Hi guys! I have decided to build an open source firewall in a Linux environment. I have exactly one year to complete this project. The firewall will be a stateful packet filtering firewall working at the network, transport and application layers. It would also provide log analysis features.
Some of the network layer features are as follows:
Stateful Packet Inspection: Tracking each connection and filtering packets by breaking them into headers and data.
DoS and DDoS Protection
SYN/ICMP Flood Protection
For application layer features I may decide to provide antivirus and antispam filters.
What I want to know is whether this is a good enough project or, put in other words, is it a worthwhile project to undertake?
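A sketch of the two network-layer features listed above, added here as an example that is not code from the thread or from any of the projects named in it: a connection-tracking table with per-state handling of the TCP handshake, plus a per-source half-open (SYN) limit. Packets are plain constructed tuples and all addresses are made up; nothing touches real sockets or netfilter.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFilter:
    """Toy conntrack table plus a per-source half-open (SYN) limit; constructed demo."""
    allow_new_to: set                  # "ip:port" services allowed to receive NEW connections
    syn_limit: int = 3                 # max half-open connections per source IP
    conntrack: dict = field(default_factory=dict)  # (client, server) -> TCP state
    half_open: dict = field(default_factory=dict)  # client IP -> half-open count

    def filter(self, src, dst, flags):
        """Verdict for one packet: src/dst are "ip:port", flags e.g. "S", "SA", "A", "R"."""
        fwd, rev = (src, dst), (dst, src)
        key = fwd if fwd in self.conntrack else rev if rev in self.conntrack else None
        ip = src.split(":")[0]
        if "R" in flags or "F" in flags:            # teardown: forget the connection
            if key is None:
                return "DROP"                        # INVALID: resets nothing we track
            if self.conntrack.pop(key) != "ESTABLISHED":
                self.half_open[key[0].split(":")[0]] -= 1
            return "ACCEPT"
        if flags == "S":                             # NEW connection attempt
            if key is not None or dst not in self.allow_new_to:
                return "DROP"                        # duplicate SYN, or service not exposed
            if self.half_open.get(ip, 0) >= self.syn_limit:
                return "DROP"                        # SYN-flood limit hit for this source
            self.conntrack[fwd] = "SYN_SENT"
            self.half_open[ip] = self.half_open.get(ip, 0) + 1
            return "ACCEPT"
        state = self.conntrack.get(key)
        if flags == "SA" and key == rev and state == "SYN_SENT":
            self.conntrack[key] = "SYN_RECV"         # server answered the client's SYN
            return "ACCEPT"
        if flags == "A" and key == fwd and state == "SYN_RECV":
            self.conntrack[key] = "ESTABLISHED"      # handshake complete
            self.half_open[ip] -= 1
            return "ACCEPT"
        return "ACCEPT" if state == "ESTABLISHED" else "DROP"   # data vs. INVALID

def demo_verdicts():
    """Constructed trace: a full handshake with server data, an inbound SYN to an
    unexposed service, a stray ACK, a client RST, then a 4-SYN burst against limit 3."""
    fw = StatefulFilter(allow_new_to={"10.0.0.5:80"})
    client, web = "198.51.100.9:40000", "10.0.0.5:80"
    trace = [(client, web, "S"), (web, client, "SA"), (client, web, "A"),
             (web, client, "A"), ("203.0.113.7:1234", "10.0.0.5:22", "S"),
             ("203.0.113.7:1234", web, "A"), (client, web, "R")]
    trace += [("203.0.113.7:%d" % (50000 + i), web, "S") for i in range(4)]
    return [fw.filter(*p) for p in trace]
```

Only the client's side of the handshake counts against the half-open limit, so a burst of SYNs that never completes is capped per source while established flows keep passing in both directions.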
Linux comes with a first-rate firewall system already: iptables. It replaced an older firewall system that itself was fairly effective. Pretty much everything you've described is available either as part of the core package or as an add-on.
So if you're looking to produce a product for general release, you'd have to do something really radical like provide triple the throughput, ability to completely shut down botnets or cure World Hunger.
If you're just looking for an academic exercise, you should read the documentation and obtain and examine the source code, and it will give you a head start.
And, of course, if you have certain specific needs that iptables doesn't handle or handle well enough for you, they're always glad to consider contributions.
An IDE is no substitute for an Intelligent Developer.
Here is the status of existing firewalls in terms of ipv6 support:
1. pfsense: no ipv6 support (under development)
2. m0n0wall : no ipv6 support (under development)
3. ipcop: no ipv6 support
4. firestarter: no ipv6 support
So should I volunteer to contribute in one of these projects or make my own DPI firewall with ipv6 support?
But there's a bit of muddiness in some of the definitions. I think that some of the facilities you listed are actually firewall builders rather than true firewalls in and of themselves. In other words, they're programs that provide a GUI builder for iptables or other external firewall systems instead of doing the firewall themselves.
Not that there's anything wrong with that, since we need all the help we can get! In fact, I've been slowly trying to put together a system that will allow me to bundle up packages of firewall rules as defined in a database and apply them to my own servers.
Speaking of firewall builders, here's another one for the list: system-config-network/redhat-config-network. This is an app that helps do minimalistic building functions and is invoked as part of the install process for Red Hat and related systems such as Fedora and CentOS. It's also runnable at will after installs, but Linux likes to be paranoid from the start, unlike a certain other OS we won't mention here.
So what do you suggest? Should I develop an independent DPI firewall or volunteer to contribute?
Tim Holloway wrote: Linux comes with a first-rate firewall system already: iptables. It
I would not call iptables first rate. They are powerful, but too complex for mortals to understand. There are some decent iptables editing programs, such as guarddog, that I used for years. But even that was a compromise.
As to whether @kai's idea is worthwhile, that's hard for me to judge. I'd be tempted to point to one of the existing open source firewall sets, and do an analysis of whether they really meet the requirements. If not, I'd then look hard at the requirements, to see if each part is really justified. If you find you can't get a thing or two, I'd push to join an existing effort, rather than starting from scratch.
While starting from scratch can be a great learning experience, real engineers ship products. That usually means building on someone else's work.