On Apr 14, 2009, at 1:26 PM, Mihai Bucicoiu wrote:
> The purpose is not for business software, more like for
> educational ones. I know that it will be hard to make one firewall
> application for all OS-types, but I would like to write just for the
> Unix-like systems.

Well, the only OS types we support are UNIX-like systems and Windows;
I don't know what various firewall products for Windows (or any built
into Windows) support as filter languages - Wireshark doesn't appear
to know about them - but there are several different firewall
mechanisms for various UNIX-like systems, so if you want one for
multiple UNIX-like systems, even that could be a significant project.
> I've chosen Wireshark because it is the most complex packet
> analyzer as far as I know. I'm not trying to turn it into another
> language, but to turn the Wireshark language into a firewall language.

What do you mean by "Wireshark language"? Do you mean the display
filter expression language? As indicated, it can do tests that are
far more complicated than what most if not all firewalls will support
(as they act on the results of a full Wireshark dissection of the
packet).
> I really liked the firewall add-on, and I would like to make it
> happen, not just to make an "iptables" rule, for example, but to
> really filter the packets.

By "filter the packets" do you mean "apply the filter directly, rather
than just show the filter expression and let a user add it to the
iptables rules"?
> I'll try to describe how I see the "Wireshark firewall"; maybe
> if you are interested in this, you can help me implement it.
> As far as I see, a firewall has deny and permit rules and some attack
> fingerprints. The first two are the ones that interest me; maybe
> a CISCO .sdf import into Wireshark would be the next step. I
> would like to create some filters, directly in the Linux kernel,
> based on the Wireshark dissected packets. What I mean by this is
> that you give some packet fingerprint to the kernel, tell it to
> deny/accept, and it does the trick for you.

So what we have now in Wireshark is a mechanism that, based on the
contents of a packet, lets you choose which fields of the packet to
use in a filter expression (from a small list), and generates a filter
testing that field or fields for the value or values they have, using
one of the filter syntaxes it knows.
Do you just want to have an option to take one of those filters and
directly add it to the list of filters in the Linux/*BSD/Mac OS X
kernel, rather than having to copy it and add it to the kernel's
filter list separately, or do you also want to make the code that
*generates* filters more sophisticated? (The two parts are separate -
you could add the ability to stuff a filter rule into the kernel
without changing the way the rules are generated, and you could add
some code to add more ways to generate filters without adding the
ability to stuff those filter rules into the kernel.)
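As an added illustration of the rule-generation mechanism the reply describes (a field or two picked from a dissected packet, emitted as a rule in one of several firewall syntaxes), here is a small translator. It is example code written for this page, not code from Wireshark or from either participant. The field names follow Wireshark's display-filter naming; the output syntaxes are stock iptables, pf, ipfw and Cisco IOS extended ACL, with the ACL number 101 a placeholder; the `INPUT` chain and the inbound direction are assumptions. It also shows the two points the reply makes: only a small subset of display-filter fields has a packet-filter equivalent (a field such as `http.request.uri` needs full dissection and is rejected), and values are validated before they are turned into a rule, which matters once rules are pushed into a kernel rather than shown to a user.

```python
import ipaddress

# Display-filter fields this translator can express as a packet-filter match.
# Fields that exist only after full dissection (e.g. http.request.uri) have
# no equivalent in any of the rule syntaxes below.
TRANSLATABLE = {"ip.src", "ip.dst", "tcp.dstport", "udp.dstport"}

# syntax -> (deny keyword, permit keyword)
ACTIONS = {
    "iptables": ("DROP", "ACCEPT"),
    "pf": ("block", "pass"),
    "ipfw": ("deny", "allow"),
    "cisco": ("deny", "permit"),   # IOS extended ACL; 101 below is a placeholder
}


def can_translate(fields):
    """True if every selected field has a packet-filter equivalent."""
    return set(fields) <= TRANSLATABLE


def _normalize(fields):
    """Validate names and values so nothing malformed reaches a firewall.
    Returns (src, dst, proto, port); absent parts are None."""
    if not can_translate(fields):
        unsupported = sorted(set(fields) - TRANSLATABLE)
        raise ValueError("no firewall equivalent for: " + ", ".join(unsupported))
    # ip_address() raises ValueError on anything that is not a literal address.
    src = str(ipaddress.ip_address(fields["ip.src"])) if "ip.src" in fields else None
    dst = str(ipaddress.ip_address(fields["ip.dst"])) if "ip.dst" in fields else None
    proto = port = None
    for p in ("tcp", "udp"):
        key = f"{p}.dstport"
        if key in fields:
            port = int(fields[key])
            if not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            proto = p
    return src, dst, proto, port


def make_rule(syntax, fields, action="deny"):
    """Render one inbound rule for `syntax` from Wireshark field/value pairs."""
    if action not in ("deny", "permit"):
        raise ValueError(f"action must be deny or permit, got {action!r}")
    if syntax not in ACTIONS:
        raise ValueError(f"unknown syntax {syntax!r}")
    deny_kw, permit_kw = ACTIONS[syntax]
    kw = deny_kw if action == "deny" else permit_kw
    src, dst, proto, port = _normalize(fields)

    if syntax == "iptables":
        parts = ["iptables -A INPUT"]
        if src:
            parts.append(f"-s {src}")
        if dst:
            parts.append(f"-d {dst}")
        if proto:
            parts.append(f"-p {proto} --dport {port}")
        parts.append(f"-j {kw}")
        return " ".join(parts)

    if syntax == "pf":
        rule = f"{kw} in quick"
        if proto:
            rule += f" proto {proto}"
        rule += f" from {src or 'any'} to {dst or 'any'}"
        if port is not None:
            rule += f" port {port}"
        return rule

    if syntax == "ipfw":
        rule = f"ipfw add {kw} {proto or 'ip'} from {src or 'any'} to {dst or 'any'}"
        if port is not None:
            rule += f" {port}"
        return rule

    # cisco
    def host(addr):
        return f"host {addr}" if addr else "any"

    rule = f"access-list 101 {kw} {proto or 'ip'} {host(src)} {host(dst)}"
    if port is not None:
        rule += f" eq {port}"
    return rule


def all_rules(fields, action="deny"):
    """The same selection rendered in every supported syntax."""
    return {s: make_rule(s, fields, action) for s in ACTIONS}


if __name__ == "__main__":
    # Constructed sample: two fields one might pick from a dissected packet.
    sample = {"ip.src": "192.0.2.10", "tcp.dstport": "22"}
    for syntax, rule in all_rules(sample).items():
        print(f"{syntax:9s} {rule}")
```

Adding a new syntax is one more entry in `ACTIONS` plus a rendering branch, and nothing in the generation step knows or cares whether the rule is then displayed or handed to the kernel, which is exactly the separation the reply draws between generating rules and installing them.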