Weblog

Sunday June 10, 2007

DNS proxy for IPFilter

There seem to be a few DNS proxies out there but all seemed aimed at doing proxy+cache without being seemingly easy to control what is accepted or denied. Plus none of them work with rdr rules in ipnat. And I got tired of bind being so big and hard to make work and I didn't want to dabble with the other main alternative (there would be more work trying to get it architected right to do the transparent stuff, I'm sure.)

So this was my weekend project. Oh, it does no caching (yet.) There are man pages in the .tgz.

Configuration goes something like this:

port fred 192.168.1.1 5053 transparent;
forwarders { 2.2.2.1, 2.2.2.3; };
acl all port fred { block *.xxx;};
acl all port fred { allow .cnn.com; reject cnn.com; };

To be used with rules like:

rdr fxp0 0/0 port 53 -> 192.168.1.1 port 5053 udp

Also, seperate to this, there will be a dns proxy in IPfilter 5 that allows similar things to be done. That can be used on the outbound side of a firewall hosting named with map rules :)

Darren

IPFilter 4.1.23

In the never ending quest for perfection and chasing platform changes, this latest update fixes some bugs that are new and some that are old.

I've also added this extra line to "ipfstat -s" output:

        82% hash efficiency

The routing header problem is perhaps the most serious from a security perspective - if you weren't (or aren't) blocking these packets explicitly, e.g

block in quick with v6hdrs routing

then the presence of the routing header would cause ipf to not find the next (TCP/UDP) header in the correct place. A regression test (ipv6.5) has been added to check for dealing with IPv6 routing header packets.

Darren

• http://coombs.anu.edu.au/~avalon/ip_fil4.1.23.tar.gz MD5 (ip_fil4.1.23.tar.gz) = f770ab22be017ccd9547c59f21dbbb11
• http://coombs.anu.edu.au/~avalon/patch-4.1.23.gz MD5 (patch-4.1.23.gz) = bb64bd7102622dbea98a872a7b53ec90

4.1.23 - Released 31 May 2007

• NAT was not always correctly fixing ICMP headers for errors
• some TCP state steps when closing do not update timeouts, leading to them being removed prematurely.
• fix compilation problems for netbsd 4.99
• protect enumeration of lists in the kernel from callout interrupts on BSD without locking
• fix various problems with IPv6 header checks: TCP/UDP checksum validation was not being done, fragmentation header parsed dangerously and routing header prevented others from being seen
• fix gcc 4.2 compiler warnings
• fix TCP/UDP checksum calculation for IPv6
• fix reference after free'ing ipftoken memory

4.1.22 - Released 13 May 2007

4.1.21 - Released 12 May 2007

• show the number of states created against a rule with "-v" for ipfstat
• fix build problems with FreeBSD
• make it possible to flush the state table by idle time and TCP state
• fix flushing out idle connections when state/NAT tables fill
• print out the TCP state population with ipfstat/ipnat
• stop creation of state table orphans via return-*/fastroute
• fix printing out of rule groups - they now only appear once

4.1.20 - Released 30 April 2007

• adjust TCP state numbers, making 11 closed (was 0) to better facilitate detecting closing connections that we can wipe out when a SYN arrives that matches the old
• make it compile on Solaris10 Update3
• structures used for ipf command ioctls weren't being freed in timeout fashion on solairs
• use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
• adjust TCP timeout values and introduce a time-wait specifc timeout
to get a better TCP FSM emulation and one that can hopefully do a better job of cleaning up in a speedy fashion than previous
• refactor the automatic flushing of TCP state entries when we fill up, but use the same algorithm as before but now it hopefully works
• only 2 out of 4 interface names were being changed by ipfs when interface renaming was being used for state entries
• add ipf_proxy_debug to ipf-T
• matching of last fragments that had a number of bytes that wasn't a multiple of 8 failed
• some combinations of TCP flags are considered bad aren't picked up as such, but these may be possible with T/TCP

4.1.19 - Released 22 February 2007

• Fix up compilation problems with NetBSD and Solaris.

4.1.18 - Released 18 February 2007

• fix compiling on Tru64
• fix listing out filter rules with ipfstat (delete token at end of the list and detect zero rule being returned.)
• fix extended flushing of NAT tables (was clearing out state tables)
• fix null-pointer deref in hash table lookup
• fix null-pointer deref in hash table lookup
• fix NAT and stateful filtering with to/reply-to on destination interface

4.1.17 - Released 20 January 2007

• make flushing pools that are still in use mark them for deletion and have attempting to recreate them clear the delete flag
• walking through the NAT tables with ioctls caused lock recursion
fix tracking TCP window scaling in the state code

4.1.16 - Released 20 December 2006

• allow rdr rules to only differ on the new port number
• when creating state entry orphans, leave them on the linked list but not attached to the hash table and mark them visible as orphans in "ipfstat -sl"
• log state removed when unloading differently to allow visible cues
• return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
• abort logging a packet if the mbuf pointer is null when ipflog is called
• Some NetBSD's have a selinfo.h instead of select.h
• SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
• listing accounting rules using ioctl interface wasn't possible
• fix leakage of state entries due to packets not matching up with NAT
• improve ICMP error packet matching with state/NAT
• fix problems with parsing and printing "-" as an interface name in ipnat.conf

4.1.15 - Released 03 November 2006