Re: URL filtering / IP Filter NKE
- Subject: Re: URL filtering / IP Filter NKE
- From: Nick <email@hidden>
- Date: Wed, 29 Jun 2011 23:19:58 +0300
> 1. If we want to block a URL, then the user mode application creates the raw packets and sends them to the client to reset the connection.
> OUTPUT: Not a proper result.
You probably haven't tried hard enough :-).
As I have answered before, to do everything in usermode you can use ipfw, specifically a divert rule. All (required) tcp traffic from the kernel will be diverted into your usermode application's socket, that your app had previously opened.
> 1. How to assign the ACK number and sequence number?
> 2. After performing the tryout 2, what should be the return value of NKE outbound packet callback?
> 3. Do we require to filter incoming as well as outgoing packets to block the particular url?
> 4. How to create a packet containing the customized text message?
I am not sure about NKE callbacks, so I would rather consult the *.h files (they have conspicuous comments about what the function should return and what errors they can return). What matters for you is whether you want to drop, pass or modify/reinject the packet. From this you can figure out what to return in these callbacks.
The ACK number that the Web-server sends to your client host is the received SEQ number + the length of the received data that is being acknowledged. From this number the server will know that your client machine received all bytes.
The SEQ number is the SEQ number of the last sent packet + the length of the previously sent packet. From this value the server machine can figure out how to reorder TCP packets if they come in the wrong order, or if there are duplicates.
The ACK field needs to be properly set only when the ACK flag is set in the packet.
You do not need to filter incoming packets, as long as you do not let "not allowed" GET requests go to the Internet.
A custom text message is simply a TCP packet with the PSH flag set and with a payload that is an ordinary HTTP response, something like:
HTTP/1.0 200 OK
Date: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/html
Content-Length: 1354
<html>
<body>
<h1>Denied!</h1>
(more file contents)
.
.
.
</body>
</html>
(make sure Content-Length is set to the proper value - the HTTP payload's length in bytes)
If you don't want to get friendly with bare TCP, the better approach would be to just write a (maybe transparent) HTTP proxy server. This is the most straightforward way, and it does not have all these caveats.
Actually, I want to rewrite my own filter as a proxy to make it easier for other developers to support/modify my code :-). In OS X this is simple (thanks to its BSD ancestors); in Windows it again requires TDI, which is a chore.
Nick
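The checksum and SEQ/ACK rules discussed in this thread (zero the checksum field before computing, IP checksum over the header only, TCP checksum over a pseudo-header plus the whole segment, ACK = received SEQ + bytes acknowledged), as an added Python example that is not part of the original e-mail or of either poster's filter. Addresses, ports and the deny page are constructed sample values, IPv4 without options is assumed, and `checksums_valid` is the check to run on an injected packet before suspecting the callback return value when the receiving stack silently drops it.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: ones'-complement sum of 16-bit words, carries folded, result complemented."""
    if len(data) % 2:
        data += b"\x00"                       # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum(ip_header: bytes) -> int:
    """Covers the IP header only; the checksum field (bytes 10-11) is zero while computing."""
    return rfc1071_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:])

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Covers a 12-byte pseudo-header (src, dst, zero, protocol 6, TCP length) plus the
    whole TCP header and payload, with the TCP checksum field (bytes 16-17) zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return rfc1071_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def checksums_valid(packet: bytes):
    """Re-check a finished IPv4/TCP packet: a correct checksum sums to zero when it is included.
    Returns (ip_ok, tcp_ok); a False here is why the receiving TCP stack silently discards it."""
    ihl = (packet[0] & 0x0F) * 4
    ip_header, segment = packet[:ihl], packet[ihl:]
    pseudo = ip_header[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return rfc1071_checksum(ip_header) == 0, rfc1071_checksum(pseudo + segment) == 0

def build_tcp_ipv4(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4 (no options, DF set) + TCP (no options) with both checksums filled in.
    flags is the TCP flag byte, e.g. 0x18 for PSH+ACK or 0x14 for RST+ACK."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    return ip + tcp

def next_ack(peer_seq: int, payload_len: int) -> int:
    """ACK value acknowledging a received segment: its SEQ plus its payload length, modulo 2**32."""
    return (peer_seq + payload_len) & 0xFFFFFFFF

# Constructed sample values (not from the thread): a deny page as the "server" would send it.
DENY_BODY = b"<html><body><h1>Denied!</h1></body></html>"
DENY_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
                 % len(DENY_BODY)) + DENY_BODY
```

The `Content-Length` is derived from the body so it always matches, which is the mistake the reply above warns about.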
2011/6/29 Deena Awate <email@hidden>
Hello Nick,
Following are our tryouts based on your reply:
2. If we want to block a URL, then the NKE injects the following packets using ipf_inject_input:
a. ACK packet.
b. DATA packet containing the text "URL not found." (This is generated using Wireshark and HTML format.)
After injecting the packets, the NKE packet outbound callback returns:
a. -1 OUTPUT: still continuous GET requests.
b. 0 OUTPUT: URL does not get blocked.
c. EJUSTRETURN OUTPUT: continuous GET requests.
For the ACK and DATA packets: sequence num = seq num from the URL packet.
ACK number = TCP length + ACK num from the URL packet.
Checksum is calculated using:
Queries:
1. How to assign the ACK number and sequence number?
2. After performing the tryout 2, what should be the return value of NKE outbound packet callback?
3. Do we require to filter incoming as well as outgoing packets to block the particular url?
4. How to create a packet containing the customized text message?
I know this is a long list of queries. But we are somehow unable to fake a packet. If you could give us some links to sample code or theory that explains how to achieve this, it would be great. Thanks for your help.
Regards, Deena
Date: Monday, June 27, 2011, 6:07 PM
Yes, I did it completely on the IP level.
I didn't reset a connection; instead I sent a fake "web-server" response to the sender (to the browser), so I did the following:
1) sent an ACK packet (to make the browser stop sending HTTP GET requests continuously)
2) a PSH+ACK packet with a fake "web server's" response (the browser thinks it was sent by the server) with the text "Access to this page was denied by filter" or something like that.
Similarly, to reset a connection, you need to send a TCP packet with properly calculated TCP and IP checksums (while calculating, make sure the checksum field is set to zero; also note that while the IP checksum is calculated only for the IP header, the TCP checksum is calculated for the whole packet together with the data and with the IP checksum already calculated), set the source and destination ports (in the TCP header) and IPs (in the IP header) accordingly, so the browser that receives your RST packet understands that it has been sent by the Web-server.
Also make sure you have the SEQ and ACK fields set according to the TCP specs (otherwise the browser, or rather the kernel's TCP unit, will reject your packet as "out-of-order"). Finally, set the RST flag in the TCP header.
If you omit any of these steps, your reset packet will be discarded.
If you do this correctly, you'll have "Safari can't connect to the server" immediately after you press enter in the address bar of the browser.
Basically it is all about filling in the IP and TCP header structures and then injecting the packet into the flow.
HTH, Nick
2011/6/27 Deena Awate <email@hidden>
Hello Nick,
Could you tell me in a bit more detail how you did the TCP connection reset when you want to block access to a URL. Did you work at the IP filter level? I am not able to figure out how to reset a TCP connection.
Any help would be great.
Thanks, Deena
Macnetworkprog mailing list (email@hidden)