Pktfilter usage reference

Article submission: tombkeeper (tombkeeper_at_126.com)

Tombkeeper@whitecell.org

/*
This document is based mainly on the README that ships with pktfilter; it corrects some
errors in the original and adds some of my own experience.

I like this firewall mainly because it uses few resources, has a UNIX flavour, has no
graphical interface, and puts no annoying icon in the system tray.

Like IP Filter, this firewall is not designed for people who know nothing, or very little,
about security. If you use it, make sure you have the basics, the TCP/IP protocols included.
Questions about the program itself go to its author, Jean-Baptiste.Marchand@hsc.fr.
No support is provided for this document, the rule generation script, or my modified build.
*/

pktfilter is a packet-filtering firewall for Windows 2000/XP/2003.

pktfilter does not implement its own network filter driver; it is a configuration front end for
the packet filtering mechanism built into the system. Windows 2000 and later ship an
IpFilterDriver service, but the operating system provides no convenient way to configure it.

Because it uses the system's own mechanism, pktfilter is very stable and light on resources.
For the same reason, what pktfilter can do is limited to what that mechanism supports: it is a
stateless packet filter.

The rule syntax of pktfilter is a subset of that of IP Filter 4. See http://www.ipfilter.org/.

----------
Installation and use:
----------

Create a directory for pktfilter and copy pktfltsrv.exe and pktctl.exe into it.

Create a rule file. You can write the rules yourself following the syntax described below. If
you install pktfilter on a machine that acts as a gateway and write the corresponding rules,
pktfilter can serve as a network firewall.

If you only want to protect your own PC and do not need complex rules, you can use the script
rulesbuild.cmd that I wrote (see the appendix): set the variables at the top of the file and it
generates the rule file for you.

Install the service, giving it the rule file and the log file, then start it:
C:\pktfilter> pktfltsrv -i "C:\pktfilter\pktfilter.conf" "C:\pktfilter\pktfilter.log"

C:\pktfilter> net start pktfilter

Whoever can write the rule file or run pktctl controls the firewall, so keep the pktfilter
directory writable by Administrators only.

-------------
Filter rules:
-------------

Global options
    option
        small_frags     Drop packets made of small fragments. By default a fragment smaller
                        than 16 bytes counts as small; the threshold can be changed by
                        creating the registry value
                        HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\FragmentThreshold
                        Tiny fragments are the classic way to slip a TCP header past a
                        port-based filter (RFC 1858), so keep this option on.
        strong_host     Not mentioned in the README, but accepted by the program. MSDN:
                        "Causes a check of the destination address of incoming packets."
        check_frags     Not mentioned in the README, but accepted by the program. MSDN:
                        "Causes a check of the fragments from the cache."

Filter action
    pass        allow the packet
    block       drop the packet

Direction
    in          inbound
    out         outbound

Protocol
    proto, followed by one of:
        tcp         TCP
        udp         UDP
        icmp        ICMP
        [number]    any other IP protocol number
        [omitted]   all protocols

Source address
    from [addr]             a single IPv4 address
    from [subnet/mask]      a network

Source port (TCP/UDP only)
    port [comparator] [port number]
    Comparators:
        =
        >=
        >
        <=
        <
        ><      port range, written as port [low] >< [high], e.g. port 1024 >< 65535

Destination address
    to [addr]               a single IPv4 address
    to [subnet/mask]        a network

Destination port (TCP/UDP only)
    port [comparator] [port number]
    Comparators: the same as for the source port.

ICMP type and code
    icmp-type [type] [code [code]]

TCP connection establishment
    established     Written at the end of a TCP rule. The rule then does not match packets
                    that carry only the SYN flag (SYN without ACK), so it passes only
                    packets belonging to an already established connection.
                    This is a check on TCP flags, not connection tracking: any packet with
                    ACK set matches whether or not a connection exists, so keep the address
                    and port constraints on such rules as tight as possible.

-----
Example:
-----

# Drop packets composed of small fragments
option small_frags on eth0

# Default behaviour = deny everything
block in on eth0 all
block out on eth0 all

# Allow DNS resolution to our nameserver
pass out on eth0 proto udp from 192.168.1.1 port > 1023 to 192.168.1.254 port = 53
pass in on eth0 proto udp from 192.168.1.254 port = 53 to 192.168.1.1 port > 1023

# Allow inbound ICMP traffic (ping)
pass in on eth0 proto icmp from any to 192.168.1.1 icmp-type echo
pass out on eth0 proto icmp from 192.168.1.1 to any icmp-type echorep

# Allow RDP (Terminal Services) administration from our administration subnet
pass in on eth0 proto tcp from 10.42.42.0/24 port > 1024 to 192.168.1.1 port = 3389
pass out on eth0 proto tcp from 192.168.1.1 port = 3389 to 10.42.42.0/24 port > 1024 established

-------------
Filter rule reference:
-------------

A rule file consists of global options and ordinary rules.

Syntax of a global option:
    "option" global_option iface

The README lists only "small_frags" as a global option; strong_host and check_frags (see
Global options above) are also accepted by the program.

Syntax of an ordinary rule:
    action [in-out] iface [proto_spec] ip [proto-options]

    action          = "pass" | "block"
    in-out          = "in" | "out"
    iface           = "on" ifname digit
    ifname          = "eth" | "ppp" | "sl" | "lo" | "tr" | "fd"
    proto_spec      = "proto" [proto]
    proto           = "tcp" | "udp" | "icmp" | "any" | ip_proto
    ip_proto        = decnumber
    decnumber       = digit [decnumber]
    ip              = "all" | "from" ip-addr [port-comp | port-range] "to" ip-addr [port-comp | port-range]
    ip-addr         = "any" | ip-dotted-addr [ip-mask]
    ip-dotted-addr  = host-num "." host-num "." host-num "." host-num
    host-num        = digit [digit [digit]]
    ip-mask         = "/" ip-addr | decnumber
    port-comp       = "port" comparator decnumber
    comparator      = ">" | ">=" | "<" | "<=" | "="
    port-range      = "port" decnumber "><" decnumber
    proto-options   = "icmp-type" icmp-type ["code" icmp-code] | "established"
    icmp-type       = "echorep" | "unreach" | "squench" | "redir" | "echo" | "router_adv" |
                      "router_sol" | "timex" | "paramprob" | "timest" | "timestrep" |
                      "inforeq" | "inforep" | "maskreq" | "maskrep"
    icmp-code       = decnumber
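A syntax checker for this grammar, written in Python as an added example (it is not part of pktfilter and not the document's original material). It implements the rule grammar above together with the protocol-dependent restrictions stated earlier (port comparisons only with TCP/UDP, established only with TCP, icmp-type only with ICMP), so a rule file can be checked before it is loaded; that is worth doing because, as noted later in this document, the service can crash on a malformed rule. Assumptions: tokens are whitespace-separated as in the examples (so "port>1023" is rejected), interface names are not checked against the ifname list, and the optional "code" suffix after icmp-type is not handled. The embedded sample rule set is constructed for the example.

```python
import ipaddress

ICMP_TYPES = {"echorep", "unreach", "squench", "redir", "echo", "router_adv", "router_sol", "timex",
              "paramprob", "timest", "timestrep", "inforeq", "inforep", "maskreq", "maskrep"}

class RuleError(ValueError):
    """A rule line that does not follow the grammar."""

def _take(toks, what, ok=None):
    """Pop the next token; fail if the line has ended or `ok` (a set or a predicate) rejects it."""
    if not toks:
        raise RuleError(f"unexpected end of rule, expected {what}")
    tok = toks.pop(0)
    if ok is not None and not (ok(tok) if callable(ok) else tok in ok):
        raise RuleError(f"expected {what}, got {tok!r}")
    return tok

def _is_ipv4(tok):
    # ip-addr = "any" | dotted ["/" (prefix length | dotted mask)]; IPv4Network accepts all three forms
    try:
        return tok == "any" or ipaddress.IPv4Network(tok, strict=False) is not None
    except ValueError:
        return False

def _is_port(tok):
    return tok.isdigit() and int(tok) <= 65535

def _ports(toks, proto):
    # optional port-comp ("port" comparator N) or port-range ("port" N "><" M); TCP/UDP only
    if toks[:1] != ["port"]:
        return
    if proto not in ("tcp", "udp"):
        raise RuleError("port comparisons are only valid with proto tcp or udp")
    toks.pop(0)
    if toks and toks[0] in {">", ">=", "<", "<=", "="}:
        toks.pop(0)
    else:
        _take(toks, "a port number", _is_port)
        _take(toks, "'><'", {"><"})
    _take(toks, "a port number", _is_port)

def _parse_filter(toks, rule):
    # [proto_spec] ip [proto-options], with the protocol-dependent checks described in the text
    proto = "any"
    if toks[:1] == ["proto"]:
        toks.pop(0)
        proto = _take(toks, "a protocol", lambda t: t in ("tcp", "udp", "icmp", "any") or t.isdigit())
    rule.update(proto=proto, src="any", dst="any", icmp_type=None, established=False)
    if toks[:1] == ["all"]:
        toks.pop(0)
    else:
        for keyword, side in (("from", "src"), ("to", "dst")):
            _take(toks, f"'{keyword}'", {keyword})
            rule[side] = _take(toks, "an IPv4 address", _is_ipv4)
            _ports(toks, proto)
    if toks[:1] == ["icmp-type"]:
        if proto != "icmp":
            raise RuleError("icmp-type is only valid with proto icmp")
        toks.pop(0)
        rule["icmp_type"] = _take(toks, "an ICMP type name", ICMP_TYPES)
    elif toks[:1] == ["established"]:
        if proto != "tcp":
            raise RuleError("established is only valid with proto tcp")
        toks.pop(0)
        rule["established"] = True

def parse_rule(line):
    """Parse one whitespace-separated rule line into a dict, or raise RuleError."""
    toks = line.split()
    rule = {"kind": _take(toks, "pass, block or option", {"pass", "block", "option"})}
    if rule["kind"] == "option":
        rule["option"] = _take(toks, "a global option name", {"small_frags", "strong_host", "check_frags"})
    else:
        rule["dir"] = _take(toks, "in or out", {"in", "out"})
    _take(toks, "'on'", {"on"})
    rule["iface"] = _take(toks, "an interface name")
    if rule["kind"] != "option":
        _parse_filter(toks, rule)
    if toks:
        raise RuleError(f"trailing tokens: {' '.join(toks)!r}")
    return rule

def check_rules(text):
    """Validate a whole rule file; return (valid_rule_count, [(lineno, line, message), ...])."""
    ok, errors = 0, []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line and not line.startswith("#"):
            try:
                parse_rule(line)
                ok += 1
            except RuleError as exc:
                errors.append((lineno, line, str(exc)))
    return ok, errors

# Constructed sample: two rules from the example above plus three deliberately broken ones (lines 3-5).
SAMPLE_RULES = """\
option small_frags on eth0
pass out on eth0 proto udp from 192.168.1.1 port > 1023 to 192.168.1.254 port = 53
pass out on eth0 proto icmp from 192.168.1.1 type echorep to any
pass in on eth0 proto udp from any port = 53 to 192.168.1.1 port > 1023 established
pass in on eth0 from 10.42.42.0/24 to 192.168.1.1 port = 3389
"""
```

check_rules(SAMPLE_RULES) reports line 3 as "expected 'to', got 'type'" (the proto option was placed before "to"), line 4 as "established is only valid with proto tcp", and line 5 as "port comparisons are only valid with proto tcp or udp". Run it over a real rule file with check_rules(open(path).read()) before handing the file to pktctl.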

-----------------
Pktctl command usage:
-----------------

pktctl runs in command-line mode, or in interactive mode (pktctl -i), where commands are typed
at the pktctl> prompt. Below, each operation is shown in its command-line form first, with the
interactive equivalent beneath it.

List the network interfaces, with the names (eth0, ...) used in rules:
C:\> pktctl -i
eth0: (3Com EtherLink PCI): 192.168.0.1

Load a rule file:
C:\> pktctl -f rules.txt
pktctl> source rules.txt

Flush all loaded rules, then load the rule file:
C:\> pktctl -F rules.txt
pktctl> reload rules.txt

Add a single rule by hand (temporary: it is not written to the rule file):
C:\> pktctl -a "pass in on eth0 from 10.0.0.42 to any"
pktctl> pass in on eth0 proto udp from 10.0.0.42 to any

List the rules on an interface (the listing includes the rule number, which you need in order
to delete a rule):
C:\> pktctl -l eth0
pktctl> list on eth0

Delete a rule by number:
C:\> pktctl -d 2 eth0

Delete all rules on an interface:
C:\> pktctl -fa eth0
pktctl> flush on eth0

Delete all rules on all interfaces:
C:\> pktctl -fa all
C:\> pktctl -fa
pktctl> flush on all

Display the filtering statistics for an interface:
C:\> pktctl -s eth0
pktctl> stats on eth0

----------------------
Command line options of pktfltsrv:
----------------------
-i "path_to_rules_file" "path_to_log_file"     install the service with the given rule and log files
-u                                              uninstall the service

Some problems and notes:

1. Logging does not work on Windows XP SP1.
This is an XP problem: PfSetLogBuffer in SP1's iphlpapi.dll does not work properly (reported on
the pktfilter mailing list).

2. The service crashes when certain malformed rules are added, so check the syntax of a rule
file before loading it.

3. INVALID_SET_FILE_POINTER is defined only in the Platform SDK's winbase.h, so to compile
pktfltsrv you must put the SDK include directory first under Tools -> Options in VS. The SDK is
not installed on my current machine; I copied it over from an earlier installation, so I had to
set this by hand. I do not remember whether installing the SDK directly overwrites the VC header
files with the SDK ones; if it does, this step may be unnecessary.

4. It may not run on Windows 2000 Professional. I have not tested this, but whenever MSDN
describes these functions it says: "Supported in Windows 2000 Server and Windows .NET Server."

5. Notes on the source and my modifications: in the rule listing of pktctl.exe -l there was no
space between the interface and protocol fields, so I added one (filter_stats.c, line 70). The
author appears to have left out a statement, so the ICMP type and code are not logged
(logging.c, line 187). Values such as the TTL and the TCP window size cannot be logged, and I am
not used to the format of some log records.

6. For the principles behind the implementation, see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rras/packet_filtering_reference.asp

Appendix: Rule Generation script:

@echo off

echo # Rules generated by the pktfilter rule generation script rulesbuild.cmd v0.1
echo # tombkeeper@whitecell.org
echo.

setlocal

rem If you do not need something, leave its variable empty.

rem Network interface the rules are written for:
set interface=eth0

rem Rule file to generate:
set rules_file=pktfilter.conf

rem Local IP address (only a single address is handled here):
set local_ip=192.168.0.1

rem Trusted IP addresses. Note: traffic to and from these addresses is completely outside the
rem firewall's control. Separate multiple addresses with commas:
set trust_ip=192.168.0.2,192.168.0.3

rem Gateway address; some gateways ping hosts periodically:
set gateway=192.168.0.254

rem QQ server addresses, separated by commas:
set qq_server=219.133.40.15

rem Use active-mode FTP?
set ftp_active=true

rem Use DNS?
set dns=true

rem Use TFTP?
set tftp=true

rem Use SNMP?
set snmp=true

rem Use MSN direct file transfer?
set msn=true

rem Use QQ?
set qq=true

rem Use online updates for Kingsoft Antivirus (KAV)?
set kav=true

rem Use NetBIOS?
set netbios=true

rem Other TCP ports to open, separated by commas:
set other_tcp=

echo ############################################################################
echo # Global rules
echo ############################################################################
echo.

echo # Drop packets made of small fragments
echo option small_frags on %interface%
echo.

echo # Block all inbound and outbound traffic by default
echo block in on %interface% all
echo block out on %interface% all
echo.

echo # Allow %local_ip% to open TCP connections to any address
echo pass out on %interface% proto tcp from %local_ip% port 1 ^>^< 65535 to any port 1 ^>^< 65535
echo pass in on %interface% proto tcp from any port 1 ^>^< 65535 to %local_ip% port 1 ^>^< 65535 established
echo.

:trust_ip
if "%trust_ip%"=="" goto tcp
echo # Trusted hosts %trust_ip% have full access to %local_ip%
for %%i in (%trust_ip%,) do echo pass in on %interface% from %%i to %local_ip% & echo pass out on %interface% from %local_ip% to %%i
rem The trailing comma after %trust_ip% takes care of the case where only one address is given.
echo.

:tcp
echo ############################################################################
echo # TCP rules
echo ############################################################################
echo.

:ftp_active
if not "%ftp_active%"=="true" goto msn
echo # Open TCP 20 for active-mode FTP
echo pass in on %interface% proto tcp from any port = 20 to %local_ip% port ^> 1023
echo.

:msn
if not "%msn%"=="true" goto other_tcp
echo # Open TCP 6890-6900 for MSN direct file transfer
echo pass in on %interface% proto tcp from any port ^> 1023 to %local_ip% port 6890 ^>^< 6900
echo.

:other_tcp
if "%other_tcp%"=="" goto udp
echo # Other TCP ports to open: %other_tcp%
for %%i in (%other_tcp%,) do echo pass in on %interface% proto tcp from any port ^> 1023 to %local_ip% port = %%i
echo.

:udp
echo ############################################################################
echo # UDP rules
echo ############################################################################
echo.

:dns
if not "%dns%"=="true" goto snmp
echo # DNS
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 53
echo pass in on %interface% proto udp from any port = 53 to %local_ip% port ^> 1023
echo.

:snmp
if not "%snmp%"=="true" goto tftp
echo # SNMP
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 161
echo pass in on %interface% proto udp from any port = 161 to %local_ip% port ^> 1023
echo.

:tftp
if not "%tftp%"=="true" goto netbios
echo # TFTP
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 69
echo pass in on %interface% proto udp from any port = 69 to %local_ip% port ^> 1023
echo.

:netbios
if not "%netbios%"=="true" goto kav
echo # NetBIOS-NS (UDP 137) and NetBIOS-DGM (UDP 138)
echo pass out on %interface% proto udp from any port = 137 to any port = 137
echo pass in on %interface% proto udp from any port = 137 to any port = 137
echo pass out on %interface% proto udp from any port = 138 to any port = 138
echo pass in on %interface% proto udp from any port = 138 to any port = 138
echo.

:kav
if not "%kav%"=="true" goto qq
echo # Kingsoft Antivirus online update verification port
echo pass out on %interface% proto udp from %local_ip% port ^> 1023 to any port = 6868
echo pass in on %interface% proto udp from any port = 6868 to %local_ip% port ^> 1023
echo.

:qq
if not "%qq%"=="true" goto icmp
echo # QQ over UDP
for %%i in (%qq_server%,) do echo pass out on %interface% proto udp from %local_ip% port = 6000 to %%i port = 8000 & echo pass in on %interface% proto udp from %%i port = 8000 to %local_ip% port = 6000
rem The trailing comma after %qq_server% takes care of the case where only one server is given.
echo.

:icmp
echo ############################################################################
echo # ICMP rules
echo ############################################################################
echo.

:ping
echo # %local_ip% may ping any address
echo pass out on %interface% proto icmp from %local_ip% to any icmp-type echo
echo pass in on %interface% proto icmp from any to %local_ip% icmp-type echorep
echo.

:gateway
if "%gateway%"=="" goto write
echo # The gateway may ping %local_ip%
echo pass in on %interface% proto icmp from %gateway% to %local_ip% icmp-type echo
echo pass out on %interface% proto icmp from %local_ip% to %gateway% icmp-type echorep

:write
call %0 1>%rules_file% 2>nul
@echo off
rem Writing the file this way avoids redirecting every echo line separately and writing the
rem file many times; it is fast and easy to maintain.
rem Either call or cmd /c can be used. Once the file has been written, the nested run exits
rem with an error because the file is held open by the other cmd instance.
rem If the batch file is invoked directly, without call, it runs in the same cmd process and
rem loops forever.
rem This method is actually better suited to an interactive script that decides which file to
rem write, for example one that reads the variables above from the console with set /p.

endlocal

@echo on
