
List:       ipfilter
Subject:    IP Filter 3.2beta4
From:       Darren Reed <darrenr () cyber ! com ! au>
Date:       1997-08-27 14:26:37


Well, yet another beta!  Thanks to Marc for the Solaris patches, these have
all been merged in quite successfully.  I've updated the -L command line
option for ipsend to process IP and TCP options and to correctly generate
packets.  To get a feel for what this is all about, have a look at what's
in the iplang/iplang.tst file.  I'm wondering if perhaps it is worth adding
variables and for/while constructs so you can write half-open port scans
using it (and similar things).

This release also introduces a new filter rule extension.  This idea came
from reading about the "firewall chains" available for ipfw under Linux,
which was posted last week.  The idea is you specify a rule to be a "head"
for a group of other rules (which all must match that head besides anything
else).  Groups are identified by number and the default group for all rules
is 0, so if this feature isn't used, everything remains the same.  A rule
can be a member of a group and be a head of a new group.  For example,
you can do:

(A) pass in quick on le0 all head 1
(B) block in proto icmp group 1
(C) pass in proto icmp all
(D) block in proto udp all

Using the above rules, an ICMP packet coming in is passed by rule (A) but
then goes to group 1 and is blocked by (B).  If an ICMP packet comes in
on (say) ppp0, then it won't match rule (A) and is let through by rule (C).
In the case of rule (A), quick tells the filter to abort matching after the
group has been processed, so that if a UDP packet came in le0, it would
match (A) and be let through.  The "head" rules may only be deleted when
all their "children" in that group are deleted.  ipfstat has been modified
to recursively print groups of rules in order of their discovery as it
descends the "default" group.

The new beta is available at:
ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/ip_fil3.2beta4.tar.gz

Cheers,
Darren

p.s. would those attending AUUG'97 next week be interested in a BOF ?
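
The head/group matching described in the message, modelled as an added example (not code from IP Filter or from the original post). It assumes last-match-wins evaluation inside each group and a default of "pass" when no rule matches; the Rule class and the evaluate()/decide() helpers are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    label: str
    action: str                  # "pass" or "block"
    iface: Optional[str] = None  # "on le0"; None matches any interface
    proto: Optional[str] = None  # "proto icmp"; None matches any protocol
    quick: bool = False
    group: int = 0               # group the rule belongs to (default 0)
    head: Optional[int] = None   # group this rule is the head of, if any

    def matches(self, pkt):
        return (self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"]))

# The four rules (A)-(D) from the message, transcribed field by field.
RULES = [
    Rule("A", "pass", iface="le0", quick=True, head=1),
    Rule("B", "block", proto="icmp", group=1),
    Rule("C", "pass", proto="icmp"),
    Rule("D", "block", proto="udp"),
]

def evaluate(pkt, rules=RULES, group=0, verdict=("pass", None)):
    """Walk one group in order; return ((action, label), stop)."""
    # Assumption: ("pass", None) is the result when nothing matches.
    for r in (r for r in rules if r.group == group):
        if not r.matches(pkt):
            continue
        verdict = (r.action, r.label)   # assumed: last match wins
        stop = False
        if r.head is not None:
            # Children are only consulted once their head has matched.
            verdict, stop = evaluate(pkt, rules, r.head, verdict)
        if r.quick or stop:
            # quick: stop matching once the group has been processed.
            return verdict, True
    return verdict, False

def decide(iface, proto):
    (action, label), _ = evaluate({"iface": iface, "proto": proto})
    return action, label
```

decide() returns the final action together with the label of the rule that set it, which makes it easy to see which packets a head rule's "quick" keeps away from the rest of the default group.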
