Inner workings of firewall programs

I was wondering how are firewall programs such as BlackICE typically implemented? I know that they somehow intercept all traffic in and out of a network interface.
Is the firewall program relying on some "hooks" provided by the operating system? Something else?
I'd really appreciate any hints for where to look at...

I don't know much about Windows these days, but at one time the TCP stack was just a DLL -- it was replaceable and there multiple vendor-versions available. That's probably still true to some extent, and Windows firewalls probably work by hooking that DLL.
I know a little more about how this works on Linux. ipchains/iptables are kernel modules that work by hooking into the kernel's networking modules.

Oooh. Can describe what these "hooks" look like in Linux?

Hi,
Well every firewall defines the following:
Rule - a rule states whether packets(data) associated with a defined port is allowed or dis-allowed from passing a given point in the firewall.
Chain - a collection of rules. Associated with a Hook so that its rules become active.
Hooks - it is best to think of these as parts of the router that packets pass though.

[ October 07, 2003: Message edited by: girish rateshwar ]

Thanks Girish, for the info, but I know that conceptual stuff. What I'm interested in is how does a (C/C++) programmer code his program to use those hooks?

Originally posted by Lasse Koskela:
Thanks Girish, for the info, but I know that conceptual stuff. What I'm interested in is how does a (C/C++) programmer code his program to use those hooks?

Just to clarify things a bit, I don't mean "how" as in "show me the code", but more like "tell me how one connects to these hooks using plain English instead of source code".

http://www.practicallynetworked.com/sharing/firewall.htm

In Linux, it's something you can do only in kernel space -- i.e., you'd write a kernel module. The routines that provide the hooks are in the net/ipv4/netfilter directory in the kernel source distribution -- look, for example, at netfilter.c .
Now, ipfilter/iptables already offer a lot of configurable flexibility, so just using them might be all you need to do -- but I don't know why you're asking this, so I can't day.

Eric, thanks for the link. You made me realize that I was still using the wrong terminology: I was particularly interested in "software personal firewall" internals...

Originally posted by Ernest Friedman-Hill:
In Linux, it's something you can do only in kernel space -- i.e., you'd write a kernel module. The routines that provide the hooks are in the net/ipv4/netfilter directory in the kernel source distribution -- look, for example, at netfilter.c .
Now, ipfilter/iptables already offer a lot of configurable flexibility, so just using them might be all you need to do -- but I don't know why you're asking this, so I can't day.

I kind of figured that you'd need to plug your piece of code into the operating system, which makes sense in Linux, but not so (for me) in Windows. I'm asking this because someone threw an idea in the air over lunch that we should write a personal firewall for Symbian devices. The natural progression was to ask how -- even though we're not really going to do it (I'm pretty much Java-only although I have a few .NET books on the shelf waiting for the rainy day, and my C++ skills are rusty to say the least). As I chewed on my pizza, I tried to visualize how one would go about writing the code that intercepts the incoming byte streams and somehow tells the operating system whether to let it pass or stop right there. Then I realized I was probably way wrong and decided to ask someone who might know...

You probably wouldn't be intercepting streams, but raw IP packets. But basically, you'd be writing a DLL which did something like

inserting itself inside the OS.

That's along the lines I figured it could be. Thanks.

This might be a very cool place to start out (for Linux)

http://www.smoothwall.org/

open source, and free (as in beer)