Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,231 through 1,245 (of 1,500 total)
  • Author
    Posts
  • in reply to: Net firewall is not statefull #6085
    Vadim Smirnov
    Keymaster

      P.S. Some FTP relative information http://slacksite.com/other/ftp.html

      in reply to: Net firewall is not statefull #6084
      Vadim Smirnov
      Keymaster

        With the FW on 3rd level security if I permit 21/TCP out and I block all the other outgoing traffic passive ftp doesn’t work.

        FTP active mode uses two TCP sessions, one on server port 21 is a control channel and another data channel on server port 20. Control channel is established by client and data channel is established by server as a response on PORT command.

        In passive mode both control and data channels are established by client. Data channel uses arbitrary ports >1024 on both server and client sides. In you case blocking all outgoig connections except port 21 does not allow client to establish data channel and FTP in passive mode does not work.

        in reply to: Net firewall is not statefull #6082
        Vadim Smirnov
        Keymaster

          The new version of NeT Firewall 2.3.2.3 has been released. We have updated the interpretation of IN/OUT keywords for TCP protocol, now it is applied to incoming/ougoing connections instead of incoming/outgoing packets. For other protocols IN/OUT interpretation remains the same. This should help to avoid missunderstandings in the future.

          in reply to: WinPkFilter from a class #6090
          Vadim Smirnov
          Keymaster

            Basically using atexit() the way you did is not correct, you should pass a static function to atexit() instead of C++ class method. Also, since you are making the windows service you can release interfaces when your service process is stopped instead of using atexit().

            From the design point of view I would create a C++ classe to wrap each interface and manipulated adapter thru this class ( ReleaseInterface functionality could be placed into the class destructor). Some more advanced WinpkFilter code can be downloaded from this page http://www.ntkernel.com/w&p.php?id=31 once you are a registered customer.

            in reply to: Net firewall is not statefull #6079
            Vadim Smirnov
            Keymaster

              Well, you are right, but this is not about statefull inspection but the way the rules were originally implemented. IN means incoming packets, OUT means outgoing packets (in current implementation specifying only IN or only OUT for TCP protocol is senseless) and it is not exactly the same as IPFW rules where IN means incoming connection, OUT means outgoing connection for TCP. I agree that this may confuse a bit and probably it makes sense to change this behavoiur in order to avoid missunderstandings. Thanks for pointing this.

              The rule you have created allows any system connect your port (from any port) 80 and connecting any your local port from port 80 what really breaks any security. Basically if you want to allow any kind of outgoing connections you are supposed to use on the the Stealth Security levels and create rules to drop undesired outgoing connections and may be some rules to open local ports if you also work as server. High Securty level was designed for servers which are supposed not to go outside world but just open some local ports to provide services for their users.

              in reply to: Etherbridge install & operation #6077
              Vadim Smirnov
              Keymaster

                Adapters are bridged at the Etherent level and still have different IP’s if assigned so.

                Does this software work like a bridge under XP with only one IP for the 2 connection?

                No.

                in reply to: Net frozen after few minutes #6071
                Vadim Smirnov
                Keymaster

                  Regarding MTU: As far as I know, windows default MTU for ethernet adapters is 1500. I always attach a 20 bytes key to outgoing UDP packets.
                  Can I conclude from this that I might have a problem only with packets whose total length is 1480 bytes or more ?

                  Yes, you will have problems with packets which size is equal or close (so you don’t have 20 bytes in reserve) to MTU. There is a special API in WinpkFilter SetMTUDecrement. In your case if maximum size of the attached data is 20 bytes so you should call SetMTUDecrement with 20 as a parameter, please note that this API adds a driver specific value into the registry and requires reboot to take an effect (driver reads this value from the registry during start up).

                  Can I catch packets that are directed either to 127.0.0.1 or to the local IP ? are those packets passed down the TCP stack or are they redirected by Windows back to the application at higher levels ?

                  Packets directed to 127.x.x.x or local IP never reach NDIS level and processed internally by TCP/IP. However, these data can be intercepted at the TDI level http://www.ntkernel.com/w&p.php?id=8 and http://www.ntkernel.com/w&p.php?id=24

                  in reply to: Net frozen after few minutes #6069
                  Vadim Smirnov
                  Keymaster

                    Just thought to mentioned that I’m using the runtime libraries that are available at the web site (hxxp://www.ntoskrnl.com/downloads/winpkflt_rtx86.zip).

                    These binaries have no limitations.

                    Well, first of all I would start this application under debugger and check where it stops (or what is it doing) when network is frozen. Since this is a packet filtering application the network freeze can be easily caused by application hang (some dead lock or endless loop).

                    Also, I think it is important to mention that you should set MTU decrement if you are attaching additional data to the packets to the maximum size of the attached data. The total size of the ethernet frame should not exceeed 1514 bytes. I can’t see from your code if any length checks are implemented.

                    in reply to: Install IM Driver on x64 system #6066
                    Vadim Smirnov
                    Keymaster

                      snetcfg.exe -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd

                      in reply to: LHmon problems #6060
                      Vadim Smirnov
                      Keymaster

                        First of all the trial version on site is limited to capture 100 packets per boot.

                        If you are using full registered version then have you tried to run Local Host Monitor application on that system? If it works fine then the problem is relative to your code (and to advise anything I have to see more than one line), if it also does not intercept packets then it is probably driver relative. Please clarify.

                        in reply to: Packet Content #6058
                        Vadim Smirnov
                        Keymaster

                          Not sure what exactly code you need, but this question was already discussed here http://www.ntkernel.com/forum/viewtopic.php?t=19 along with some code postings.

                          in reply to: port redirection #6053
                          Vadim Smirnov
                          Keymaster

                            That can be a problem, dynamic hooking into system stack (with dynamically loadable NDIS IM driver under Windows 2000+ and dynamic hooking driver for earlier Windows versions) can be implemented bu it less reliable and more complex than static (in case of IM driver reboot still can be required in some cases).

                            in reply to: Packet Content #6056
                            Vadim Smirnov
                            Keymaster

                              How can I do the same ?

                              Packet data follow the packet header.

                              If I change the data and recalculate the chksum; what special care does the code have to take ?

                              If you don’t modify packet length then checksums (IP/TCP/UDP) recalculation is enough. If you do modify packet length (an example change “sex” to “fofo”) for TCP protocol you also have to care about Sequence and Acknowledgement numbers.

                              in reply to: SERVICE_SYSTEM_START vs SERVICE_DEMAND_START #6054
                              Vadim Smirnov
                              Keymaster

                                А эти данные из перехваченных send’ов у тебя каким-то образом обрабатываются или ждут до лучших времен пока стартанет ответственное за их обработку приложение?

                                Если ждут то причина понятна, сеть фактически заморожена отсюда и тормоза… Если обрабатываются то причину искать нужно в чем-то еще, если при высокой сетевой загрузке твой драйвер не дает тормозов то и на старте системы не должен.

                                in reply to: port redirection #6051
                                Vadim Smirnov
                                Keymaster

                                  is it possible to get that port redirect dynamically upon startup of “my_app”?

                                  WinpkFilter driver should be installed on the system before hand. But in any case you start filtering/redirecting packets only when your application is active and stop this when your application is terminated. So the answer is YES.

                                Viewing 15 posts - 1,231 through 1,245 (of 1,500 total)