Wireshark-dev: Re: [Wireshark-dev] [ACL][firewall] how to

From: Mihai Bucicoiu <mihai.bucicoiu@xxxxxxx>
Date: Tue, 14 Apr 2009 23:26:46 +0300
It sounds as if you're developing something that doesn't involve
captured packets at all, just taking an expression in one packet-
matching language (Wireshark's filter language) and attempting to turn
it into an expression in another packet-matching language (the
language for whatever packet filter mechanism you're using).  There's
nothing Wireshark-specific about that - you're not using any of
Wireshark's inherent capabilities, as you're not generating the filter
expression from a captured packet's contents - so why are you choosing
to use Wireshark for this?

  Thanks for your reply, and I'll write here my explanation of why I'm using it.

   The purpose is not for business software, more like for educational ones. I know that it will be hard to make one firewall application for all OS types, but I would like to write just for Unix-like systems.

   I've chosen Wireshark because it is the most complex packet analyzer as far as I know. I'm not trying to turn it into another language, but to turn the Wireshark language into a firewall language. I really liked the firewall add-on, and I would like to make it happen, not just to make an "iptables" rule, for example, but to really filter the packets.

   About the CISCO IOS ACL commands, the ones generated by Wireshark were not so good (in my opinion), and I would like to develop them, maybe even sending them to a CISCO router (if I'll have time for it).

   I'll try to describe how I see the "Wireshark firewall"; maybe if you are interested in this, you can help me implement it.
As far as I see, a firewall has deny rules, permit rules and some attack fingerprints. The first 2 steps are the ones that interest me; maybe importing a CISCO .sdf into Wireshark would be the next step. I would like to create some filters, directly in the Linux kernel, based on the Wireshark dissector packets. What I mean by this is that you give some packet fingerprint to the kernel, tell it to deny/accept, and it does the trick for you. I would like to use for this the CISCO ACL approach, in which the filters are listed and applied in the order they appear in the list.

  Hope I can find someone to help me in this approach,

Mihai
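The ordered deny/permit list Mihai describes, as an added illustration that is not part of the thread and not code from Wireshark or from Mihai: a small user-space evaluator that takes rules written in a tiny subset of Wireshark display-filter syntax (`==`, `!=`, `&&` over `ip.src`, `ip.dst`, `ip.proto` and the TCP/UDP port fields), walks them in list order, and stops at the first match, with an implicit final deny as Cisco IOS ACLs have. The `Packet` and `Rule` types, the field names supported, and the sample packets are all constructed for this example; the point it shows is that the decision depends on rule order, so the order in which a converter emits rules is itself security-relevant.

```python
"""Toy first-match ACL evaluator over Wireshark-style filter expressions.

Added example, not from the mailing-list thread. It supports only a small
subset of the display-filter language (no parentheses, no '||', no ranges).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field names this toy understands (a subset of Wireshark's field names).
FIELDS = {"ip.src", "ip.dst", "ip.proto",
          "tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport"}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: what a dissector would hand a filter engine."""
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int

    def field(self, name: str):
        """Value of a Wireshark-style field for this packet, or None if the
        field does not exist in the packet (e.g. tcp.dstport on a UDP packet)."""
        if name == "ip.src":
            return self.src
        if name == "ip.dst":
            return self.dst
        if name == "ip.proto":
            return self.proto
        layer, attr = name.split(".")
        if layer != self.proto:
            return None
        return self.sport if attr == "srcport" else self.dport


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    expr: str      # conjunction of comparisons, e.g. "tcp.dstport == 80 && ip.dst == 192.0.2.53"


def parse_filter(expr: str) -> List[Tuple[str, str, object]]:
    """Parse 'a == x && b != y' into [(field, op, value), ...]; ports become ints."""
    conds = []
    for term in expr.split("&&"):
        term = term.strip()
        for op in ("!=", "=="):
            if op in term:
                field, value = (s.strip() for s in term.split(op, 1))
                break
        else:
            raise ValueError(f"unsupported term: {term!r}")
        if field not in FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        conds.append((field, op, int(value) if field.endswith("port") else value))
    return conds


def matches(conds, pkt: Packet) -> bool:
    """A rule matches only if every comparison holds; a field absent from the
    packet never matches (simplification of Wireshark's '!=' semantics)."""
    for field, op, value in conds:
        actual = pkt.field(field)
        if actual is None:
            return False
        if (op == "==") != (actual == value):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index). No match means
    the implicit deny at the end of the list, reported with index None."""
    for i, rule in enumerate(rules):
        if matches(parse_filter(rule.expr), pkt):
            return rule.action, i
    return "deny", None


def filter_all(rules: List[Rule], packets: List[Packet]):
    return [evaluate(rules, p) for p in packets]


# Constructed rule list: block one host first, then allow web and DNS traffic.
RULES = [
    Rule("deny", "ip.src == 192.0.2.7"),
    Rule("permit", "tcp.dstport == 80"),
    Rule("permit", "tcp.dstport == 443"),
    Rule("permit", "udp.dstport == 53 && ip.dst == 192.0.2.53"),
]

# Constructed sample packets (documentation-range addresses).
SAMPLE = [
    Packet("192.0.2.7", "198.51.100.10", "tcp", 40000, 80),   # blocked host, even on port 80
    Packet("192.0.2.8", "198.51.100.10", "tcp", 40001, 80),   # ordinary web request
    Packet("192.0.2.8", "192.0.2.53", "udp", 40002, 53),      # DNS to the allowed resolver
    Packet("192.0.2.8", "198.51.100.10", "tcp", 40003, 22),   # nothing matches: implicit deny
]

if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE, filter_all(RULES, SAMPLE)):
        print(f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: {action} (rule {idx})")
    # Same rules in reverse order: the blocked host now slips through on port 80.
    print("reversed:", evaluate(list(reversed(RULES)), SAMPLE[0]))
```

Reversing the list turns the first packet's verdict from `deny` into `permit`, which is exactly why a converter from filter expressions to ACL entries has to preserve the author's ordering rather than emit rules in whatever order it discovers them.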