Thanks for the response!

-----Original Message-----
From: Michael Vergoz [mailto:[EMAIL PROTECTED]
Sent: September 17, 2003 5:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...


----- Original Message ----- 
From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 18, 2003 12:01 AM
Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...


> We have a product that is dependent on winpcap. It creates point to point
> encrypted tunnels across tcp/ip networks. Basically the sender intercepts
> outbound packets, encrypts them, wraps & tunnels them over one port; the
> receiver, listening on that port, grabs the incoming packet, decrypts it,
> and reinjects it on the stack.
Oh my god!
That's a very apt response. It's been a very difficult development path.
> We use winpcap on the outbound traffic to
> determine which outbound packets to grab(there is an NDIS driver that
> removes the outbound packet from the tcp/ip stack).
>
> A client wants to use this software on a machine which has a Checkpoint
> Firewall-1 installed on it. It appears as though npf.sys can still bind to
> the lower interface but no outbound traffic is being captured. We know it
> isn't the rest of our product since this behaviour is dependent on whether
> or not winpcap is on the machine; regardless of whether or not our product
> is there. If I bring up ethereal on this machine (capturing all traffic) it
> captures all inbound traffic but no outbound traffic. A sniffer on the same
> hub as this machine shows both inbound and outbound traffic.
You are sure that it is a hub?
Yes.
>
> I speculate that the firewall interferes with the upper-edge binding to
> npf.sys. Rebuilding a debug npf.sys and logging its activity shows lots of
> reads but nothing else. Any ideas on this would be really helpful. Thanks
> for any tips!

The "problem" of all firewalls is that they inevitably touch a lower level
than you; that is also their role...
 I think that to fix this problem you would need to launch your program
before launching the firewall; it is possible that you then get a better
priority.

We've tried this manually, the firewall doesn't like it. I'm going to test
adding a DependOnService value to the FW-1 service key.

I don't know exactly how, at the kernel level, two drivers act on
two similar things...
Have you tested passing the rules to the firewall?

Haven't gotten that far...

What you can also do is hook the symbols of npf.sys and replace them with
ds: call vectors,
ex:
- open npf.sys, find all sub_ functions in the .text section and all entries in
the .idata section of the file, and record them.
- close npf.sys
- copy npf.sys to npfc.sys
- open npfc.sys
- DUPLICATE the .text section with a separator.
- find all sub_ references and patch the code after the "proc near" to create a
ds: call. These sub references must be patched before the separator.
.text:000108EC sub_108EC       proc near               ; CODE XREF: sub_10996+54Cp
.text:000108EC                                         ; sub_11304+EBp
.text:000108EC                                         ; DATA XREF: ...
.text:000108EC
.text:000108EC arg_0           = dword ptr  8
.text:000108EC arg_4           = dword ptr  0Ch
.text:000108EC arg_8           = dword ptr  10h
.text:000108EC call    ds:OriginalKeQueryPerformanceCounter

And OriginalKeQueryPerformanceCounter is equal to the copy before the
separator. (OriginalKeQueryPerformanceCounter is an example.)

I know this method is gruikkk coding. But with that you can intercept
_every_ npf driver hook and you can set your own priority! In the same
way you can create a function by making 2 calls through the ds segment. Hmmmm, if I
remember, some anti-viral toolkit used this method... to be confirmed...


Sorry for my bad english;
No problem! Thanks for the ideas!

>
> -----Original Message-----
> From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> Sent: September 17, 2003 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: Fw: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
>
>
> ----- Original Message ----- 
> From: "Michael Vergoz" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 17, 2003 9:31 PM
> Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
>
> > Could you give me more information on the design of your network?
> > firewall, router, computer, switch...
> >
> > Are you trying to see the incoming and outgoing Internet traffic of your
> > router/firewall with ethereal?
> >
> > Michael Michael VERGOZ
> > PHP Development Team
> > [EMAIL PROTECTED]
> > php-gtk : http://gtk.php.net/
> > http://www.php.net
> >
> > ----- Original Message ----- 
> > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > To: "'winpcap-users'" <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 17, 2003 7:07 PM
> > Subject: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> >
> > > Hi, All
> > >
> > > We've run into an "interesting" problem running winpcap & a
> > > checkpoint-1 Firewall. Bringing up Ethereal on the same machine shows
> > > inbound traffic but no outbound traffic. This is with the firewall
> > > configured to pass through all traffic in both directions.
> > >
> > > I have read the faq but am hoping someone might have more technical detail
> > > as to why this is happening.
> > >
> > > Cheers,
> > > Richard
> >
> > > -----------------------------------------------------------------------
> > > Richard Jagodzinski
> > > Research & Development
> > > Non-Elephant Encryption Systems Inc.
> > > (403) 232 6001
> > >
> > >
> > > ==================================================================
> > >  This is the WinPcap users list. It is archived at
> > >  http://www.mail-archive.com/[EMAIL PROTECTED]/
> > >
> > >  To unsubscribe use
> > >  mailto: [EMAIL PROTECTED]
> > > ==================================================================
> >
>
>
>



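An added example, written for this archive and not taken from any message in the thread: a PowerShell script that reads the load-ordering fields Richard mentions (DependOnService, together with Start, Type and Group) from the two service keys, so the ordering can be inspected before and after a dependency is added. The service name 'NPF' is WinPcap's driver service; 'FW1_PLACEHOLDER' stands in for the Check Point service name, which the thread never states, and the Add-ServiceDependency helper is this example's own, not a WinPcap or Check Point tool.

```powershell
# Added example: compare the load-ordering registry fields of two kernel services.
# Service names are parameters; 'FW1_PLACEHOLDER' is a placeholder, not a real name.
param(
    [string]$CaptureDriver   = 'NPF',              # WinPcap's npf.sys service (assumption: default install)
    [string]$FirewallService = 'FW1_PLACEHOLDER',  # placeholder for the Check Point FW-1 service
    [switch]$AddDependency                         # only modify the registry when explicitly asked
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-LoadOrderInfo([string]$Name) {
    $key = Join-Path $servicesRoot $Name
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Service         = $Name
        Start           = $p.Start            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Type            = $p.Type             # 1 kernel driver, 2 file system driver, 16/32 Win32 service
        Group           = $p.Group            # load-order group, ranked by ServiceGroupOrder\List
        DependOnService = $p.DependOnService  # REG_MULTI_SZ: services that must start first
        DependOnGroup   = $p.DependOnGroup
    }
}

# Position of a load-order group in the system-wide list (lower starts earlier).
function Get-GroupRank([string]$Group) {
    if (-not $Group) { return $null }
    $list = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
    return [array]::IndexOf($list, $Group)
}

# Append one service to another service's DependOnService list (idempotent).
function Add-ServiceDependency([string]$Service, [string]$Dependency) {
    $key = Join-Path $servicesRoot $Service
    $existing = @((Get-ItemProperty -Path $key).DependOnService)
    if ($existing -contains $Dependency) { return }
    $new = [string[]]($existing + $Dependency | Where-Object { $_ })
    Set-ItemProperty -Path $key -Name DependOnService -Value $new -Type MultiString
}

foreach ($name in @($CaptureDriver, $FirewallService)) {
    $info = Get-LoadOrderInfo $name
    if ($null -eq $info) { Write-Warning "service key '$name' not found"; continue }
    $info | Format-List
    $rank = Get-GroupRank $info.Group
    if ($null -ne $rank) { Write-Host "$name group '$($info.Group)' has rank $rank in ServiceGroupOrder" }
}

if ($AddDependency) {
    # Make the firewall service wait for the capture driver, as proposed in the thread.
    Add-ServiceDependency -Service $FirewallService -Dependency $CaptureDriver
    Get-LoadOrderInfo $FirewallService | Format-List
}
```

Run it from an elevated PowerShell; without -AddDependency it only reads. A DependOnService entry takes effect the next time the Service Control Manager starts the dependent service, so a reboot (or a stop/start of the firewall service) is needed to observe the new order, and a demand-start driver such as npf.sys (Start = 3 on a typical WinPcap install) will be loaded by the SCM before the firewall service rather than on first capture as it otherwise would be.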
