D 12
USR1
increments the verbosity (debugging) level by one. E 12 I 12
USR1

Increments the verbosity (debugging) level by one.

E 12 E 4 D 4 \item[USR2] sets the verbosity level to zero. E 4 I 4 D 12
USR2
sets the verbosity level to zero. E 12 I 12
USR2

Sets the verbosity level to zero.

E 12 E 4 D 4 \end{description} E 4 I 4
E 4 D 4 \section{Known Problems and Future Features} E 4 I 4 D 7
Known Problems and Future Features
E 7 I 7
Known Problems and Future Features
E 7 E 4 There is a small number of known problems and missing features we would like to provide in a future release. These, and workarounds, are listed below: D 4 \begin{description} E 4 I 4
E 4 D 4 \item[IP Packet Fragmentation] E 4 I 4
IP Packet Fragmentation
E 4 I 12
E 12 Packet fragmentation is not handled correctly, ie ExFilter cannot fragment outgoing packets going onto a connection with a smaller MTU than the packet. D 3 The solution it to ensure the MTU on all connections is either~$>= E 3 I 3 D 5 The solution it to ensure the MTU on all connections is either $>= E 3 536$ for WAN connections (since most hosts should stick to a E 5 I 5
The solution it to ensure the MTU on all connections is either >=536 for WAN connections (since most hosts should stick to a E 5 D 3 conservative MTU of~512 bytes plus IP header for non-local E 3 I 3 conservative MTU of 512 bytes plus IP header for non-local E 3 traffic), or ensure the MTU on all interfaces is the same (we D 3 ensure it is~1500 for all connections routed by ExFilter), so it E 3 I 3 ensure it is 1500 for all connections routed by ExFilter), so it E 3 need never fragment. I 5
E 5 Incoming fragments are handled correctly, but can be discarded if D 4 the `\MITOK{nofrag}' flag is used in the appropriate route E 4 I 4 the `nofrag' flag is used in the appropriate route E 4 description. I 12

E 12 D 4 \item[Hard Limits] E 4 I 4
Hard Limits
E 4 I 12
E 12 D 3 Currently ExFilter can handle a maximum of~256 \MITOK{route} routing directives and a maximum of~16 interfaces. This is because E 3 I 3 D 4 Currently ExFilter can handle a maximum of 256 \MITOK{route} E 4 I 4 Currently ExFilter can handle a maximum of 256 route E 4 routing directives and a maximum of 16 interfaces. This is because E 3 the underlying tables are not dynamically sized. A later release will fix this. In addition, an interface name may not be longer D 3 than~16 characters, though under Solaris~1 this is never a E 3 I 3 than 16 characters, though under Solaris 1 this is never a E 3 problem. I 12

E 12 D 3 \item[Quenching and \TOK{throttle}ing] E 3 I 3 D 4 \item[Quenching and throttleing] E 4 I 4
Quenching and throttleing
E 4 E 3 I 12
E 12 ExFilter relies on sending ICMP Source-Quench messages to hosts that are originating large volumes of traffic that are overloading D 4 \MITOK{throttle}d links. Some hosts (wrongly) ignore these messages and \MITOK{throttle}ing will not be able to regulate link E 4 I 4 throttled links. Some hosts (wrongly) ignore these messages and throttleing will not be able to regulate link E 4 traffic as well as it should. I 5
E 5 ExFilter keeps a small hashed table of hosts/ports to which it has recently sent quench messages to try to send a maximum of one such quench on each `connection' each second; this table may overflow with a large number of different end-points communicating. I 5
E 5 ExFilter cannot easily account for traffic originating to and from the firewall host itself, and such traffic will not be seen by the throttling mechanism and may allow the link to be more loaded than is desirable. Minimise the volume of traffic to/from processes on the firewall machine to minimise this problem. I 5
E 5 In a future release regulation by round-trip time (RTT) will be added to help overcome some of these difficulties. I 5
E 5 ExFilter does not specifically recognise and expedite `interactive' D 4 packets at the moment, but the \MITOK{throttle} feature should be E 4 I 4 packets at the moment, but the throttle feature should be E 4 used to keep interactive performance reasonable at all times. I 12

