                                                             FILTER.TXT
                                               Packet Filter Plugin 1.4
                                                       February 1, 2000



        ____   _    ____ _  _______ _____
       |  _ \ / \  / ___| |/ / ____|_   _|
       | |_) / _ \| |   | ' /|  _|   | |
       |  __/ ___ \ |___| . \| |___  | |
       |_| /_/   \_\____|_|\_\_____| |_|


        _____ ___ _   _____ _____ ____
       |  ___|_ _| | |_   _| ____|  _ \
       | |_   | || |   | | |  _| | |_) |
       |  _|  | || |___| | | |___|  _ <
       |_|   |___|_____|_| |_____|_| \_\



                                                     F/X Communications
                                                        DK-4300 Holbaek
                                                                Denmark
                                                  E-mail: support@fx.dk
                                                       http://www.fx.dk



      Copyright (c) 1999-2000, F/X Communications, All Rights Reserved.







==========================================================================
 C O N T E N T S
=======================================What's Where=======================



   o Description...............................................Simple
   o Installation................................................Easy
   o Filtering...........................................When & Where
   o Features................................................Powerful
   o Setup Guidance...........................................General
   o Filter Attributes.......................................Specific
   o Errors.........................................check filters.err
   o Sample Filters................................To Get You Started
   o On The Fly updates...............................Utility program




==========================================================================
 D E S C R I P T I O N
=================================================Simple===================



   This guide includes all you need to get started with the F/X Packet
   Filter Plugin.

   Packet filtering allows IP packets to be selectively discarded as 
   they flow through the plugin.

   The Packet Filter Plugin binaries operate seamlessly with the following
   F/X Communications products:

      o InJoy Internet Dialer
      o InJoy Connect PPP Server 
      o InJoy Firewall
      o Tunnel/2

   Configuration is by way of simple ASCII files.



==========================================================================
 I N S T A L L A T I O N
=================================================Easy=====================



   The Filter Plugin is delivered as part of professional/SOHO
   levels of the InJoy products. Simply unzip and register the
   host product and the filter plugin will be ready for use.

   After installation the new binary file is demand-loaded by the host
   application when needed.

   Please consult the host-application documentation for possible
   extra installation guidelines.



==========================================================================
 F I L T E R I N G
=================================================When & Where=============



   Filtering applies when an operator requires full control of the
   raw IP packet stream. The goal is to filter out packets in order
   to optimize network security and network utilization.


   o Filters

   A filter rule is a collection of terms.

   Filter rules to be used with the Filter Plugin are organized into a
   single text file. This file is called "FILTERS\FILTERS.CNF". 

   Each filter rule in this file has a unique name and carries a number of
   attribute/value pairs. These attributes and their possible values are
   defined in the "Filter Attributes" section. Filter rule samples are 
   available in the "Sample Filters" section of this document.


   o Filter operation

   Filter rules are evaluated for every single IP packet.

   When an IP packet matches the terms outlined in a filter rule,
   it's referred to as a "match". At a match, the action specified
   for the rule will be carried out. The typical actions of a filter
   rule are to either drop the matched packet or immediately forward it.

   The Filter Plugin allows the operator to check a packet using
   IP address checking, [hex-]string comparisons, bit checking,
   port/service checking and protocol checking. The various criteria
   may be combined in any way the operator desires. If not all packet
   characteristics can be matched using a single filter rule, it is
   possible to link to other filters. This feature is referred to as
   compound filters, and it is the filter action that defines whether
   the filter is linked.


   o When to use filters

   Packet filtering is an extremely flexible technology that
   typically functions as a:

	1: Security device
	2: Traffic shaper

   Packet filtering is a powerful security tool, offering many of the
   same features that make up a firewall. Filtering is however not
   intended to perform the same actions as a firewall. Instead, filtering
   offers a simple packet interception technique that can help reduce the
   load on the firewall. Filtering is implemented as close to the physical
   interfaces as possible, allowing the operator to filter packets
   before they consume resources or cause unwanted actions.

   Filtering is ideal for handling the trivial security aspects that
   don't require logging, state, port-mapping, accounting or other
   firewall features. The rule of thumb is to concentrate the main
   security policy in the firewall and let the filtering take care of
   everything else.

   One of the most secure and simple security approaches can actually
   be set up using nothing but filtering. This method is known as
   the ACK filtering technique and it works by simply rejecting
   all incoming TCP packets, except those carrying the ACK bit.
   Sample filters for this technique can be found among the sample
   filters in filters.cnf.

   Filter based traffic shaping is mainly used to keep Internet connections
   clean from certain protocols, services, IP addresses or specific contents.
   The goals vary, but often the objective is to fine-tune demand dialing
   or simply optimize bandwidth utilization. Rejecting known spammers
   or using filtering to reject pings are also common usages.

   Refer to the sample section for more typical filter applications.


   o Filter evaluation

   Filter rules are evaluated top-down, exactly as they are listed in 
   the file. For example, if a filter rule at the top matches a packet,
   then a filter rule below cannot reverse the decision of the top rule.


   o Filter actions

   When a filter rule matches an IP packet, an action must be taken.
   The Packet Filter Plugin allows the filter to either drop
   the packet, immediately forward the packet or pass on the packet
   for further checking by compound filters.


   o Traffic and interface distinction

   An Internet connectivity product has an external and an internal
   interface. The external interface can be a modem and the internal
   interface is the IP stack (i.e. the internal LAN).

   The Filter Plugin distinguishes the direction of the data flow. Traffic
   going out through the external interface is "outgoing traffic", whereas
   traffic coming in from the external interface is "incoming traffic".
   Incoming traffic is checked at the external interface and outgoing
   traffic is checked at the internal interface.


   o Filter scope

   Filtering is unique in that it operates as close to the physical
   interfaces as possible. For example, incoming packets are passed to
   the filtering before they are evaluated by any other software
   components. Outgoing packets are equally checked before they are
   prepared for the journey to the Internet.
   
   One difference between filtering and firewall rules is that filtering
   is performed as soon as the packet is available (and decrypted),
   whereas firewall checking is performed in the "kernel" of the software.
   There are many advantages to this approach, e.g. filtering can remove
   bogus packets, attack packets or demand-dial trigger packets before those
   packets result in extensive firewall checking or actions.


   o Monitoring

   The host application provides monitoring of the list of active filter
   rules. Each rule in the list has a usage count next to it, telling
   how many times the filter was matched. Use this feature to verify
   that your filters are matched when you expect them to be.



==========================================================================
 F E A T U R E S
=================================================Powerful=================



   o The Packet Filter Plugin allows all attributes in a packet to be used
     as a filtering trigger, selectively discarding packets as they are
     presented. These packet attributes (and others listed in Guidance,
     below) can be used to trigger filtering:

     - Incoming traffic
     - Outgoing traffic
     - Source and Destination IP numbers (via netmask match)
     - Protocol match (TCP, UDP, ICMP)
     - Service match (FTP, WWW, TELNET, GOPHER, etc)
     - Source port match
     - Bit-match (e.g. FIN or SYN bit of TCP)
     - Byte pattern match at specified offset
     - Byte pattern search


   o The Plugin supports compound Boolean filters for complex filtering
     with great flexibility.

   o There are three possible filter states: 

     - Always active
     - Active when product is off-line
     - Inactive (but easily activated)

   o The plugin reports errors to the file FILTERS.ERR in the home 
     directory of the host-application.

   o Filters are easily identified by linkable names.

   o Filters may have human readable comments attached.

   o Filter usage report at the touch of a key. This feature 
     depends on the host product.

   o Filtering plugs in as a separate loadable component, maintaining
     a modular design.

   o Supports new filters on the fly



==========================================================================
 S E T U P    G U I D A N C E
=================================================General==================



   o Configuration Files

     Filters are specified in ASCII configuration files. Each
     configuration file can contain one or more filters, each identified
     by a name and a set of attribute/parameter values.

     The plugin expects no more than 3 different configuration files. They
     are:

     - FILTERS.CNF

       This file is in the base directory of the host application. It 
       contains default values used in all user created filters. This 
       means that any attribute value you specify in your own filters will
       override the default values specified in this file.


     - .\FILTERS\FILTERS.CNF
   
       This file contains the actual user crafted filters. The file is 
       usually located in the FILTERS subdirectory of the host 
       application but may be setup differently, depending on the host's
       capabilities.  See the following Filter Attribute section for 
       syntax information.


     - FILTERS.DCT

       This file is in the base directory of the host application. It is a
       descriptor file that instructs the Filter Plugin about the allowable
       attributes in the FILTERS.CNF files.

       This file should NOT be modified. However, if you take the time to
       become familiar with it, you will be able to use it as a quick
       reference when writing/modifying filters. Otherwise the following
       section on the specific attributes should be of interest.



==========================================================================
 F I L T E R   A T T R I B U T E S
=================================================Specific=================

-----------------    ---------------       ------------------------------      
ATTRIBUTE            POSSIBLE VALUES       DESCRIPTION
-----------------    ---------------       ------------------------------

Filter-Status        Passive               Tells when the filtering is 
                     Offline               active. 'Passive' means the
                     Always                filter is not active at all.

                                           'Offline' means the filter is 
                                           active when the host 
                                           application is not connected. 
                                           This could be (for example) 
                                           the InJoy dialer that is 
                                           offline, waiting for a packet 
                                           to trigger Dial On Demand.

                                           'Always' means that the filter 
                                           is active at all times,
                                           disregarding the connect state 
                                           of the host application.


-----------------    ---------------       ------------------------------
Filter-Scope         Incoming-Packets      Defines which packets that are 
                     Outgoing-Packets      exposed to the filter. Outgoing 
                                           or incoming.


-----------------    ---------------       ------------------------------
Filter-Root          Yes                   Only filters that have 
                     No                    'Filter-Root' set to 'Yes' are 
                                           loaded by the host application 
                                           and used.

                                           Filters not carrying this flag 
                                           are only used if specifically 
                                           addressed by other filters as 
                                           part of a compound filter.

-----------------    ---------------       ------------------------------
Source-IP            An IP address         The source IP address in the 
                                           packet is compared to the 
                                           value of this attribute. Please 
                                           keep the 'Source-Netmask' in 
                                           mind.

                                           Leave field empty if you do not 
                                           wish to filter using the 
                                           source IP address as criteria.


-----------------    ---------------       ------------------------------
Source-Netmask       Netmask               The 'Source-IP' address, 
                                           together with the 
                                           'Source-Netmask' denote a mask 
                                           with which  source IP addresses 
                                           from the IP packets are 
                                           compared.


-----------------    ---------------       ------------------------------
Destination-IP       IP address            The 'Destination-IP' address, 
                                           together with the 
                                           'Destination-Netmask' denote a 
                                           mask with which destination IP 
                                           addresses from the IP packets 
                                           are compared.

                                           Leave field empty if you do not 
                                           wish to filter using the 
                                           destination IP address as 
                                           criteria.


-----------------    ---------------       ------------------------------
Destination-Netmask  Netmask               The 'Destination-IP' address, 
                                           together with the 
                                           'Destination-Netmask' denote a 
                                           mask with which destination IP 
                                           addresses from the IP packets 
                                           are compared.


-----------------    ---------------       ------------------------------
Source-Port          Any number            The 'Source-Port' attribute
                     Or, one of these:     refers to the source port of
                       DNS                 a UDP or TCP packet. You may
                       FTP                 specify either the number or
                       FTP-DATA            the lettered value for the
                       GOPHER              attribute.
                       SMTP
                       SNMP                Leave the field empty if you do
                       SNMP-TRAP           not wish to filter using this
                       TELNET              criteria.
                       TFTP
                       NETBIOS
                       NETBIOS-NS
                       NETBIOS-SSN
                       NNTP
                       POP2
                       POP3
                       WWW

-----------------    ---------------       ------------------------------
Port                 Any number            The 'Port' attribute defines 
                     Or, one of these:     the type of service that a 
                       DNS                 packet is carrying. You may 
                       FTP                 specify either the number or 
                       FTP-DATA            lettered value for the 
                       GOPHER              service.
                       SMTP                
                       SNMP                Leave the field empty if you do
                       SNMP-TRAP           not wish to filter using this 
                       TELNET              criteria.
                       TFTP
                       NETBIOS
                       NETBIOS-NS
                       NETBIOS-SSN
                       NNTP
                       POP2
                       POP3
                       WWW


-----------------    ---------------       ------------------------------
Protocol             Any number            Each IP header holds a protocol 
                     Or, one of these:     byte that can be addressed by 
                       ICMP                this attribute.
                       TCP
                       UDP                 Leave field empty if you do not 
                                           wish to filter using this 
                                           criteria.


-----------------    ---------------       ------------------------------
Bit-Offset           Packet-Start          This attribute is part of the 
                     TCP-Head-Start        bit matching criteria.
                     Data-Start
                                           Specifying an offset into an IP
                                           packet often doesn't make 
                                           sense, due to header options 
                                           that can be used on and off. 
                                           Accordingly this parameter 
                                           lets you define a certain point 
                                           within a packet from where the 
                                           Bit number is counted (refer to 
                                           the 'Bit-Number' attribute).

                                           Leave field empty if you do not 
                                           wish to filter using this
                                           criteria.

-----------------    ---------------       ------------------------------
Bit-Number           Positive number       This attribute is part of the 
                     Or, one of these:     bit field checking, allowing a 
                       FIN                 certain bit to be checked 
                       SYN                 within an IP packet (see the 
                       RST                 'Bit-Value' parameter).
                       PSH
                       ACK                 This is particularly useful for 
                       URG                 checking the bit flags in the 
                                           TCP header.
                     (above const values
                      are relative from    Leave field empty if you do not 
                      start of TCP pkt)    wish to filter using this 
                                           criteria.


-----------------    ---------------       ------------------------------
Bit-Value            Binary value 0 or 1   This attribute is part of the 
                                           bit field checking.

                                           When you check a certain bit 
                                           within a packet, then you 
                                           should use this attribute to 
                                           specify whether the bit should 
                                           have the value of 0 or 1.

                                           Leave field empty if you do not 
                                           wish to filter using this 
                                           criteria.


-----------------    ---------------       ------------------------------
Offset-Relativity    Packet-Start          This attribute is part of the 
                     TCP-Head-Start        hex string matching criteria.
                     Data-Start
                                           Specifying an offset into an IP
                                           packet often doesn't make 
                                           sense, due to header options 
                                           that can be used on and off. 
                                           Accordingly this parameter 
                                           lets you define a certain point 
                                           within a packet from where the 
                                           offset is used (refer to the 
                                           'Offset' attribute).

                                           Leave field empty if you do not 
                                           wish to filter using this
                                           criteria.


-----------------    ---------------       ------------------------------
Offset               Any number            This attribute is part of the 
                     Or 'Search-All'       hex string matching criteria,
                                           allowing you to specify an 
                                           offset into an IP packet
                                           for hex string checking (see 
                                           also the 'Offset-Relativity' 
                                           attribute).

                                           To search the entire packet, 
                                           simply specify the value 
                                           'Search-All'.

                                           Leave field empty if you do not 
                                           wish to filter using this
                                           criteria.


-----------------    ---------------       ------------------------------
Hex-String           A string              This attribute is part of the
                     (See filter samples)  hex string matching criteria,
                                           letting you specify a string to
                                           be searched for within a
                                           packet. The string can contain
                                           both normal characters and
                                           hex notation.

                                           Leave field empty if you do not 
                                           wish to filter using this 
                                           criteria.


-----------------    ---------------       ------------------------------
Action               Drop-Packet           Specifies the action taken when 
                     Next-Filter           a filter matches a packet.
                     Forward-Packet


-----------------    ---------------       ------------------------------
Next-Filter          Name of a filter      Specifies the name of a 
                                           compound filter that will be
                                           run when the filter is matched 
                                           and the action attribute is 
                                           set to 'Next-Filter'.


-----------------    ---------------       ------------------------------
Comment              A string              A free-text comment that makes
                                           filters easily identifiable.



==========================================================================
 E R R O R S 
=================================================Check filters.err========



   The host product will inform you of severe faults, such as inability to
   load the plugin.

   Possible configuration and syntax errors are written to the file
   FILTERS.ERR, located in the working directory of the host application.



==========================================================================
 S A M P L E   F I L T E R S
=================================================To Get You Started=======



   o Turning off ICMP

     Some system administrators turn off all ICMP traffic to make the job
     harder for hackers and possible flood pingers. A simple filter
     to turn off ALL ICMP traffic (including ping and tracerte) is
     found below:

     ICMP-FILTER	Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Remove ICMP using Protocol matching",
			Filter-Scope = Incoming-Packets,
			Protocol = ICMP,
			Action = Drop-Packet,


   o No incoming TCP connections

     The filters in this section offer maximum security by allowing users on
     the secure LAN to access any outside TCP resources, yet the filters
     reject ALL incoming TCP connections.

     These filters specifically allow incoming TCP traffic that has the ACK
     bit set. Packets with the ACK bit are the result of requests from a
     client on the secure LAN. All other TCP traffic is specifically denied.

     To enable certain incoming TCP connections (e.g. Web, SMTP or POP3
     servers), filters specifically allowing these connections must be
     listed above the "DROP-PACKET" filter.

     Notice when using these filters, FTP will not work in active mode, as
     that requires an incoming ftp-data connection. An easy work-around is to
     set the FTP client in PASV mode prior to issuing other FTP commands.

	ALLOW-INCOMING-ACK	Filter-Status = Always,
				Filter-Root = Yes,
				Comment = "Allow ACK packets (reply tcp packets)",
				Filter-Scope = Incoming-Packets,
				Protocol = TCP,
				Bit-Offset = TCP-Head-Start,
				Bit-Number = ACK,
				Bit-Value = 1,
				Action = Forward-Packet,

	DENY-INCOMING-TCP	Filter-Status = Always,
				Filter-Root = Yes,
				Comment = "Deny all incoming TCP",
				Filter-Scope = Incoming-Packets,
				Protocol = TCP,
				Action = Drop-Packet,


   o Only new connections cause Dial-on-Demand (DoD)

     When using the InJoy Dialer, it is often seen how just about
     any packet can trigger Dial-on-Demand. With filtering you have
     almost unlimited possibilities for fine-tuning DoD, and below
     is an example that will allow only DNS lookups and new TCP
     connections to trigger DoD. The three filters work together,
     and the fact that filters are analyzed top-down lets us
     simply allow the two special situations and then, in the third
     filter, reject everything else.

     DOD-ALLOW-DNS	Filter-Status = Offline,
			Filter-Root = Yes,
			Comment = "Allow DNS lookups",
			Filter-Scope = Outgoing-Packets,
			Protocol = UDP,
			Port = DNS,
			Action = Forward-Packet,

     DOD-ALLOW-SYN	Filter-Status = Offline,
			Filter-Root = Yes,
			Comment = "Allow SYN packets (new tcp connections)",
			Filter-Scope = Outgoing-Packets,
			Protocol = TCP,
			Bit-Offset = TCP-Head-Start,
			Bit-Number = SYN,
			Bit-Value = 1,
			Action = Forward-Packet,

     DOD-REJECT-ALL	Filter-Status = Offline,
			Filter-Root = Yes,
			Comment = "Reject everything...",
			Filter-Scope = Outgoing-Packets,
			Protocol = IGNORE,
			Port = IGNORE,
			Action = Drop-Packet,


   o Preventing access to an Internet site

     The below filter demonstrates how all people on the internal 10.2.*.*
     network are cut off from the porn site found at 207.126.124.139.

     PORN-FILTER	Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Filter WWW using IP Address matching",
			Filter-Scope = Outgoing-Packets,
			Protocol = TCP,
			Port = WWW,
			Source-IP = "10.2.0.0",
			Destination-IP = "207.126.124.139",
			Source-Netmask = "255.255.0.0",
			Destination-Netmask = "255.255.255.255",
			Action = Drop-Packet,


   o NETBIOS

     An intranet with many Windows computers will typically generate
     a large number of NETBIOS packets, keeping your network busy.

     Here is a selection of filters that will keep these packets
     from hitting the ISP and the Internet.

     NETBIOS		Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Remove Outgoing UDP Netbios",
			Filter-Scope = Outgoing-Packets,
			Protocol = UDP,
			Port = NETBIOS,
			Action = Drop-Packet,

     NETBIOS-NS		Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Remove Outgoing UDP Netbios-NS",
			Filter-Scope = Outgoing-Packets,
			Protocol = UDP,
			Port = NETBIOS-NS,
			Action = Drop-Packet,

     NETBIOS-NS-S137	Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Source port 137, dest port 53 (also Netbios-NS)",
			Filter-Scope = Outgoing-Packets,
			Protocol = UDP,
			Source-Port = NETBIOS-NS,
			Port = DNS,
			Action = Drop-Packet,


   o NETBIOS-KEEP-ALIVE

     This filter demonstrates the use of hex string matching to remove
     NetBIOS keep-alive packets.

     It is safe to filter out these packets, unless you have a specific
     reason to let them pass.

     NETBIOS-KEEPALIVE	Filter-Status = Always,
			Filter-Root = Yes,
			Comment = "Remove Keep-Alive via Hex-String match",
			Filter-Scope = Outgoing-Packets,
			Protocol = UDP,
			Port = NETBIOS,
			Offset-Relativity = Data-Start,
			Offset = 0,
			Hex-String = "\x00\x02\x0D\xF4\x0A\x03\x18\x61\x00\x8A\x00\xC6\x00\x00\x20",
			Action = Drop-Packet,



   o TCP session termination

     The TCP/IP stack has a habit of trying to tear down TCP connections
     even after the IP connection is lost and the TCP application is
     dead. The filters below will remove these packets in the offline
     state, dramatically reducing the number of bogus packets in your
     network.

     FIN-PACKETS	Filter-Status = Offline,
			Filter-Root = Yes,
			Comment = "Remove FIN pkts using Bit matching",
			Filter-Scope = Outgoing-Packets,
			Protocol = TCP,
			Bit-Offset = TCP-Head-Start,
			Bit-Number = FIN,
			Bit-Value = 1,
			Action = Drop-Packet,

     RST-PACKETS	Filter-Status = Offline,
			Filter-Root = Yes,
			Comment = "Remove RST pkts using Bit matching",
			Filter-Scope = Outgoing-Packets,
			Protocol = TCP,
			Bit-Offset = TCP-Head-Start,
			Bit-Number = RST,
			Bit-Value = 1,
			Action = Drop-Packet,

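   As an added example (not code from this document or from F/X
   Communications), the Python script below models the rule syntax and the
   matching semantics described above: it parses rules written in the
   FILTERS.CNF form, builds constructed IPv4 TCP/UDP packets, and evaluates
   the root filters top-down, following Next-Filter links for compound
   filters, honouring Filter-Scope, Filter-Status and Filter-Root, and
   checking the Protocol, Port, TCP flag bit and Hex-String criteria with
   Offset/Offset-Relativity. The rule set, addresses and payloads are
   constructed; the TCP flag-byte layout, the fall-through of a compound
   chain that stops matching, and an unmatched packet continuing into the
   host are assumptions, and IP/netmask matching is left out for brevity.

```python
# Added example, not the Filter Plugin's own code: a Python model of how FILTERS.CNF
# rules are parsed and then evaluated top-down against raw IPv4 packets.
import ipaddress
import re
import struct

PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}
PORTS = {"FTP": 21, "TELNET": 23, "SMTP": 25, "DNS": 53, "WWW": 80, "NETBIOS": 138}
# Assumed layout behind the named flag constants: byte 13 of the TCP header, FIN in bit 0.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed rules in the page's syntax (name at the left margin); omitted or IGNORE = no check.
RULES_CNF = r'''
ALLOW-WWW-SERVER    Filter-Status = Always, Filter-Root = Yes, Filter-Scope = Incoming-Packets,
                    Protocol = TCP, Port = WWW, Action = Next-Filter, Next-Filter = WWW-SYN-ONLY,
WWW-SYN-ONLY        Filter-Status = Always, Filter-Root = No, Bit-Offset = TCP-Head-Start,
                    Bit-Number = SYN, Bit-Value = 1, Action = Forward-Packet,
ALLOW-INCOMING-ACK  Filter-Status = Always, Filter-Root = Yes, Filter-Scope = Incoming-Packets,
                    Comment = "Allow ACK packets (reply tcp packets)", Protocol = TCP,
                    Bit-Offset = TCP-Head-Start, Bit-Number = ACK, Bit-Value = 1, Action = Forward-Packet,
DENY-INCOMING-TCP   Filter-Status = Always, Filter-Root = Yes, Filter-Scope = Incoming-Packets,
                    Protocol = TCP, Action = Drop-Packet,
NETBIOS-KEEPALIVE   Filter-Status = Always, Filter-Root = Yes, Filter-Scope = Outgoing-Packets,
                    Protocol = UDP, Port = NETBIOS, Offset-Relativity = Data-Start, Offset = 0,
                    Hex-String = "\x00\x02\x0D\xF4", Action = Drop-Packet,
DOD-REJECT-ALL      Filter-Status = Offline, Filter-Root = Yes, Filter-Scope = Outgoing-Packets,
                    Protocol = IGNORE, Port = IGNORE, Action = Drop-Packet,
'''

def parse_rules(text):
    """Each rule: NAME at the margin, then 'Attr = Value,' pairs (values may be quoted)."""
    rules = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        name, body = block.split(None, 1)
        pairs = re.findall(r'([\w-]+)\s*=\s*("[^"]*"|[^,]*)', body)
        rules.append((name, {k: v.strip().strip('"') for k, v in pairs}))
    return rules

def ipv4_packet(proto, src, dst, sport, dport, payload=b"", flags=0):
    """Build a minimal IPv4 packet (no options) carrying a TCP or UDP segment."""
    if proto == "TCP":  # seq, ack, data offset 5 words, flags, window, checksum, urgent pointer
        seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    else:               # 8-byte UDP header: ports, length, checksum
        seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, PROTO[proto], 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + seg

def matches(attrs, pkt, direction):
    """Every criterion the rule carries must hold; absent or IGNORE attributes are skipped."""
    a = {k: v for k, v in attrs.items() if v and v.upper() != "IGNORE"}
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if a.get("Filter-Scope", direction) != direction:
        return False
    if "Protocol" in a and proto != int(PROTO.get(a["Protocol"], a["Protocol"])):
        return False
    if "Port" in a:  # Port names the service, i.e. the destination port (cf. the NETBIOS-NS-S137 sample)
        if proto not in (PROTO["TCP"], PROTO["UDP"]):
            return False
        if int.from_bytes(pkt[ihl + 2:ihl + 4], "big") != int(PORTS.get(a["Port"], a["Port"])):
            return False
    if "Bit-Number" in a:  # only the named TCP flag constants are modelled here
        flag = proto == PROTO["TCP"] and bool(pkt[ihl + 13] & TCP_FLAGS[a["Bit-Number"]])
        if proto != PROTO["TCP"] or flag != (a.get("Bit-Value", "1") == "1"):
            return False
    if "Hex-String" in a:  # plain characters plus \xNN escapes, decoded to bytes
        needle = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m[1], 16)), a["Hex-String"]).encode("latin-1")
        if a.get("Offset", "Search-All") == "Search-All":
            return needle in pkt
        data = ihl + ((pkt[ihl + 12] >> 4) * 4 if proto == PROTO["TCP"] else 8)  # past TCP or 8-byte UDP hdr
        base = {"Packet-Start": 0, "TCP-Head-Start": ihl, "Data-Start": data}
        pos = base[a.get("Offset-Relativity", "Packet-Start")] + int(a["Offset"])
        return pkt[pos:pos + len(needle)] == needle
    return True

def evaluate(rules, pkt, direction, connected=True):
    """Root rules are tried top-down and Next-Filter links followed; the first verdict wins."""
    by_name, active = dict(rules), ("Always",) if connected else ("Always", "Offline")
    for name, attrs in rules:
        if attrs.get("Filter-Root") != "Yes" or attrs.get("Filter-Status") not in active:
            continue
        while matches(attrs, pkt, direction):  # a chain that stops matching falls through (assumed)
            if attrs["Action"] != "Next-Filter":
                return attrs["Action"], name
            name, attrs = attrs["Next-Filter"], by_name[attrs["Next-Filter"]]
    return "No-Match", None  # nothing matched: the packet continues into the host normally

RULES = parse_rules(RULES_CNF)
OUT, LAN, WEB = "198.51.100.7", "10.2.0.5", "10.2.0.80"  # constructed addresses

def demo(connected=True):
    """Verdicts for constructed packets: incoming SYN to the web server, SYN to telnet and an
    ACK reply; outgoing NetBIOS keep-alive datagram and DNS query."""
    cases = [
        ("Incoming-Packets", ipv4_packet("TCP", OUT, WEB, 40000, 80, flags=TCP_FLAGS["SYN"])),
        ("Incoming-Packets", ipv4_packet("TCP", OUT, LAN, 40001, 23, flags=TCP_FLAGS["SYN"])),
        ("Incoming-Packets", ipv4_packet("TCP", OUT, LAN, 443, 50000, flags=TCP_FLAGS["ACK"])),
        ("Outgoing-Packets", ipv4_packet("UDP", LAN, OUT, 138, 138, b"\x00\x02\x0D\xF4\x0A")),
        ("Outgoing-Packets", ipv4_packet("UDP", LAN, OUT, 1025, 53, b"\x12\x34")),
    ]
    return [evaluate(RULES, pkt, direction, connected) for direction, pkt in cases]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

   Swapping the order of ALLOW-INCOMING-ACK and DENY-INCOMING-TCP in RULES_CNF
   makes the ACK reply drop, which is the top-down ordering rule in action.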



==========================================================================
 O N   T H E   F L Y   U P D A T E S
=================================================Utility program==========



   Updating the filter configuration, e.g. with new filters, on the fly
   is done through the use of an external utility program.

   Below is a step-by-step procedure for updating your filter configuration
   without having to close or reconnect the host application.

	1. Update the filter configuration files with your desired changes.
	2. Open an OS/2 window and switch to the directory of the host
           application.
	3. In the OS/2 window, issue the command "sync -filter".

   The host product should then inform you that the filter config files 
   have been re-read and possible problems are written to FILTERS.ERR
   (in the same directory).






       Copyright (c) 1999-2000 F/X Communications.  All rights reserved.




