
[FW1] Inspect guru advice needed




Hi esteemed Inspect gurus,

In my desperate attempt to find Inspect code allowing a FLEXlm-licensed
application to pass the firewall, I have sent posts to the list.
No answer ... Maybe nobody has such a need, but who knows.

So I decided to make it myself and I came up with the Inspect code
given at the end of this mail. This code is intended to be
#included at the end of <fwdir>/base.def .

Theory of operation :
=====================

The client (i.e. the licensed application) contacts the FLEXlm daemon
on a well-known TCP port (usually 27000).

The reply from the server to the client contains (at offset 55
relative to the TCP header (or 0x4b relative to the IP header))
a null-terminated string giving the port number on which a vendor
daemon listens. All I want is that when a client is allowed to
connect to the server by a FW GUI rule, the connection to the
vendor daemon is automagically enabled.

To this end, I plan to add a user-defined service for which
Match is defined as the "flexlm_intercept" macro and Prologue is
defined as the "flexlm_accept" macro. If some rule in the GUI allows
a connection to port 27000 on the server, it should be OK.

Questions to gurus :
====================

* Does this code make sense ? (note: it compiles OK) 
* How could I make it more generic ? For instance FLEXlm port is hard-wired
  in my flexlm.def code; 27000 is the usual port but somebody can change it;
  in which case I would like to have (I don't know if it is possible) a
  definition of a FLEXlm TCP service, just defining the TCP port, and a
  modification of my script in order to get the value of this port.
  
Acknowledgments :
=================

* Many thanks to Phoneboy's Web page and Bill Burns' paper, which gave me
  a lot of insight into Inspect coding and implementation.
  
* A big boooo to CP's documentation

After tests, if it works well, I will post the final code to the 
archive.

TIA,

Pierre.

------------------------------------------------------------------
Pierre BACQUET
Director of Engineering and Research

DELTA Partners H.Q.
High Technologies for Telecommunications & Distributed  Systems
http://www.delta.fr
Tel: +33 (0)5 61 39 09 21    Fax: +33 (0)5 61 39 15 71



==================== 0< === flexlm.def === 0< ====================
//
// TBD: 
// #include "standard_disclaimer"
//
#ifndef __flexlm_def__
#define __flexlm_def__

#define FLEXLM_MAGIC 0x464c4558		/* "FLEX" */
#define FLEXLM_TIMEOUT	30
#define FLEXLM_PORT	27000

#define DMN_PORT_LOC(offset) \
	(TCPDATA + offset)

#define VDAEMON_PORT5(offset) 					\
	((([DMN_PORT_LOC(offset):1] - 48 ) * 10000) +		\
	 (([DMN_PORT_LOC(offset+1):1] - 48 ) * 1000) +		\
	 (([DMN_PORT_LOC(offset+2):1] - 48 ) * 100) +		\
	 (([DMN_PORT_LOC(offset+3):1] - 48 ) * 10) +		\
	  ([DMN_PORT_LOC(offset+4):1] - 48 ) 			\
	)

#define VDAEMON_PORT4(offset) 					\
	((([DMN_PORT_LOC(offset):1] - 48 ) * 1000) +		\
	 (([DMN_PORT_LOC(offset+1):1] - 48 ) * 100) +		\
	 (([DMN_PORT_LOC(offset+2):1] - 48 ) * 10) +		\
	  ([DMN_PORT_LOC(offset+3):1] - 48 ) 			\
	)

//
// Determine the vendor daemon port. We assume that it is a non
// privileged port (hence 4 or 5 digits). Since it is null terminated
// we know if we have 4 or 5 digits just by looking at the 5th port byte
//

#define VDAEMON_PORT(offset)						\
	( ([DMN_PORT_LOC(offset+4):1] = 0, set sr1 VDAEMON_PORT4(offset))	\
		or							\
	  set sr1 VDAEMON_PORT5(offset)					\
	)

//
// This code must be allowed by a rule in the FW GUI
// When executed it records an entry allowing the client
// to connect on the server assigned TCP port
//

#define flexlm_intercept						\
	(tcp, sport=FLEXLM_PORT,					\
	 VDAEMON_PORT(55),						\
	 record <dst, FLEXLM_MAGIC, src, sr1, ip_p;0,0 @FLEXLM_TIMEOUT> in pending	\
	)
//
// This is what you put in the prologue section
// and what gets executed on a match
//

#define flexlm_accept						\
	tcp, <src, FLEXLM_MAGIC, dst, dport, ip_p> in pending,	\
	accept

#endif /* __flexlm_def__ */
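The following is an added example, not part of Pierre's post or of Check Point's INSPECT code: a Python model of what the two macros above do, so the port-string parsing and the "pending" table lookup can be exercised offline. It assumes, as the post does, that the vendor daemon port sits at offset 55 of the server's TCP payload as a NUL-terminated decimal string and is a non-privileged port; all packets and payloads are constructed, the hostnames, IP addresses and function names are illustrative, and the `PendingTable` class is a stand-in for the INSPECT dynamic table (with the `@FLEXLM_TIMEOUT` expiry), not a real one.

```python
"""Model of the FLEXlm vendor-daemon "hole punching" described in the post.
Constructed data only; offset 55 and the non-privileged-port assumption
come from the post, the rest is illustrative."""
from typing import Dict, Optional, Tuple

FLEXLM_MAGIC = 0x464C4558      # "FLEX", same tag as the INSPECT code
FLEXLM_TIMEOUT = 30            # seconds a pending entry stays valid
FLEXLM_PORT = 27000            # lmgrd port, hard-wired as in the post
PORT_OFFSET = 55               # offset of the port string in the TCP payload

# (client, magic, server, vendor port, proto): mirrors the INSPECT record
PendingKey = Tuple[str, int, str, int, str]


def parse_vendor_port(tcp_data: bytes, offset: int = PORT_OFFSET) -> Optional[int]:
    """Return the vendor daemon port sent as a NUL-terminated decimal string
    at `offset`, or None if the field is malformed.

    Unlike VDAEMON_PORT4/5, this checks that every byte is a digit, accepts
    1 to 5 digits, and rejects privileged or out-of-range values instead of
    computing a bogus port from non-digit bytes.
    """
    end = tcp_data.find(b"\x00", offset)
    if end <= offset:                    # no terminator, or empty string
        return None
    field = tcp_data[offset:end]
    if len(field) > 5 or not field.isdigit():
        return None
    port = int(field)
    if not 1024 <= port <= 65535:        # post assumes a non-privileged port
        return None
    return port


def build_reply(vendor_port: int) -> bytes:
    """Constructed server->client payload: filler up to offset 55, then the port."""
    return b"A" * PORT_OFFSET + str(vendor_port).encode() + b"\x00"


class PendingTable:
    """Stand-in for the INSPECT 'pending' dynamic table with per-entry expiry."""

    def __init__(self, timeout: int = FLEXLM_TIMEOUT) -> None:
        self.timeout = timeout
        self._entries: Dict[PendingKey, float] = {}

    def record(self, key: PendingKey, now: float) -> None:
        self._entries[key] = now + self.timeout

    def lookup(self, key: PendingKey, now: float) -> bool:
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if now > expiry:                 # expired, as @FLEXLM_TIMEOUT would do
            del self._entries[key]
            return False
        return True


def flexlm_intercept(pkt: dict, pending: PendingTable, now: float) -> bool:
    """Match side: on a server->client reply from sport 27000, learn the vendor
    port and record <client, magic, server, vport, proto> in the table."""
    if pkt["proto"] != "tcp" or pkt["sport"] != FLEXLM_PORT:
        return False
    vport = parse_vendor_port(pkt["data"])
    if vport is None:
        return False
    pending.record((pkt["dst"], FLEXLM_MAGIC, pkt["src"], vport, "tcp"), now)
    return True


def flexlm_accept(pkt: dict, pending: PendingTable, now: float) -> bool:
    """Prologue side: a client->vendor daemon packet is accepted only if the
    matching entry was recorded by an intercepted reply and has not expired."""
    if pkt["proto"] != "tcp":
        return False
    key = (pkt["src"], FLEXLM_MAGIC, pkt["dst"], pkt["dport"], "tcp")
    return pending.lookup(key, now)


def demo() -> Tuple[bool, bool, bool, bool]:
    """One license checkout on constructed packets; returns four accept decisions."""
    pending = PendingTable()
    client, server = "10.0.0.5", "192.0.2.10"        # constructed addresses
    reply = {"proto": "tcp", "src": server, "sport": FLEXLM_PORT,
             "dst": client, "dport": 40001, "data": build_reply(27001)}
    assert flexlm_intercept(reply, pending, now=0.0)

    to_vendor = {"proto": "tcp", "src": client, "sport": 40002,
                 "dst": server, "dport": 27001}
    wrong_port = dict(to_vendor, dport=27002)
    other_host = dict(to_vendor, src="10.0.0.6")
    return (
        flexlm_accept(to_vendor, pending, now=1.0),   # learned port: accepted
        flexlm_accept(wrong_port, pending, now=1.0),  # port never announced
        flexlm_accept(other_host, pending, now=1.0),  # different client
        flexlm_accept(to_vendor, pending, now=31.0),  # entry expired
    )
```

Two things the model makes visible that the macros do not: a reply whose port field contains non-digit bytes would still yield a number from VDAEMON_PORT4/5 (each byte minus 48 is summed regardless), so the Python version rejects it instead; and the `lookup` key uses the client address, so one client's intercepted reply cannot open the vendor port for another host. To answer the "more generic" question in the same spirit, `FLEXLM_PORT` is the only value that would need to become a parameter of `flexlm_intercept`.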

