Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,231 through 1,245 (of 1,419 total)
  • Author
    Posts
  • in reply to: conflict with Sygate Personal Firewall #5852
    Vadim Smirnov
    Keymaster

      Since Sygate firewall discontinued by Symantec it won’t cause compatibility problems anymore.

      http://www.geek.com/news/geeknews/2005Nov/gee20051130033532.htm

      in reply to: extracting TCP header #5867
      Vadim Smirnov
      Keymaster

        pIpHeader = (iphdr_ptr)(pPacketBuffer->m_IBuffer + ETHER_HEADER_LENGTH);
        pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);

        in reply to: local ip address #5866
        Vadim Smirnov
        Keymaster

          pIPHeader = (iphdr*)PacketBuffer.m_IBuffer+14;

          Typecasting has a higher priority than operator + above. You have to change it to:

          pIPHeader = (iphdr*)PacketBuffer.m_IBuffer[14];

          or

          pIPHeader = (iphdr*)(PacketBuffer.m_IBuffer+14);

          in reply to: URGENT – BAndwidth limiting question #5865
          Vadim Smirnov
          Keymaster

            Can I limit bandwidth using winpkfltr for each ip/source combination?

            Yes

            If so, Please give me some directions on how to do this?

            The basic idea is pretty simple. One possible realization is the following. Create a queue and put all packets into. Also create a periodic timer and each time when timer fires calculate time passed since last timer. Then claculate the amount of data you can allow to pass for the given time and process as many packets from the queue as it fits into clculated amount of data.

            in reply to: newbie question #5864
            Vadim Smirnov
            Keymaster

              Can I use Winpkfltr to look at the ip header and make a decision on to drop/forward the packet?

              Yes. You can take PassThru sample as a base. If you decide to drop the packet just don’t reinject it into the stack (by calling SendPacketToAdapter or SendPacketToMstcp).

              This function should be able to drop or forward the packet based on some criteria. But here is the problem:
              I dont want to drop all packets going to certain ip and port. For the same ip and port, I only want to drop say 10% of the packets and for some other ip/port, drop 20% of the packets.

              You can use kind of random generator, like C run time rand() routine.

              An example, 20% chance of drop may look like:
              if (rand() < RAND_MAX/5) bDrop = TRUE;

              in reply to: borland cpp builder with winpkfilter #5863
              Vadim Smirnov
              Keymaster

                I am trying to compile PAssThru in cbuilder folder.

                I use:
                bcc32.exe PassThru.cpp

                Hmm, I would start Borland C++ Builder, select File->Open Project, browse to PassThru.bpr and open it. After this I would click Project->Build PassThru.

                it gives me many unrsolved external sybol errors. I understand that these are caused by the linker and I probably have to link it with ndisapi.dll, but I dont know how to do this.

                Actually, you have to link to ndisapi.lib (stub library for ndisapi.dll).

                in reply to: Using the virtual network adapter VirtNet #5858
                Vadim Smirnov
                Keymaster

                  As it is stated on VirtNet page it is just dummy network interface which does not do anything special itself (similar to MS loopback adapter, but supports all Windows operating systems). However, when used in combination with WinpkFilter you can build various virtual network environments over it.

                  WinpkFilter can be used for implementing two major tasks:

                  1) To indicate packets from the name of VirtNet to TCP/IP stack.
                  2) To intercept packets sent by TCP/IP stack to VirtNet network interface.

                  You can create pure virtual network environment or bridge it to the real network or …. Actually, it depends only from you requirements.

                  in reply to: NTKernelService doesn’t start #5857
                  Vadim Smirnov
                  Keymaster

                    So, Net firewall is full functional also if no one is logged on the system.
                    It’s right?

                    Right

                    How can I see log of Firewall activity before I log on?

