Configuring packet filters and TCP Wrappers

In UnixWare®, you can configure a packet filter on your Internet gateway(s) to control what types of packets are allowed access to your site's networks and also which packets are allowed to leave your site. This increases the security of your networks against unauthorized access from outside. For another method of controlling access to Internet services, see ``TCP Wrappers''.

If you want to protect portions of an organization's networks or intranet from unauthorized snooping or other forms of attack, or simply for the sake of privacy, you can also configure packet filters on the network interfaces of routers between networks, or on the network interfaces of individual hosts.

A packet filter can be configured on any LAN network interface that uses an MDI network adapter driver, and also on any WAN network interface that uses the version of the PPP serial line protocol provided by UnixWare. ``A packet filter applied to a gateway'' shows a packet filter that has been applied to the interface on a gateway machine that connects local networks to the Internet.

A packet filter applied to a gateway

Connections to the Internet are usually made using a PPP link to an Internet Service Provider (ISP). By placing the filter on the gateway interface, the network administrator can effectively control all network traffic between the local site and the external world. You can also apply a packet filter to the interface between the gateway machine and the local network to set up a ``tiered'' filtering system. By suitably configuring the filters on the external and internal interfaces of the gateway machine, you could allow access from outside to certain services such as FTP and HTTP on the gateway machine but prevent such access to your internal systems. To allow access from hosts on your internal networks to the gateway machine, you need only restrict access to the services for packets that originate from external addresses.

On LAN network interfaces, such as Ethernet and Token Ring LAN adapters, you can configure a filter that screens all packets, or you can configure separate filters for incoming or outgoing packets.


NOTE: Packet filtering on LAN network interfaces is only supported for MDI network adapter drivers.

Each interface has its own filter definition file which can contain several different filter definitions (see filter(4)). Only one packet filter can be loaded on the incoming stream or the outgoing stream of an interface at any time. The incoming and outgoing streams can use the same packet filters, or they can use different ones. If a packet filter is unloaded from a stream, the interface will pass all packets on that stream. ``How packet filters are applied to a LAN network interface'' shows how separate filters might be applied to the incoming and outgoing streams of one of a router's network interfaces.

How packet filters are applied to a LAN network interface

An SCO PPP interface can be configured with four types of packet filter as part of its Internet Protocol Control Protocol (IPCP) characteristics (see ppptalk(1M)):

passin
defines which incoming packets can pass through the interface

passout
defines which outgoing packets can pass through the interface

bringup
defines which packets can bring up a link automatically

keepup
defines which packets can reset the idle timer on a link and so prevent it being brought down

All PPP interfaces share the same filter definition file. The file can contain many filter definitions, each of which must be identified by a unique tag. Each PPP interface can use a different set of filters from the file.

There are two basic methods for constructing a packet filter:

The simplest types of packet filter screen packets based on the service (defined by the combination of a port number and the protocol type) for which the packet is being used. The filter itself does not examine the direction in which a packet is crossing the interface, or its source or destination addresses; direction is controlled by where the filter is loaded. Using the Packet Filter Manager, you can define separate packet filters for the incoming and outgoing streams of an interface. These filters control the delivery of IP packets based on the destination port number specified in their TCP or UDP header. For example, you could allow local users to establish outgoing telnet connections to external sites, but prevent incoming telnet connections from external hosts to your local systems.

Rather than blocking access to a service for all external addresses, you may choose to permit access only from a specified subset of IP addresses. This is necessary, for example, if you want to restrict access to your internal DNS name servers but still need to answer queries from the root domain name servers.
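As an added illustration of the two methods above (this is not UnixWare's filter(4) syntax, and the Packet Filter Manager produces its own definitions), the following model applies a separate stateless filter to the incoming and outgoing streams of an interface, matching on protocol and destination port, optionally restricted to a set of source networks. All addresses are constructed placeholders from the documentation ranges, and the "root server" network is a stand-in.

```python
# Added example: a model of per-stream, destination-port packet filtering.
# Not UnixWare's filter(4) format; addresses below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # source port
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    src_nets: Tuple[str, ...] = ()  # empty = any source; else only these sources match
    action: str = "block"           # "block" or "pass"


class StreamFilter:
    """A filter loaded on one stream (incoming or outgoing) of an interface.
    Rules are checked in order, the first match decides, unmatched packets pass."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.proto != pkt.proto or r.dport != pkt.dport:
                continue
            if r.src_nets and not any(ip_address(pkt.src) in ip_network(n) for n in r.src_nets):
                continue
            return r.action
        return "pass"


def interface_decide(pkt: Packet, flt: Optional[StreamFilter]) -> str:
    """An unloaded filter (None) lets every packet through on that stream."""
    return "pass" if flt is None else flt.decide(pkt)


ROOT_SERVER_NET = "198.51.100.0/24"  # constructed stand-in for the root name servers

# Incoming stream: block telnet to local hosts; answer DNS only for the root servers.
INCOMING = StreamFilter([
    Rule("tcp", 23),
    Rule("udp", 53, src_nets=(ROOT_SERVER_NET,), action="pass"),
    Rule("udp", 53),
])
# Outgoing stream: no restrictions, so local users may telnet out.
OUTGOING = StreamFilter([])
```

Because the incoming filter matches on the destination port only, replies to a locally initiated telnet session (destination port is the client's ephemeral port, source port 23) still pass; this is why destination-port filtering per stream is sufficient for the telnet example in the text.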


NOTE: If you want to perform more sophisticated filtering, such as examining packet headers for both their source and destination port numbers, and screening ICMP messages, you can construct packet filters by editing the filter definition files as described on the filter(4) manual page. It is not possible, however, to modify these filters using the Packet Filter Manager.


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999