Another great feature would be to have packets matching a certain rule to
get passed to a plugin for processing.  For example, PPTP packets could get
passed to a plugin that replaces the internal IP with the external one on
the way out, and vice-versa on the way in.  

What would be even better is multiple interface support, where you assign
each interface a different security level.  The outside interface would be
0, and the inside would be 100.  DMZs could be anything in between.  By
default, higher security levels would be able to get to lower ones, but not
the other way around.  Adding this support and NAT capabilities would make
it have the same functionality as a Cisco PIX firewall (except for the PPTP
thing).

Maybe it's time to whack your code up on sourceforge.net and start a
project.  Once it's up and working properly, you give the code away under
the GPL, but charge for support services if businesses need them.  This is
how the makers of MySQL and BIND make their money.  I don't know yet if
Oracle is free for commercial use, but they were throwing around the idea
since 70% of their revenue is generated from support contracts and calls.
If you could fit the project on a boot floppy, and make a nice command line
interface, you'd make a very nice free alternative to very expensive
commercial firewalls.

Jay
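The interface security-level model described above, written out as an added example (not code from this thread or from Jason's bridge): interfaces carry a level, higher-to-lower traffic passes by default, lower-to-higher only through an explicit exception, and replies to a flow that was already permitted are let back in. Interface names, levels and addresses are constructed for the example.

```python
from dataclasses import dataclass

# Constructed interface map: name -> security level (0 = least trusted).
IFACE_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface it would leave on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class LevelFirewall:
    """PIX-style policy: compare the levels of the ingress and egress interfaces."""

    def __init__(self, levels, exceptions=()):
        self.levels = levels
        # Explicit permits for lower-to-higher traffic: (in_iface, out_iface, proto, dport).
        self.exceptions = set(exceptions)
        # Flows already permitted, stored as 7-tuples so the reply direction can be matched.
        self.flows = set()

    def check(self, pkt):
        # Return traffic for a permitted flow: the reversed tuple is in the table.
        reply_key = (pkt.out_iface, pkt.in_iface, pkt.dst, pkt.dport,
                     pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.flows:
            return "ALLOW"
        src_level = self.levels[pkt.in_iface]
        dst_level = self.levels[pkt.out_iface]
        if src_level > dst_level:
            allowed = True  # trusted side talking to a less trusted side
        else:
            # Equal or lower level: only what an explicit exception opens.
            allowed = (pkt.in_iface, pkt.out_iface, pkt.proto, pkt.dport) in self.exceptions
        if allowed:
            self.flows.add((pkt.in_iface, pkt.out_iface, pkt.src, pkt.sport,
                            pkt.dst, pkt.dport, pkt.proto))
        return "ALLOW" if allowed else "DENY"
```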

-----Original Message-----
From: Jason DeStefano [mailto:destef at destef.com]
Sent: Saturday, November 18, 2000 6:27 PM
To: tclug-list at lists.real-time.com
Subject: Re: [TCLUG] To firewall or not to firewall...


A bridge is exactly what it is and it gives me the ability to insert code
to process the packets any way I want. Plus, it only took about 8 hours to
write the firewall and maybe another 8 hours to add multithreaded
queueing and prioritization so it wasn't much of an investment in time
(but a good learning experience). I tried Linux bridging with ipchains and
neither would work together, they only worked on their own.

Plus, your alternate solution is BSD, not Linux. Heh.

If the program you mention can prioritize certain packets over others,
do bandwidth throttling on any traffic pattern, provide a web interface
to view the stats in real time, and modify the rules table on-the-fly
via a web interface then I'd be interested.

Some additional features I plan to add:

1. Fake RST-ACK blocked ports to port scanners. For example, if you nmap
a firewalled port nmap tells you it's firewalled because it doesn't receive
an RST-ACK when it's probed. If the firewall will send the RST-ACK to the
port scanner on behalf of the firewalled box then a port scanning program
won't even be able to tell if you have your network firewalled.

2. NAT through a bridge. In *theory* when I forward packets I could
replace an "internet IP" with a 10-net IP and then back to an internet
IP on the way out. Certain boxes could have a 10-net but still have a
unique IP on the Internet, others could be proxied through 1 IP. This
could potentially allow 10-net boxes full internet access with no
configuration needed on clients. This would give NAT/proxied machines
the benefits of all the other features of this program.

And the best thing is that you don't need to rely on Cisco routers to
handle these features even if they could.

Of course, some of these ideas are future ideas and may exist already in
other packages but my goal is to integrate all these features into a single
transparent bridge (using my algorithms). Plus, it's a good learning
experience in the process.

If anyone knows of any Linux transparent firewalls that they know to work
I'd be interested in hearing about it.

Jason


At 05:42 PM 11/18/00 -0600, you wrote:
>On Fri, Nov 17, 2000 at 06:10:15PM -0600, Jason DeStefano wrote:
>> 
>You didn't have to write this yourself.  It sounds to me like an ethernet
>bridge.  Can be done easily in OpenBSD by setting up the bridge0 device and
>putting your filtering rules in /etc/ipf.rules.  It's one of the coolest
>capabilities I've seen in OpenBSD.  Hopefully, something similar will be
>implemented in the 2.4 Linux kernel.  Anyone know if Linux is already
>capable of bridging like this?
>
>Gabe
>
>-- 
>--------------------------------------------------------------------------------
>Gabe Turner                                    |           X-President,
>UNIX Systems Administrator,                    | Assoc. for Computing Machinery
>U of M Supercomputing Institute for            |    University of Minnesohta
>Digital Simulation and Advanced Computation    |       dopp at acm.cs.umn.edu
>
>"Ooo-eeee-Ooooo, Killer Tofu!"  - The Beats "Killer Tofu"
>--------------------------------------------------------------------------------

_______________________________________________
tclug-list mailing list
tclug-list at lists.real-time.com
https://mailman.real-time.com/mailman/listinfo/tclug-list