PC security is an ever-changing, ongoing issue. Most use the default applications included with Windows, but often that is just not enough. Experience reveals that many users find the Windows Security tool to be either too much or not enough.
But it doesn’t have to be so. There are plenty of security applications out there that claim to be better and more configurable than the Windows Security tool. One tool I have found really does stand up to its claims is PktFilter, which is an open source (distributed under the BSD license), command-line security tool designed to allow the user to configure the IPv4 filtering driver for Windows 2000, Windows XP, and Windows Server 2003.
The tool can be as simple or as complex as you want to make it (like most open source tools), because you can edit a text file to configure it by your rules. PktFilter works and is reliable, so let’s take a look at installing, configuring, and using the tool.
This blog post is also available in the PDF format as a TechRepublic download.
Getting and installing
The first thing you need to do is download the PktFilter zip archive from the application’s site. Once you have downloaded the package, you will want to unzip the archive into an easily accessible directory so running the commands isn’t as keyboard intensive.
When you unzip the archive, you will have a new directory called PktFilter. Inside that directory are two subdirectories (pktctl and pktfltsrv) and a readme file. The pktfltsrv directory contains the actually executable file for the program. The pktctl subdirectory contains the rules.txt file you will edit to suit your needs.
Once the archive is unzipped, you are ready to get it up and running. You will need to open a terminal window. Because PktFilter is a command-line tool you will actually have to type out the executable file name along with a switch or two in order to run it properly. So you will need to change to the …\PktFilter\pktfltsrv directory. Once there you are ready to make sure the application is working properly.
The first run will be just a test to install the service. There isn’t an actual test program involved so you will be running a real instance of PktFilter. Issue the following command from within the pktfltsrv subdirectory (Note: change the command depending on where you located the application):
C:Program FilesPktFilterpktfltsrv> pktfltsrv -i "C:Program FilesPktFilterpktctlrules.txt" "C:Program FilesPktFilterpktctlPktFilter.log"
Notice that you are including the log file for the application. This is key, because you don’t want to blindly block packets with PktFilter, you want to be able to monitor packets so you can get a better feel for what is going on.
Now that you have the service running you need to know the mapping that is used for the interface on the machine. This is determined by issuing the following command:
C:Program FilesPktFilterpktctl pktctl -I
The above command will display something similar to:
eth0: <SiS 900 PCI Fast Ethernet Adapter>: 192.168.1.102
So now you know that the networking interface you will want to configure is attached to eth0.
Writing rules for PktFilter is tantamount to having a secure system. The rules for PktFilter aren’t that difficult to write (fortunately). By default PktFilter is set up to block all traffic. You can see this near the top of the rules.txt file here:
# default behavior = deny everything
block in on eth0 allblock out on eth0 all
You see two rules above. Each rule has specific keywords. PktFilter acknowledges a number of specific keywords (see the included PktFilter.pdf file in the PktFilter package for a complete list). The keywords in the above two rules are: block, in, out, and eth0. Let’s say you wanted to allow all outgoing traffic. You could change the above “out” rule to:
pass out on eth0 all
Or let’s say you wanted to get specific and allow an external machine access to your machine’s ftp server. To do this, you would include a rule like:
pass in on eth0 from EXTERNAL.IP.ADDRESS port 20 pass in on eth0 from EXTERNAL.IP.ADDRESS port 21
Where EXTERNAL.IP.ADDRESS is the actual external IP address that needs to pass through.
Or say you want to allow that same external machine access to all ports 1024 and under. To do this, you would enter the following in the rules.txt file:
pass in on etho0 from EXTERNAL.IP.ADDRESS port <= 1024
You might need to allow DNS resolution to a nameserver. To so, you would enter something like:
pass out on eth0 proto udp from PC.GATEWAY.ADDRESS port > 1023 to DNS.NAMESERVER.ADDRESS port = 53 pass in on eth0 proto udp from DNS.NAMESERVER.ADDRESS port=53 to PC.GATEWAY.ADDRESS port > 1023
Where PC.GATEWAY.ADDRESS is the address of the gateway the PC is using (if a gateway is not used you can use the actual address of the PC used) and where DNS.NAMESERVER.ADDRESS is the actual address of the DNS nameserver.
Obviously these are some very basic rules, but they highlight the flexibility of the application. Naturally your network needs and configuration will dictate to you the depth of configuration for your rules.txt file.
Make it stick
Once you have your rules in place, you will want to rerun the application to use your newly configure rule set. Once you have PktFilter running with your new rules (and all tests out), you will want to make sure every time your machine is rebooted it starts with the same rule set. To make sure the application restarts with any reboot, you will need to do the following:
- Start Service Manager and look for startup type PktFilter (Stateless Packet Filtering).
- Show the properties for PktFilter and set it to automatic start.
PktFilter fills a void that is sorely needed within Windows: a command-line, open source, packet filtering tool that is highly configurable, simple to use, and reliable. Any network administrator would be remiss not having PktFilter in his or her arsenal of tools in the constant fight for network security.