Westell 6100, firewall - match filter condition, layer 2? I have been trying to make this work, and am wondering if I am just blowing bytes, or actually onto something. In the custom firewall section there is a filter condition called "match". The sparse amount of information I have been able to gather so far is such:
match layer offset {bit-string[:mask]} Specifies one or more explicit bit strings and offsets into the layer header to compare. This keyword is followed by three parameters. The first numeric parameter is the header layer; valid values include 2 through 4 (Ethernet = 2, ip = 3, tcp/udp/icmp/igmp = 4). The second numeric parameter is the offset into the packet to begin the comparison. The third parameter is the representation of the bit string and comparison bit mask itself. The bit string is delimited with the open and close curly braces ({}). A colon delimits the bit string and mask. If no mask is provided, a mask value of all ones is assumed. Each byte of the bit string and mask is represented by a two character hexadecimal number and is separated by white space from the previous byte representation.
I have seen match used for TTL decay used in many custom rulesets.
    #drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
    drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
    drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
Well, I have been trying to figure out to use match for local MAC filtering. I want to allow the computers to still connect using DHCP, so the IP's do differ over time, though the MAC stays the same. And then add other conditions, to filter out the abusers of say a p2p network.
Following the definition of match this should be possible. It should be also possible to fine-tune a filter by pretty much anything present in a packet layer 2, 3, or 4. That being mostly MAC, IP, Protocol, or whatever bit-string:mask at whatever offset in the layer header you use.
Unfortunately I can't seem to get started. My attempt so far has been with a restricted firewall, I add a match rule
    MyCompMacPass pass match 2 3 { 00 18 DE } >> state, done, alert 1 [ MyComp - offset 3 ]
which should match the first 3 octets of my MAC address, and allow it to pass all data. To test this I tab to a terminal and run an aggressive (-T5) nmap that I kill after about a second, just to generate data. I have gone from 2 0 to 2 30, I have also changed the bit-string octets used. I get random flow with a smaller bit-string pattern, but it seems random.
My next attempt will probably be to set up a full 25 line variation that increases the bit-string patterning from 1 octet to 2 octets to 3 octets, while I figure out what the dang offset really is.
And yes, I did research the headers. Depending on whether the offset really counts individual octets or follows the header format, the number should be 3 or 15-20, or without the preamble 2 or 7-12.
Anyone ever do this? Or am I just ramming my head into a ... firewall?
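The following is an added example, not code from the post or from Westell, that models the "match layer offset {bit-string[:mask]}" condition exactly as the quoted definition describes it, so the rules above can be checked against a constructed Ethernet/IPv4/TCP frame. It assumes that the offset counts bytes from the start of the given layer's header (no preamble; the preamble is never handed to software), which is the only reading under which the post's own "match 3 8 { 01:FE }" rule lands on the IPv4 TTL byte. Under that reading the destination MAC occupies layer 2 bytes 0-5 and the source MAC bytes 6-11, so an OUI of a local machine sending traffic sits at layer 2 offset 6, not 3. Whether the 6100 firmware really counts this way is exactly the open question; the `locate` helper exists to test a bit string at every layer/offset so a suspected position can be confirmed before a rule is relied on.

```python
# Added example: model of the documented "match <layer> <offset> {bits[:mask]}"
# condition. Not Westell code. Assumption: offsets are byte offsets from the
# start of the layer-2, -3 or -4 header of an untagged Ethernet II frame.
import struct


def build_frame(src_mac, dst_mac, ttl, src_ip, dst_ip, sport, dport):
    """Constructed sample Ethernet II / IPv4 / TCP SYN frame with no payload.
    Checksums are left zero; this is a test fixture, not a wire-valid packet."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                       # EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0,      # ver/IHL, TOS, total len, id, flags/frag
                         ttl, 6, 0,              # TTL (byte 8), protocol TCP, checksum
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip_hdr + tcp


def layer_start(frame, layer):
    """Byte offset in the frame where the header of the given layer begins."""
    if layer == 2:
        return 0
    if layer == 3:
        return 14                                 # untagged Ethernet II header
    if layer == 4:
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length from IHL
        return 14 + ihl
    raise ValueError("layer must be 2, 3 or 4")


def parse_bitstring(spec):
    """Parse '{ 00 18 DE }' or '{ 01:FE }' into (value, mask) byte strings.
    A missing mask means all ones, as the definition states."""
    inner = spec.strip().strip("{}").strip()
    if ":" in inner:
        val_s, mask_s = inner.split(":", 1)
        mask = bytes.fromhex(mask_s.replace(" ", ""))
    else:
        val_s, mask = inner, None
    value = bytes.fromhex(val_s.replace(" ", ""))
    if mask is None:
        mask = b"\xff" * len(value)
    if len(mask) != len(value):
        raise ValueError("mask must have the same number of bytes as the bit string")
    return value, mask


def match(frame, layer, offset, spec):
    """True if the frame bytes at layer/offset equal the bit string under the mask."""
    value, mask = parse_bitstring(spec)
    start = layer_start(frame, layer) + offset
    window = frame[start:start + len(value)]
    if len(window) < len(value):
        return False                              # too short to compare: no match
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))


def locate(frame, spec):
    """Every (layer, offset) at which the bit string matches this frame.
    Useful for finding where a field such as a source-MAC OUI really sits."""
    value, _ = parse_bitstring(spec)
    hits = []
    for layer in (2, 3, 4):
        base = layer_start(frame, layer)
        for off in range(0, len(frame) - base - len(value) + 1):
            if match(frame, layer, off, spec):
                hits.append((layer, off))
    return hits


if __name__ == "__main__":
    # Constructed values: an OUI of 00:18:DE on the sending host, TTL 64.
    f = build_frame("00:18:DE:12:34:56", "AA:BB:CC:DD:EE:FF", 64,
                    "192.168.1.10", "192.168.1.1", 40000, 443)
    print("match 2 3 {00 18 DE}:", match(f, 2, 3, "{ 00 18 DE }"))   # dst MAC bytes
    print("match 2 6 {00 18 DE}:", match(f, 2, 6, "{ 00 18 DE }"))   # src MAC OUI
    print("OUI found at:", locate(f, "{ 00 18 DE }"))
    for ttl in (0, 1, 2, 64):
        g = build_frame("00:18:DE:12:34:56", "AA:BB:CC:DD:EE:FF", ttl,
                        "192.168.1.10", "192.168.1.1", 40000, 443)
        print("TTL", ttl, "match 3 8 {01:FE}:", match(g, 3, 8, "{ 01:FE }"))
```

Running it shows the TTL rules from the post behaving as labelled (TTL 0 and 1 match `{ 01:FE }`, TTL 2 and 64 do not), the OUI rule at offset 3 missing because bytes 3-5 of layer 2 are the tail of the destination MAC, and `locate` reporting the OUI only at layer 2 offset 6. If the real device disagrees with this model for a rule that this model says should hit, the difference is in how the firmware counts offsets, which is the thing to probe with a one-octet pattern before building the 25-line variation.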