Forum Replies Created
-
Posts
-
Internet connection can be identified by checking systems IP routing table (sample output from “route print”):
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e a6 a6 7c b6 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 20
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 20
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 20
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
NoneFirst line with the default route network 0.0.0.0 mask 0.0.0.0 gateway 192.168.1.1 interface 192.168.1.101 points that I’m currently connected to Internet thru the network interface with IP 192.168.1.101. I may have many Internet connection but this is the default one.
You can request routing information programmatically using IP helper API (GetIpForwardTable) and register the callback handler for any routing table changes (NotifyRouteChange) in order to be notified about changing the Internet connection.
На WinpkFilter здесь есть http://www.ntkernel.com/w&p.php?id=31
try to unload driver on smp-somputer and system gets bsod (in ExFreeMemoryWithTag), on uni-processor computer evererything is ok.
Probably syncronization problem…
but debuger gets that ExFreeMemoryWithTag couses BAD_POOL_CALLER
Memory was already released or your memory pointer was corrupted. Put the breakpoint on the pointer access and trace all operations with it during your driver unload.
SerpentFly – ты русский? Если да – то пиши по-русски)) А то я думал тут все из-за бугра.
Еще ethreal ом посмотрел – модифицированные http пакеты не выходят(( просто Ip(ping) telnet – нормально.Странно это все, разницы между телнетом и HTTP на этом уровне нет никакой, ты например можешь телнетом приконектится на 80 порт. Единственное, в HTTP GET запросе по хорошему нужно править еще и имя хоста, иначе сервер может не ответить.
Сам пакет разумеется никуда деться сам по себе не может. В сеть можно полный мусор слать при желании. Может быть стоит что-то (типа фаервола) что пакеты режет по каким-то своим таинственным критериям, в общем так посоветовать что-то сложно, нужно разбираться с данной конкретной системой. Могу посоветовать только попробовать все на чистой системе и сравнить.
When you change IP address in the TCP packet you must also recalculate TCP checksum (IP address is included in the pseudo header). Other things are similar to ICMP if you have managed to get it working already.
So, I tried hooking SendCompleteHandler inside NDIS_MNIPORT_BLOCK in MyMiniportInitialize just before I forward the call to the adapter, but, it does not seem to work. I mean my function is not invoked…
SendCompleteHandler seems to be initialized by NDIS after calling miniport InitializeHandler (and your MyMiniportInitialize), that is why your hook does not work.
P.S. You can apply your hook on first SendHandler invoked, an example.
Since you are using VPN to connect the Internet (VPN link usually have smaller MTU than LAN link) and small packets (ICMP echo/ICMP echo reply) are allowed to pass then I would suspect some problems with Path MTU Discovery.
Some information about Path MTU Discovery can be found here http://www.netheaven.com/pmtu.html
I would try to set smaller MTU on the client system to check this idea by altering (setting to 1492 or even less) the following registry key in the system registry (requires reboot after modification):
// This parameter specifies the Maximum Transmission Unit (MTU) for a network interface.
// By optimizing the MTU setting you can gain substantial network performance increases,
// especially when using dial-up modem connections.
// MTU stands for Maximum Transmission Unit and in basic terms, it defines the maximum
// size of a packet that can be transferred in one frame over a network.
// Recommended Values
// 576 – Dial-up Connections
// 1492 – PPPoE Broadband Connections
// 1500 – Ethernet, DSL and Cable Broadband Connections
// Note: IP datagrams may span multiple packets. Values larger than the default for the
// underlying network will result in the transport using the network default MTU. Values
// smaller than 68 will result in the tranport using an MTU of 68.
// System Key: [HKEY_LOCAL_MACHINESystemCurrentControlSetServicesTcpipParameters
// Interfaces[Adapter ID]]
// Name: MTU
// Type: REG_DWORD (DWORD Value)
// Value: Default = 0xffffffff ???
// Note Windows 2000 TCP/IP uses PMTU detection by default and queries the NIC driver to find
// out what local MTU is supported. Altering the MTU parameter is generally not necessary and
// may result in reduced performance. See the PMTU detection discussion in the TCP section
// of this document for more details.[Adapter ID] has a form of GUID, an example path to my LAN NIC registry key is the following HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces{1E79EC84-A8E9-4A2F-BB11-0FF68F46E5A9}
Hmmm… this should work, ndis.h defines the NdisMSendComplete() macro and it uses that member… strange… What do you think? I could also hook a SendCompleteHandler inside NDIS_OPEN_BLOCK, but, that would not be the earliest function… What do you think?
