Building a firewall from scratch

 
Greenhorn
Posts: 3
Hi guys! I have decided to build an open source firewall in a Linux environment. I have exactly one year to complete this project. The firewall will be a stateful packet filtering firewall working at the network, transport and application layers. It would also provide log analysis features.

Some of the network layer features are as follows:

Stateful Packet Inspection: Tracking each connection and filtering packets by breaking them into headers and data.

Port-scan detection
DoS and DDoS Protection
SYN/ICMP Flood Protection
Anti-spoofing Protection

For application layer features I may decide to provide antivirus and antispam filters.

What I want to know is whether this is a good enough project or put in other words, is it a worthwhile project to undertake?

Thanks in advance
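As an added illustration of the port-scan detection and log analysis features listed in the post above (this is example code, not anything from the original poster or from an existing firewall project), the following shell/awk script looks at iptables LOG lines and reports any source address that sent SYNs to many distinct destination ports. The sample log lines are constructed, the "INPUT_DROP:" prefix is an assumed --log-prefix, and the threshold is a parameter; the field layout (SRC=, DPT=, SYN) is the kernel's standard LOG output.

```shell
#!/bin/sh
# Added example (not code from the original post): simple port-scan detection
# over iptables LOG lines, one piece of the log analysis the post describes.

# Constructed sample log: one source probing eight ports, one source retrying a
# single port three times, and one UDP packet. "INPUT_DROP:" is an assumed
# --log-prefix; the remaining fields follow the kernel's standard LOG format.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:00:01 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=21 SYN URGP=0
Mar  3 10:00:01 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41001 DPT=22 SYN URGP=0
Mar  3 10:00:01 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41002 DPT=23 SYN URGP=0
Mar  3 10:00:02 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41003 DPT=25 SYN URGP=0
Mar  3 10:00:02 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41004 DPT=80 SYN URGP=0
Mar  3 10:00:02 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41005 DPT=110 SYN URGP=0
Mar  3 10:00:03 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41006 DPT=143 SYN URGP=0
Mar  3 10:00:03 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41007 DPT=443 SYN URGP=0
Mar  3 10:00:05 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
Mar  3 10:00:06 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
Mar  3 10:00:09 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
Mar  3 10:00:10 fw kernel: INPUT_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=53 LEN=40
EOF
)

# Usage: detect_portscans THRESHOLD < logfile
# Prints every source that sent SYNs to at least THRESHOLD distinct destination
# ports. Only SYN packets count (connection attempts), and each (source, port)
# pair is counted once, so retries against one port are not reported as a scan.
detect_portscans() {
    awk -v thr="${1:-10}" '
        {
            src = ""; dpt = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") syn = 1
            }
            if (syn && src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END {
            for (s in ports)
                if (ports[s] >= thr)
                    printf "%s probed %d distinct ports\n", s, ports[s]
        }'
}

# "demo" runs the detector over the constructed sample; "scan" reads a real
# log from stdin, e.g.:  grep INPUT_DROP /var/log/kern.log | ./portscan.sh scan 15
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | detect_portscans "${2:-5}" ;;
    scan) detect_portscans "${2:-10}" ;;
esac
```

Counting distinct ports rather than raw packet volume is what separates a scan from a flood or a retrying client; a production detector would additionally window the counts by time so that a slow scan spread over hours is still caught.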
 
Saloon Keeper
Posts: 27763
Welcome to the Ranch, Kai!

Linux comes with a first-rate firewall system already: iptables. It replaced an older firewall system that itself was fairly effective. Pretty much everything you've described is available either as part of the core package or as an add-on.

So if you're looking to produce a product for general release, you'd have to do something really radical like provide triple the throughput, ability to completely shut down botnets or cure World Hunger.

If you're just looking for an academic exercise, you should read the documentation and obtain and examine the source code, and it will give you a head start.

And, of course, if you have certain specific needs that iptables doesn't handle or handle well enough for you, they're always glad to consider contributions.
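To make the reply above concrete, here is an added example (not from the thread, and not a ruleset shipped by iptables or any firewall distribution) of how the features in the original post map onto stock iptables: conntrack for stateful inspection, interface-bound source filters for anti-spoofing, a rate-limited chain for SYN floods, a limit on ICMP echo, and rate-limited logging for later analysis. The external interface eth0 and the allowed service port 22 are assumptions; setting IPT=echo prints the rules instead of loading them, which is also how the example is exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful iptables ruleset
# covering the features listed in the original post. The external interface
# and the admin service port are assumptions; adjust them for the host.
WAN="${WAN:-eth0}"          # assumed external interface
SSH_PORT="${SSH_PORT:-22}"  # assumed inbound service to allow from outside
IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of loading them

build_firewall() {
    # Start clean; default deny for inbound and forwarded traffic, allow outbound.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful inspection: conntrack follows each flow, so packets belonging to
    # connections we already accepted pass, and packets with no valid state drop.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: loopback and RFC 1918 source addresses cannot legitimately
    # arrive on the external interface, so drop them there unconditionally.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # SYN flood protection: every new TCP connection from outside goes through a
    # token-bucket limiter; SYNs above the rate are logged (throttled) and dropped.
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 25/s --limit-burst 50 -j RETURN
    $IPT -A SYN_FLOOD -m limit --limit 1/s -j LOG --log-prefix "SYN_FLOOD: "
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp --syn -j SYN_FLOOD

    # ICMP flood protection: answer echo requests only at a bounded rate.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # The one inbound service explicitly allowed from the outside.
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) whatever falls through to the DROP policy, for later analysis.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
}

# Print the rules that build_firewall would load, without touching the kernel.
dry_run_firewall() {
    IPT=echo
    build_firewall
}

case "${1:-}" in
    apply)   build_firewall ;;      # needs root and the iptables binary
    dry-run) dry_run_firewall ;;    # safe anywhere
esac
```

The ordering matters: the conntrack ACCEPT sits before everything else so that established flows never reach the rate limiter, and the anti-spoofing drops sit before the service rule so that a forged internal source address cannot reach it. The two LOG prefixes are what a log analyser would later key on.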
 
kai dranzer
Greenhorn
Posts: 3
Here is the status of existing firewalls in terms of ipv6 support:

1. pfsense: no ipv6 support (under development)
2. m0n0wall : no ipv6 support (under development)
3. ipcop: no ipv6 support
4. firestarter: no ipv6 support

So should I volunteer to contribute in one of these projects or make my own DPI firewall with ipv6 support?
 
Tim Holloway
Saloon Keeper
Posts: 27763
I did a double-take on that one. I was pretty sure that iptables should have been on that list as well. I was right: http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-ip6tables.html

But there's a bit of muddiness in some of the definitions. I think that some of the facilities you listed are actually firewall builders rather than true firewalls in and of themselves. In other words, they're programs that provide a GUI builder for iptables or other external firewall systems instead of doing the firewall themselves.

Not that there's anything wrong with that, since we need all the help we can get! In fact, I've been slowly trying to put together a system that will allow me to bundle up packages of firewall rules as defined in a database and apply them to my own servers.

Speaking of firewall builders, here's another one for the list: system-config-network/redhat-config-network. This is an app that helps do minimalistic building functions that's invoked as part of the install process for Red Hat and related systems such as Fedora and CentOS. It's also runnable at will after installs, but Linux likes to be paranoid from the start unlike a certain other OS we won't mention here.
 
kai dranzer
Greenhorn
Posts: 3
So what do you suggest? Should I develop an independent DPI firewall or volunteer to contribute?
 
Rancher
Posts: 4803
I use Smoothwall, it's a Linux-based distro tuned to be a great firewall. Boot from an ISO and it installs trivially.

Don't know about its IPv6 support, as I expect my ISP will be one of the last to move to that decade-old technology.

 
Pat Farrell
Rancher
Posts: 4803

Tim Holloway wrote: Linux comes with a first-rate firewall system already: iptables. It

I would not call iptables first rate. They are powerful, but too complex for mortals to understand. There are some decent iptables editing programs, such as guarddog, that I used for years. But even that was a compromise.

As to whether @kai's idea is worthwhile, that's hard for me to judge. I'd be tempted to point to one of the existing open source firewall sets, and do an analysis of whether they really meet the requirements. If not, I'd then look hard at the requirements, to see if each part is really justified. If you find you can't get a thing or two, I'd push to join an existing effort, rather than starting from scratch.

While starting from scratch can be a great learning experience, real engineers ship products. That usually means building on someone else's work.
 
Tim Holloway
Saloon Keeper
Posts: 27763

Pat Farrell wrote:

Tim Holloway wrote: Linux comes with a first-rate firewall system already: iptables. It

I would not call iptables first rate. They are powerful, but too complex for mortals to understand.

Wow! So all these years, I've been...