Thursday, May 3, 2012

linux firewall project in c

Introduction

The term "firewall" originally means a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security.

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. Your entire file downloads, Web page retrievals, emails - all these Internet communications always occur in packets.

Packet filtering policies may be based upon any of the following:
  1. Allowing or disallowing packets on the basis of the source IP address 
  2. Allowing or disallowing packets on the basis of their destination port 
  3. Allowing or disallowing packets according to protocol.

Objective of the project

To deliver a packet-filtering firewall application, built on Netfilter and proxies, that allows or denies packets during the time shift specified by the user. It filters or stops packets between two specified IP addresses.

Mechanism
  • Extract the packet header 
  • Check the associated protocol 
  • Compare it with the protocol rules 
  • Check the source and destination addresses if the protocol matches 
  • Check the port if the protocol is TCP (Transmission Control Protocol) 
  • Drop the packet

Description
A variable "Count-Rule" is declared and initialized; it holds the number of the rule being handled and is incremented each time a new rule is required. The filter list is initialized with its first entry, and its size grows as more and more rules are added. The packet header is then extracted and assigned to the variable ipp, and its protocol is checked: protocol number 6 means TCP. All packets belonging to an already established connection are accepted, so if the SYN bit is not set the packet is passed using return PF_FORWARD.
Otherwise the packet is compared against the rules in the list until no member is left, i.e. for as long as the condition while (aux != NULL) holds. For each rule, check whether the protocol matches; if it does, compare the source and destination addresses, incrementing the count rule on each step. If the protocol is TCP, the port is checked as well.
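
The matching walk described above, as an added userspace model written for this page and not NFAL's own code: the pkt_hdr and rule structs, the ip4 helper and the PASS_PACKET/DROP_PACKET verdicts are assumptions standing in for the kernel's socket buffer, the module's rule storage and its PF_FORWARD verdict, and the sample policy is constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { PASS_PACKET = 0, DROP_PACKET = 1 };   /* pass or drop, as the page describes */
#define PROTO_TCP  6     /* IP protocol number 6 is TCP */
#define PROTO_ICMP 1
#define TCP_SYN    0x02  /* SYN flag bit in the TCP header */

struct pkt_hdr {            /* fields a hook pulls from the IP/TCP header (assumed layout) */
    uint8_t proto; uint32_t saddr, daddr; /* host-order IPv4 addresses */
    uint16_t dport; uint8_t tcp_flags;    /* TCP only */
};

struct rule {               /* one BLOCK rule in a singly linked list; dport 0 = any port */
    uint8_t proto; uint32_t saddr, daddr; uint16_t dport;
    struct rule *next;
};

static uint32_t ip4(int a, int b, int c, int d) {  /* dotted quad -> host-order word */
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Walks the list as the Description outlines; *count_rule plays the role of Count-Rule
 * and ends up holding how many rules were examined before the verdict. */
enum verdict filter_packet(const struct pkt_hdr *ipp, const struct rule *list, int *count_rule)
{
    const struct rule *aux = list;
    *count_rule = 0;
    if (ipp->proto == PROTO_TCP && !(ipp->tcp_flags & TCP_SYN))
        return PASS_PACKET;        /* no SYN: connection already established, let it through */
    while (aux != NULL) {
        (*count_rule)++;
        if (aux->proto == ipp->proto && aux->saddr == ipp->saddr && aux->daddr == ipp->daddr &&
            (ipp->proto != PROTO_TCP || aux->dport == 0 || aux->dport == ipp->dport))
            return DROP_PACKET;    /* protocol, addresses (and TCP port) match a BLOCK rule */
        aux = aux->next;
    }
    return PASS_PACKET;            /* no rule matched */
}

/* Constructed sample policy: block TCP/80 and all ICMP from 10.0.0.5 to 10.0.0.9. */
struct rule *sample_rules(void)
{
    static struct rule r_tcp, r_icmp;
    r_tcp  = (struct rule){ PROTO_TCP,  ip4(10,0,0,5), ip4(10,0,0,9), 80, &r_icmp };
    r_icmp = (struct rule){ PROTO_ICMP, ip4(10,0,0,5), ip4(10,0,0,9), 0,  NULL };
    return &r_tcp;
}
```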

About NFAL (NetFilter Firewall Application on Linux)

NFAL is a firewall written for the Linux platform using the Netfilter APIs. Netfilter is a framework that provides hook handling within the Linux kernel for intercepting and manipulating network packets. Put more concretely, Netfilter is invoked, for example, by the packet reception and send routines from/to network interfaces. As the master Netfilter function is called with a packet, Netfilter runs through the list of registered hooks and calls the extensions in succession, which then handle packets as they desire. The term Netfilter is also used to refer to the Free Software project that aims to provide firewalling tools for GNU/Linux.

NFAL Supported Platforms

  S.No   Version   Platform
  1      1.0.0     Red Hat Enterprise Linux any version
  2      1.0.0     Ubuntu Desktop Editions any version

NFAL Software Details
  1. NFAL is written and developed in C and conforms to the ANSI standards applicable to C.
  2. It is compiled under Linux with the GNU GCC compiler, version 4.1.2 and higher.

NFAL Hardware requirement

NFAL has very modest hardware requirements. Under Linux it can run on any minimal hardware combination. Under Windows it can run on the minimum hardware on which Windows itself functions properly.

NFAL Features

NFAL is a packet filtering firewall with a simple rule set of BLOCK and UNBLOCK. It offers firewalling based on the following:
  1. Protocol
  2. Port
  3. Specific IP address
  4. All IPs
  5. MAC address
  6. All in/out packets.
It can block a set of IP addresses or the group of all IPs. 

Design and Implementation

The firewall is implemented as a Linux kernel module. The implementation also has a simple configuration program for users to configure the firewall from user space, and the procfs virtual file system is used to pass information between user space and kernel space.
All programming is done in C, and the computing knowledge covered includes the command line parsing API in GNU libc, how to write a Linux kernel module, knowledge of the Linux proc file system, and an understanding of Netfilter.

The configuration tool is called NFAL. It parses the user commands and sends instructions to the kernel module nfal_km.ko through a proc file, /proc/nfal. Based on those commands, nfal_km.ko can add, delete or print the firewall policy.
nfal_km.ko intercepts network packets arriving at or leaving the system's network interfaces and filters them (either pass or drop) based on the firewall policy set by the user.

We have skipped the demo screenshots here, as they may leak the project concept. For a demo version please contact us using the information below.
