SUMMARY: How to filter IP connections?

From: Andras Micsik (micsik@sztaki.hu)
Date: Mon Oct 05 1998 - 02:43:17 CDT


My original questions and the summary of answers:

> we are using Solaris 2.5, and I would like to filter/log all
> TCP/UDP port connections based on IP address or hostname.
>
> - I know that for ports handled by inetd there are several solutions (for
> example tcpd), but is there a built-in tool for this in Solaris (by
> accident ;-)?

Apparently there is no Solaris built-in tool. The use of tcp wrappers is
the solution.

> - What can I do with RPC-based services, for example mountd (for which
> there are pretty intruder codes available)? I could replace rpcbind to
> another variation which has filtering capability, but still one can
> connect directly to the port of mountd/nfsd/nisd (I do not know much about
> RPC, so maybe this is not true, please explain). I would like to avoid
> applying patches constantly for all RPC based services.

No answer addressed this question directly. IP-Filter could be a solution.
I know about Wietse Venema's rpcbind replacement, but I don't know if it
can also protect against direct connection to rpc services (as I know the
UDP port of some rpc services can be guessed).

> - Finally is there a way to filter out connections for other daemons? For
> example a user runs a WWW server on port 8000. How can I apply filtering
> for that port?

A firewall, or IP-Filter, is the solution. It would be interesting to know
how big a performance degradation IP-Filter causes.

Andras Micsik
http://www.sztaki.hu/~micsik

*********************************ANSWERS***********************************

Several people advised to use IP-Filter:

I would like to suggest the following product: IP-Filter. It is a freeware
product. The install is fairly simple. Lots of documentation is available.
This is what it can do for you:

1) Log any traffic that you wish
2) Provide network address translation for those unregistered internet
addresses
3) Block/Allow traffic based on ports used
4) Set up accounting so you can see how much traffic is used on a given
port. (in bytes)

This product is actually bundled with FreeBSD.

It is also available for Solaris 2.x.
Go to http://coombs.anu.edu.au/~avalon/ip-filter.html for more information.

Hope this helps.
Marco Greene
cmgreene@netcom.ca

-------------------------
And tcp wrappers:

The easy answer is to install TCP Wrappers:

ftp://ftp.win.tue.nl/pub/security/tcp_wrappers.7.6.tar.gz

This will allow you to "wrap" daemons started by inetd. The "wrap" will
allow logging and access control by IP or hostname.

There's a good article on TCP Wrappers at:
http://www.performancecomputing.com/unixreview/backissu/9709/9709f1.htm

Steve Boyko

------------------------

You can log all connections to and from your machine by using the
commands 'snoop' or 'tcpdump' (which you have to compile yourself).

Look for traffic monitoring tools at
http://www.alw.nih.gov/Security/prog-network.html

> - Finally is there a way to filter out connections for other daemons? For
> example a user runs a WWW server on port 8000. How can I apply filtering
> for that port?
>
For filtering on a larger basis than tcp-wrappers, you need a firewall.
Again, look at the website above.
You can build a cheap firewall for your whole network with a Linux system.
There is also commercial firewall software for Solaris available.

- Sebastian Benoit
- benoit@mathematik.uni-marburg.de
- http://www.mathematik.uni-marburg.de/~benoit

------------------------

A> we are using Solaris 2.5, and I would like to filter/log all TCP/UDP
A> port connections based on IP address or hostname.

   http://www.nswc.navy.mil/ISSEC/CID

   The early adopters of intrusion detection systems crafted their own
   unique tools, but now some of the pioneers in intrusion detection
   are joining forces to perfect a library of public domain, or freely
   available tools to protect sites. This toolset, called "CIDER"
   (for Cooperative Intrusion Detection Evaluation and Response),
   automates the process of information gathering and traffic analysis
   based intrusion detection.

-- 
Karl Vogel
ASC/YCOA, Wright-Patterson AFB, OH 45433, USA
vogelke@c17mis.region2.wpafb.af.mil

-------------------------

See:

ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.BLURB

The actual code is in the same directory.

I believe this is what you are looking for....

--
Rick Brashear - Unix/MCSE | The Collective Technologies KC Beach Head....
Collective Technologies   | "The Power of Many Minds"
A Pencom Company          | work: rickb@colltech.com  office: (312)781-6200
http://www.colltech.com   | Pager: (800) 759-8888, Pin 249-2646
--

-------------------------

First of all, tcp wrappers supports access control lists. This can be done through the /etc/hosts.allow and /etc/hosts.deny option. However, you need to compile them with the -DHOSTS option....RTFM on the wrappers.

As far as filtering out port 8000 goes, it depends on what server you are running. You can set up ACLs through SuiteSpot from Netscape. Possibly Apache.

--
Eric D. Pancer               \ "I kissed my first girl and smoked my
Outlook Technologies, Inc.   \  first cigarette on the same day.
eric@outlook.net             \  I haven't had time for tobacco
http://www.outlook.net/~eric \  since." -- Arturo Toscanini
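The hosts.allow / hosts.deny access control that the tcp wrappers answers above rely on is easy to get wrong in the order of evaluation (allow file first, then deny file, otherwise permit; first matching line wins; EXCEPT carves holes out of a list). The following is an added illustration of that evaluation, written for this summary and not tcp_wrappers' own code; the two sample files, the daemon names and the client addresses are constructed, and the pattern forms covered are ALL, exact host or address, ".domain" suffix, "net." prefix and net/mask.

```python
import ipaddress

# Constructed sample access files (not any poster's real configuration).
# Semantics follow hosts_access(5): 'daemon_list : client_list [: shell_command]'.
HOSTS_ALLOW = """\
# Wrapped inetd services reachable from the campus network, except one host
ALL : 192.168.1. EXCEPT 192.168.1.13
in.ftpd : .sztaki.hu
"""
HOSTS_DENY = """\
ALL : ALL
"""

def _match_client(pattern, host, ip):
    """One client pattern against the connecting client's hostname and address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:                           # net/mask form, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):                  # domain suffix, e.g. .sztaki.hu
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                    # network prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    return pattern == host or pattern == ip      # exact hostname or address

def _match_list(spec, match_fn):
    """Comma-separated list with optional right-associative 'EXCEPT' clauses."""
    head, _, tail = spec.partition(" EXCEPT ")
    in_head = any(match_fn(tok) for tok in head.split(","))
    in_tail = bool(tail) and _match_list(tail, match_fn)
    return in_head and not in_tail

def _file_matches(text, daemon, host, ip):
    """True if any non-comment rule line matches; the first match decides."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 2)[:2])
        if _match_list(daemons, lambda t: t.strip() in ("ALL", daemon)) and \
           _match_list(clients, lambda t: _match_client(t, host, ip)):
            return True
    return False

def hosts_access(daemon, host, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide like tcpd: hosts.allow first, then hosts.deny, else permit."""
    if _file_matches(allow, daemon, host, ip):
        return True
    if _file_matches(deny, daemon, host, ip):
        return False
    return True      # no rule matched anywhere: tcpd grants access
```

With the sample files, telnet from 192.168.1.7 is permitted, the excepted host 192.168.1.13 is refused for telnet but still gets ftp through the ".sztaki.hu" line, and everything else falls through to the catch-all deny; removing the deny file shows the permissive default.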



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:50 CDT