Introduction
The term "firewall" originally meant a fireproof wall built to stop fire spreading from one room or area of a building to another. Viewed from a computer-security perspective, the Internet is a volatile and unsafe environment, so "firewall" is an apt metaphor for network security.
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When a larger amount of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. File downloads, web page retrievals, emails: all of these Internet communications take place in packets.
Packet filtering policies may be based
upon any of the following:
- Allowing or disallowing packets on the basis of the source IP address
- Allowing or disallowing packets on the basis of their destination port
- Allowing or disallowing packets according to protocol.
Objective of the project
To deliver a packet-filtering firewall application, built on Netfilter and proxies, that allows or denies packets during the shift time specified by the user. It filters or stops packets between two specified IP addresses.
Mechanism
- Extract the packet header
- Check the protocol it carries
- Compare it against the protocol rules
- If the protocol matches, check the source and destination addresses
- If the protocol is TCP (Transmission Control Protocol), check the port
- Drop the packet
Description
A variable "Count-Rule" is declared and initialized; it holds the number of the current rule and is incremented each time a new rule is needed. The filter list is initialized to its first element, and its size grows as more rules are added. The packet header is then extracted and assigned to the variable ipp. Next the protocol is checked: protocol number 6 means TCP. If the connection is already established we accept the packet; likewise, if the SYN bit is not set, we pass the packet by returning PF_FORWARD.
Otherwise the packet is compared against the rules in the list until no member remains, i.e. as long as the condition while (aux != NULL) holds. For each rule, check whether the protocol matches; if it does, check the source and destination addresses, incrementing Count-Rule each time. If the protocol is TCP, also check the port.
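The matching sequence described in the Mechanism and Description sections, as an added user-space model in C. This is not the NFAL kernel module's code: the rule layout, the wildcard values, the NFAL_FORWARD/NFAL_DROP verdicts standing in for the page's PF_FORWARD and drop results, and the sample addresses and packets are all assumptions made for this illustration.

```c
/* Added example, not NFAL's own code: a user-space model of the matching
 * order in the text (protocol, then source/destination, then TCP port).
 * Rule layout, wildcards, verdict values and sample packets are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFAL_FORWARD 0            /* pass the packet (the page's PF_FORWARD) */
#define NFAL_DROP    1
#define ANY_ADDR     0u           /* wildcard address in a rule */
#define ANY_PORT     0u           /* wildcard port in a rule */
#define TCP_SYN      0x02         /* SYN bit in the TCP flags byte */

struct nfal_rule {
    uint8_t  proto;               /* IP protocol number: 1 ICMP, 6 TCP, 17 UDP */
    uint32_t src, dst;            /* host-order IPv4 addresses or ANY_ADDR */
    uint16_t port;                /* destination port, checked for TCP only */
};

/* Big-endian field access for raw packet bytes. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = (uint8_t)v; }

/* Dotted quad to host-order integer; 0 on a malformed string. */
static uint32_t addr(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255)
        return 0;
    return a << 24 | b << 16 | c << 8 | d;
}

/* The hook body: NFAL_DROP when a rule matches, otherwise NFAL_FORWARD. */
static int nfal_filter(const uint8_t *pkt, size_t len,
                       const struct nfal_rule *rules, size_t nrules)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return NFAL_FORWARD;                  /* not IPv4: outside this policy */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return NFAL_DROP;                     /* malformed header length */
    uint8_t  proto = pkt[9];
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    uint16_t dport = ANY_PORT;

    if (proto == 6) {
        if (ihl + 20 > len)
            return NFAL_DROP;                 /* truncated TCP header */
        if (!(pkt[ihl + 13] & TCP_SYN))       /* the text passes every non-SYN segment */
            return NFAL_FORWARD;
        dport = rd16(pkt + ihl + 2);
    }
    for (size_t i = 0; i < nrules; i++) {     /* the "while (aux != NULL)" walk */
        const struct nfal_rule *r = &rules[i];
        if (r->proto != proto) continue;
        if (r->src != ANY_ADDR && r->src != src) continue;
        if (r->dst != ANY_ADDR && r->dst != dst) continue;
        if (proto == 6 && r->port != ANY_PORT && r->port != dport) continue;
        return NFAL_DROP;
    }
    return NFAL_FORWARD;
}

/* Constructed test packet: minimal IPv4 header, plus a bare TCP header for proto 6. */
static size_t build_packet(uint8_t *buf, uint8_t proto, const char *src,
                           const char *dst, uint16_t dport, uint8_t tcp_flags)
{
    size_t len = proto == 6 ? 40 : 20;
    memset(buf, 0, len);
    buf[0] = 0x45;                            /* IPv4, IHL = 5 words */
    wr16(buf + 2, (uint16_t)len);             /* total length */
    buf[9] = proto;
    wr32(buf + 12, addr(src));
    wr32(buf + 16, addr(dst));
    if (proto == 6) {
        wr16(buf + 20, 40000);                /* source port */
        wr16(buf + 22, dport);
        buf[32] = 0x50;                       /* data offset = 5 words */
        buf[33] = tcp_flags;
    }
    return len;
}

/* Constructed policy: a port rule, a wildcard-source rule, a wildcard-destination rule. */
static const struct nfal_rule sample_rules[] = {
    { 6,  0x0A000007u, 0x0A000001u, 22 },       /* TCP 10.0.0.7 -> 10.0.0.1:22 */
    { 17, ANY_ADDR,    0x0A000001u, ANY_PORT }, /* any UDP to 10.0.0.1 */
    { 1,  0x0A000009u, ANY_ADDR,    ANY_PORT }, /* ICMP from 10.0.0.9 to anyone */
};

static int verdict_for(uint8_t proto, const char *src, const char *dst,
                       uint16_t dport, uint8_t tcp_flags)
{
    uint8_t buf[40];
    size_t len = build_packet(buf, proto, src, dst, dport, tcp_flags);
    return nfal_filter(buf, len, sample_rules, sizeof sample_rules / sizeof sample_rules[0]);
}

int main(void)
{
    printf("TCP SYN 10.0.0.7->10.0.0.1:22  %s\n", verdict_for(6, "10.0.0.7", "10.0.0.1", 22, TCP_SYN) ? "DROP" : "FORWARD");
    printf("TCP ACK 10.0.0.7->10.0.0.1:22  %s\n", verdict_for(6, "10.0.0.7", "10.0.0.1", 22, 0x10) ? "DROP" : "FORWARD");
    printf("UDP     10.0.0.8->10.0.0.1:53  %s\n", verdict_for(17, "10.0.0.8", "10.0.0.1", 53, 0) ? "DROP" : "FORWARD");
    return 0;
}
```

The model makes one property of the described design visible: because every TCP segment without SYN is forwarded before the rule walk, only connection attempts are ever subject to the policy, and the module keeps no connection state of its own. A non-SYN segment from a blocked source is therefore passed; a deployment that needs to filter existing flows would have to track state rather than rely on the SYN test alone.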
About NFAL (NetFilter Firewall Application on Linux)
NFAL is a firewall written for the Linux platform using the Netfilter APIs. Netfilter is a framework that provides hook handling within the Linux kernel for intercepting and manipulating network packets. More concretely, Netfilter is invoked, for example, by the packet reception and send routines to and from the network interfaces. When the master Netfilter function is called with a packet, it runs through the list of registered hooks and calls the extensions in succession, which then handle the packet as they see fit. The term Netfilter is also used to refer to the free-software project that aims to provide firewalling tools for GNU/Linux.
NFAL Supported Platforms
| S.No | Version | Platform |
| --- | --- | --- |
| 1 | 1.0.0 | Red Hat Enterprise Linux, any version |
| 2 | 1.0.0 | Ubuntu Desktop Editions, any version |
NFAL Software Details
- NFAL is written and developed in C and conforms to the ANSI C standard.
- It is compiled on Linux with the GNU GCC compiler, version 4.1.2 or later.
NFAL Hardware requirement
NFAL has very modest hardware requirements. Under Linux it runs on any minimal configuration; under Windows it runs on whatever minimum Windows itself needs to function properly.
NFAL Features
NFAL is a packet-filtering firewall with two simple rule actions, BLOCK and UNBLOCK. It can filter based on:
- Protocol
- Port
- Specific IP address
- All IPs
- MAC address
- All in/out packets
It can block a set of IP addresses, or all IP addresses as a group.
Design and Implementation
The firewall is implemented as a Linux kernel module. The implementation also includes a simple configuration program that lets users configure the firewall from user space, and the procfs virtual file system is used to pass information between user space and kernel space.
All programming is done in C, and the computing knowledge covered includes the command-line parsing API in GNU libc, how to write a Linux kernel module, the Linux proc file system, and Netfilter.
The configuration tool is called NFAL. It parses
the user commands and sends instructions to the kernel module nfal_km.ko through
a proc file /proc/nfal. Then based on user commands, nfal_km.ko can
add/delete/print firewall policy.
nfal_km.ko intercepts network packets arriving at or leaving the system's network interfaces and filters them (pass or drop) according to the firewall policy set by the user.
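The user-space/kernel-space split described above, as an added model in C that is not the project's code: a fixed-size policy table of the kind nfal_km.ko keeps, driven by the add/delete/print operations the text mentions. The page does not give the command syntax, so the line format "BLOCK|UNBLOCK <tcp|udp|icmp> <src|any> <dst|any> [port]", the field order and the table size are assumptions made for this illustration. The point of interest for a reviewer is the parsing: text written to /proc/nfal is untrusted input arriving in kernel code, so every field is read with a bounded width, validated, and rejected on any doubt.

```c
/* Added example, not NFAL's code: a user-space model of the policy table the
 * kernel module keeps and of a line-oriented command format that the
 * configuration tool could write to /proc/nfal. The command syntax, field
 * order and table size are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 64              /* fixed table: no allocation in the write path */
#define ANY_ADDR  0u
#define ANY_PORT  0u

struct nfal_rule   { uint8_t proto; uint32_t src, dst; uint16_t port; };
struct nfal_policy { struct nfal_rule rules[MAX_RULES]; size_t count; };

/* "any" or a dotted quad to a host-order address; returns 0 on bad input. */
static int parse_addr(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (strcmp(s, "any") == 0) { *out = ANY_ADDR; return 1; }
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255)
        return 0;
    *out = a << 24 | b << 16 | c << 8 | d;
    return 1;
}

static int parse_proto(const char *s, uint8_t *out)
{
    if (!strcmp(s, "tcp"))  { *out = 6;  return 1; }
    if (!strcmp(s, "udp"))  { *out = 17; return 1; }
    if (!strcmp(s, "icmp")) { *out = 1;  return 1; }
    return 0;
}

/* "<proto> <src|any> <dst|any> [port]" -> rule. Every field is read with a
 * bounded width and validated: in the real module this text is untrusted
 * input from user space arriving through a proc write. */
static int parse_rule(const char *args, struct nfal_rule *r)
{
    char proto[8], src[20], dst[20];
    unsigned port = ANY_PORT;
    int n = sscanf(args, "%7s %19s %19s %u", proto, src, dst, &port);
    if (n < 3 || port > 65535 || !parse_proto(proto, &r->proto)) return 0;
    if (!parse_addr(src, &r->src) || !parse_addr(dst, &r->dst)) return 0;
    if (n == 4 && r->proto != 6) return 0;   /* a port is only meaningful for TCP */
    r->port = (uint16_t)port;
    return 1;
}

static int rule_eq(const struct nfal_rule *a, const struct nfal_rule *b)
{
    return a->proto == b->proto && a->src == b->src && a->dst == b->dst && a->port == b->port;
}

/* One command line, as written to the proc file. Returns 0 on success, -1 for
 * a malformed or unknown command, -2 when the table is full or the rule is
 * absent. This is the module's add/delete step; print is below. */
static int nfal_policy_apply(struct nfal_policy *p, const char *line)
{
    char verb[8];
    int used = 0;
    struct nfal_rule r;
    size_t i;
    if (sscanf(line, "%7s%n", verb, &used) != 1) return -1;
    if (strcmp(verb, "BLOCK") != 0 && strcmp(verb, "UNBLOCK") != 0) return -1;
    if (!parse_rule(line + used, &r)) return -1;
    for (i = 0; i < p->count && !rule_eq(&p->rules[i], &r); i++) ;
    if (verb[0] == 'B') {
        if (i < p->count) return 0;           /* already present: idempotent */
        if (p->count == MAX_RULES) return -2;
        p->rules[p->count++] = r;
        return 0;
    }
    if (i == p->count) return -2;
    p->rules[i] = p->rules[--p->count];       /* delete by moving the last rule down */
    return 0;
}

static const char *proto_name(uint8_t p) { return p == 6 ? "tcp" : p == 17 ? "udp" : "icmp"; }

static void fmt_addr(uint32_t a, char out[16])
{
    if (a == ANY_ADDR) strcpy(out, "any");
    else sprintf(out, "%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

/* Render the table as a read of the proc file would; returns the number of
 * rules emitted and stops early rather than overrunning out (n must be > 0). */
static size_t nfal_policy_print(const struct nfal_policy *p, char *out, size_t n)
{
    size_t off = 0, i;
    for (i = 0; i < p->count; i++) {
        char s[16], d[16], line[64];
        const struct nfal_rule *r = &p->rules[i];
        fmt_addr(r->src, s); fmt_addr(r->dst, d);
        int w = snprintf(line, sizeof line, "BLOCK %s %s %s", proto_name(r->proto), s, d);
        if (r->port != ANY_PORT) w += snprintf(line + w, sizeof line - w, " %u", (unsigned)r->port);
        if (off + w + 1 >= n) break;
        memcpy(out + off, line, w); off += w; out[off++] = '\n';
    }
    out[off] = '\0';
    return i;
}

static struct nfal_policy demo_policy;        /* stands in for the in-kernel table */
static char demo_buf[256];

int main(void)
{
    const char *script[] = { "BLOCK tcp 10.0.0.7 10.0.0.1 22", "BLOCK udp any 10.0.0.1",
                             "BLOCK tcp 999.1.1.1 any", "UNBLOCK tcp 10.0.0.7 10.0.0.1 22" };
    for (size_t i = 0; i < 4; i++)
        printf("%-34s -> %d\n", script[i], nfal_policy_apply(&demo_policy, script[i]));
    nfal_policy_print(&demo_policy, demo_buf, sizeof demo_buf);
    fputs(demo_buf, stdout);
    return 0;
}
```

Two design choices carry over to a real module: the table is fixed-size so the write handler never allocates, and a delete of a rule that is not present is reported rather than silently ignored, which lets the configuration tool show the user the actual state of the policy. The proc entry itself should be created with a mode that limits writes to root, since whoever can write the file can rewrite the policy.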
We have skipped the demo screenshots here, as they may leak the project concept. For a demo version, please contact us using the information below.