Networking & Information Security
Texas A&M University

Drawbridge Filter Compiler

The Filter Compiler
-------------------

Usage:  dbfc [-v] input-file [output-file]

Switches:
        -v    Displays the version and copyright notice.

The dbfc program is the filter compiler portion of the Drawbridge package.
It takes input from the text filter configuration file 'input-file' and
generates the binary filter description file 'output-file'.  If 'output-file'
is not specified, then the output is written to the file 'db_filters'.  The
output file may then be loaded into Drawbridge using the Drawbridge Manager
dbmgr.


The Filter Configuration Language
---------------------------------

o Comments

A comment starts with a '#' and extends to the end of the line.  Comments
can appear anywhere within the filter config file.


o Filter Flags

There are several flags which may be used to alter global filtering rules.
The flags are: Multicast, NonIP, OtherIP, SuspectOffset, FragmentedICMP,
and AttackICMP and are explained in the Drawbridge Manager documentation.
These flags may be set in the filter configuration file with the 'set'
command.  The possible values for the flags are 'forward' or 'discard'.  If
a flag is not set in the filter configuration file or set by the manager,
it defaults to 'forward'.

Examples:
        set Multicast = forward;
        set FragmentedICMP = discard;
        set NonIP = discard;


o Service Specification

The basic element of the language is the service specification.  A service
specification is enclosed by the symbols '<' '>' and contains up to four
pieces of information in the following order:

    The port to test (optional)
        Specifies which port to check within the packet.  The keyword
        "src=" causes the source port to be checked and the keyword "dst="
        causes the destination port to be checked.  The destination port is
        the implied default.

    The service
        Can be a symbolic entry from /etc/services or a number.  Service
        ranges can also be specified by using a '-' between a pair of
        services.  The specified service port is compared to the
        destination or source (see above) port within the packet.

    The protocol (optional)
        Can be 'TCP', 'UDP', or 'ICMP' and is separated from the service
        by a '/'.  Other valid protocol names are accepted by the compiler
        but silently ignored: no filter entry is generated for such a
        specification, so a rule written for any other protocol has no
        effect on the filters Drawbridge loads.  If not specified, TCP is
        the default.

    The traffic direction
        Indicates whether this specification is for outbound packets,
        inbound packets, or both.  Outbound is specified by 'out',
        inbound by 'in', and both by 'in-out'.


Examples:
        <smtp in-out>  # Allow smtp connections, either direction.
        <0-65535 out>  # Allow all outbound TCP connections.
        <ntp/udp in>   # Allow UDP based network time protocol in.
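The following is an added example, not code from the Drawbridge package: a small parser for the configuration language described in the Filter Flags and Service Specification sections above. It strips '#' comments, applies 'set' statements over the default of 'forward', expands each service specification into a port range with its protocol, port field and direction, and reports any specification whose protocol is not TCP, UDP or ICMP, since dbfc accepts such a rule but generates nothing for it. The SERVICES table is a constructed stand-in for /etc/services, the sample configuration is constructed for the example, and treating protocol names as case-insensitive is an assumption.

```python
"""Parser for the dbfc filter configuration language (added example,
not part of Drawbridge).  Accepts comments, 'set' flag statements and
<[src=|dst=]service[/protocol] direction> service specifications."""
import re

# Constructed subset of /etc/services so the example runs offline.
SERVICES = {"smtp": 25, "domain": 53, "http": 80, "ntp": 123}

FLAGS = ("Multicast", "NonIP", "OtherIP", "SuspectOffset",
         "FragmentedICMP", "AttackICMP")
FLAG_VALUES = ("forward", "discard")
COMPILED_PROTOCOLS = ("TCP", "UDP", "ICMP")   # dbfc ignores any other protocol
DIRECTIONS = ("in", "out", "in-out")

SET_RE = re.compile(r"^set\s+(\w+)\s*=\s*(\w+)\s*;$")
SPEC_RE = re.compile(r"<([^>]*)>")


def resolve_port(name):
    """Map a numeric port or an /etc/services name to a port number."""
    if name.isdigit():
        port = int(name)
    elif name in SERVICES:
        port = SERVICES[name]
    else:
        raise ValueError(f"unknown service {name!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_spec(body):
    """Parse the text between '<' and '>' into a rule dict.

    Returns None for a specification dbfc would silently drop because
    its protocol is not TCP, UDP or ICMP.
    """
    parts = body.split()
    if len(parts) != 2:
        raise ValueError(f"bad service specification <{body}>")
    service, direction = parts
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r} in <{body}>")
    field = "dst"                       # destination port is the default
    if service[:4] in ("src=", "dst="):
        field, service = service[:3], service[4:]
    proto = "TCP"                       # TCP is the default protocol
    if "/" in service:
        service, proto = service.split("/", 1)
        proto = proto.upper()           # assumption: protocol names are case-insensitive
    if proto not in COMPILED_PROTOCOLS:
        return None
    if "-" in service:                  # a range such as 0-65535 or smtp-http
        low, high = (resolve_port(p) for p in service.split("-", 1))
    else:
        low = high = resolve_port(service)
    if low > high:
        raise ValueError(f"inverted range in <{body}>")
    return {"field": field, "low": low, "high": high,
            "proto": proto, "direction": direction}


def compile_config(text):
    """Return (flags, rules, warnings) for a filter configuration file."""
    flags = dict.fromkeys(FLAGS, "forward")   # unset flags default to forward
    rules, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' comments run to end of line
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            flag, value = m.groups()
            if flag not in flags or value not in FLAG_VALUES:
                raise ValueError(f"line {lineno}: bad set statement {line!r}")
            flags[flag] = value
            continue
        specs = SPEC_RE.findall(line)
        if not specs:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        for body in specs:
            rule = parse_spec(body)
            if rule is None:
                warnings.append(f"line {lineno}: <{body}> names a protocol dbfc "
                                "does not compile; the rule is silently dropped")
            else:
                rules.append(rule)
    return flags, rules, warnings


# Constructed sample configuration, not taken from the Drawbridge documentation.
SAMPLE_CONFIG = """\
set FragmentedICMP = discard;
set NonIP = discard;
<smtp in-out>          # smtp connections, either direction
<0-65535 out>          # all outbound TCP connections
<ntp/udp in>           # UDP based network time protocol, inbound
<src=domain/udp in>    # inbound UDP whose source port is 53
<0-65535/igmp in>      # igmp is not TCP/UDP/ICMP: dbfc ignores this rule
"""

if __name__ == "__main__":
    flags, rules, warnings = compile_config(SAMPLE_CONFIG)
    for name, value in sorted(flags.items()):
        print(f"set {name} = {value};")
    for r in rules:
        print(f"{r['direction']:6} {r['proto']:4} {r['field']} port {r['low']}-{r['high']}")
    for w in warnings:
        print("warning:", w)
```

Running the block prints the six flags (the two set to 'discard' and four left at the 'forward' default), four expanded rules, and one warning for the IGMP line. The warning is the check worth keeping in any pre-commit step for these files: because dbfc drops such specifications without complaint, a typo in a protocol name would otherwise turn a rule into nothing.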


Last Updated: Tue, Jun 30, 2009