Wireshark-dev: Re: [Wireshark-dev] [ACL][firewall] how to

From: Mihai Bucicoiu <mihai.bucicoiu@xxxxxxx>
Date: Wed, 15 Apr 2009 00:26:36 +0300
Hello and thanks for the reply.

I'll try to answer your questions :
 
>    I've choose Wireshark because it is the most complex packet
> analyzer as far as I know. I'm not trying to turn it into another
> language, but to turn Wireshark language into a firewall language.

What do you mean by "Wireshark language"?  Do you mean the display
filter _expression_ language?  As indicated, it can do tests that are
far more complicated than what most if not all firewalls will support
(as they act on the results of a full Wireshark dissection of the
packet).


I know some of the wireshark test, and in this first 2 months step I only what to implemnt just the simple ones. Validating MAC addresses, IP , port , ICMP and established sessions. I know that it is possible to filter traffic by this syntax. The reason for choosing Wireshark was that everyone can write on the filter toolbar "ymsg", and then add a rule to block this traffic, and only technical peoples can make a iptable/cisco ACL to block it.
 



> I really liked the firewall add-on, and I would like to make it
> happen, not just to make an "iptables" rule, for example, but to
> really filter the packets.


By "filter the packets" do you mean "apply the filter directly, rather
than just show the filter _expression_ and let a user add it to the
iptables rules"?

sorry for the typing, that's what I'm thinking about.


>    I'll try to descripe how do I see the "Wireshark firewall", maybe
> if you are interesting in this, you can help me implementing it.
> As far as I see, a Firewall has deny, permit rules and some attacks
> fingerprints. The first 2 steps are the one that interests me, maybe
> one CISCO .sdf importing in Wireshark would be the next nexp. I
> would like to create some filters, directly in the linux kernel,
> based on the Wireshark dissector packets. What I mean by this, is
> that you give some packet fingerprint to the kernel, tell him to
> deny/accept and he does the trick for you.

So what we have now in Wireshark is a mechanism that, based on the
contents of a packet, lets you choose which fields of the packet to
use in a filter _expression_ (from a small list), and generates a filter
testing that field or fields for the value or values they have, using
one of the filter syntaxes it knows.

Do you just want to have an option to take one of those filters and
directly add it to the list of filters in the Linux/*BSD/Mac OS X
kernel, rather than having to copy it and add it to the kernel's
filter list separately, or do you also want to make the code that
*generates* filters more sophisticated?

for the begging just the filter, copy the filter in the kernel , and creating a simple ACL for several ones.
 
 (The two parts are separate -
you could add the ability to stuff a filter rule into the kernel
without changing the way the rules are generated, and you could add
some code to add more way to generate filters without adding the
ability to stuff those filter rules into the kernel.)

Can you explain more for me ? I mean what rules are you talking about, the one in the user-space(wireshark) or the one in the kernel-space ?

Best,
 

   Mihai