Re: tcp/ip filtering

Alan Cox (alan@cymru.net)
Wed, 15 May 1996 09:37:38 +0100 (BST)


> However, after all this work, my teachers have informed me (thanks to
> someone on irc who msged me with a nasty message) that we cannot open
> internet access to the public until a secure censoring system is in
> place... They are going to try out Surfwatch, but this is a magnet school

> someone may have already done, but after a lot of searching haven't found
> anything about it), is to build in a filtering system into the base of
> the tcp/ip handling of the kernel... I know this would slow it down a lot,
> but it would be worth it to have slow internet access than none, or the
> threats of lawsuits from maniac parents...

Don't forget the lawsuits from parents who claim by blocking stuff in a
way oriented to one religion you may be committing an offence, and the
fact that any site you block as unsuitable will have the right to sue your
school for libel if it feels it's unjustified in being described that way.

> So if someone knows how to make an addon to linux that will filter out a
> list of "no-no" words from tcp/ip packets, I would appreciate it a lot...

Such no-no strings can occur at random in things like binaries, gzip
files. You have to have context. Thus you could do it by port and screen
www and ftp traffic (but not compressed stuff easily). Email you may find
is covered by privacy legislation that actually stops you reading people's
email to scan it (even by program). If so then I guess you can write it
into the "conditions of use" or something. I'm more familiar with this
game in the UK, where it is a legislative minefield (although one the
politicians want to clean up neatly).

You would want to put the code in question in (I think) the ip_firewall
(ip_fw.c):


if (port is one we want to)          /* your own port test goes here */
{
    if (scan_bytes(skb->data, skb->len))
    {
        printk(KERN_INFO "Some naughty user on %s tripped the scanner.\n", in_ntoa(src));
        printk(KERN_INFO "Trip occurred while talking to site %s.\n", in_ntoa(dst));

        return FW_BLOCK;
    }
}

where scan_bytes is a routine you write that scans a block of data for
len bytes for "naughties". That wouldn't catch every single one (e.g. split
across packets) but it would get almost all.

Possibly somewhere like here:

switch (ip->protocol)
{
    case IPPROTO_TCP:
        dprintf1("TCP ");
        /* ports stay 0xFFFF if it is not the first fragment */
        if (!offset) {
            src_port = ntohs(tcp->source);
            dst_port = ntohs(tcp->dest);
            if (tcp->ack)
                /* We *DO* have ACK, value FALSE */
                notcpack = 0;
            if (tcp->syn && notcpack)
                /* We *DO* have SYN, value FALSE */
                notcpsyn = 0;
        }
        if (src_port == 80 || src_port == 6667....)
        {
            /* Do the check described above */
        }
        prt = IP_FW_F_TCP;
        break;

Happy hacking.

Alan
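A worked version of the scan_bytes routine described in the mail above, added here as an example and not part of the original post or of ip_fw.c: the stateless per-packet scan as sketched, plus a per-connection variant that carries the tail of the previous segment so a word split across two packets (the gap Alan points out) is still caught. The word list, the MAXWORD and MAXSEG limits and the scan_state struct are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed word list for the example; a deployment supplies its own. */
static const char *const blocked[] = { "badword", "forbidden" };
#define NBLOCKED (sizeof blocked / sizeof blocked[0])
#define MAXWORD 16   /* assumption: no entry in blocked[] is longer than this */
#define MAXSEG 1500  /* assumption: largest payload handed in per call (MTU-sized) */

/* Stateless scan as sketched in the mail: returns the index of the first
 * matching word or -1. memcmp rather than strstr so NUL bytes in binary
 * data are scanned through instead of ending the search early. */
int scan_bytes(const unsigned char *data, size_t len)
{
    for (size_t w = 0; w < NBLOCKED; w++) {
        size_t wl = strlen(blocked[w]);
        for (size_t i = 0; i + wl <= len; i++)
            if (memcmp(data + i, blocked[w], wl) == 0)
                return (int)w;
    }
    return -1;
}

/* Per-connection carry-over: the last MAXWORD-1 bytes of the previous
 * segment are kept so a word split across two packets is still seen. */
struct scan_state {
    unsigned char tail[MAXWORD - 1];
    size_t taillen;
};

int scan_bytes_stream(struct scan_state *st, const unsigned char *data, size_t len)
{
    unsigned char buf[MAXWORD - 1 + MAXSEG];
    size_t total, keep; int hit;
    if (len > MAXSEG)
        return -2;  /* caller must hand in segments no larger than MAXSEG */
    memcpy(buf, st->tail, st->taillen);
    memcpy(buf + st->taillen, data, len);
    total = st->taillen + len;
    hit = scan_bytes(buf, total);
    if (hit >= 0) {  /* flow gets blocked; drop the carried tail */
        st->taillen = 0;
        return hit;
    }
    /* no match: remember the tail for the next segment on this connection */
    keep = total < MAXWORD - 1 ? total : MAXWORD - 1;
    memcpy(st->tail, buf + total - keep, keep);
    st->taillen = keep;
    return -1;
}
```

The stream variant needs one scan_state per TCP connection (keyed on the address/port 4-tuple), zeroed when the connection is first seen; it does not address the point above that the same bytes can occur by chance inside binaries or compressed files.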