If miniport driver was compiled with BINARY_COMPATIBLE flag set (allows having same binary for Windows 9x and NT) then NdisMSendComplete called as NDIS export not as macro. May be this is the reason…
If every firewall were written as NetFirewall is, it would be possible to create a trojan horse using Winpcap and there would be no way to stop it.
Well, NeT Firewall is created to protect system from the external intrusion, not from the internal one. And trust me, it is not great problem to create a trojan which will bypass any firewall available on the market (such trojan still can be detected by analyzing infected system’s network traffic from another system). It requires strong skills in kernel development and not fast and easy to implement but still… It is 5 minutes to rebuild NeT Firewall to intercept winpcap, but it does not really makes sense. If you want to avoid installing trojan protocol just don’t work under admin account (without having admin rights non of the trojans can install a driver). In general don’t expect that if you install a firewall you can do anything and you are safe.
There is a separate set of products, so called kernel IDS targetted to protect your system from trojan software and system exploits. Firewall primary target is protecting your local network stack from external attacks and thats it. Implementing partial kernel IDS in the firewalls (like ZoneAlarm, an example) give you rather illusion of safety than real safety.
The issue comes up when I copy the packet and submit the newly created packet descriptor. _ndisMSendCompleteX@12 crashes trying to access something inside the packet, just after referencing _ndisPacketStackSize.
Well, as far as I can see without going deep into the problem the only difference is that original packet was preprocessed by NDIS send handler but your packet was not. You can analyze what fields were exactly referenced and fix it. I would not recommend this because internal NDIS packet processing may change from OS and SP.
Another way is intercepting NdisMSendComplete and checking if it is your packet descriptor passed to it and if yes then releasing your packet resource without passing it to NDIS. Also don’t forget to release packet descriptors for the original packets.
NeT Firewall puts its packet filter between TCP/IP protocol driver and network interfaces. Winpcap installs its own protocol driver which works at the same level as TCP/IP (in parallel) and not intercepted by NeT Firewall. Basically, if you expect high security you should avoid having any other protocls (like winpcap) installed on the system. Primary purpose of NeT Firewall is protecting TCP/IP stack (not winpcap or any other custom protocol).
In general it is possible to intercept other protocols (like winpcap, ndisuio and etc..) in addition to TCP/IP protocol however this approach has some serious disadvantages (may break third-party NDIS intermediate drivers functionality, custom protocols and etc.) and since NeT Firewall is oriented on users who know what happens on their systems it is implemented on the current way.
first of all I excuse for I’m late on answering you, I was busy with university: my porfessor Federico Simonetti of University of Milan says hello to you
My warm regards to Federico, I hope he is doing well 🙂
What I’d like to ask you is: is there any way to make NetFW look at the PORT command in the control connection on 21 TCP port to automatically open the port the server wants to use to transfer data? As an example, Netfilter/IpTables can do it, and other commercial firewalls as well.
Yes this is possible but, heh, not implemented yet and the only known solution is opening port 20 for everyone. 😕 Dynamic rules (temporary rules created under certain conditions) are planned to be implemented, but it still needs time. In the meantime only Stealth 3rd level takes into account FTP protocol realization details so outgoing FTP can work in active mode.
Please send your registration e-mail (registrtion name or any other information we could use) and approximate date of purchase to support@ntkernel.com so we could identify your order.
P.S. Some FTP relative information http://slacksite.com/other/ftp.html
With the FW on 3rd level security if I permit 21/TCP out and I block all the other outgoing traffic passive ftp doesn’t work.
FTP active mode uses two TCP sessions, one on server port 21 is a control channel and another data channel on server port 20. Control channel is established by client and data channel is established by server as a response on PORT command.
In passive mode both control and data channels are established by client. Data channel uses arbitrary ports >1024 on both server and client sides. In you case blocking all outgoig connections except port 21 does not allow client to establish data channel and FTP in passive mode does not work.
