Using The pktfilter software with dynamic interfaces

Apologies for the disjointedness of this document - it was thrown together to get something out there in answer to a question on the pktfilter-users mailing list.
This is a tool to use the Pktfilter software with dynamic interfaces - it came about because I needed to make the software work with dialup and wireless interfaces not always present on the system.
You can download the archive of the software (including a cron file for the highly recommended Pycron) starting with: Version 1
The software is released under the GNU Public license.

Installation

  1. Install Pktfilter.
  2. Copy the perl-ruleset.txt to "c:\Program Files\pktfilter\pktctl\". This contains the rules template.
  3. Copy perl-ruleset.txt.example to perl-ruleset.txt and add rules as you need, following the (hopefully) obvious format.
  4. Register the software as a service, turn on logging, start the service and load the services control panel. Or you could use the 'register.bat' file included :-)
  5. Use the services control panel to set the "Stateless Packet Filter" to Automatic
  6. Copy the firewall.exe to "c:\Program Files\pktfilter\pktctl\". This is the firewall 'management' software.
  7. Copy the crontab.txt file to "C:\Program Files\pycron" (or add the appropriate entry) if you are using pycron to regularly restart the service.
  8. Start the pycron service, and set it to automatic.
Note: You could automate all of this with a batch file. I even have a tailored, site-specific one. Maybe I'll make it generic (or write the installer in perl!). For now, the step by step is as good documentation as anything.

How it works

firewall.exe is a compiled perl script (source code is in firewall-modular.pl) which gets round some of the limitations of the pktfilter software, namely (with thanks to Anton):
  1. The software loads and operates correctly on existing interfaces even if they are not yet configured. Basically it programs the BPF and the BPF operates correctly.
  2. The software aborts if you try to refer to a non-existent interface.
  3. The software will not reload if you completely remove an interface from the system and put in another interface which ends up having the same notation (replace a pcmcia ethernet with pcmcia wireless, for example). You need to reload the ruleset externally.
  4. The software does not try to capture system messages that notify of routing changes (this is the easiest way of catching interface additions and removals and enable/disable rules).
  5. If an interface just changes its administrative state without the driver being completely unloaded (ppp brought down and reestablished, link layer on ether, so on) rules stay and operate correctly.
Basically, the script enumerates all the current interfaces in Unix terms (eth0, pp0 etc.), and uses a template file (perl-ruleset.txt) to generate a ruleset for each interface. This script is then run every minute by PyCron. The latest version checks to see if the pktfilter service is set to Automatic. If it is, but the service isn't running, it recreates the rules.txt file from the template perl-ruleset.txt and restarts the service. If it isn't set to Automatic, it does nothing.

The template file is separated into two areas, default rules and specific rulesets. Due to the way pktfilter reads its rules file, all the default rules have to come first, and this is taken care of by the script. The script ignores as a comment any line beginning with #, allowing us to (shock horror) document it.

The idea of all this is that not only will the firewall protect all the interfaces, including the dynamic dial-up ones and wifi, within an average of 0.5 minutes; it will also be easier to manage, in that we can write the configuration and then copy the template file (perhaps via logon script, or at least remotely while the machine is VPN'd) to the PC.

Note: There is a bug with the implementation, in that the pktfilter software will crash if it is told to implement a ruleset for interfaces that do not exist, i.e. if rules.txt has rules for eth0 and eth1 when pktctl -I reports only eth0. This is likely to occur if the system is shut down when it has two interfaces up, but brought back up with only one, and the firewall script hasn't been run in the meantime, leaving rules.txt in a state unrepresentative of the network interfaces. To sum up, it's not a bug in my code (which is, of course, perfect :-), but in the implementation.
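The following is an added illustration of the template expansion described above; it is not the page's firewall.exe (which is Perl) but a Python sketch of the same idea. The template layout (a "default:" section, an "interface:" section, $IF as the interface placeholder) and the rule syntax are assumptions, and the template text is constructed.

```python
# Added example: expand a perl-ruleset.txt-style template into rules.txt for
# the interfaces that exist right now, default rules first, and flag rules
# that name interfaces which are gone (the crash condition noted above).
# Template layout, $IF placeholder and rule syntax are assumptions.
import re

SAMPLE_TEMPLATE = """\
# '#' lines are comments; 'default:' and 'interface:' open the two sections
default:
block in all
block out all
interface:
pass out on $IF proto tcp from any to any
pass in on $IF proto tcp from any to any port = 22
"""

def parse_template(text):
    """Split the template into (default_rules, per_interface_rules)."""
    defaults, per_if, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.lower() == "default:":
            section = defaults
        elif line.lower() == "interface:":
            section = per_if
        elif section is None:
            raise ValueError("rule before any section header: " + line)
        else:
            section.append(line)
    return defaults, per_if

def build_ruleset(template, present):
    """rules.txt lines: defaults first, then per-interface rules per present interface."""
    defaults, per_if = parse_template(template)
    rules = list(defaults)
    for iface in present:                 # 'present' as reported by pktctl -I
        rules.extend(rule.replace("$IF", iface) for rule in per_if)
    return rules

def stale_interfaces(rules, present):
    """Interfaces named after 'on' in an existing rules.txt that are absent now."""
    named = {m for line in rules for m in re.findall(r"\bon\s+(\S+)", line)}
    return sorted(named - set(present))   # non-empty: regenerate before restart

if __name__ == "__main__":
    old = build_ruleset(SAMPLE_TEMPLATE, ["eth0", "eth1"])   # before shutdown
    print("stale after reboot with only eth0:", stale_interfaces(old, ["eth0"]))
```

Running stale_interfaces against the current rules.txt before restarting the service is the check that avoids the crash case described above.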

Documentation

Sorry, this is it. I haven't even written any POD for the source code..

Warranty

I don't offer any. I don't make any warranty claims. Don't rely on it for anything. I might respond to emails sent to 'john at kript dot net', but, then again...