JavaRanch » Java Forums » Engineering » Linux / UNIX
Building a firewall from scratch

kai dranzer
Greenhorn

Joined: Jul 11, 2011
Posts: 3
Hi guys! I have decided to build an open source firewall in a Linux environment. I have exactly one year to complete this project. The firewall will be a stateful packet filtering firewall working at the network, transport and application layers. It would also provide log analysis features.

Some of the network layer features are as follows:

Stateful Packet Inspection: Tracking each connection and filtering packets by breaking them into headers and data.

Port-scan detection
DoS and DDoS Protection
SYN/ICMP Flood Protection
Anti-spoofing Protection

For application layer features I may decide to provide antivirus and antispam filters.

What I want to know is whether this is a good enough project or, to put it in other words, whether it is a worthwhile project to undertake.

Thanks in advance
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16022

Welcome to the Ranch, Kai!

Linux comes with a first-rate firewall system already: iptables. It replaced an older firewall system that itself was fairly effective. Pretty much everything you've described is available either as part of the core package or as an add-on.

So if you're looking to produce a product for general release, you'd have to do something really radical like provide triple the throughput, ability to completely shut down botnets or cure World Hunger.

If you're just looking for an academic exercise, you should read the documentation and obtain and examine the source code, and it will give you a head start.

And, of course, if you have certain specific needs that iptables doesn't handle or handle well enough for you, they're always glad to consider contributions.


Customer surveys are for companies who didn't pay proper attention to begin with.
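An added example (not code from the thread, and not from iptables or any project named in it) for the "log analysis" and "port-scan detection" items in the first post: a small analyser over lines written by the iptables/ip6tables LOG target. It collects the distinct destination ports each source address has probed and reports sources that hit at least a threshold of different ports, so retries against one port do not count as a scan. The function names, the "PORTSCAN: " log prefix and the sample log lines are constructed for this example (documentation address ranges only); the field names are the ones the kernel's LOG target emits.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads iptables/ip6tables LOG output
# on stdin and flags sources that probed many distinct TCP ports.
set -eu

# detect_scanners [THRESHOLD]   (default threshold: 5 distinct ports)
# Output: one "SOURCE COUNT" line per flagged source, sorted.
detect_scanners() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once: retries must not inflate the score
            if (src != "" && dpt != "" && !seen[src SUBSEP dpt]++) ports[src]++
        }
        END {
            for (s in ports)
                if (ports[s] >= thr) print s, ports[s]
        }' | LC_ALL=C sort
}

# Constructed sample of LOG output (kernel field layout; MAC= field omitted).
# 203.0.113.5 probes four ports (23 twice), 198.51.100.7 only retries port 80
# plus one UDP packet, the IPv6 source probes three ports.
sample_logs() {
    cat <<'EOF'
Jul 11 10:00:01 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 10:00:01 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 10:00:01 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 10:00:02 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 10:00:02 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44325 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 10:00:05 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=50001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 11 10:00:06 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=50002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 11 10:00:07 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=60 ID=0 DF PROTO=UDP SPT=50003 DPT=53 LEN=40
Jul 11 10:00:09 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=28800 RES=0x00 SYN URGP=0
Jul 11 10:00:09 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=40001 DPT=80 WINDOW=28800 RES=0x00 SYN URGP=0
Jul 11 10:00:10 fw kernel: PORTSCAN: IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=40002 DPT=443 WINDOW=28800 RES=0x00 SYN URGP=0
EOF
}

# Usage: sample_logs | detect_scanners 3
# On a live box: journalctl -k | detect_scanners   (or: grep PORTSCAN /var/log/kern.log | detect_scanners)
```

Because SRC= is parsed as an opaque token, the same function handles ip6tables output; the threshold is the only knob, and a value that is too low will flag a host that legitimately talks to several services.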
kai dranzer
Greenhorn

Joined: Jul 11, 2011
Posts: 3
Here is the status of existing firewalls in terms of ipv6 support:

1. pfsense: no ipv6 support (under development)
2. m0n0wall : no ipv6 support (under development)
3. ipcop: no ipv6 support
4. firestarter: no ipv6 support

So should I volunteer to contribute in one of these projects or make my own DPI firewall with ipv6 support?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16022

I did a double-take on that one. I was pretty sure that iptables should have been on that list as well. I was right: http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-ip6tables.html

But there's a bit of muddiness in some of the definitions. I think that some of the facilities you listed are actually firewall builders rather than true firewalls in and of themselves. In other words, they're programs that provide a GUI builder for iptables or other external firewall systems instead of doing the firewall themselves.

Not that there's anything wrong with that, since we need all the help we can get! In fact, I've been slowly trying to put together a system that will allow me to bundle up packages of firewall rules as defined in a database and apply them to my own servers.

Speaking of firewall builders, here's another one for the list: system-config-network/redhat-config-network. This is an app that helps do minimalistic building functions that's invoked as part of the install process for Red Hat and related systems such as Fedora and CentOS. It's also runnable at will after installs, but Linux likes to be paranoid from the start unlike a certain other OS we won't mention here.
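An added example that is not code from the thread, from iptables, or from any of the projects listed above: the feature list in the first post (stateful inspection, anti-spoofing, SYN and ICMP flood limiting, port-scan detection with logging) expressed as a ruleset in iptables-restore format, with the ip6tables variant that the link above confirms exists. The interface name (eth0), the LAN prefixes (documentation ranges), the single allowed service (SSH) and the rate limits are assumptions; the function name is this example's own. Only the `conntrack`, `limit`, `recent` and `LOG` extensions are used, all of which ship with iptables and ip6tables.

```shell
#!/bin/sh
# Added example, not code from the thread or from iptables. Emits a ruleset
# for iptables-restore ("inet") or ip6tables-restore ("inet6"); nothing is
# applied to the running kernel unless the output is piped into a restore tool.
set -eu

# build_ruleset FAMILY [WAN_IF]
build_ruleset() {
    family="$1"
    wan="${2:-eth0}"                      # assumed outside interface
    case "$family" in
        inet)  lan_prefix='192.0.2.0/24';  icmp=icmp;   icmp_type='--icmp-type' ;;
        inet6) lan_prefix='2001:db8::/32'; icmp=icmpv6; icmp_type='--icmpv6-type' ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNFLOOD - [0:0]
# Stateful inspection: conntrack decides for packets of connections it already knows
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: our own LAN prefix must never arrive on the WAN interface
-A INPUT -i $wan -s $lan_prefix -j DROP
# Port-scan detection, part 1: sources flagged within the last 60 s are dropped early
-A INPUT -m recent --name portscan --rcheck --seconds 60 -j DROP
# ICMP flood protection: rate-limit echo requests and drop the excess
-A INPUT -p $icmp $icmp_type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -p $icmp $icmp_type echo-request -j DROP
EOF
    if [ "$family" = inet6 ]; then
        # IPv6 does not work without ICMPv6 (neighbour discovery, path MTU
        # discovery), so the remaining ICMPv6 types are accepted, not dropped.
        echo '-A INPUT -p icmpv6 -j ACCEPT'
    fi
    cat <<EOF
# SYN flood protection: every new TCP connection passes a rate limiter first
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j SYNFLOOD
-A SYNFLOOD -m limit --limit 25/s --limit-burst 50 -j RETURN
-A SYNFLOOD -j DROP
# Services actually offered (assumption: SSH only)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Port-scan detection, part 2: a new connection to any other TCP port flags the
# source for 60 s and logs it with a prefix a log analyser can key on
-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name portscan --set -j LOG --log-prefix "PORTSCAN: "
COMMIT
EOF
}

# Usage (as root), for example:
#   ./firewall.sh inet  eth0 | iptables-restore --test    # parse only, apply nothing
#   ./firewall.sh inet6 eth0 | ip6tables-restore          # load the IPv6 rules
if [ $# -ge 1 ]; then
    build_ruleset "$@"
fi
```

Two caveats worth keeping in mind when adapting this: the `recent` rule sits before the SSH accept, so a host that touches one closed port locks itself out of SSH for 60 s as well, which is the intended behaviour for a scanner but surprising for a mistyped port; and the ICMPv6 branch is the one place where a rule copied verbatim from the IPv4 set would silently break the IPv6 side.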
kai dranzer
Greenhorn

Joined: Jul 11, 2011
Posts: 3
So what do you suggest? Should I develop an independent DPI firewall or volunteer to contribute?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4650

I use Smoothwall, it's a Linux-based distro tuned to be a great firewall. Boot from an ISO and it installs trivially.

Don't know about its IPv6 support, as I expect my ISP will be one of the last to move to that decade old technology.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4650

Tim Holloway wrote:Linux comes with a first-rate firewall system already: iptables. It

I would not call iptables first rate. They are powerful, but too complex for mortals to understand. There are some decent iptables editing programs, such as guarddog, that I used for years. But even that was a compromise.

As to whether @kai's idea is worthwhile, that's hard for me to judge. I'd be tempted to point to one of the existing open source firewall sets, and do an analysis of whether they really meet the requirements. If not, I'd then look hard at the requirements, to see if each part is really justified. If you find you can't get a thing or two, I'd push to join an existing effort, rather than starting from scratch.

While starting from scratch can be a great learning experience, real engineers ship products. That usually means building on someone else's work.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16022

Pat Farrell wrote:
Tim Holloway wrote:Linux comes with a first-rate firewall system already: iptables. It

I would not call iptables first rate. They are powerful, but too complex for mortals to understand.


Wow! So all these years, I've been...