From: Victor Julien <lists@inliniac.net>
To: Jim Webster <jwebster@ilstechnology.com>
Cc: netfilter@vger.kernel.org
Subject: Re: DCERPC - does an add-on exist for netfilter
Date: Mon, 31 Jan 2011 12:56:29 +0100	[thread overview]
Message-ID: <4D46A36D.4070605@inliniac.net> (raw)
In-Reply-To: <AANLkTinAawfFBZ+=7giqUsOdzGd5d5avjUW9aaG_dA9h@mail.gmail.com>

On 01/31/2011 12:52 PM, Jim Webster wrote:
> netfilter@vger.kernel.org
> 
> On Sun, Jan 30, 2011 at 6:00 PM, Patrick McHardy <kaber@trash.net> wrote:
>> On 30.01.2011 12:07, Jim Webster wrote:
>>> Hi.  I am new to the list and also fairly new to iptables and
>>> netfilter.  Linux and programming I am familiar with.
>>> Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
>>> our firewall.
>>> The firewall is a CentOS iptables based box.
>>>
>>> Unfortunately, I do not yet have the customer Wireshark trace showing
>>> the traffic, specifically where the address (and port) is supposedly
>>> sent in the payload.
>>>
>>> A knowledgeable iptables/firewall person on our team has suggested we
>>> require a netfilter helper routine (ala the ftp connection tracking).
>>>
>>> It seems to me however that instead, some type of adaptive firewall
>>> technique is required to do this - opening a new NAT for the IP/port
>>> sent in the payload and closing it when done.
>>>
>>> If so, can this be done by a simple user app - perhaps a proxy, or
>>> should it be in the loadable kernel modules as the ftp connection
>>> tracker is?
>>
>> Yes, you'll need a connection tracking helper that is able to
>> parse the DCERPC traffic in order to integrate this with netfilter
>> and NAT. I've looked into this a while ago, but due to the
>> complexity of the protocol it is non trivial.
>>
> 
> Thanks for reply.  Scares me a bit when a member of Netfilter team
> says non trivial :-).
> My next step will be to dissect the ftp_conntrack (or other conntrack
> routine) to see how it works.  Also, think I must dive into the
> iptables source code to see how to dynamically add/remove the NAT
> rules for the protocol.
> 
> At first, after reading this
> http://www.faqs.org/docs/gazette/firewalls.html thought I might be
> able to do it with a simple proxy in userspace.
> 
> I have much to discover and appreciate any guidance.  Hopefully, when
> (no option for if) this is successful, it will be made available to
> others.  I am half-time so will take me a while.
> 
> Thank you,

You could have a look at the Suricata IDS or Snort. Both have DCERPC
parsers written in GPL-licensed C code.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
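
Before digging into the Suricata or Snort parsers, here is the first step any conntrack helper for this protocol has to take: validating the 16-byte connection-oriented DCE/RPC PDU header that precedes every bind, request and response on a TCP connection, and honouring the data representation label so that big-endian peers are not misparsed. This is an added example written for this page, not code from the thread, from netfilter, Suricata or Snort. The header layout follows the DCE 1.1 RPC specification (section 12.6.3); the sample PDUs are constructed, with filler bodies. It deliberately stops short of the endpoint-mapper towers where the dynamic port actually travels, which is where the complexity Patrick mentions begins.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Connection-oriented DCE/RPC common header (DCE 1.1 RPC spec, 12.6.3).
 * Every PDU on a TCP connection starts with these 16 bytes; a helper has
 * to get this far before it can look for anything NAT-relevant. */
#define DCERPC_CO_HDR_LEN 16
#define DCERPC_VERS       5
#define DCERPC_DREP_LE    0x10   /* drep[0] high nibble 1: little-endian ints */
#define DCERPC_SEC_TRAILER_LEN 8 /* fixed part of the auth trailer */

enum dcerpc_ptype {
    DCERPC_REQUEST = 0, DCERPC_RESPONSE = 2, DCERPC_FAULT = 3,
    DCERPC_BIND = 11, DCERPC_BIND_ACK = 12, DCERPC_BIND_NAK = 13,
    DCERPC_ALTER_CONTEXT = 14, DCERPC_ALTER_CONTEXT_RESP = 15,
};

struct dcerpc_hdr {
    uint8_t  ptype;
    uint8_t  pfc_flags;      /* 0x01 FIRST_FRAG, 0x02 LAST_FRAG, ... */
    int      little_endian;
    uint16_t frag_length;    /* whole fragment incl. header and auth trailer */
    uint16_t auth_length;
    uint32_t call_id;
};

/* Integer fields are encoded in the byte order announced by drep[0]. */
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                 (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Parse one CO PDU header from a TCP payload buffer.
 * Returns the fragment length (so a caller can step to the next PDU in the
 * same segment), 0 if the fragment is not completely here yet, or -1 if the
 * header is malformed and the connection should not be trusted further. */
int dcerpc_parse_co_hdr(const uint8_t *buf, size_t len, struct dcerpc_hdr *h)
{
    if (len < DCERPC_CO_HDR_LEN)
        return 0;                         /* header split across segments */
    if (buf[0] != DCERPC_VERS || buf[1] > 1)
        return -1;                        /* not DCE/RPC 5.0 or 5.1 */
    uint8_t int_rep = buf[4] & 0xf0;
    if (int_rep != 0x00 && int_rep != DCERPC_DREP_LE)
        return -1;                        /* unknown integer representation */
    int le = (int_rep == DCERPC_DREP_LE);

    h->ptype         = buf[2];
    h->pfc_flags     = buf[3];
    h->little_endian = le;
    h->frag_length   = rd16(buf + 8, le);
    h->auth_length   = rd16(buf + 10, le);
    h->call_id       = rd32(buf + 12, le);

    if (h->frag_length < DCERPC_CO_HDR_LEN)
        return -1;                        /* fragment cannot hold its own header */
    /* The auth trailer (8 fixed bytes + auth_length) must fit in the body. */
    if (h->auth_length &&
        (size_t)h->auth_length + DCERPC_SEC_TRAILER_LEN >
            (size_t)h->frag_length - DCERPC_CO_HDR_LEN)
        return -1;
    if (len < h->frag_length)
        return 0;                         /* body still in flight */
    return h->frag_length;
}

/* Constructed sample: little-endian bind header (ptype 11, FIRST|LAST frag,
 * frag_length 0x0048 = 72, call_id 1) followed by 56 bytes of zero filler
 * where a real bind carries the frag sizes and presentation context list. */
const uint8_t sample_bind_le[72] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
};
/* Same PDU as a big-endian peer would send it (drep[0] = 0x00). */
const uint8_t sample_bind_be[72] = {
    0x05, 0x00, 0x0b, 0x03, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};
/* Constructed malformed request: frag_length 8 is shorter than the header. */
const uint8_t sample_bad[16] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct dcerpc_hdr h;
    int n = dcerpc_parse_co_hdr(sample_bind_le, sizeof sample_bind_le, &h);
    printf("LE bind: rc=%d ptype=%u call_id=%u\n", n, h.ptype, h.call_id);
    n = dcerpc_parse_co_hdr(sample_bind_be, sizeof sample_bind_be, &h);
    printf("BE bind: rc=%d ptype=%u call_id=%u\n", n, h.ptype, h.call_id);
    printf("bad:     rc=%d\n", dcerpc_parse_co_hdr(sample_bad, sizeof sample_bad, &h));
    return 0;
}
```

The return-value convention matters for a helper: a TCP segment may carry several PDUs back to back, or only part of one, so the caller loops on positive returns, buffers on 0 and drops or marks the connection on -1. Only once a complete bind_ack or response fragment is in hand does it make sense to look inside for an endpoint-mapper tower and set up an expectation for the port it announces.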


Thread overview:
2011-01-30 11:07 DCERPC - does an add-on exist for netfilter Jim Webster
2011-01-30 17:00 ` Patrick McHardy
2011-01-31 11:52   ` Jim Webster
2011-01-31 11:56     ` Victor Julien [this message]
2011-01-31 17:10       ` Jim Webster