Using TrafMeter as firewall

Although TrafMeter is promoted as traffic monitoring software and is typically used alongside a separate firewall, it is built on a firewall engine and can therefore deny network packets.
 
Let's consider a typical case of building a firewall solution with TrafMeter. Suppose we have an office network whose gateway runs Windows Server 2003 with Routing and Remote Access Service (RRAS) enabled and acting as the NAT router. Which packets should be denied to defend the gateway against hackers? One solution is to restrict access to all network services on the gateway from any untrusted network.

Incoming TCP connections

According to the TCP protocol, the client initiates a connection with the server by sending the first TCP packet with the SYN flag set. To restrict incoming TCP connections, create a rule that blocks TCP packets with the SYN flag arriving from an untrusted network. This defends all TCP-based network services on the gateway.

Incoming UDP connections

UDP is a connectionless protocol, so the client and server sides cannot be reliably distinguished by analysing packet headers alone. As a rule, UDP-based network services use ports in the range 1 to 1024. Denying UDP packets whose destination address is the gateway and whose destination port is in the range 1 to 1024 will block most incoming UDP connections. If any services use ports above 1024, create additional rules to cover them.

ICMP packets

ICMP packets typically do not carry the same intrusion risk; however, most firewalls block incoming ICMP echo request packets to prevent network scanners from detecting the gateway. TrafMeter can match and deny ICMP echo request packets when required.

Summary

To use TrafMeter as a firewall, create a single filter (it must be the first in the filter set) with the following rules:

Filter 1. firewall

N  Type of IP protocol  Source address       Source port  Destination address  Destination port  Both directions  Action  Additional options or conditions
1  TCP                  IP addresses of WAN  Any          My computer          Any               No               Deny    SYN
2  UDP                  IP addresses of WAN  Any          My computer          1-1024            Yes              Deny
3  ICMP                 IP addresses of WAN               My computer                            No               Deny    Echo request
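The following is an added example, not TrafMeter's own code: a small packet-filter evaluator that applies the three rules above to constructed sample packets, so you can check what the filter set denies and, just as importantly, what it still lets through (replies to the gateway's own outbound traffic, and UDP services above port 1024). The addresses, the reading of "SYN" as a pure SYN and of "Both directions" as matching with source and destination swapped are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (an assumption, not from the page): the office LAN plus the
# gateway's own LAN and WAN addresses (the table's "My computer"); anything else is WAN.
LAN = ip_network("192.168.0.0/24")
GATEWAY = {ip_address("192.168.0.1"), ip_address("203.0.113.10")}

@dataclass(frozen=True)
class Packet:
    proto: str                        # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False                 # TCP flags
    ack: bool = False
    icmp_type: Optional[int] = None   # 8 = echo request, 0 = echo reply

def side(addr: str) -> str:
    a = ip_address(addr)
    return "gw" if a in GATEWAY else "lan" if a in LAN else "wan"

def rule1_tcp_syn(p: Packet) -> bool:
    # "SYN" is read as a pure SYN (ACK clear), so SYN-ACK replies to the gateway's own
    # outbound connections still pass; the page does not spell this out.
    return p.proto == "TCP" and side(p.src) == "wan" and side(p.dst) == "gw" and p.syn and not p.ack

def rule2_udp_low_ports(p: Packet) -> bool:
    # "Both directions: Yes" is read as also matching with source and destination swapped.
    low = lambda port: port is not None and 1 <= port <= 1024
    fwd = side(p.src) == "wan" and side(p.dst) == "gw" and low(p.dport)
    rev = side(p.src) == "gw" and side(p.dst) == "wan" and low(p.sport)
    return p.proto == "UDP" and (fwd or rev)

def rule3_icmp_echo(p: Packet) -> bool:
    return p.proto == "ICMP" and side(p.src) == "wan" and side(p.dst) == "gw" and p.icmp_type == 8

RULES = [("1", rule1_tcp_syn), ("2", rule2_udp_low_ports), ("3", rule3_icmp_echo)]

def decide(p: Packet) -> str:
    # First matching rule denies; anything the filter does not match passes.
    for number, rule in RULES:
        if rule(p):
            return f"Deny (rule {number})"
    return "Allow"

if __name__ == "__main__":
    wan, gw = "198.51.100.7", "203.0.113.10"   # constructed sample addresses
    for p in (Packet("TCP", wan, gw, 40000, 80, syn=True),             # inbound connection attempt
              Packet("TCP", wan, gw, 443, 50000, syn=True, ack=True),  # reply to an outbound connection
              Packet("UDP", wan, gw, 53, 49152),                       # DNS answer to a high port
              Packet("UDP", wan, gw, 5555, 2000),                      # UDP service above 1024: needs its own rule
              Packet("ICMP", wan, gw, icmp_type=8)):                   # echo request
        print(p.proto, p.src, "->", p.dst, p.dport, decide(p))
```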
