'address mask (was: packet filter metalanguage)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       firewalls-gc
Subject:    address mask (was: packet filter metalanguage)
From:       Bob Sutterfield <bob () MorningStar ! Com>
Date:       1992-12-12 0:48:05
[Download RAW message or body]

   Date: Fri, 11 Dec 92 17:35:53 -0800
   From: Brent Chapman <brent@greatcircle.com>
   To: Firewalls@greatcircle.com

   By "address mask", he means a mask to apply to determine how many
   bits to look at when comparing an address from a packet to the
   address in a filtering table.  I.e., on a NetBlazer, if you wanted
   to examine the top 24 bits of an address in a rule, you'd express
   the address as 123.45.67/24; on a Cisco, it would be 123.45.67.0
   0.0.0.255 (I like the NetBlazer syntax much better, by the way;
   it's much shorter and simpler).

If you can only count 1-bits from the left, you eliminate any
possibility of handling noncontiguous masks, which are allowed (though
not encouraged) in both RFC-950 and RFC-1122.  A mask notation that
describes the arrangement of the bits is more general than one that
only allows their enumeration.

   Ideally, I think you'd like to have three actions and an option to
   choose from.  The actions would be "pass", "reject" (i.e., return
   to sender with an appropriate ICMP error message), and "drop" ...

Do you mean something like the new "unreachable" codes described in
RFC-1122 section 3.2.2.1?  What routers do those now?  All I've ever
seen them do is to just drop the packet on the floor.

   For dialup routers, another thing that I've wished for is the ability
   to log the first N packets (where N is set by the user) received or
   sent after the modems connect.  This would help you figure out why
   your PPP boxes keep connecting every 10 minutes for no apparent
   reason, for instance.

By default, ours shows the packet that caused the action, like

12/11-22:08:05-88 tcp 137.175.6.7/1718 -> 137.175.2.11/domain 44 syn bringup

which indicates that my home machine's in.named wanted to refresh its
cache.  We've never needed to see any more than N=1 outgoing packets
to figure out why the link became active, but I suppose we could add
the ability to log the first N packets on an incoming connection too,
in case the calling machine's log was inaccessible.

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic