Raw Rule SPF config help needed ?

Discussion in 'LnS English Forum' started by Defenestration, Jun 23, 2010.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I've been looking to create some Raw rules with SPF, but I can't find any information about the options on the SPF Configuration dialog.

    Can someone provide me with details on how to use these options ?
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Thanks Phant0m! Just what I was after.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    As a first foray into Raw rule creation, I decided to create a simple rule to allow cFosSpeed (a traffic shaping app I use) pings out, and also set up the SPF table for the response (which would be a timeout). So, I used the normal Rule Editor to add the basic rule, as shown in the image below:

    cFos_Ping_OUT.png

    I then opened this rule using the Raw Rule Editor plugin:

    cFos_Ping_OUT_Raw.png

    Now, I understand the principles of how to create a Raw rule, but am confused by a few things to do with the raw rule I've just created above. First let me document what the different fields are checking for, and then I'll ask my questions:

    Field 0 checks the Ethernet Length field equals 2048.
    Field 1 checks the IP protocol field equals 17 (i.e. UDP)
    Field 2 checks the Ethernet source address equals 01:11:21:31:41:51
    Field 3 checks the Ethernet destination address equals 52:42:32:22:12:02
    Field 4 checks the IP source address equals 1.111.221.251
    Field 5 checks the IP destination address equals 252.212.112.2
    Field 6 checks the Time To Live masked with 8191 equals 0
    Field 7 checks the first byte of Time To Live field masked with 60 equals 40

    1) According to specs, the size of the data in an Ethernet frame must be between 46 and 1500 bytes. Why is the rule checking for length of 2048 in field 0 ?

    2) What is field 6 actually checking for and how does masking work in practice (i.e. is it just AND'ing the value with the mask) ?

    3) What is field 7 actually checking for ?

    EDIT: I'll do the SPF bit (and ask any related questions) once I understand the raw rule bit :D
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The rule you show is checking (field 0) ETH 12, which is "Type IP (0x0800)", not field length (0x0800 is binary for decimal 2048)

    I would need to check the rule for the other offsets to confirm what is being checked, but cannot at the moment as LnS on my setup (win7 64) won't allow me to load the plugins, I need to check why.


    - Stem
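Added example (not code from the thread, from Look 'n' Stop or from its Raw Rule Editor plugin): a small Python script that builds a constructed Ethernet II / IPv4 / UDP frame and evaluates raw-rule style checks of the form (offset, length, mask, value) against it. It encodes the field checks documented in post 4, with Stem's correction that Ethernet offset 12 is the EtherType (0x0800 = decimal 2048, not a length), and shows that masking is a bitwise AND of the field with the mask before the comparison. The header offsets, the frame contents and the placement of the 8191 (0x1FFF) mask on the IPv4 flags/fragment-offset word are assumptions for illustration of the mechanism, not a statement of what the LnS fields 6 and 7 actually check.

```python
import struct

# Constructed frame helpers (assumption: Ethernet II + IPv4 + UDP; not a capture from the thread).

def mac_bytes(text):
    """'01:11:21:31:41:51' -> six raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def ip_bytes(text):
    """'1.111.221.251' -> four raw bytes."""
    return bytes(int(part) for part in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, proto=17, frag_word=0, payload=b""):
    """Ethernet II header (dst MAC, src MAC, EtherType 0x0800), IPv4 header, UDP header.
    Checksums are left at zero; the frame only exists to exercise the field checks."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0x1234, frag_word, ttl, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    udp = struct.pack("!HHHH", 1024, 1024, udp_len, 0) + payload
    return eth + ip + udp

# Raw-rule style field check: read `length` bytes at `offset`, AND them with `mask`,
# then compare the result with `value`.

def field_matches(frame, offset, length, mask, value):
    raw = int.from_bytes(frame[offset:offset + length], "big")
    return (raw & mask) == value

def rule_matches(frame, rule):
    """A rule matches only when every one of its field checks matches."""
    return all(field_matches(frame, *check) for check in rule)

def show_mask(raw, mask, width=16):
    """Spell out the AND step in binary, e.g. for mask 8191 (0x1FFF: the low 13 bits set)."""
    return f"{raw:0{width}b} & {mask:0{width}b} = {raw & mask:0{width}b}"

ETH = 0
IP = 14   # IPv4 header begins right after the 14-byte Ethernet II header

def mac_int(text):
    return int.from_bytes(mac_bytes(text), "big")

def ip_int(text):
    return int.from_bytes(ip_bytes(text), "big")

# The checks from post 4 as (offset, length, mask, value); addresses are the thread's own values.
RULE = [
    (ETH + 12, 2, 0xFFFF, 0x0800),                               # field 0: EtherType 0x0800 = 2048 = IPv4
    (IP + 9, 1, 0xFF, 17),                                       # field 1: IP protocol 17 = UDP
    (ETH + 6, 6, 0xFFFFFFFFFFFF, mac_int("01:11:21:31:41:51")),  # field 2: Ethernet source MAC
    (ETH + 0, 6, 0xFFFFFFFFFFFF, mac_int("52:42:32:22:12:02")),  # field 3: Ethernet destination MAC
    (IP + 12, 4, 0xFFFFFFFF, ip_int("1.111.221.251")),           # field 4: IP source
    (IP + 16, 4, 0xFFFFFFFF, ip_int("252.212.112.2")),           # field 5: IP destination
    # Assumed placement for the 8191 mask: AND-ing a 16-bit word with 0x1FFF keeps only its low
    # 13 bits, so on the IPv4 flags/fragment-offset word this reads "fragment offset is zero"
    # whatever the three flag bits hold.
    (IP + 6, 2, 8191, 0),
]

if __name__ == "__main__":
    frame = build_frame("01:11:21:31:41:51", "52:42:32:22:12:02", "1.111.221.251", "252.212.112.2")
    print("rule matches:", rule_matches(frame, RULE))
    print(show_mask(0x4000, 8191))   # DF flag set, offset zero: the masked check still passes
```

Changing any single field (the protocol number, a MAC, or a non-zero fragment offset) makes `rule_matches` return False, while setting only a flag bit in the masked word does not, which is the practical effect of a mask: bits outside it are ignored by the comparison.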
     