Re: tcp/ip filtering

Coolio (omnilord@igc.net)
Thu, 16 May 1996 00:25:45 -0400 (EDT)


On the subject of implementing a server based tcp/ip packet filtering
system...

> Okay, I see the scale of what you are trying to do now.... It would
> certainly be a neat demonstration!

Yeah! And definitely a bonus for linux, if it became an easily configured
option (maybe with its own mailing list & constantly updated database of
"no-no" words & sites...)

> > Also, about students encrypting their data to evade the censorship..
>
> I don't think it would be that hard. It wouldn't take full encryption;
> simply toggling bit 3 of every byte would do quite well.

True, but it's high school and very few would take the time to figure out
how to xor their bytes :)

> Your idea would stop some of the most blatant searches for encryption.
> However, there is always going to be a way out. And how can anyone
> stop people from downloading "naughty" pictures, anyway, which is
> probably the teachers' most serious concern? Hmm, actually I'd probably
> enjoy being on the development team for Optical Breast Recognition :)

Yes, I have spent a while thinking of loopholes in this plan, but
hopefully when it is finished it will block web pages (along with irc &
email, and anything else that arrives over the network) with bunches of
nasty pictures, not by analyzing the picture data, but by recognizing an
unwanted picture name in the html source... It would probably be a happy(?)
side effect that an incoming web page would have <IMG SRC="breast.gif">,
and the filterer would notice breast.gif and stop the connection... (I'm not
saying anything with the word "breast" should be filtered, just
"breast.gif"... maybe there would even be a whole sub category of banned
picture names... it would certainly have to be more restrictive than
other triggers, since once the incoming data from the picture arrives, it
is too late.. and of course, not everything with the word "breast" should
be filtered :)

Basically, I think the parser could be broken down to a very simple method:

1. Step through incoming data until alphabetic character is encountered
(A-Z)... Wait for more characters, adding them onto the end of a string
until a non-alphabetic character is encountered..

2. Do an optimized comparison of the uppercased string with all of the
pre-uppercased "no-no" words.. If any matches, terminate connection
immediately.. (maybe later it could be made to spit out "No-no word
found, connection terminated" or something more informative before
cutting the connection)

3. If the alphanumeric characters do not terminate before the end of a
packet, they would get stored in a "buffer" string, so that fragmented
words would still be filtered...

That would probably be enough to make my teachers very happy, and give a
pretty impressive tool to the linux community to play with (altho most
probably abhor censorship and don't want anything to do with it).. even
so, we might see some ISPs start to use it...

Later on, maybe some parsing features could be added, altho there might
be some debate of effectiveness versus speed... For instance, people on
irc regularly encode their words by simply replacing some letters with
look-alikes... maybe the engine could be made aware of this (altho more
things to scan for = more processor wasted... it would all depend on how
secure the sysadmin wants his system) like breast could be written as
]3rE/-\S+... hmm, well this would be a subject to think about after the
base filterer was in place..

Hopefully someone will help me out with it because I am not at the point
of being a kernel hacker yet... In fact I am just moving to C after
spending a LONG time hacking with pascal & asm :):) ... Maybe after some
basic working code is written I could try messing around with it, but for
now I have no idea where to start putting stuff in the kernel.. (someone
suggested ip_fw.c, which is a good idea, since that's where packets get
filtered already, except the criteria is presently limited to source &
destination IP)

> I still think that the only ways to really do effective censorship are:
> a) have a teacher scan every single network request, either in
> real-time or no.
> b) have some sort of "OK list" of things to download from the Internet.
> Automatically reject things that aren't on the OK list.

Yes, but like I said, my teachers are very lazy... In fact I think they
enjoy spending their time obstructing productivity more than
encouraging it... which is why I think a good piece of code in the kernel
would do a WAY better job at restricting access (hmm maybe even a bad
piece of code.. hehe)
There are some companies out there that want to do what you suggested for
B, but they have a lot more funding (I have none) and time than I have to
browse the web and rate each page (besides, what's the use of having
everything automated up to this point to just revert back to requiring
human intervention?)... it would be a lot more time effective (and neat) to
build a little filterer... no matter how ineffective the first
version may be, it would provide a starting point...

> A sincere good luck on your quest for Internet access. I would
> have a very difficult time dealing with these people.

Thank you, and thanks to everyone that replied... I was trying to send an
email in response to someone else this morning, but my connection died
and my ISP's old version of pine happily threw my email away! (resuming
postponed message gives bug report).. By the time I got back to email
this afternoon, I had another 200 something new messages to read :)..
(most are worth the effort tho!)

> Lex

-Vermont Rutherfoord
omnilord@igc.net
http://www.igc.net/~omnilord/ (has pointer to linux computer and lots of
nifty programming stuffs!)
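Added example, not part of the message above and not code from the author or from the Linux kernel of the time: a user-space C sketch of the three-step parser the post describes (collect a run of word characters, uppercase it and compare against a pre-uppercased list, and keep a partial run in a buffer so a word split across two packets is still caught). The banned list, the packet payloads and the WORD_MAX bound are constructed for the demonstration; the word-character class is assumed to be alphanumerics plus '.', so that a banned filename such as breast.gif matches as one token while the bare word breast does not, which is the distinction the post asks for. The look-alike substitutions mentioned later in the post are not handled here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_MAX 32   /* assumption: longest token buffered across packets */

/* Constructed sample list, already uppercased as step 2 requires. */
static const char *const banned[] = { "BREAST.GIF", "FORBIDDEN", NULL };

typedef struct {
    char buf[WORD_MAX + 1];   /* partial token carried between packets (step 3) */
    size_t len;
    int overflow;             /* token exceeded WORD_MAX: discard it at the next boundary */
} filter_state;

void filter_init(filter_state *s) { memset(s, 0, sizeof *s); }

/* Assumption: letters, digits and '.' form a token, so filenames stay whole. */
static int is_word_char(int c) { return isalnum(c) || c == '.'; }

/* Step 2: compare the completed token with the list. Returns 1 on a hit and
 * always resets the buffer, so the next token starts clean. */
static int check_token(filter_state *s) {
    int hit = 0;
    if (!s->overflow) {
        while (s->len > 0 && s->buf[s->len - 1] == '.') s->len--;  /* "word." is still "word" */
        if (s->len > 0) {
            s->buf[s->len] = '\0';
            for (const char *const *w = banned; *w; w++)
                if (strcmp(s->buf, *w) == 0) { hit = 1; break; }
        }
    }
    s->len = 0;
    s->overflow = 0;
    return hit;
}

/* Step 1 over one packet payload. Returns 1 as soon as a banned token is
 * completed (it may have begun in an earlier packet), else 0. */
int filter_feed(filter_state *s, const unsigned char *data, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int c = data[i];
        if (is_word_char(c)) {
            if (s->len < WORD_MAX) s->buf[s->len++] = (char)toupper(c);
            else s->overflow = 1;   /* bounded buffer: never write past it */
        } else if (s->len > 0 || s->overflow) {
            if (check_token(s)) return 1;
        }
    }
    return 0;
}

/* Call at end of stream so a token with no terminator is still checked. */
int filter_finish(filter_state *s) { return check_token(s); }

/* Run a constructed sequence of packet payloads through one filter state.
 * Returns the 1-based index of the packet on which the filter fired,
 * or 0 if the whole stream passed. */
int scan_packets(const char *const *pkts, int count) {
    filter_state s;
    filter_init(&s);
    for (int i = 0; i < count; i++)
        if (filter_feed(&s, (const unsigned char *)pkts[i], strlen(pkts[i])))
            return i + 1;
    return filter_finish(&s) ? count : 0;
}

int main(void) {
    /* Constructed sample: the filename is fragmented across two packets. */
    const char *split[] = { "<HTML><IMG SRC=\"brea", "st.gif\"> hello" };
    const char *clean[] = { "a study of breast cancer screening" };
    printf("split stream fired on packet %d\n", scan_packets(split, 2));  /* 2 */
    printf("clean stream fired on packet %d\n", scan_packets(clean, 1));  /* 0 */
    return 0;
}
```

Two points worth noticing: the match on the split stream only works because the partial run "BREA" survives in the state between calls, which is exactly step 3; and the buffer is bounded, with an over-long run discarded rather than written past the end, which is the first thing anyone moving this logic into kernel code would have to get right.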