E 12 D 4 \item[Kernel-Directed Routing and ARP] E 4 I 4
Kernel-Directed Routing and ARP
E 4 I 12
E 12 ExFilter ignores all external routing information (is purely static) for security reasons. It would be useful to have kernel-based routes followed when specifically allowed by ExFilter rules for non-critical traffic or for load sharing. A copy of D 4 \MITOK{gated} or some other intelligent routing system can be run E 4 I 4 gated or some other intelligent routing system can be run E 4 on the firewall to set the kernel routes. A future release will allow this limited following of externally-supplied, dynamic routes. I 5
E 5 Note also that ExFilter relies on the kernel's ARP tables and broadcasts packets it cannot find and entry for in the host's ARP tables. I 5
E 5 Port-number range support will be added to the routing rules in a future release, in addition to the current fixed number, D 4 \MITOK{priv} and \MITOK{nonpriv} values. E 4 I 4 priv and nonpriv values. E 4 I 12

E 12 D 4 \item[Multicast IP] E 4 I 4
Multicast IP
E 4 I 12
E 12 ExFilter has not been tested for multicast IP. I 12

E 12 D 4 \item[SNMP] E 4 I 4
SNMP
E 4 I 12
E 12 SMNP monitoring is not provided, partly for reasons of security. I 12

E 12 D 4 \item[Copying and Efficiency] E 4 I 4
Copying and Efficiency
E 4 I 12
E 12 D 3 Under Solaris~1 we run the router entirely in user space, so E 3 I 3 Under Solaris 1 we run the router entirely in user space, so E 3 packets have to be copied into user space even to be discarded. A D 3 Solaris~2 version will move as much as possible of the routing into E 3 I 3 Solaris 2 version will move as much as possible of the routing into E 3 the kernel in a loadable module. I 12

E 12 D 4 \item[IP Header Checksum Generation] E 4 I 4
IP Header Checksum Generation
E 4 I 12
E 12 We do not currently use the RFC-recommended algorithm for checksum generation. In practice this has not proven to be a problem, but we will switch to the `official' algorithm in a future release. I 12

E 12 D 4 \item[IP Header Options] E 4 I 4
IP Header Options
E 4 I 12
E 12 ExFilter will not route packets with IP header options. This is a security measure to prevent circumvention of the filtering rules by non-obvious means. I 12

E 12 D 4 \item[ICMP Error Messages] E 4 I 4
ICMP Error Messages
E 4 I 12
E 12 Under certain rare circumstances ExFilter may generate ICMP error messages for the second and subsequent fragments of a large packet. This is an error but a fairly innocuous one. I 12

E 12 D 4 \item[NIT Interface Interaction] E 4 I 4
NIT Interface Interaction
E 4 I 12
E 12 ExFilter will best be able to monitor and modulate throughput with D 3 the \TOK{throttle} directive if the underlying interface does not E 3 I 3 the throttle directive if the underlying interface does not E 3 echo its output packets on the input side. The supplied (unsupported) PPP has been modified to work this way. Some Sun IP drivers work this way and some do not. I 12

