DCERPC - does an add-on exist for netfilter

DCERPC - does an add-on exist for netfilter

[Jim Webster]

Hi.  I am new to the list and also fairly new to iptables and
netfilter.  Linux and programming - am familiar with.
Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
our firewall.
The firewall is a CentOS iptables based box.

Unfortunately, I do not zet have the customer Wireshark trace showing
the traffic, specificallz where the  address (and port) is supposedlz
sent in the pazload.

A knowledgeable iptables/firewall person on our team has suggested we
require a netfilter helper routine (ala the ftp connection tracking).

It seems to me however that instead, some tzpe of adaptive firewall
technique is required to do this - opening a new NAT for the IP/port
sent in the pazload and closing it when done.

If so, can this be done by a simple user app - perhaps a proxy, or
should it be in the loadable kernel modules as the ftp connection
tracker is?

Have been unable to find verz much info on this zet - altho I see
references to some commercial firewalls (e.g. Cisco 5500) doing this.

Is this something that has been done already with netfilter or will I
be blazing a new trail?

Pls excuse the mixing of the y and z, am using a German computer in Germany.

Thank zou verz much,

Jim

Re: DCERPC - does an add-on exist for netfilter

[Patrick McHardy]

On 30.01.2011 12:07, Jim Webster wrote:
> Hi.  I am new to the list and also fairly new to iptables and
> netfilter.  Linux and programming - am familiar with.
> Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
> our firewall.
> The firewall is a CentOS iptables based box.
> 
> Unfortunately, I do not zet have the customer Wireshark trace showing
> the traffic, specificallz where the  address (and port) is supposedlz
> sent in the pazload.
> 
> A knowledgeable iptables/firewall person on our team has suggested we
> require a netfilter helper routine (ala the ftp connection tracking).
> 
> It seems to me however that instead, some tzpe of adaptive firewall
> technique is required to do this - opening a new NAT for the IP/port
> sent in the pazload and closing it when done.
> 
> If so, can this be done by a simple user app - perhaps a proxy, or
> should it be in the loadable kernel modules as the ftp connection
> tracker is?

Yes, you'll need a connection tracking helper that is able to
parse the DCERPC traffic in order to integrate this with netfilter
and NAT. I've looked into this a while ago, but due to the
complexity of the protocol it is non trivial.

Re: DCERPC - does an add-on exist for netfilter

[Jim Webster]

netfilter@vger.kernel.org

On Sun, Jan 30, 2011 at 6:00 PM, Patrick McHardy <kaber@trash.net> wrote:
> On 30.01.2011 12:07, Jim Webster wrote:
>> Hi.  I am new to the list and also fairly new to iptables and
>> netfilter.  Linux and programming - am familiar with.
>> Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
>> our firewall.
>> The firewall is a CentOS iptables based box.
>>
>> Unfortunately, I do not zet have the customer Wireshark trace showing
>> the traffic, specificallz where the  address (and port) is supposedlz
>> sent in the pazload.
>>
>> A knowledgeable iptables/firewall person on our team has suggested we
>> require a netfilter helper routine (ala the ftp connection tracking).
>>
>> It seems to me however that instead, some tzpe of adaptive firewall
>> technique is required to do this - opening a new NAT for the IP/port
>> sent in the pazload and closing it when done.
>>
>> If so, can this be done by a simple user app - perhaps a proxy, or
>> should it be in the loadable kernel modules as the ftp connection
>> tracker is?
>
> Yes, you'll need a connection tracking helper that is able to
> parse the DCERPC traffic in order to integrate this with netfilter
> and NAT. I've looked into this a while ago, but due to the
> complexity of the protocol it is non trivial.
>

Thanks for replz.  Scares me a bit when a member of Netfilter team
sazs non trivial :-).
My next step will be to dissect the ftp_conntrack (or other conntrack
routine) to see how it works.  Also, think I must dive into the
iptables source code to see how to dznamicallz add/remove the NAT
rules for the protocol.

At first, after reading this
http://www.faqs.org/docs/gazette/firewalls.html thought I might be
able to do it with a simple proxy in userspace.

I have much to discover and appreciate anz guidance.  Hopefullz, when
(no option for if) this is successful, it will be made available to
others.  I am half-time so will take me a while.