                    Log is not collected if firewall console (MMC snap-in) is not loaded, so in the current version there is no way to look through packets processed before logon.

                    in reply to: NTKernelService doesn’t start #5855
                    Vadim Smirnov
                    Keymaster

                      NTKernelService stats dirung system start up, load latest firewall configuration into the driver and exits. So the situation you have expirienced is normal, this service should not be running, all the packet filtering functionality implemented in the kernel mode driver. Service is only responsible for configuring it.

                      in reply to: Some NeT Firewall questions #5854
                      Vadim Smirnov
                      Keymaster

                        If I add a rule allowing external access to one of those IP’s, all the others get accessable too. Why is that?

                        It should not be, probably the rule you create is too common and covers more than one IP.

                        Could someone please list a standard ruleset for allowing all traffic to port 80 on the server only. I know it’s very basic but it would be great to make sure I did it right.

                        Allow, TCP, Source IP: Any, Source Port: Any, Destination IP:[IP address your WWW server is bound to], Destination Port:80 Bidirectional.

                        Also set the security level to high.

                        I found a few bugs playing about. Are you interested in fixing then if i detail the issues?

                        Sure, if you find any bugs we would appreciate reporting about…

                        in reply to: Redirect after filter on packets #5842
                        Vadim Smirnov
                        Keymaster

                          Do you also properly adjust DNS records length? (See dnsr_rdlength in the dns_record structure on the following link http://www.chiark.greenend.org.uk/ucgi/~richardk/cvsweb/dns/dns.h?rev=1.8&content-type=text/x-cvsweb-markup)

                          in reply to: Redirect after filter on packets #5840
                          Vadim Smirnov
                          Keymaster

                            When I ‘overwrite’ the dns packet, can I do this within the already allocated buffer (by winpkfilter) OR do I need to create a totally new buffer. If so I do not have a clue how …. do you have an example ?

                            You can do this in the already allocated buffer. Actually, packet buffer is allocated by you, passed to WinpkFilter, which copies packet data into it and returns buffer to you. You can do anything with the packet but don’t forget to adjust packet length and recalculate requred checksums (UDP and IP in case of DNS).

                            As for the sample, Internet Gateway makes DNS redirect, it may help a bit. However, it does not modify DNS data, only packet header.

                            In case of DNS hijacking the easiest way is changing IP in the DSN response packet. You are right here.

                            in reply to: Redirect after filter on packets #5838
                            Vadim Smirnov
                            Keymaster

                              In case of DNS you can form a new packet and replace the original one with it. It’s pretty easy to do because DNS works over UDP. However, the same trick with TCP packet is much more complex. Packets in TCP stream has sequence and aknowledgement numbers which are incremented to the amount of data payload in the packet. So if you change data length you must also track changes in SEQ and ACK fileds.

                              in reply to: conflict with Sygate Personal Firewall #5851
                              Vadim Smirnov
                              Keymaster

                                Well, yes it looks that Sygate is a problem. Their NDIS driver makes a dirty hook by modifying TCPIP.SYS module image (ArpSend routine if I remember fine). The only possible work around I could find is re-patching TCPIP.SYS after Sygate driver, but I really don’t like this solution. You can try to explain Sygate that dirty hacking is no good but I don’t think they would listen.

                                Latest WinpkFilter release also includes NDIS IM variant of WinpkFilter driver. Basically it was created to be used for Windows x64 (patching system is hardly possible there unless patching KeBugCheckEx in the kernel or something of this kind, see the notes from MS here http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx). However, you can also use this driver for the latest operating systems (Windows 2000/XP/2003). By design it can coexists with Sygate driver, so it’s also a variant.

                                in reply to: WinpkFilter news/updates. #5506
                                Vadim Smirnov
                                Keymaster

                                  Internet Gateway 1.0 released. This is the first sample (even more than sample, it can be successfully used in the real environment) from the Advanced WinpkFilter Samples series which is targeted to demonstrate WInpkFilter libraries applicability. The source code for Internet Gateway is available to all registered WinpkFilter customers.

                                Viewing 15 posts - 1,231 through 1,245 (of 1,419 total)