Wireshark-dev: Re: [Wireshark-dev] [ACL][firewall] how to

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Apr 2009 14:08:21 -0700

On Apr 14, 2009, at 1:26 PM, Mihai Bucicoiu wrote:

The purpose is not for business software, more like for educational ones. I know that it will be hard to make one firewall application for all OS-types, but I would like to write just for the Unix-like systems.

Well, the only OS types we support are UNIX-like systems and Windows; I don't know what various firewall products for Windows (or any built into Windows) support as filter languages - Wireshark doesn't appear to know about them - but there are several different firewall mechanisms for various UNIX-like systems, so if you want one for multiple UNIX-like systems, even that could be a significant project.

I've chosen Wireshark because it is the most complex packet analyzer as far as I know. I'm not trying to turn it into another language, but to turn the Wireshark language into a firewall language.

What do you mean by "Wireshark language"? Do you mean the display filter expression language? As indicated, it can do tests that are far more complicated than what most if not all firewalls will support (as they act on the results of a full Wireshark dissection of the packet).

I really liked the firewall add-on, and I would like to make it happen, not just to make an "iptables" rule, for example, but to really filter the packets.

By "filter the packets" do you mean "apply the filter directly, rather than just show the filter expression and let a user add it to the iptables rules"?

I'll try to describe how I see the "Wireshark firewall"; maybe if you are interested in this, you can help me implement it. As far as I see, a firewall has deny and permit rules and some attack fingerprints. The first two are the ones that interest me; maybe importing CISCO .sdf files into Wireshark would be the next step. I would like to create some filters, directly in the Linux kernel, based on the Wireshark dissector packets. What I mean by this is that you give some packet fingerprint to the kernel, tell it to deny/accept, and it does the trick for you.

So what we have now in Wireshark is a mechanism that, based on the contents of a packet, lets you choose which fields of the packet to use in a filter expression (from a small list), and generates a filter testing that field or fields for the value or values they have, using one of the filter syntaxes it knows.

Do you just want to have an option to take one of those filters and directly add it to the list of filters in the Linux/*BSD/Mac OS X kernel, rather than having to copy it and add it to the kernel's filter list separately, or do you also want to make the code that *generates* filters more sophisticated? (The two parts are separate - you could add the ability to stuff a filter rule into the kernel without changing the way the rules are generated, and you could add some code to add more ways to generate filters without adding the ability to stuff those filter rules into the kernel.)
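As an added illustration of the first of the two parts Guy separates above (picking fields from a dissected packet and rendering a rule in a known firewall syntax, not pushing the rule into the kernel), here is a small Python sketch. It is not Wireshark's own code: it takes a constructed dict of dissected fields named the way Wireshark display filters name them (ip.src, tcp.dstport, ...), lets the caller choose which of them to match on, and renders a deny/permit rule in iptables, pf or Cisco IOS extended-ACL syntax. The sample packet, the field set and the three renderers are assumptions made for this example.

```python
"""Render firewall rules from selected fields of a dissected packet.

Added example, not Wireshark's own code.  Field names follow Wireshark
display-filter naming; the packet below is constructed, not captured.
"""
import ipaddress

# Constructed sample of what a dissector pass might yield for one packet.
SAMPLE_PACKET = {
    "ip.src": "203.0.113.7",
    "ip.dst": "198.51.100.20",
    "ip.proto": 6,            # TCP
    "tcp.srcport": 51515,
    "tcp.dstport": 22,
}

IP_PROTO = {6: "tcp", 17: "udp"}
# port field -> (transport protocol it implies, rule slot it fills)
PORT_FIELDS = {
    "tcp.srcport": ("tcp", "sport"), "tcp.dstport": ("tcp", "dport"),
    "udp.srcport": ("udp", "sport"), "udp.dstport": ("udp", "dport"),
}


def select_fields(packet, fields):
    """Pull the chosen fields out of the packet and validate them.

    Returns a syntax-neutral dict; raises on missing fields, bad values,
    mixed tcp/udp selections, or a selection that would match everything."""
    p = {"src": None, "dst": None, "proto": None, "sport": None, "dport": None}
    for f in fields:
        if f not in packet:
            raise KeyError(f"field {f} is not present in this packet")
        if f in ("ip.src", "ip.dst"):
            # ipaddress rejects anything that is not a literal address
            p["src" if f == "ip.src" else "dst"] = str(ipaddress.ip_address(packet[f]))
        elif f in PORT_FIELDS:
            proto, slot = PORT_FIELDS[f]
            port = int(packet[f])
            if not 0 <= port <= 65535:
                raise ValueError(f"bad port {port} in {f}")
            if p["proto"] not in (None, proto):
                raise ValueError("cannot mix tcp and udp fields in one rule")
            if "ip.proto" in packet and IP_PROTO.get(packet["ip.proto"]) != proto:
                raise ValueError(f"{f} selected but ip.proto is {packet['ip.proto']}")
            p["proto"], p[slot] = proto, port
        else:
            raise ValueError(f"unsupported field {f}")
    if all(v is None for v in p.values()):
        raise ValueError("no fields selected; refusing to emit a match-all rule")
    return p


def render_iptables(p, action):
    cmd = ["iptables", "-A", "INPUT"]
    if p["proto"]:
        cmd += ["-p", p["proto"]]          # --sport/--dport need -p tcp|udp
    if p["src"]:
        cmd += ["-s", p["src"]]
    if p["dst"]:
        cmd += ["-d", p["dst"]]
    if p["sport"] is not None:
        cmd += ["--sport", str(p["sport"])]
    if p["dport"] is not None:
        cmd += ["--dport", str(p["dport"])]
    return " ".join(cmd + ["-j", "DROP" if action == "deny" else "ACCEPT"])


def render_pf(p, action):
    rule = ["block" if action == "deny" else "pass", "in", "quick"]
    if p["proto"]:
        rule += ["proto", p["proto"]]
    rule += ["from", p["src"] or "any"]
    if p["sport"] is not None:
        rule += ["port", str(p["sport"])]
    rule += ["to", p["dst"] or "any"]
    if p["dport"] is not None:
        rule += ["port", str(p["dport"])]
    return " ".join(rule)


def render_cisco(p, action, acl=100):
    # Cisco IOS extended ACL: access-list N deny|permit proto src [eq p] dst [eq p]
    rule = ["access-list", str(acl), action, p["proto"] or "ip"]
    rule += ["host", p["src"]] if p["src"] else ["any"]
    if p["sport"] is not None:
        rule += ["eq", str(p["sport"])]
    rule += ["host", p["dst"]] if p["dst"] else ["any"]
    if p["dport"] is not None:
        rule += ["eq", str(p["dport"])]
    return " ".join(rule)


RENDERERS = {"iptables": render_iptables, "pf": render_pf, "cisco-ios": render_cisco}


def generate_rule(packet, fields, syntax, action="deny"):
    """The user-facing step: selected fields + syntax + action -> rule text."""
    if action not in ("deny", "permit"):
        raise ValueError(f"action must be deny or permit, not {action!r}")
    if syntax not in RENDERERS:
        raise ValueError(f"unknown syntax {syntax!r}")
    return RENDERERS[syntax](select_fields(packet, fields), action)


if __name__ == "__main__":
    for syntax in RENDERERS:
        print(generate_rule(SAMPLE_PACKET, ["ip.src", "tcp.dstport"], syntax))
```

The generator stays deliberately separate from anything that would install the rule, which is the split Guy draws: a second piece could hand the rendered string to iptables or pfctl, but the rendering logic does not need to change for that, and refusing to emit a match-everything rule when no field is selected is the kind of check that matters most once rules start going straight into a kernel.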