E 12 D 4 \end{description} E 4 I 4
E 4 D 5 %============================================================================== E 5 D 3 \chapter{Licence and Warranty Terms, and Contact Details} E 3 I 3 D 7
Licence and Warranty Terms, and Contact Details
E 7 I 7
Licence and Warranty Terms, and Contact Details
E 7 E 3 This details the terms of the Right-To-Use (RTU) licence that you, the Customer, have purchased directly or indirectly from us, ExNet Systems D 3 Ltd for use of the software package called ExFilter~V1.1.3. E 3 I 3 D 16 Ltd for use of the software package called ExFilter V1.1.3. E 16 I 16 Ltd for use of the software package called ExFilter V1.1.4. E 16 E 3 D 5 \begin{enumerate} E 5 I 5
E 5 D 4 \item E 4 I 4
E 4 In case of trouble please refer first to the company you bought ExFilter from; they provide technical support and fixes and automatically forward to us those problems that we have to solve. D 4 \item E 4 I 4
E 4 If you do contact us you must provide us with details of where and when you bought the software, which version you are running and in what environment (host and OS versions) and your serial number. We will not provide technical assistance if you cannot provide us with a serial number, nor if your supplier or distributor can provide you with the assistance you require. D 4 \item E 4 I 4
E 4 This agreement can only be varied or superseded by explicit notice in writing from a Director of ExNet Systems Ltd to the Customer. D 4 \item E 4 I 4
E 4 When you purchase an RTU (Right-To-Use) licence, you purchase the right to execute at most one copy of the software for each RTU you purchase. The RTU licence is non-exclusive and non-transferable, though with our explicit written consent, which will not be unreasonably withheld, you may transfer your licence to a third party; this automatically terminates your own licence for the copy D 5 or copies you have transferred, and confers any {\em remaining} E 5 I 5 or copies you have transferred, and confers any remaining E 5 period of warranty (if any) to the new licence holder. Please note: you buy a licence to use the software, not the software itself, which remains the property of ExNet Systems Ltd. D 4 \item E 4 I 4
E 4 D 5 You may, {\em for purposes of backup only}, keep more than one copy E 5 I 5 You may, for purposes of backup only, keep more than one copy E 5 of the electronic and paper files and documentation provided; in no case will more than ten such copies be made of any file or document. D 4 \item E 4 I 4
E 4 If you do have to come directly to us for assistance and your warranty has not expired, we will, at our sole discretion, replace your software or refund the list price of the RTU licence or the price you paid, whichever is the lower. If your warranty has expired we will charge time and materials for any fixes you require, or offer you an upgraded version at a suitable discount where that will assist you and a suitable upgrade is available. D 4 \item E 4 I 4
E 4 ExNet Systems Ltd warrants that the product supplied to you will be free of defects and fit for the purposes described in the accompanying manual for a period of one year from the date of purchase from a distributor or supplier authorised by us. D 4 \item E 4 I 4
E 4 Our liability is strictly limited to the recommended retail (list) price of the software or the price you paid for it, whichever is the lower. WE ARE NOT LIABLE FOR CONSEQUENTIAL LOSSES UNDER ANY D 5 CIRCUMSTANCES\@. E 5 I 5 CIRCUMSTANCES. E 5 Your first redress is against the supplier you bought the software from. D 4 \item E 4 I 4
E 4 If you do not accept these terms, we do not allow you to use the software and you must return it immediately, unused, to your supplier. D 4 \item E 4 I 4
E 4 You agree to submit to this agreement when you remove the software from the packaging it was supplied to you in, or execute any component of the software on any computer or examine the contents of any of the paper and electronic files and documentation that is part of this software package. D 4 \item E 4 I 4
E 4 You may cancel this licence at any time by sending a notice to us and your suppliers (where possible) in writing confirming that you have destroyed all copies of the the software and related files and data. Your RTU for the appropriate copy or copies of the software is then terminated. D 4 \item E 4 I 4
E 4 If any clause of this agreement cannot be enforced in law it shall be deemed struck out and the other clauses shall still stand. D 4 \item E 4 I 4
E 4 If ExNet Systems Ltd cannot fulfill any part of this agreement due to circumstances beyond its reasonable control (including, but not limited to, industrial action, natural disasters and Acts of God) it shall not be liable in any way for those failures. D 4 \item E 4 I 4
E 4 This agreement is governed by the laws of England, and both parties agree to submit to the jurisdiction of the High Court of England, though ExNet Systems Ltd may enforce this agreement in any court of its choosing. D 5 \end{enumerate} E 5 I 5
E 5 D 4 \vfill E 4
D 13 ExNet Systems Ltd, London, UK,
tel: +44 181 244 0077,
fax: +44 181 244 0078,
email: ExFilter@exnet.com,
URL: http://www.exnet.com/.
E 13 I 13 ExNet Systems Ltd, London, UK
tel: +44 181 244 0077
fax: +44 181 244 0078
email: ExFilter@exnet.com
URL: http://www.exnet.com/
E 13
D 14 Document version V%I% %M% %E%. E 14 I 14 Copyright (c) ExNet Systems Ltd 1995--1996.
Document version V%I% %M% %E%.
E 14 E 1