Wednesday July 26, 2006
Packet Filter Hooks Code Review
Over in the OpenSolaris networking forum, I've posted a notice for code review of the Packet Filter Hooks project.
This indicates two things:
If you're looking for information on how to implement packet filtering for Solaris using an interface similar to Linux's, the place to start is here:
Packet Filtering Hooks design document 9-3-2006
( Apr 06 2006, 01:55:51 AM PDT )
I've been busy at home, working on the open source IPFilter project in the last couple of months and earlier today uploaded the latest version, 4.1.13. After creating a fouled up .12 (through lack of testing on my behalf), I'm hoping that 13 won't be an unlucky number for me.
Also, in following up on some earlier work to use IPFilter in defense against spam, I've been experimenting with port knocking. I'll update my blog later in the week when I've made a last few changes there and uploaded it onto the Internet.
( Apr 04 2006, 02:18:10 AM PDT )
Packet Filter Hooks Project approved!
Today marked us achieving another milestone with this project: agreement on the design put forward from PSARC (platform software architectural review committee).
The team has some extra work to do as a result of the agreement but nothing that could be considered a show stopper.
( Mar 22 2006, 05:05:12 PM PST )
New version of IPFilter and using it to defend against spam.
Earlier today I uploaded version 4.1.11 of IPFilter and along with it a new program to work with "auth" rules in controlling TCP connections. Consequently I put a lot of imagination into the name of this program and called it ipfauth.
My take on spam is I'm sick of the box I use for receiving email having to actually accept the spam it gets sent. I don't want it to even talk to the other end unless I think they're going to send me legitimate email that I want.
So for Mr Spammer, I don't pretend that my mail server doesn't like him by sending back a 450 or 550 SMTP error, rather, I pretend that my mail server isn't there at all. This works on the idea that real mail servers will retry email during very specific windows so that while the initial delivery of mail is impeded, it will get through eventually. Of course this all starts to fall apart when spammers start doing queuing of email that fails in their software.
So to try and counter this I've added in a very simple feedback mechanism that I'll be doing some more investigations with. The feedback mechanism allows for my mail server software to pass the email through spamassassin while it is being dequeued and if it is spam, send a vote back to ipfauth saying that an email from that IP address is to be rejected. If an email gets all the way through, it will receive a different kind of vote saying that the sender's email address supplied me with an OK email.
This is all pretty much in its infancy and at some point I should stop using a very heavily modified smap/smapd and write my own SMTP receiver.
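
The drop-until-retry behaviour and the vote feedback described above can be modelled in a few lines. This is an added illustration, not ipfauth's code or protocol: the class and function names, the retry window values, and keying both kinds of vote by source IP are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed values; the post gives no numbers for the retry window.
RETRY_MIN = 300         # seconds: a retry sooner than this is not MTA-like
RETRY_MAX = 4 * 3600    # seconds: after this the first attempt is forgotten

@dataclass
class Sender:
    first_seen: float
    spam_votes: int = 0
    ok_votes: int = 0

class AuthModel:
    """Toy stand-in for the decision made on each inbound SMTP connection."""

    def __init__(self):
        self.senders = {}   # source IP -> Sender

    def on_connect(self, ip, now):
        """Return 'pass' or 'drop'. A drop is silent: no RST, no 450/550."""
        s = self.senders.get(ip)
        if s is None:
            self.senders[ip] = Sender(first_seen=now)
            return "drop"                   # first attempt: server "isn't there"
        if s.spam_votes > s.ok_votes:
            return "drop"                   # feedback says this IP sends spam
        if s.ok_votes > 0:
            return "pass"                   # has delivered acceptable mail before
        age = now - s.first_seen
        if age > RETRY_MAX:
            s.first_seen = now              # too late: treat as a new first attempt
            return "drop"
        return "pass" if age >= RETRY_MIN else "drop"

    def vote(self, ip, is_spam):
        """Feedback from the dequeue step after the spam filter has run."""
        s = self.senders.setdefault(ip, Sender(first_seen=0.0))
        if is_spam:
            s.spam_votes += 1
        else:
            s.ok_votes += 1

def demo():
    m = AuthModel()
    spammer, mta = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses
    out = [m.on_connect(spammer, 0), m.on_connect(spammer, 900)]  # queuing spammer retries
    m.vote(spammer, is_spam=True)
    out.append(m.on_connect(spammer, 1800))
    out += [m.on_connect(mta, 0), m.on_connect(mta, 60), m.on_connect(mta, 1200)]
    m.vote(mta, is_spam=False)
    out.append(m.on_connect(mta, 1201))
    return out
```

In `demo()` the queuing spammer gets one message through on its retry, and the spam vote then closes the door, which is the gap the feedback mechanism is meant to cover.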
o-o
( Mar 18 2006, 06:01:29 PM PST )
On the weekend, I came close to finishing off a project to develop anti-spam software to work intimately with IPFilter. It's probably about 90% done, although the man page is 0% done. I'm at a point where I'm tuning the width of the more common syslog messages and looking for those kinds of bugs. Sometime later this week I'll send an email out to the IPFilter list with a URL to download it from. The only catch is that due to some bugs in IPFilter, you can't just add it to an existing system and have it work :( More on this later.
( Mar 13 2006, 03:35:46 PM PST )
Open review of Packet Filter Hooks project
The main project that is soaking up my time here at Sun is one to deliver packet filtering hooks into the operating system. We're currently heading towards the final stages of this project and the discussion about the design review can be found here:
Packet Filtering Hooks Design Review
( Mar 05 2006, 03:35:40 PM PST )
Have a look over at the blog to whom I report:
New Features For IPFilter
( Feb 14 2006, 11:03:13 AM PST )
Using IPFilter between zones for firewalling.
As many people may have become aware, since the release of Solaris 10, it is currently not possible to perform firewalling between zones running on the same host, whether it be using IPFilter or Firewall-1 or some other product.
I'm happy to say that as of the 13th of July, the group I'm working with got the green light from the first review committee to proceed with a project to remedy this situation.
Unfortunately, while the code to achieve this isn't a lot, there is still a lot of work we need to do (design review, testing, code review, etc.) that when put together will turn the project into something that could easily take more than 6 months on the calendar. With this project we're looking to solve some more of the related, abstract problems that need to be dealt with in order for us to provide the best possible solution.
We're acutely aware of the need for this project to be completed yesterday and we're working feverishly to make sure it gets delivered ASAP, so in the meantime, please be patient.
When there's more progress to report, I'll update this blog, but for a while, it's likely to be just about successes in jumping through loops.
( Jul 20 2005, 01:49:35 PM PDT )
IPv6 support for Solaris IPFilter... ...has finally been approved.
While most of the code for IPv6 support has been there for some time, prior to this project it hasn't been enabled at compile time, tested or debugged internally. In addition to the IPv6 support found in IP Filter 4.1.x will be changes in ippool to add support for parsing IPv6 addresses. As part of the requirements for this, the use of ipf6.conf for IPv6 filter rules has been accepted as an obsolete interface, with the aim to have a single merged configuration file in the future - see the discussion in this thread: IPFilter and IPv6.
( Apr 20 2005, 08:17:36 PM PDT )