Computing and Information Services

Drawbridge

Drawbridge Filter Compiler 4.0


The Filter Compiler
-------------------

Usage:  dbfc [-v] input-file [output-file]

Switches:
        -v    Displays the version and copyright notice.

The dbfc program is the filter compiler portion of the Drawbridge package.
It takes input from the text filter configuration file 'input-file' and
generates the binary filter description file 'output-file'.  If 'output-file'
is not specified, then the output is written to the file 'db_filters'.  The
output file may then be loaded into Drawbridge using the Drawbridge Manager
dbmgr.


The Filter Configuration Language
---------------------------------

o Comments

A comment starts with a '#' and extends to the end of the line.  Comments
can appear anywhere within the filter config file.


o Filter Flags

There are several flags which may be used to alter global filtering rules.
The flags are: Multicast, NonIP, OtherIP, SuspectOffset, FragmentedICMP,
and AttackICMP and are explained in the Drawbridge Manager documentation.
These flags may be set in the filter configuration file with the 'set'
command.  The possible values for the flags are 'forward' or 'discard'.  If
a flag is not set in the filter configuration file or set by the manager,
it defaults to 'forward'.

Examples:
        set Multicast = forward;
        set FragmentedICMP = discard;
        set NonIP = discard;


o Service Specification

The basic element of the language is the service specification.  A service
specification is enclosed by the symbols '<' '>' and contains up to four
pieces of information in the following order:

    The port to test (optional)
        Specifies which port to check within the packet.  The keyword
        "src=" causes the source port to be checked and the keyword "dst="
        causes the destination port to be checked.  The destination port is
        the implied default.

    The service
        Can be a symbolic entry from /etc/services or a number.  Service
        ranges can also be specified by using a '-' between a pair of
        services.  The specified service port is compared to the
        destination or source (see above) port within the packet.

    The protocol (optional)
        Can be 'TCP', 'UDP', or 'ICMP' and is separated from the service
        by a '/'.  Other valid protocols can be specified but will be
        silently ignored by the compiler.  If not specified, TCP is the
        default.

    The traffic direction
        Indicates whether this specification is for outbound packets,
        inbound packets, or both.  Outbound is specified by 'out',
        inbound by 'in', and both by 'in-out'.


Examples:
               # Allow smtp connections, either direction.
        <0-65535 out>           # Allow all outbound TCP connections.
                    # Allow UDP based network time protocol in
               # Allow data connect for outbound ftp
        <3/icmp in>             # Allow ICMP type 3 in (dest unreachable)

Prefacing the service specification with an exclamation mark, '!',
indicates that this service is not allowed.  The '!' cannot be overridden.
Look at the section on 'Combining Service Specifications' below for more
details.

Examples:
                  # Do not allow tftp in
                     # Do not allow rlogin in
                  # Do not allow NFS in
                    # Do not allow icmp echo requests in (ping) 


o Tcpreset

By default, Drawbridge will discard filtered packets without sending any
indication back to the source host.  For TCP connections, Drawbridge now
supports the ability to send back a packet which has the reset flag set
when an ackless syn packet is discarded.  This tells the sender that the
TCP connection which it is trying to establish is not allowed.  By
sending back a TCP reset packet, the TCP connection is immediately shut
down and the sender will not have to wait for it to time out.  This will
usually result in a "connection refused" message to the user.

The TCP reset packet is generated by Drawbridge but it will appear to the
sender as if it was generated by the destination host.  This way, the
Drawbridge firewall remains invisible to the sender.

The ports which will generate a reset packet when a TCP packet is
filtered may be configured with the 'tcpreset' command.  For example:

        tcpreset      , , ;

This command will cause a reset packet to be sent back to the sender if
an incoming smtp, outgoing telnet, or any ftp packet gets filtered.  The
'tcpreset' command is global in nature so, in this example, when an
incoming smtp packet is filtered to any inside host, Drawbridge will
always send back a tcp reset packet.


o Groups

Groups of service specifications may be defined to prevent having to
repeatedly enter the same data and possibly introducing errors.  Groups can
also be used to quickly change the access characteristics of an entire set
of machines.  A group is a list of comma-separated service specifications
or other previously defined groups, terminated by a semicolon (';').  For
example:

        define normal      , ;

This example creates a group called 'normal' which includes inbound SMTP
and inbound GOPHER.  This group can be used to build larger groups:

        define server      normal, ;

In this example, the new group 'server' includes SMTP, GOPHER and TELNET
in.

The special group 'default' is used to define access class 0, which is the
default access for any machine not explicitly defined in the config file.
For example:

        define default     <0-65535 out>, <0-65535/udp out>,
                           <0-18/icmp out>, <0-4/icmp in>,
                           <6-18/icmp in>, , ;


Allows all outbound connections, all inbound ICMP except redirects, smtp
(email) in, and ftp's data connections in for all machines which do not
appear in the config file.  Normally, all machines in the config file will
want the default services as well, therefore, group 'default' should be
added to the machines in the config file.


o Defining Host Access

To define the access for a particular host, simply give the hostname and a
comma-separated list of service specifications and/or group names.

        host myserver  default, server;
        host myhost    default, ;

Using the previous definitions for server, normal and default, host
'myserver' will have:

        <0-65535 out>, <0-65535/udp out>, <0-18/icmp out>,
        <0-4/icmp in>, <6-18/icmp in>, ,
        , , ;

and host 'myhost' will have:

        <0-65535 out>, <0-65535/udp out>, <0-18/icmp out>,
        <0-4/icmp in>, <6-18/icmp in>, ,
        , ;

If the host address was previously defined by another 'host' command, then
a "duplicate host" compiler warning will be generated and the second host
statement will be ignored.


o Defining Network Access

To specify the access for a full range of addresses, you should use the
'network' command.  An address range may be specified one of three ways:
"start address" - "end address", "address" "subnet mask", or "address" /
"mask bits".

    network 123.45.66.0 - 123.45.67.255  ;  # Example 1
    network 123.45.66.0 255.255.254.0    ;  # Example 2
    network 123.45.66.0 / 23             ;  # Example 3

These three examples are equivalent.  All three define no TCP connections
in or out for the addresses 123.45.66.0 through 123.45.67.255.

    network 123.45.66.12 - 123.45.66.19  ;

This example shows that when you define a starting and ending address, any
arbitrary range may be specified.

Some information to consider:  The 'network' command will silently override
any previously defined addresses.  Therefore, network definitions should be
placed at the top of the configuration file.  If a 'host' command later
defines an address which was previously defined by a 'network' command,
then the service specifications for that address (and only that address)
will be silently overridden by the host command.


o Combining Service Specifications

When multiple service specifications appear in a group definition, a host,
or a network command, they are merged.  Service specifications are merged
by 'or'ing the allowed services, then removing those which are explicitly
disallowed by any '!'.  For example:

        define group1   , , ;
        define group2   , , ;
        define group3   group1, group2, ;

The group 'group3' will have , .  It is important
to note that even though 'group2' allows  and 'group3' allows
, it is not possible to override the  and
 specified in 'group1'.  'group3' also inherits the negative
service specifications.  So the actual value of 'group3' is:

        , , , 

Also notice that the  and  in the combined group are
equivalent to .


o Generation of Filter Classes

As a host's access capability is specified, either by use of a 'host' or
'network' command, classes of hosts are generated.  All the members of a
specific filter class have the same access allowed to them.  It doesn't
matter in what order the accesses were given, only that in the end, they
have the exact same access.  There can be up to 65536 different classes,
with class 0 reserved for those hosts which are not explicitly specified in
the config file.  Class 0's capabilities are defined by the special group
'default'.  Each class can have up to 32 port ranges for each category
of filter (incoming TCP, outgoing TCP, incoming TCP srcport, etc.). The
filter compiler automatically merges adjacent service specifications into
a single range.
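The merge rules from 'Combining Service Specifications' and the range coalescing and 32-range class limit from 'Generation of Filter Classes', as an added Python example that is not part of the Drawbridge distribution: it parses numeric service specifications (symbolic names from /etc/services are not resolved), ORs the allowed ports per category, subtracts every '!' range so a negation cannot be overridden, merges adjacent ports into one range, and reports categories that exceed the per-class limit.

```python
import re
from collections import defaultdict

# Accepts the spec grammar from the page, numeric services only (no
# /etc/services lookup): [!]<[src=|dst=]lo[-hi][/proto] in|out|in-out>
SPEC_RE = re.compile(
    r"^(!?)<\s*(?:(src|dst)=)?(\d+)(?:-(\d+))?(?:/(tcp|udp|icmp))?\s+(in|out|in-out)\s*>$", re.I)

def parse_spec(text):
    """Return (negated, port_side, lo, hi, proto, direction) with the page's defaults."""
    m = SPEC_RE.match(text.strip())
    if not m:
        raise ValueError("bad service spec: " + text)
    neg, side, lo, hi, proto, direction = m.groups()
    return (neg == "!", (side or "dst").lower(), int(lo), int(hi or lo),
            (proto or "tcp").lower(), direction.lower())

def coalesce(ports):
    """Turn a sorted port list into inclusive (lo, hi) ranges, merging adjacent ones."""
    ranges = []
    for p in ports:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def merge_specs(texts):
    """OR allowed ranges per (proto, direction, side), subtract every '!' range,
    coalesce; the denied dict is returned too so an enclosing group inherits it."""
    allowed, denied = defaultdict(set), defaultdict(list)
    for neg, side, lo, hi, proto, direction in map(parse_spec, texts):
        for d in ("in", "out") if direction == "in-out" else (direction,):
            key = (proto, d, side)
            if neg:
                denied[key].append((lo, hi))
            else:
                allowed[key].update(range(lo, hi + 1))
    for key, ranges in denied.items():
        for lo, hi in ranges:
            allowed[key].difference_update(range(lo, hi + 1))
    return ({k: coalesce(sorted(v)) for k, v in allowed.items() if v}, dict(denied))

def over_class_limit(allowed, limit=32):
    """Categories whose coalesced range count exceeds the page's per-class limit."""
    return [k for k, r in allowed.items() if len(r) > limit]

# Constructed sample: port 111 is both allowed and '!'-denied, and the '!' wins.
SAMPLE = ["<0-65535 out>", "<25 in>", "<109-110 in>", "<111 in>", "!<111 in>",
          "<src=20 in>", "<0-18/icmp out>", "<0-4/icmp in>", "<6-18/icmp in>"]
```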


o Address Tables

Address tables can be used to selectively filter or allow, on a global
basis, specific ranges of addresses.  There are three address tables:
reject, accept, and override.  The reject table filters incoming packets and
the accept table filters outgoing packets.  Both tables filter packets
based on their source IP address.  The override table is a little
different.  It allows otherwise filtered outgoing packets through based on
the packet's destination IP address.

Each entry in a table defines a range of addresses.  The filter action of a
given entry may be inverted by placing a '~' in front of the address.


Reject Table

    Syntax:
        reject [~]address - address;
                - or -
        reject [~]address netmask;
                - or -
        reject [~]address / bits;

    Example:
        Reject all incoming packets coming from a specified network.

            reject 18.23.45.0 / 24;

        This will reject incoming IP packets with an address in the range
        of 18.23.45.0 through 18.23.45.255.  One specific host may be
        specified by using '/ 32' or '255.255.255.255'.

        This table can be used for a variety of things but is primarily
        provided to block IP packets from the outside that have a source
        address of a host on the inside network.  The only time this could
        occur is when an outside host is trying to masquerade as a host
        on the inside.  This is commonly known as address 'spoofing'.


Accept Table

    Syntax:
        accept [~]address - address;
                - or -
        accept [~]address netmask;
                - or -
        accept [~]address / bits;

    Example:
        Accept all outgoing packets coming from a specified network.

            accept 18.23.45.0 / 24;

        This will allow outgoing IP packets with an address in the range of
        18.23.45.0 through 18.23.45.255.

        This table is provided to prevent IP address 'spoofing' from hosts
        on the local (inside) network(s).  If the table is empty, it has
        no influence.  However if the table is not empty, only IP packets
        with a source address included by an entry in the table will be
        allowed - all other packets will be discarded.
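The reject and accept table semantics from the two sections above, as an added Python example that is not part of Drawbridge: it parses the three address-range forms the page documents and evaluates a source address against each table. The sample config is constructed, using 10.20.0.0/16 in place of the page's network, and treating a '~' entry as an exception carved out of a plain entry is an assumption, since the page only says '~' inverts the entry's action.

```python
import ipaddress

def parse_range(text):
    """Parse the three forms the page documents for an address range:
    'a - b', 'a netmask', or 'a / bits'.  Returns an inclusive (first, last) pair."""
    text = text.strip()
    if "-" in text:
        a, b = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return int(a), int(b)
    if "/" in text:
        net = ipaddress.IPv4Network(text.replace(" ", ""), strict=False)
    else:
        addr, mask = text.split()
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_table(lines, keyword):
    """Collect the 'reject' or 'accept' entries from config lines as
    (inverted, (first, last)); comments and the trailing ';' are stripped."""
    entries = []
    for line in lines:
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if line.split(None, 1)[:1] != [keyword]:
            continue
        body = line[len(keyword):].strip()
        entries.append((body.startswith("~"), parse_range(body.lstrip("~"))))
    return entries

def table_covers(entries, addr):
    """True when a plain entry contains addr and no '~' entry does (assumption:
    a '~' entry carves an exception out of a plain one)."""
    a = int(ipaddress.IPv4Address(addr))
    hit = any(not inv and lo <= a <= hi for inv, (lo, hi) in entries)
    exempt = any(inv and lo <= a <= hi for inv, (lo, hi) in entries)
    return hit and not exempt

def incoming_allowed(reject, src):
    return not table_covers(reject, src)            # reject: listed sources are dropped

def outgoing_allowed(accept, src):                  # accept: empty has no influence,
    return not accept or table_covers(accept, src)  # else only listed sources pass

# Constructed sample config; private addresses stand in for the page's network.
SAMPLE = """reject 127.0.0.0 / 8;               # localhost never arrives from outside
reject 10.20.0.0 255.255.0.0;       # our own /16 must not come from outside
reject ~10.20.78.9 - 10.20.78.10;   # except the outside switch and router
accept 10.20.0.0 / 16;              # only our own addresses may leave
""".splitlines()
REJECT, ACCEPT = parse_table(SAMPLE, "reject"), parse_table(SAMPLE, "accept")
```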


Override Table

    Syntax:
        override [~]address netmask   ;
                - or -
        override [~]address / bits    ;

    Example:
        Allow specified outgoing IP packets to the specified network or
        host even if it is denied by the class table.

        override 123.45.67.0 / 24         <80/tcp out>;

        This will allow all inside hosts access to the outside http servers
        in the address range 123.45.67.0 through 123.45.67.255 even if the
        inside host's class contains .
      
        The expected use of the 'override' table is to grant access to
        specific services on specific outside hosts.  For example, if a set
        of lab PC's normally have access blocked to the Internet, the
        'override' command can allow these machines access to a specific
        service or services on a specific set of outside hosts/servers.



o Include Files

Any portion of the Drawbridge configuration file can be broken out and
stored in a separate file.  This separate file can then be included in the
main filter config file with an include statement.  Any number of files may
be included and nesting of files is allowed (up to memory capabilities).
Include loops are detected and prevented.  An include statement has the
following syntax:

        include filename

Example:
    If you had two external files named 'part1' and 'part2', they could be
    included in the main file with:

        include part1;
        include part2;



Example Filter Source File
--------------------------

#------------------------- Group Definitions ------------------------#
#
# Define global filter flags
#

set Multicast      = forward;
set NonIp          = forward;
set OtherIp        = forward;
set SuspectOffset  = discard;
set FragmentedICMP = discard;
set AttackICMP     = discard;

#
# Define which filtered TCP ports will generate a TCP reset packet
# which will result in a "connection refused" message to the sender.
#

tcpreset                ;

#
# Make some useful group definitions
#

# Allow all TCP out and no TCP in except:
# src=ftp-data, smtp, auth, gopher, and www
define tcpdefault       <0-65535/tcp out>, ,
                        , ,
                        , ;

# Allow all UDP except inbound ports 7-19, tftp, sunrpc, snmp, xdmcp, and nfs
# Note: we don't use '!' to exclude ports because it can't be overridden
define udpdefault       <0-65535/udp out>, <0-6/udp in>, <20-68/udp in>,
                        <70-110/udp in>, <112-160/udp in>, <162-176/udp in>,
                        <178-2048/udp in>, <2050-65535/udp in>;

# Allow all known ICMP except redirect in
define icmpdefault      <0-18/icmp out>, <0-4/icmp in>, <6-18/icmp in>;

define telftp           , ;
define popmail          <109-110/tcp in>;
define blockall         , ,
                        ;

#
# The special name 'default' defines access for hosts not listed in this file
#
define default          icmpdefault, udpdefault, tcpdefault;

#------------------------ Table Definitions -------------------------#

#
# Reject all incoming packets with a source address of localhost or broadcast.
#
reject 127.0.0.0 / 8;
reject 0.0.0.0 / 8;
reject 255.0.0.0 / 8;

#
# Reject all incoming packets with a source address that is within our
# class B network.  Make an exception for our outside switch (123.456.78.9)
# and router (128.456.78.10).
#
reject 123.456.0.0      255.255.0.0;
reject ~123.456.78.9 - 128.456.78.10;

#
# Accept only outbound packets with a source address that is within our
# class B network.
#
accept 123.456.0.0 / 16;


#----------------------- Network Definitions ------------------------#
#
# Admin requested no access in/out for these addresses
#

# addresses defined with a mask
network 123.45.58.0 255.255.255.0       blockall;

# addresses defined with a range
network 123.45.39.23-123.45.40.254      blockall;


#---------------------- Broadcast Addresses -------------------------#

# Block all packets directed to the broadcast addresses within our network
host 123.45.1.0                 blockall;
host 123.45.1.255               blockall;
host 123.45.2.0                 blockall;
host 123.45.2.255               blockall;
#
#
#
host 123.45.255.0               blockall;
host 123.45.255.255             blockall;

# This would be a good use of an include file.  We run a script every
# night that queries the nearest router for the list of our current 
# broadcast addresses (around 450 addresses).  The script writes a filter 
# config file that is included in the main filter config file to block
# packets to the broadcast addresses.  For example:

include bcast-hosts.config


#------------------------ Host Definitions --------------------------#

# The Drawbridge host - allow all outgoing, allow UDP with a source port
# of 53 so outbound DNS queries will work, allow TCP with a source port
# of ftp-data so ftp will work, allow ssh, block icmp echo request in.
host drawbridge.nowhere.edu     <0-65535/udp out>, <0-65535/tcp out>,
                                , ,
                                , <0-18/icmp out>,
                                <0-7/icmp in>, <9-18/icmp in>;

# No access in/out
host bee.nowhere.edu            blockall;
host g1.nowhere.edu             blockall;

# Allow domain to hosts running dns for zone transfers
host dns.nowhere.edu            default, ;
host mydns.cs.nowhere.edu       default, ;
host bigadd.math.nowhere.edu    default, ;

# NNTP host and CSO phonebook server
host mailnews.nowhere.edu       default, telftp,
                                ,