--------
From academic-firewalls-owner@net.tamu.edu Tue Jan 31 16:25:44 1995
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 31 Jan 1995 17:20:00 -0500
From: chet@po.CWRU.Edu
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: please add

Please add chet@po.cwru.edu to the academic-firewalls mailing list.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
Chet Ramey, Case Western Reserve University
Internet: chet@po.CWRU.Edu

--------
From academic-firewalls-owner@net.tamu.edu Wed Feb 1 22:15:23 1995
Date: Wed, 1 Feb 95 22:09:48 -0600
From: Dave Hess
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Drawbridge 2.0 Beta

Well, Drawbridge 2.0 is finally out of Alpha and ready for a Beta test.
Here is the README for the package.

-----------------------------------------------------------------------------

                             Drawbridge 2.0 Beta

INTRODUCTION:

Drawbridge is a copyrighted but freely distributable bridging IP filter
with a powerful syntax and good performance. It uses a PC with either two
Ethernet cards or two FDDI cards to perform the filtering. It is composed
of three different tools: Filter, Filter Compiler and Filter Manager. This
distribution is version 2.0, which is a major overhaul of Filter.

To get a better idea of how Drawbridge works and how it is used, begin
with the OVERVIEW paper in the doc directory. The paper tamu.ps describes
the entire suite of TAMU security tools. (Note that this paper is in the
process of being updated. The portions concerning Drawbridge are up to
date, however.)

CHANGES:

o Filter now supports FDDI to FDDI filtering. Note however that due to the
  inherent limitations with bridging on FDDI, Filter will only work under a
  very specific and limited configuration. Please send email to
  drawbridge@net.tamu.edu if you are interested in attempting this.

o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet cards or
  FDDI cards with adequate NDIS drivers can be used with Drawbridge 2.0.

o Filter now has an IP protocol stack and the management occurs via UDP.
  This allows the Filter Manager to run on just about any Unix platform
  that has BSD sockets. (Note that currently I haven't ported it to
  platforms other than Solaris 2.3.)

o Filter now uses an (as far as we know) exportable Pseudo One Time Pad
  cryptographic scheme for authentication and privacy over the management
  channel.

o Filter now provides statistics from both the console and Filter Manager.
  Both Filter-specific and NDIS statistics are reported.

o Filter is now interrupt driven rather than polling (forced because of
  NDIS) and performance is better. With the previously recommended setup
  Filter now produces peak transfer rates of approximately 5.5 Mb/sec
  versus the previously measured peak of 3.5 Mb/sec. 10 Mb/sec on Ethernet
  should be easily achieved with faster cards, buses and CPUs. Under FDDI
  with a 60MHz Pentium and two EISA Network Peripherals FDDI cards, data
  rates up to 18Mb/sec have been measured. The actual limit is higher but
  we do not have a reliable testbed capable of generating and measuring
  higher data rates at this time.

o Filter now uses XMS to store the network tables in extended memory. A
  cache is kept in low memory.

o Filter has a new switch which controls whether or not packets other than
  IP/ARP/RARP are transparently bridged.

o Filter Compiler (and Filter) is backward source and binary compatible.
  Other than bug fixes, no changes have been made to the Filter Compiler.
  For Filter, the DES key file is no longer used and a new file PASSWORD
  is maintained. Also Filter Manager no longer uses .fmkey.* files.

o The GNU Copyleft has been removed. This material is now covered under a
  Berkeley/MIT style copyright, i.e. you can do anything you want with the
  code but must credit us. See the file COPYING.

o A few commands have been added/changed in the Filter Manager. The
  changes are documented under the help system.

o Bug fixes since the Alpha release

  Filter was binding to the cards opposite of what was specified in the
  protocol.ini file (oops!).

  Filter Manager was core dumping when querying the reject or allow
  tables.

  A bug with subnets in the allow table has been fixed.

  Fixed a race condition in the event management which could allow events
  to be lost.

  Fixed a serious (but not fatal) bug in the event management that would
  cause events not to fire after the first time midnight went by. The
  symptom was Drawbridge would no longer respond to keystrokes.

  Fixed and cleaned up all of the NDIS error messages.

o Changes since the Alpha release

  NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com is now included.
  Thanks go to Alex Li for giving me the pointer to the newer version.

  Patches have been made so that fc and fm will now run on little endian
  machines. If you can get fc and fm to compile, endianness should not be
  a problem. Thanks go to Danny Thomas for generating the fixes for fc.
  (Note that due to the extensive amount of changes required, fc and fm
  do not and will not any time soon run on 64 bit architectures (e.g.
  Alpha).)

  An uptime statistic has been added to the statistics reporting.

  The original paper covering the entire TAMU security package has been
  updated to cover Drawbridge 2.0. It is still not up to date on Tiger
  and Netlog but will be soon.

  Added "retries" and "timeout" variables to the fm user interface. When
  managing a Drawbridge installation that uses floppy disk for the
  storage of the tables, a write can easily time out. The default values
  are 3 retries and 3 seconds.

AVAILABILITY:

Drawbridge is available via anonymous ftp from net.tamu.edu
(128.194.177.1) in pub/security/drawbridge as:

    drawbridge-2.0b.tar.gz

The package should untar into 4 directories:

    doc    - directory with documentation about Drawbridge (including
             three papers referenced in the documentation)
    fm     - directory with source code for the Filter Manager plus a
             binary for Solaris 2.3 on Sparc.
    fc     - directory with source code for the Filter Compiler plus a
             binary for Solaris 2.3 on Sparc.
    filter - directory with three PKZIP archives and PKUNZIP.EXE
             ndis.zip   - PKZIP archive containing version 2.1 of the
                          NDIS 2.01 utilities.
             filter.zip - PKZIP archive with source code and executable
                          for the Filter.
             config.zip - PKZIP archive with example config.sys,
                          protocol.ini, autoexec.bat and the latest SMC
                          driver for the Ethernet cards required by
                          earlier versions of Drawbridge.

And 2 files:

    README  - this file
    COPYING - copyright notice.

REQUIREMENTS:

The requirements are less stringent in Drawbridge version 2.0. Filter is
compiled for and requires an 80386 or higher processor (it is documented
in the makefile how to compile specifically for a higher processor). Any
Ethernet or FDDI boards for any bus may be used as long as they have DOS
NDIS 2.01 drivers.

NOTE! These drivers *must* support promiscuous mode, *must* allow you to
configure the driver to support two cards in one PC, and *must* provide
access to the native media frame format. Be careful to confirm this before
you settle on any adapters. Some adapters do not support these features.

It is recommended that you use a PC with a hard disk; however, you can
build a setup that uses a floppy. The reason for recommending a hard disk
is that when Filter performs a write and writes all of its tables to disk,
*all packet forwarding stops* for the duration of the write. This may take
a substantial amount of time on a floppy depending on the configuration
loaded into Filter.

BUILDING:

The Filter Compiler and Filter Manager both require an ANSI C compiler;
the GNU C Compiler (gcc) is recommended. The Filter requires Borland C++
4.02 and Borland Turbo Assembler 4.0. An executable version of Filter is
provided in case you do not have access to these tools.

To build Filter Compiler (fc) and Filter Manager (fm), just go into the
respective directories and type "make". This will build the executables.
To install fc and fm, edit the makefiles to set the destination directory,
become root and type "make install".

To build Filter, unarchive the PKZIP archive, go to the source directory
and type "make".

CONTACTS:

Any suggestions or comments can be sent to:

    drawbridge@net.tamu.edu

Any and all feedback on this Beta release is welcome. Also, ports of the
Filter Compiler and Filter Manager to other platforms would be
appreciated.

Drawbridge is designed and programmed by:

    David K. Hess
    Douglas Lee Schales
    David R. Safford

    Texas A&M University
    February 1, 1994

-----------------------------------------------------------------------------

---
David K. Hess                                   Network Analyst
David-Hess@tamu.edu                             Computing and Information Services - Network Group
(409) 845-0372 (work)                           Texas A&M University
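The README above describes Drawbridge as a bridging IP filter that consults an allow table and a reject table (both keyed by host or subnet) and has a switch deciding whether frames other than IP/ARP/RARP are bridged. The toy model below is an added illustration of that decision structure; it is not Drawbridge code, and the Filter Compiler's real syntax is not shown on this page. The field names, the rule format, the "reject beats allow" precedence and the "outbound is unrestricted, inbound is default-deny" policy are all this example's assumptions, as are the sample tables and addresses (constructed from RFC 5737 documentation ranges).

```python
import ipaddress
from dataclasses import dataclass

# Ethertypes the filter handles natively. Anything else is only bridged
# when the "bridge non-IP" switch is on (the README's new Filter switch).
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035


@dataclass(frozen=True)
class Frame:
    """A decoded frame. Field names are this example's own, not Drawbridge's."""
    ethertype: int
    inbound: bool = True          # True = arrived on the outside (untrusted) card
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    proto: str = ""               # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One table entry: a host or subnet plus the services it covers.
    An empty port set means every port of that protocol."""
    network: ipaddress.IPv4Network
    proto: str
    ports: frozenset = frozenset()

    def matches(self, frame):
        if ipaddress.ip_address(frame.dst) not in self.network:
            return False
        if self.proto != frame.proto:
            return False
        return not self.ports or frame.dport in self.ports


def rule(spec, proto, *ports):
    """Build a Rule from a host ('192.0.2.10') or subnet ('192.0.2.0/24') string."""
    return Rule(ipaddress.ip_network(spec, strict=False), proto, frozenset(ports))


class BridgeFilter:
    def __init__(self, allow, reject, bridge_non_ip=True):
        self.allow = list(allow)
        self.reject = list(reject)
        self.bridge_non_ip = bridge_non_ip

    def decide(self, frame):
        """Return 'forward' or 'drop' for one frame."""
        if frame.ethertype in (ETHERTYPE_ARP, ETHERTYPE_RARP):
            return "forward"                      # needed for the bridge to work at all
        if frame.ethertype != ETHERTYPE_IP:
            return "forward" if self.bridge_non_ip else "drop"
        if not frame.inbound:
            return "forward"                      # assumption: outbound is unrestricted
        # Assumption: reject entries win over allow entries, so a host-specific
        # reject can carve an exception out of a subnet-wide allow.
        if any(r.matches(frame) for r in self.reject):
            return "drop"
        if any(r.matches(frame) for r in self.allow):
            return "forward"
        return "drop"                             # default deny for inbound IP


def example_filter():
    """Constructed sample tables: mail and web to a whole subnet, telnet to
    one host only, and one host that accepts no inbound TCP at all."""
    allow = [rule("192.0.2.0/24", "tcp", 25, 80),
             rule("192.0.2.10", "tcp", 23)]
    reject = [rule("192.0.2.99", "tcp")]
    return BridgeFilter(allow, reject, bridge_non_ip=False)


if __name__ == "__main__":
    f = example_filter()
    for frame in (Frame(ETHERTYPE_IP, dst="192.0.2.5", proto="tcp", dport=80),
                  Frame(ETHERTYPE_IP, dst="192.0.2.5", proto="tcp", dport=23),
                  Frame(ETHERTYPE_IP, dst="192.0.2.99", proto="tcp", dport=80),
                  Frame(0x809B)):
        print(frame, "->", f.decide(frame))
```

The point worth taking from the model is the order of checks: non-IP ethertypes are decided by the bridge switch before any table is consulted, and an inbound IP frame that matches nothing is dropped, so a subnet-wide allow entry is the only thing that opens a service to hosts that have no entry of their own.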