On Thursday, Jul 10, 2003, at 18:38 US/Pacific, Aaron Suen wrote:
> Does anybody foresee a port, of some sorts, of pf for Windows?
> Yeah, it sounds a little wild, but I could really use something
> like this. I have a bunch of Windows clients on my home LAN, and
> you can never really trust the LAN (even though it's firewalled)
> since these are Windows (a.k.a. virus-laden) machines. So I want
> to install software firewalls on every machine to provide secondary
> protection against threats on the LAN.
> The big problem is that there are no good free firewalls for Windows.
> Of course, everybody will recommend the same things, such as
> ZoneAlarm, and similar types of programs, but all I need is something
> that can do fragment reassembly, stateful inspection, and block certain
> ports (135, 137-139, 445, 1025-1027, 5000) while leaving everything
> else open by default. Every free firewall I've seen is missing
> something. ZoneAlarm is too aggressive, blocks everything by default
> and asks the user questions all the time (I want to set it up and
> forget it). Rule-based firewalls like the ones based on Tiny's codebase all
> seem to lack some reassembly and stateful inspection capabilities;
> they're basically just SYN filters.
In my experience, recent Windows' IP stacks aren't _that_ bad at
handling unexpected IP-level data. Most of the threat these days is
at the application level, which is primarily what things like Zone
Alarm and Tiny target. And as far as things like session interception
go on LANs, you'll have a tough time guarding against that anyway.
Especially when your attackers are armed with CAT5 and building keys.
NT has always had a rudimentary IP filter if all you want to do is
filter ports. Recent versions are slightly more capable:
http://www.hsc.fr/ressources/outils/pktfilter/
At least Tiny - and probably ZA too judging by its behavior - mostly
watch a fairly high level in the driver stack, where they actually
get explicit notification of new connections. That's why both seem
to be stateful by default -- they're using the OS's stack. It's
probably also why they both suck at handling ICS.
> Actually, it would be pretty nice to have a userland application that
> does what the pf engine does. One could use it, for instance, to
> filter traffic that goes through other userland applications (such
> as ppp using tun*).
I'm confused about this part. Windows doesn't typically send wire
network data through user space (though I suppose you could argue the
distinction on 9x, but that's another topic). For the BSDs, why?
The kernel filtering would typically work better anyway, and it can
already filter on tun.
> I'd like to know how feasible this Windows port idea would be.
Doable, yes, but I suspect there's a shortage of people with time and
willingness to get familiar with both systems.
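For reference, here is what the policy Aaron describes looks like as a pf ruleset on a BSD host (an added example, not something posted in the thread): fragment reassembly, stateful tracking, the listed ports blocked inbound, and everything else left open. The interface name fxp0 is an assumption.

```pf
# Added example, not from the thread. Interface name is assumed.
lan_if = "fxp0"
# The ports Aaron lists: RPC endpoint mapper, NetBIOS, SMB, the
# usual dynamic RPC ports, and UPnP/SSDP.
win_ports = "{ 135, 137:139, 445, 1025:1027, 5000 }"

# Fragment reassembly (and other normalisation) on all inbound packets
# before any rule is evaluated.
scrub in all

# pf is last-match by default, so "quick" makes this block final and
# stops the catch-all pass rule below from overriding it.
block in log quick on $lan_if proto { tcp, udp } \
    from any to any port $win_ports

# Everything else stays open by default; "keep state" means replies
# and established sessions are tracked in the state table instead of
# being matched packet by packet (the stateful inspection he asks for).
pass in  on $lan_if all keep state
pass out on $lan_if all keep state
```

Load it with pfctl -f and check the parse first with pfctl -nf, which reports syntax errors without touching the running ruleset.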