Re: Packet filtering in neta


Subject: Re: Packet filtering in neta
From: Stefan Bethke (stefan@Promo.DE)
Date: Fri Jun 28 1996 - 14:03:38 EDT


>I've got two companies in the same house that both use appletalk as main
>network protocol. Those companies want to regularly exchange big files
>(several hundred M), but are otherwise completely separate businesses. I
>would like to create a situation, where company A has access to company B's
>one mac server and vice versa - company B has access to company A's one
>server. All the other macs and printers should be hidden for the other
>party.
>Is there a possibility to make netatalk do a kind of restrictive routing?
>I.e. something like access lists or packet filters in TCP/IP world.

I don't think there is any filtering/firewalling code in 1.3.3. Implementing weak filtering (ZIP+NBP, while the kernel still passes packets and RTMP still announces routes) would only require changes to atalkd; strong filtering would also require changes to the kernel.

However, in this special case it might be possible to do what you want with only a little code. If both servers are netatalk and the setup looks something like:

A's ether
...--------+--------------------+
           |                    |
     [A's server]          [B's server]
           |                    |
           +--------------------+---------...
                                     B's ether

If netatalk were not a router but a multi-homed host, both companies could access both servers, but no devices behind the servers. This change should be fairly small: stop atalkd from ZIP/RTMPing routes into the net, and, for best security, patch the kernel to not forward AppleTalk packets.

Stopping the kernel from forwarding packets only requires changing ddp_forward in ddp_input.c from 1 to 0 (this is true at least for FreeBSD, which I am using).

The change to atalkd could be as easy as the following diff. Note, however, that I didn't test it; there still might be some info posted to the interfaces.

-----snip-----
*** main.c.orig Fri Jun 28 19:46:50 1996
--- main.c Fri Jun 28 19:51:36 1996
***************
*** 375,380 ****
--- 375,381 ----
                rtmp = rtmp->rt_next;
            }

+ #if defined(MULTIHOMED)
            /* send what we've got */
            if ( n > 0 ) {
                zh.zh_op = ZIPOP_QUERY;
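Review bot: the guard's sense looks inverted relative to the goal stated above the diff: `#if defined(MULTIHOMED)` keeps the `/* send what we've got */` ZIP query only in builds that define MULTIHOMED, so the multi-homed build would still announce while the ordinary router build goes silent; if the send is to be compiled out for the multi-homed host, the condition should be `#if !defined(MULTIHOMED)`.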
***************
*** 389,394 ****
--- 390,396 ----
                    syslog( LOG_ERR, "as_timer sendto: %m" );
                }
            }
+ #endif /* MULTIHOMED */
        }
        if ( fgate ) {
            free( (caddr_t)fgate );
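Review bot: the `#endif /* MULTIHOMED */` lands right after the brace that closes `if ( n > 0 ) {`, so the excluded region is brace-balanced and `if ( fgate )` / `free( (caddr_t)fgate );` still run as before; however the loop that ends at `rtmp = rtmp->rt_next;` still builds the query and increments `n`, which is then never used in the excluded build and will draw an unused-variable warning from a picky compiler, so either guard the build-up as well or leave a comment saying why it is kept.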
***************
*** 398,403 ****
--- 400,406 ----
        /*
         * Send RTMP broadcasts.
         */
+ #if defined(MULTIHOMED)
        if ( ninterfaces > IFBASE ) {
  #ifdef BSD4_4
            sat.sat_len = sizeof(struct sockaddr_at);
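Review bot: the `/* Send RTMP broadcasts. */` comment stays outside the new guard, so in a build where the block is excluded the comment describes code that is not there; move the `#if` above the comment or extend the comment to say the broadcasts are conditional on MULTIHOMED. The same sense question as for the ZIP guard applies to this `#if defined(MULTIHOMED)`, and since the region now nests the existing `#ifdef BSD4_4`, its closing `#endif` must come after the `#endif` that belongs to BSD4_4.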
***************
*** 506,511 ****
--- 509,515 ----
                }
            }
        }
+ #endif /* MULTIHOMED */
      }

      /*
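Review bot: this `#endif` closes a guard opened more than a hundred source lines earlier (at `if ( ninterfaces > IFBASE ) {`, line 400 of the new file), and the three `}` context lines do not show which brace belongs to that `if`; please confirm the `}` directly before `#endif /* MULTIHOMED */` is the one closing `if ( ninterfaces > IFBASE )` and not an inner loop, otherwise the excluded build fails with an unmatched brace. Given the note that the patch is untested, building once with -DMULTIHOMED and once without would settle both this and the guard sense.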
----snip-----

Both networks must be configured as if they were connected; both networks need a seed router.

Stefan

--
Promo Datentechnik      |  Tel. 040/431360-0
+ Systemberatung GmbH   |  Fax. 040/431360-60
Waterloohain 6-8        |  e-mail: stefan@Promo.DE
D-22769 Hamburg         |  http://www.Promo.DE/
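The mail above says that turning ddp_forward from 1 to 0 turns the netatalk box from a router into a plain multi-homed host: both companies still reach the server itself, but nothing behind it. The following is an added illustration of that decision written for this page; it is not netatalk's ddp_input.c and not code from Stefan's mail. The two-interface layout, the net and node numbers, and the function names (ddp_route, route_verdict, route_out_if) are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not netatalk's ddp_input.c) of the decision that the
 * ddp_forward flag controls on a multi-homed AppleTalk host with two cables.
 * All net and node numbers below are invented sample values.
 */
enum { IF_A = 0, IF_B = 1, NIFACES = 2 };
#define ATALK_BCAST_NODE 0xff

struct iface {
    const char *name;
    uint16_t    net;    /* AppleTalk network number of the attached cable */
    uint8_t     node;   /* this host's node id on that cable */
};

static const struct iface ifaces[NIFACES] = {
    { "A's ether", 1, 10 },  /* constructed: A's cable is net 1, server is node 10 */
    { "B's ether", 2, 20 },  /* constructed: B's cable is net 2, server is node 20 */
};

enum verdict { DELIVER_LOCAL = 0, NOT_FOR_US = 1, FORWARDED = 2, DROPPED = 3 };

/*
 * Decide what happens to a DDP packet received on in_if for dst_net.dst_node.
 * ddp_forward == 1 behaves like a router, ddp_forward == 0 like a plain host.
 * On FORWARDED, *out_if receives the egress interface.
 */
enum verdict ddp_route(int ddp_forward, int in_if,
                       uint16_t dst_net, uint8_t dst_node, int *out_if)
{
    int i;

    /* Unicast to one of our own addresses, or a broadcast on the arriving
     * cable: handed to the local stack regardless of ddp_forward. This is
     * why each company can still reach the server from its own side. */
    if (dst_net == ifaces[in_if].net && dst_node == ATALK_BCAST_NODE)
        return DELIVER_LOCAL;
    for (i = 0; i < NIFACES; i++)
        if (ifaces[i].net == dst_net && ifaces[i].node == dst_node)
            return DELIVER_LOCAL;

    /* Another node on the cable the packet arrived on already heard it. */
    if (dst_net == ifaces[in_if].net)
        return NOT_FOR_US;

    /* A node on the other side of the box: forward only if we are a router. */
    if (!ddp_forward)
        return DROPPED;
    for (i = 0; i < NIFACES; i++) {
        if (i != in_if && ifaces[i].net == dst_net) {
            *out_if = i;
            return FORWARDED;
        }
    }
    /* No directly attached net for dst_net; a real kernel would consult its
     * route table here, the model simply has no route. */
    return DROPPED;
}

/* Convenience wrappers so the verdict and the egress can be checked separately. */
enum verdict route_verdict(int ddp_forward, int in_if, uint16_t net, uint8_t node)
{
    int out = -1;
    return ddp_route(ddp_forward, in_if, net, node, &out);
}

int route_out_if(int ddp_forward, int in_if, uint16_t net, uint8_t node)
{
    int out = -1;
    (void)ddp_route(ddp_forward, in_if, net, node, &out);
    return out;
}

int main(void)
{
    static const char *names[] = { "deliver locally", "not for us", "forward", "drop" };
    int fwd;

    for (fwd = 1; fwd >= 0; fwd--) {
        printf("ddp_forward = %d\n", fwd);
        /* a packet from A's cable to B's server's own address on B's cable */
        printf("  to 2.20 (server itself): %s\n", names[route_verdict(fwd, IF_A, 2, 20)]);
        /* a packet from A's cable to a Mac hidden behind B's server */
        printf("  to 2.30 (Mac behind it): %s\n", names[route_verdict(fwd, IF_A, 2, 30)]);
    }
    return 0;
}
```

With ddp_forward at 1 the second packet is forwarded out B's interface; with it at 0 the same packet is dropped while the server's own addresses, and broadcasts on the arriving cable, are still delivered. The kernel flag only covers forwarding, which is why the mail pairs it with silencing atalkd's ZIP and RTMP announcements: otherwise the box keeps advertising routes it no longer honours.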



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:24:07 EST