TCP/IP v4.1 Security - First Step

By Vitaliy Tymchyshyn

So, TCIP 4.1 for OS/2 (to be correct MPTN 5.3) has firewall included without any documentation. But It was found that command system of firewall is very similar to AIX firewall one. The documentation for AIX can be found at hobbes.nmsu.edu (ipfwdocs.zip). Taking all this together you can get next steps to start the firewall:

1. Check the existence of the next lines in you config.sys: DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS DEVICE=C:\MPTN\PROTOCOL\MD5.SYS If you cant find them, then add them.

2. Create configuration files %ETC%\fwsecad.cnf - list of 'secure' interfaces (Firewall for OS/2 differ two types of network interfaces: secure and non-secure Put one IP address a line. IP addresses not in file are non-secure. %ETC%\security\fwfiltrs.cnf - firewall rules list. Here is example: deny 0.0.0.0 0.0.0.0 0 0 icmp any 0 any 0 both both inbound This line disable incoming ICMP packets

3. To enable firewall enter: cfgfilt -u -i inetcfg -s firewall 1 You may add this lines into you \MPTN\BIN\SETUP.CMD file to run your firewall each time the computer started.

4.File fwfiltrs.cnf

File fwfiltrs.cnf consist of lines, that represent 'rules'. After getting IP packet, firewall check the file up-to-down until it will find:

a) deny rule - packet skiped

b) permit rule - packet processed

c) EOF - packet skiped

Rule line consist of fields, divided with spaces:

1) Rule action.

Has the value permit or deny. Any IP packet that matches the other fields in the filter definition will either be passed or blocked depending on the value of this field.

2,3) Source address definition

Two dotted-decimal addresses. The first is the desired address, and the second is a mask. The filter uses these fields by applying the mask to the source address of the packet (the mask is applied as a bitwise AND - the same as for IP subnet address masks). If the result of the mask operation is equal to the desired address, the source is deemed to match. For example, to match any address beginning 192.3.4.0 you would specify "192.3.4.0 255.255.255.0".

4,5) Destination address definition

These fields are used in the same way as the source address definition to determine the allowable destination address(es) for the filter.

6)Protocol.

Defines the protocol type of the IP packet. It may have any of the following values: any - doesn't care what the protocol is icmp - matches ICMP requests only udp - matches UDP packets only tcp - matches TCP packets only tcp/ack - matches only TCP packets that have the acknowledgment bit on ipsp - matches only IPSP (IP security protocol, an IBM-specific protocol for the SNG secure tunnel) Note that as SNG can only refer to protocols by names, it can only have specific rules for the previous protocols, and it will not accept rules for other protocols (for example, protocol number 89 for OSPF).

7,8) Source port / ICMP Type

The first field specifies the type of operation, the second the desired port number (for ICMP packets it's the ICMP Type of message). The port operation field is an arithmetic operator field which can have values of: any, eq, neq, lt, gt, le or ge. The operator is applied to the desired port field, so, for example, if the two fields were gt 1023, we would only match packets with a source port number of 1024 or higher.

9,10) Destination port / ICMP Code

This pair of fields is used in the same way as the source port fields to define which destination port(s) we want the filter to match. For ICMP packets, it refers to the ICMP Code field.

11) Adapter

This defines which adapter the packet is flowing through: secure non-secure both (doesn't care which adapter its flowing through)

12) Routing

Defines whether the packet has a destination or source of the firewall, or whether the destination and source are both other machines, in which case the firewall is behaving as an IP router. Possible values are: local (coming to or from the firewall itself) route (going through the firewall) both (doesn't care about the packet's routing)

13) Direction

Defines whether the packet is coming into or going out of the specified adapter. Possible values are: inbound outbound both (doesn't care which way it is going)

Attention! Next optional fields must be set in the form of 'name=value'. Ex: deny 0.0.0.0 0.0.0.0 0 0 icmp eq 8 any 8 both both inbound l=yes f=only t=0

14) Log Control (l)

This packet decides if the packet should be logged or not. The default for permitted packets is no and for denied packets is yes. no yes

15) Fragmentation Control (f)

The possibilities are: yes - matches header, fragments and nonfragmented packets no - matches only nonfragmented packets only - matches only headers and fragments.

16) Tunnel ID(T)

Identifies the tunnel through which the packet must be sent. The value 0 means do not use a tunnel.