Series: Security. Author: James Blackmore. This was a graduate project, supervised by Bob Eager. Homepage: http://www.tavi.co.uk/os2pages/
The OS/2 Warp Server TCP/IP V4.21 stack includes Virtual Private Network (VPN) capability.
The actual implementation is based on the IP Security Architecture (IPSec) framework, which provides security at the network layer.
While most of the VPN functionality of IPSec is not of particular interest here, its packet filtering capabilities are, as these allow it to be used as a firewall on a multi-homed host.
IPSec consists of four device drivers (only two of which are essential here) and a number of configuration utilities, which will be looked at in the next section.
The author has provided the Firestarter utility - an OS/2 REXX program - that will take the user through basic configuration of the firewall.
To run Firestarter, open an OS/2 window and type firestarter at the command prompt.
Alternatively, to manually configure the firewall, complete the 5 steps outlined below:

1. Check your CONFIG.SYS file for the following lines and add them if they are not
present (the drive letter will be whichever drive you are running OS/2 on):
DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS
DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
(Note: FWIP.SYS is the filter driver device from IPSec. IPSEC.SYS provides the
framework for IPSec, and in this context is only needed to implement packet logging.)
[Editor:- if you have mislaid the necessary files, get them here -
these are from an Aurora beta installation]

2. Create the following configuration file:
\MPTN\ETC\FWSECAD.CNF
List the IP addresses (in dotted decimal form) of any interfaces you want to be secure
in this file, one per line. Any interfaces not listed will be non-secure.

3. Create the following configuration file (you will probably need to create the SECURITY
sub-directory first):
\MPTN\ETC\SECURITY\FWFILTRS.CNF
This file is the firewall filter rules list. It is not necessary to enter any rules
at this stage, as they will be explained later.

4. Reboot your computer, to allow the changes to update. You must do this, otherwise
the next step will not work.

5. Open an OS/2 window and, at the command prompt, type the following command:
cfgfilt -u -i
This activates the filter support code. It also switches the firewall on,
by automatically issuing the inetcfg -s firewall 1 command.
To find out more about cfgfilt and inetcfg, see the Appendices below.
Basic configuration is now complete.
The firewall should be up and running and blocking all traffic.
There are 2 freely available utilities that can be used to define and administer
the firewall's filter rules. They are both GUI-based applications that run on
the desktop, and provide a good way to keep track of the firewall's configuration.
Resources: IBM Redbooks (search for documentation on IBM products)
It is of course possible to manually configure the firewall rules.
To do so, complete the following 3 steps:

1. Open \MPTN\ETC\SECURITY\FWFILTRS.CNF in an editor. For the format of the rules,
see the Filter Rule Format appendix below. Rules are entered one per line, with a
single space between each field.

2. When you have finished entering rules and have saved the configuration, open an OS/2
window and type the following command:
cfgfilt -u
This will update the filter rules. If any of your rules use logging, you will need to
include the -d flag on the above command.

3. To check that your rules are correct, run cfgfilt with no parameters. The rules should
now all be listed and numbered.

Notice that the last rule in the list is always the firewall's
default 'deny all packets' rule.
To find out more about how FWIP.SYS operates, see the FWIP.SYS section below.
The information on this page shows how to configure rules for Telnet on the firewall.

| Scenario: | Telnet |
| Description: | Allows remote login across a network |
| Port Number: | 23 |
| Actions Required: | Permit Telnet from secure hosts to non-secure hosts. Deny Telnet from non-secure hosts to secure hosts |

Rules (in the rules below, sh.sh.sh.sh is a secure host, sf.sf.sf.sf the firewall's secure interface, nf.nf.nf.nf the firewall's non-secure interface, nh.nh.nh.nh a non-secure host, and m.m.m.m the corresponding address mask):

permit sh.sh.sh.sh m.m.m.m sf.sf.sf.sf m.m.m.m tcp gt 1023 eq 23 secure local inbound
(permits any secure host to Telnet the firewall's secure interface)

permit sf.sf.sf.sf m.m.m.m sh.sh.sh.sh m.m.m.m tcp/ack eq 23 gt 1023 secure local outbound
(permits the firewall's secure interface to Telnet ACK any secure host)

permit nf.nf.nf.nf m.m.m.m nh.nh.nh.nh m.m.m.m tcp gt 1023 eq 23 non-secure local outbound
(permits the firewall's non-secure interface to Telnet any non-secure host)

permit nh.nh.nh.nh m.m.m.m nf.nf.nf.nf m.m.m.m tcp/ack eq 23 gt 1023 non-secure local inbound
(permits any non-secure host to Telnet ACK the firewall's non-secure interface)

deny nh.nh.nh.nh m.m.m.m nf.nf.nf.nf m.m.m.m tcp gt 1023 eq 23 non-secure local inbound
(denies Telnet from any non-secure host to the firewall's non-secure interface)
IPSec on OS/2 Warp Server supports packet logging.
Typing cfgfilt, without any parameters, runs the Packet Filter Rules Dump Facility.
This provides a summary of the firewall's current configuration.
To see an example of what should appear on your screen, go here.
After basic configuration, any secure interfaces should now be listed and the status
of the filter support code should be 'active'.
Rule 1 is the firewall's default rule (it is always present as the last rule in
the list). It blocks all traffic through the firewall. Having this as default (and
setting individual 'permit' rules to allow specific services) is the safest possible
configuration.
The table in the cfgfilt appendix below summarises the possible parameters for cfgfilt.
There are other parameters, but they are used by IPSec in its tunnelling capacity,
and are not relevant here.
Typing inetcfg, without any parameters, runs the Interactive TCP/IP Stack
Parameters' Configuration Utility.
To see an example of what should appear on your screen, go here.
The only relevant usage here involves the firewall parameter (see the inetcfg appendix below).
Filter rules contain the following fields (each separated by a single space):

Rule action
| Value | Description |
|---|---|
| permit | Packets matching the rest of the fields in the rule definition will be allowed through the firewall |
| deny | Packets matching the rest of the fields in the rule definition will be blocked by the firewall |

Source / Destination IP address
| Value | Description |
|---|---|
| x.x.x.x | A valid IP address in dotted decimal format, e.g. 192.168.42.50 |

Source / Destination address mask
| Value | Description |
|---|---|
| x.x.x.x | Applied as bitwise AND to match address, e.g. 255.255.255.0 |

Protocol
| Value | Description |
|---|---|
| all | Matches all protocols |
| icmp | Matches ICMP packets |
| udp | Matches UDP packets |
| tcp | Matches TCP packets |
| tcp/ack | Matches TCP packets with acknowledgement bit set |
| ipsp | Matches IPSP packets |

Source / Destination port
| Value | Description |
|---|---|
| any 0 | Matches any port number |
| eq (port no.) | Matches specified port number, e.g. eq 301 |
| neq (port no.) | Matches any port number other than that specified |
| lt (port no.) | Matches any port number less than that specified |
| gt (port no.) | Matches any port number greater than that specified |
| le (port no.) | Matches any port number less than or equal to that specified |
| ge (port no.) | Matches any port number greater than or equal to that specified |

Interface
| Value | Description |
|---|---|
| secure | Matches packets flowing through a secure interface |
| non-secure | Matches packets flowing through a non-secure interface |
| both | Matches all packets |

Routing
| Value | Description |
|---|---|
| local | Matches packets flowing to or from the firewall |
| route | Matches packets flowing through the firewall |
| both | Matches all packets |

Direction
| Value | Description |
|---|---|
| inbound | Matches packets flowing to the specified interface |
| outbound | Matches packets flowing from the specified interface |
| both | Matches all packets |

Log control (optional)
| Value | Description |
|---|---|
| l=yes | Logs packets if set (default for denied packets) |
| l=no | Does not log packets if set (default for permitted packets) |

Fragmentation control (optional)
| Value | Description |
|---|---|
| f=yes | Matches headers, fragments and non-fragmented packets if set |
| f=no | Matches only non-fragmented packets if set |
| f=only | Matches only headers and fragments if set |

Tunnel ID (optional)
| Value | Description |
|---|---|
| t=(tunnel id) | Identifies tunnel through which packet must be sent if set |
FWIP.SYS works in the following manner: it searches the rule list from the top and stops at the first rule that matches the packet.
While, strictly speaking, it is not necessary to define specific rules to deny packets (as the firewall's default
rule will catch them), it is advisable to do so, as a precaution against mis-configured 'permit' rules later in the list.
Because FWIP.SYS stops searching through the list when it finds a match, a specific deny rule will catch a
prohibited packet before it has a chance to be matched against any mis-configured rules in the rest of the list.
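The following is an added illustration, not code from the original page or from IPSec itself: a small model of the first-match search just described, run over rules written in the FWFILTRS.CNF field format from the Telnet scenario. The addresses (10.0.0.1 as the secure interface, 198.51.100.1 as the non-secure interface), the packet dictionaries and the rule list are all constructed for the example; it also applies the log defaults from the field table (denied packets logged, permitted packets not).

```python
import ipaddress
import operator

# Constructed sample FWFILTRS.CNF rules in the page's field order (action, src, src mask,
# dst, dst mask, protocol, src port, dst port, interface, routing, direction, optional l=).
# Assumed addresses: 10.0.0.1 is the firewall's secure interface, 198.51.100.1 its non-secure one.
SAMPLE_RULES = """\
permit 10.0.0.0 255.255.255.0 10.0.0.1 255.255.255.255 tcp gt 1023 eq 23 secure local inbound
deny 0.0.0.0 0.0.0.0 198.51.100.1 255.255.255.255 tcp gt 1023 eq 23 non-secure local inbound
permit 0.0.0.0 0.0.0.0 198.51.100.1 255.255.255.255 tcp any 0 eq 23 non-secure local inbound
"""
PORT_OPS = {"any": lambda p, n: True, "eq": operator.eq, "neq": operator.ne,
            "lt": operator.lt, "gt": operator.gt, "le": operator.le, "ge": operator.ge}

def parse_rules(text):
    """One rule per line, fields separated by single spaces; l= is optional (l=yes or l=y)."""
    rules = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        rule = {"action": f[0], "src": (f[1], f[2]), "dst": (f[3], f[4]), "proto": f[5],
                "sport": (f[6], int(f[7])), "dport": (f[8], int(f[9])),
                "iface": f[10], "routing": f[11], "direction": f[12], "log": None}
        for opt in f[13:]:
            if opt.startswith("l="):
                rule["log"] = opt[2:] in ("yes", "y")
        rules.append(rule)
    return rules

def addr_match(addr, rule_addr, mask):
    # The mask is applied as a bitwise AND to the address before comparison.
    m = int(ipaddress.ip_address(mask))
    return int(ipaddress.ip_address(addr)) & m == int(ipaddress.ip_address(rule_addr)) & m

def rule_matches(r, pkt):
    proto_ok = (r["proto"] == "all" or r["proto"] == pkt["proto"]
                or (r["proto"] == "tcp/ack" and pkt["proto"] == "tcp" and pkt["ack"]))
    return (proto_ok and addr_match(pkt["src"], *r["src"]) and addr_match(pkt["dst"], *r["dst"])
            and PORT_OPS[r["sport"][0]](pkt["sport"], r["sport"][1])
            and PORT_OPS[r["dport"][0]](pkt["dport"], r["dport"][1])
            and all(r[k] in (pkt[k], "both") for k in ("iface", "routing", "direction")))

def evaluate(rules, pkt):
    """First match wins, as FWIP.SYS does; unmatched packets hit the implicit
    'deny all' default rule. Returns (action, rule number or 'default', logged)."""
    for n, r in enumerate(rules, 1):
        if rule_matches(r, pkt):
            logged = r["log"] if r["log"] is not None else r["action"] == "deny"
            return r["action"], n, logged
    return "deny", "default", True

RULES = parse_rules(SAMPLE_RULES)  # the parsed sample list, ready for evaluate()
```

Rule 3 is deliberately over-broad (any source port, any source address); with rule 2 in front of it a Telnet attempt from a non-secure host is denied and logged, and removing rule 2 shows the over-broad permit taking effect instead.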
To configure packet logging, complete the following 5 steps.

1. Create the following file:
\MPTN\ETC\FWLOG.CNF
This is the firewall log configuration file, where the level of packet logging is defined.
The file contains a single line, of the form:
level=(value)
where the value parameter can be one of the following:
10 (Debug - All messages are logged)
20 (Informational - Information, warning, error and alert messages are logged)
30 (Warning - Warning, error and alert messages are logged)
40 (Errors - Error and alert messages are logged)
50 (Alert - Only alert messages are logged)
so to log all packets, enter the line:
level=10

2. Open an OS/2 window and type the following command:
fssd
This runs the packet filter syslog daemon. A log file with today's date will
be created in \MPTN\ETC. For example:
fw0824
would be the name of the file created on the 24th of August. The file will now be open.

3. Open \MPTN\ETC\SECURITY\FWFILTRS.CNF in an editor and add:
l=y
to the end of any rules that need to be logged.

4. Open another OS/2 window (you will need to, as fssd will still be running) and type:
cfgfilt -u -d
This updates the filter rules and enables packet logging. You should notice
this being added to the log file in the other window.

5. To view the log file, change to the \MPTN\ETC directory and type:
fwlslog file=(filename)
where the filename parameter is the name of the log file.
This is the only way to access the log file while it is still running.
So to continue the example from above, type:
fwlslog file=fw0824

Any packets that match the rules with logging enabled will now be logged.
(Default = denied packets are logged, permitted packets are not logged)
Appendices

cfgfilt
| Parameter | Description |
|---|---|
| -u | update filter rules |
| -i | initialise filter device (must use with -u) |
| -f (file) | check a set of rules (default is \MPTN\ETC\SECURITY\FWFILTRS.CNF) |
| -c | deactivate filters and use default rules |
| -d (start\|stop) | start or stop packet logging |

inetcfg
| Parameter | Description |
|---|---|
| -s firewall (1\|0) | set the status (on or off) of the firewall |
| -g firewall | get the current status of the firewall |

Filter Rule Format
Rule Action
Source IP Address
Source Address Mask
Destination IP Address
Destination Address Mask
Protocol
Source Port
Destination Port
Interface
Routing
Direction
Log Control (optional)
Fragmentation Control (optional)
Tunnel ID (optional)
The possible values for each field are listed in the filter rule field tables above.