
Re: [FW1] Inspect guru advice needed




Dameon,

> Looks good to me (though I'm by no means an expert on Inspect).

Well, Inspect is a little bit sneaky ... My code was compiling OK
provided that I didn't have a rule using it!! I then added
my custom rule and the code was no longer compiling!!!

The fix was easy: the very last lines should be:

#define flexlm_accept {						\
	tcp, <src, FLEXLM_MAGIC, dst, dport, ip_p> in pending,	\
	accept;							\
	}

Notice the curly braces instead of the round braces!!

I have tried my code, but I stumble into another crux: the problem
is that the port to use is given in the reply from the server.
So, my flexlm_intercept must accept the "incoming" SYN from the
client on TCP port 27000 and then take a look at the "outgoing"
server reply from that same port. I must admit I have trouble
writing such a rule. Any idea?

In the same way, does anybody know how to debug Inspect code??

> I would shy away from modifying base.def directly. 4.0 has a file called
> user.def that does not get overwritten on upgrades.

Thanks for the tip.
 
Pierre.

>
> Hi estimated Inspect gurus,
>
> In my desperate attempt to find Inspect code allowing FLEXlm
> licensed applications to pass the firewall, I have sent posts
> to the list. No answer ... Maybe nobody has such a need, but who
> knows.
>
> So I decided to make it myself and I came to the Inspect code
> given at the end of this mail. This code is intended to be
> #included at the end of <fwdir>/base.def .
>
> Theory of operation:
> =====================
>
> The client (i.e. the licensed application) contacts FLEXlm daemon
> on a well known TCP port (usually 27000).
>
> The reply from the server to the client contains (at offset 55
> relative to the TCP header (or 0x4b relative to the IP header))
> a null-terminated string giving the port number on which a vendor
> daemon listens. All I want is that when a client is enabled to
> connect to the server by a FW GUI rule, the connection to the
> vendor daemon is automagically enabled.
>
> For this sake, I plan to add a user-defined service for which
> match is defined to "flexlm_intercept" macro and Prologue is
> defined to "flexlm_accept" macro. If some rule in the GUI allows
> a connection to the port 27000 on the server, it should be OK.
>
> Questions to gurus:
> ====================
>
> * Does this code make sense? (note: it compiles OK)
> * How could I make it more generic? For instance the FLEXlm port is
>   hard-wired in my flexlm.def code; 27000 is the usual port but
>   somebody can change it; in which case I would like to have (I don't
>   know if it is possible) a definition of a FLEXlm TCP service, just
>   defining the TCP port, and a modification of my script in order to
>   get the value of this port.
>
> Acknowledgments:
> =================
>
> * Many thanks to Phoneboy's Web page and Bill Burns' paper, which gave me a
>   lot of insights on Inspect coding and implementation.
>
> * A big boooo to CP's documentation
>
> After tests, if it works well, I will post the final code to the
> archive.
>
> TIA,
>
> Pierre.
>
> ------------------------------------------------------------------
> Pierre BACQUET
> Director of Engineering and Research
>
> DELTA Partners H.Q.
> High Technologies for Telecommunications & Distributed  Systems
> http://www.delta.fr
> Tel: +33 (0)5 61 39 09 21  Fax:  +33 (0)5 61 39 15 71
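The "theory of operation" quoted above (remember the client's SYN to port 27000, read the vendor-daemon port out of the server's reply at offset 55 from the TCP header, then permit only that client/server/port triple) as an added worked example in Python. This is editor-added illustration code, not Pierre's Inspect macros or anything shipped with FireWall-1; it assumes the reply segment carries no TCP options (so offset 55 is measured from a plain 20-byte header, as the post describes), and the sample reply it builds is constructed padding that only reproduces the offset, not the real FLEXlm message layout. The point it adds is the validation step: a port learned from packet data must be checked for being numeric and in range before it is used to open a hole.

```python
import struct

# Values taken from the post: the lmgrd well-known port and the offset of the
# null-terminated port string, relative to the start of the TCP header.
FLEXLM_PORT = 27000
VENDOR_PORT_OFFSET = 55


def vendor_port_from_segment(tcp_segment: bytes):
    """Extract the vendor-daemon port announced in a FLEXlm server reply.

    tcp_segment is the TCP header plus payload. Returns the port as an int,
    or None if the string is missing, non-numeric or out of range. Anything
    read from a packet must be validated before it is used to open a hole.
    """
    if len(tcp_segment) <= VENDOR_PORT_OFFSET:
        return None
    end = tcp_segment.find(b"\x00", VENDOR_PORT_OFFSET)
    if end == -1:
        return None
    digits = tcp_segment[VENDOR_PORT_OFFSET:end]
    if not digits.isdigit():          # also rejects an empty string
        return None
    port = int(digits)
    return port if 1 <= port <= 65535 else None


class FlexlmPinholeTracker:
    """Stateful equivalent of the 'pending' table in the Inspect macro (hypothetical helper)."""

    def __init__(self):
        self.pending = set()   # (client, server) pairs that sent a SYN to 27000
        self.allowed = set()   # (client, server, vendor_port) triples we will accept

    def on_client_syn(self, src, dst, dport):
        """Client -> server SYN; remember it only if it targets the lmgrd port."""
        if dport == FLEXLM_PORT:
            self.pending.add((src, dst))

    def on_server_reply(self, src, dst, sport, tcp_segment):
        """Server -> client segment from port 27000; learn the vendor port."""
        if sport != FLEXLM_PORT or (dst, src) not in self.pending:
            return None
        port = vendor_port_from_segment(tcp_segment)
        if port is not None:
            self.allowed.add((dst, src, port))
        return port

    def permits(self, src, dst, dport):
        """True only for a vendor-daemon connection that a reply has announced."""
        return (src, dst, dport) in self.allowed


def build_sample_reply(port_text: bytes) -> bytes:
    """Constructed test segment: a 20-byte TCP header (no options) followed by
    a payload that places port_text, NUL-terminated, at offset 55. Only the
    offset mirrors the real FLEXlm reply; the rest of the payload is padding."""
    header = struct.pack("!HHIIBBHHH", FLEXLM_PORT, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    payload = b"\x00" * (VENDOR_PORT_OFFSET - len(header)) + port_text + b"\x00" + b"\x00" * 8
    return header + payload


if __name__ == "__main__":
    t = FlexlmPinholeTracker()
    t.on_client_syn("10.0.0.5", "10.0.0.9", FLEXLM_PORT)
    learned = t.on_server_reply("10.0.0.9", "10.0.0.5", FLEXLM_PORT, build_sample_reply(b"27001"))
    print("learned vendor port:", learned)
    print("client -> vendor daemon allowed:", t.permits("10.0.0.5", "10.0.0.9", 27001))
    print("unrelated port allowed:", t.permits("10.0.0.5", "10.0.0.9", 27002))
```

Run it as a script to see the flow: the reply is ignored until a matching SYN has been recorded, the learned port opens exactly one triple, and a reply whose string is empty, non-numeric or outside 1..65535 opens nothing. Running the parser over captured traffic is also a cheap way to confirm the offset before committing it to an Inspect rule, which addresses the debugging question above.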

