ANNOUNCING FIREWALL-STYLE PACKET FILTERING FOR dp-2.3  --  infilt-0.6


Enclosed is a package named "infilt-0.6" that is a patch to DialupPPP
dp-2.3.  (It may also work on other SunOS/BSD streams-based 
PPP drivers.)

The package does two things:

	1. It implements firewall-style filtering on packets coming
	   into a host over a PPP connection.

	2. It adjusts the packets slightly to improve interactive
	   latency on a slow PPP link containing some batch traffic
	   as well.


Please give me feedback if you attempt to use this package;
let me know of both success and failure.  I'm particularly
interested in what platforms and drivers it works with.


This is the second release, named version "0.6", and you should
consider it beta quality.  The first release was out for a
month before this one, and worked rather well, but had problems
with fragmented packets.  This release adds the second item
above, fixes the fragmentation problem from before, and has
support for configuring dynamically-loaded kernel modules
(thanks to Brett Lymn <blymn@awadi.com.AU>).


				strick@yak.net
				Henry Strickland
				strick@netcom.com
				Tue Oct  4 1994



------------------------------------------------------------------------
------------------------------------------------------------------------
Here is an excerpt from "infilt.doc".  The package itself is small, 
so it is enclosed at the end, gzip'ed and uuencoded.
------------------------------------------------------------------------

FIREWALL-STYLE FILTERING FOR INPUT PPP PACKETS

        This package provides simple firewall-style packet filtering.
        It is designed for a local network that is connected to the big
        internet through a single PPP link.  It runs inside the
        operating system kernel on the "local host", the machine
        in the local network that has the PPP interface to the
        big internet:


        -----------------                      ---------------------
                        |                      |                   |
                        |          (filtered)  |         local     |
           the          |          incoming->  |                   |
                        |                      --------    network |
             big        <======PPP=link========> local|            |
                        |                      | host |            |
             internet   |  <-outgoing          --------            |
                        |    (undisturbed)     |                   |
                        |                      |                   |
        -----------------                      ---------------------



        The package looks at packets coming into the local network
        through this PPP link ("incoming packets"), and it quietly drops
        packets that it deems to be evil, using some simple criteria.

        Packets leaving the local network through the PPP link
        ("outgoing packets") are unaffected and are never dropped.

TCP WINDOW AND MSS CLAMPING (New feature in version 0.6)

        TCP packets, both incoming and outgoing, will have their
        "window" field and "MSS" options examined and possibly
        tweaked.  Maximum values for these two fields can be
        configured, and any TCP packet with these values greater than
        the maximum values will be altered to have the maximum value.

        The benefit of keeping the "window" small is that it keeps
        batch packets from piling up on a slow PPP link and causing
        a lot of latency for small, interactive packets.

        The benefit of keeping the "MSS" small is that it will avoid
        IP fragmentation, which is messy and not very reliable (at
        least on my sun3 running SunOS4.1.1) and commonly causes
        file transfers to freeze up.

------------------------------------------------------------------------
------------------------------------------------------------------------

SEVEN ACTIONS

        The infilt package may be configured to do any or all of
        these seven different things to packets:

            1.  Drop selected incoming TCP packets, based on destination port.

            2.  Drop selected incoming UDP packets, based on destination port.

            3.  Drop selected incoming ICMP packets, based on icmp_type.

            4.  Drop incoming packets containing IP header options.

            5.  Write zeros over IP header options on incoming packets,
                        rendering the header options impotent.

            6.  Clamp the TCP "window" field on incoming or outgoing
                        packets to a maximum value.

            7.  Clamp the TCP "MSS" option field on incoming or outgoing
                        packets to a maximum value.
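Actions 6 and 7 (the window and MSS clamping described in the section above) as an added C example that is not infilt's own code: it parses a raw IPv4/TCP packet, clamps both fields in place, leaves non-first fragments alone because they carry no TCP header, and recomputes the TCP checksum so the altered segment is still accepted. The packet bytes in demo_pkt and the 512-byte window / 536-byte MSS limits are constructed for this demonstration.

```c
/* Added example, not infilt's code: clamp the TCP window and MSS option of an IPv4/TCP
 * packet in place (actions 6 and 7) and recompute the TCP checksum.  demo_pkt and the
 * limits in demo_clamp() are constructed values, not taken from the package. */
#include <stdint.h>
#include <stddef.h>
/* TCP checksum over pseudo-header + segment: returns 0 for a valid packet; with the
 * checksum field zeroed it returns the value to store. */
static uint16_t tcp_csum(const uint8_t *ip, size_t len) {
    size_t i, ihl = (ip[0] & 0x0f) * 4;
    uint32_t sum = (uint32_t)(6 + len - ihl);                    /* protocol, TCP length */
    for (i = 12; i < 20; i += 2) sum += (ip[i] << 8) | ip[i + 1]; /* src, dst addresses */
    for (i = ihl; i + 1 < len; i += 2) sum += (ip[i] << 8) | ip[i + 1];
    if (i < len) sum += ip[i] << 8;                              /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns the number of fields clamped, or -1 when there is no TCP header to touch:
 * not IPv4/TCP, truncated, or a non-first fragment (no ports, window or options in it). */
int clamp_tcp(uint8_t *ip, size_t len, uint16_t max_win, uint16_t max_mss) {
    size_t ihl = len < 20 ? 0 : (ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 20 > len || (ip[0] >> 4) != 4 || ip[9] != 6 || (ip[6] & 0x1f) || ip[7]) return -1;
    uint8_t *tcp = ip + ihl; size_t i, doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > len) return -1;
    int changed = 0;
    if (((tcp[14] << 8) | tcp[15]) > max_win) { tcp[14] = (uint8_t)(max_win >> 8); tcp[15] = (uint8_t)max_win; changed++; }
    for (i = 20; i < doff; ) {                      /* options: kind 0 = end, 1 = NOP, else kind,len,data */
        if (tcp[i] == 0) break;
        if (tcp[i] == 1) { i++; continue; }
        if (i + 1 >= doff || tcp[i + 1] < 2 || i + tcp[i + 1] > doff) break;   /* malformed list */
        if (tcp[i] == 2 && tcp[i + 1] == 4 && ((tcp[i + 2] << 8) | tcp[i + 3]) > max_mss) {
            tcp[i + 2] = (uint8_t)(max_mss >> 8); tcp[i + 3] = (uint8_t)max_mss; changed++;
        }
        i += tcp[i + 1];
    }
    if (changed) {                                  /* full recompute; RFC 1624 could do it incrementally */
        uint16_t c; tcp[16] = tcp[17] = 0; c = tcp_csum(ip, len); tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)c;
    }
    return changed;
}

/* Constructed SYN 10.0.0.2:1234 -> 192.0.2.1:80, window 65535, options MSS 1460, NOP, NOP,
 * SACK-permitted.  The IP header checksum is left zero: clamping never alters IP bytes. */
uint8_t demo_pkt[48] = { 0x45,0x00,0x00,0x30, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,2, 192,0,2,1,
    0x04,0xd2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70,0x02,0xff,0xff, 0,0,0,0, 2,4,0x05,0xb4, 1,1,4,2 };

/* Gives demo_pkt a valid checksum, then clamps it to window 512 / MSS 536 for a slow link. */
int demo_clamp(void) {
    uint16_t c = tcp_csum(demo_pkt, sizeof demo_pkt); demo_pkt[36] = (uint8_t)(c >> 8); demo_pkt[37] = (uint8_t)c;
    return clamp_tcp(demo_pkt, sizeof demo_pkt, 512, 536);   /* returns 2: window and MSS both clamped */
}
```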



------------------------------------------------------------------------
------------------------------------------------------------------------



