The Intelligent Hacker's Choice.. Systems, Networks, Administration.. since 1977
Firewalls Mailing List Archives
Security Whitepapers
Firewall Topics
Internet Security
Network Security
Enter phrases, or multiple key words.
Latest News TZ=utc List All News
08/07 23:52:27 Update on recent issues at
06/22 19:17:48 Multiple vulnerabilties in ISC's DHCP
06/16 18:13:17 Cisco BGP DOS
05/05 17:06:15 FreeBSD local DOS vulnerability
05/05 16:39:08 cvs(1) vulnerable

AnySystem.Com has the largest selection of brand name remanufactured computer products at the lowest prices. Save up to 80% off the original list price of all Sun Products and Parts!  Call (201) 967-9500 or visit our online store

Firewalls Mailing List: infilt-0.6 released; improves interactive latency

infilt-0.6 released; improves interactive latency

strick (
Wed, 5 Oct 1994 00:26:10 -0700

Here's the announcement for the new release of my dp-2.3 packet filter.

Notice the major new feature marked "TCP WINDOW AND MSS CLAMPING",
which really improves interactive latency in the presence of
batch transfers. (That's for you, Scott Yelich!)

FTP from /pub/infilt/infilt-0.6.tar.gz
or email me if you want it uuencoded by email.




Enclosed is a package named "infilt-0.6" that is a patch to DialupPPP
dp-2.3. (It may also work on other SunOS/BSD streams-based
PPP drivers.)

The package does two things:

1. It implements firewall-style filtering on packets coming
into a host over a PPP connection.

2. It adjusts the packets slightly to improve interactive
latency on a slow PPP link containing some batch traffic
as well.

Please give me feedback if you attempt to use this package;
let me know of both success and failure. I'm particularly
interested in what platforms and drivers it works with.

This is the second release, named version "0.6", and you should
consider it beta quality. The first release was out for a
month before this one, and worked rather well, but had problems
with fragmented packets. This release adds the second item
above, fixes the fragementation problem from before, and has
support for configuring dynamically-loaded kernel modules
(thanks to Brett Lymn <>).
Henry Strickland
Tue Oct 4 1994

Here is an excerpt from "infilt.doc".


This package provides simple firewall-style packet filtering.
It is designed for a local network that is connected to the big
internet through a single PPP link. It runs inside the
operating system kernel on the "local host", the machine
in the local network that has the PPP interface to the
big internet:

----------------- ---------------------
| | |
| (filtered) | local |
the | incoming-> | |
| -------- network |
big <======PPP=link========> local| |
| | host | |
internet | <-outgoing -------- |
| (undisturbed) | |
| | |
----------------- ---------------------

The package looks at packets coming into the local network
though this PPP link ("incoming packets"), and it quietly drops
packets that it deems to be evil, using some simple criteria.

Packets leaving the local network through the PPP link
("outgoing packets") are unaffected and are never dropped.

TCP WINDOW AND MSS CLAMPING (New feature in version 0.6)

TCP packets, both incoming and outgoing, will have their
"window" field and "MSS" options examined and possibly
tweaked. Maximum values for these two fields can be
configured, and any TCP packet with these values greater than
the maximum values will be altered to have the maximum value.

The benefit of keeping the "window" small is that it keeps
batch packets from piling up on a slow PPP link and causing
a lot of latency for small, interactive packets.

The benefit of keeping the "MSS" small is that it will avoid
IP fragmentation, which is messy an not very reliable (at
least on my sun3 running SunOS4.1.1) and commonly causes
file transfers to freeze up.



The infilt package may be configured to do any or all of
these seven different things to packets:

1. Drop selected incoming TCP packets, based on destination port.

2. Drop selected incoming UDP packets, based on destination port.

3. Drop selected incoming ICMP packets, based on icmp_type.

4. Drop incoming packets containing IP header options.

5. Write zeros over IP header options on incomfing packets,
rendering the header options impotent.

6. Clamp the TCP "window" field on incoming or outgoing
packets to a maximum value

7. Clamp the TCP "MSS" option field on incoming or outgoing
packets to a maximum value