Thank zou,
-- 
Jim

Re: DCERPC - does an add-on exist for netfilter

[Victor Julien]

On 01/31/2011 12:52 PM, Jim Webster wrote:
> netfilter@vger.kernel.org
> 
> On Sun, Jan 30, 2011 at 6:00 PM, Patrick McHardy <kaber@trash.net> wrote:
>> On 30.01.2011 12:07, Jim Webster wrote:
>>> Hi.  I am new to the list and also fairly new to iptables and
>>> netfilter.  Linux and programming - am familiar with.
>>> Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
>>> our firewall.
>>> The firewall is a CentOS iptables based box.
>>>
>>> Unfortunately, I do not zet have the customer Wireshark trace showing
>>> the traffic, specificallz where the  address (and port) is supposedlz
>>> sent in the pazload.
>>>
>>> A knowledgeable iptables/firewall person on our team has suggested we
>>> require a netfilter helper routine (ala the ftp connection tracking).
>>>
>>> It seems to me however that instead, some tzpe of adaptive firewall
>>> technique is required to do this - opening a new NAT for the IP/port
>>> sent in the pazload and closing it when done.
>>>
>>> If so, can this be done by a simple user app - perhaps a proxy, or
>>> should it be in the loadable kernel modules as the ftp connection
>>> tracker is?
>>
>> Yes, you'll need a connection tracking helper that is able to
>> parse the DCERPC traffic in order to integrate this with netfilter
>> and NAT. I've looked into this a while ago, but due to the
>> complexity of the protocol it is non trivial.
>>
> 
> Thanks for replz.  Scares me a bit when a member of Netfilter team
> sazs non trivial :-).
> My next step will be to dissect the ftp_conntrack (or other conntrack
> routine) to see how it works.  Also, think I must dive into the
> iptables source code to see how to dznamicallz add/remove the NAT
> rules for the protocol.
> 
> At first, after reading this
> http://www.faqs.org/docs/gazette/firewalls.html thought I might be
> able to do it with a simple proxy in userspace.
> 
> I have much to discover and appreciate anz guidance.  Hopefullz, when
> (no option for if) this is successful, it will be made available to
> others.  I am half-time so will take me a while.
> 
> Thank zou,

You could have a look at the Suricata IDS or Snort. Both have DCERPC
parsers written in GPL C-code.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Re: DCERPC - does an add-on exist for netfilter

[Jim Webster]

Thanks, will look at those.

Jim

On Mon, Jan 31, 2011 at 12:56 PM, Victor Julien <lists@inliniac.net> wrote:
> On 01/31/2011 12:52 PM, Jim Webster wrote:
>> netfilter@vger.kernel.org
>>
>> On Sun, Jan 30, 2011 at 6:00 PM, Patrick McHardy <kaber@trash.net> wrote:
>>> On 30.01.2011 12:07, Jim Webster wrote:
>>>> Hi.  I am new to the list and also fairly new to iptables and
>>>> netfilter.  Linux and programming - am familiar with.
>>>> Have been tasked to provide a way to move MSMQ (DCERPC?) traffic thru
>>>> our firewall.
>>>> The firewall is a CentOS iptables based box.
>>>>
>>>> Unfortunately, I do not zet have the customer Wireshark trace showing
>>>> the traffic, specificallz where the  address (and port) is supposedlz
>>>> sent in the pazload.
>>>>
>>>> A knowledgeable iptables/firewall person on our team has suggested we
>>>> require a netfilter helper routine (ala the ftp connection tracking).
>>>>
>>>> It seems to me however that instead, some tzpe of adaptive firewall
>>>> technique is required to do this - opening a new NAT for the IP/port
>>>> sent in the pazload and closing it when done.
>>>>
>>>> If so, can this be done by a simple user app - perhaps a proxy, or
>>>> should it be in the loadable kernel modules as the ftp connection
>>>> tracker is?
>>>
>>> Yes, you'll need a connection tracking helper that is able to
>>> parse the DCERPC traffic in order to integrate this with netfilter
>>> and NAT. I've looked into this a while ago, but due to the
>>> complexity of the protocol it is non trivial.
>>>
>>
>> Thanks for replz.  Scares me a bit when a member of Netfilter team
>> sazs non trivial :-).
>> My next step will be to dissect the ftp_conntrack (or other conntrack
>> routine) to see how it works.  Also, think I must dive into the
>> iptables source code to see how to dznamicallz add/remove the NAT
>> rules for the protocol.
>>
>> At first, after reading this
>> http://www.faqs.org/docs/gazette/firewalls.html thought I might be
>> able to do it with a simple proxy in userspace.
>>
>> I have much to discover and appreciate anz guidance.  Hopefullz, when
>> (no option for if) this is successful, it will be made available to
>> others.  I am half-time so will take me a while.
>>
>> Thank zou,
>
> You could have a look at the Suricata IDS or Snort. Both have DCERPC
> parsers written in GPL C-code.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>



-- 
Jim