3

I posted a question on ServerFault about a specialized Firewall setup, but as an avid software developer I am also considering rolling my own.

I am only interested in using a high-level language, preferably Java or Node.JS. Is there some system for Linux or Illumos that will take all network packets, and provide them to my application to make a determination on whether they should be allowed, dropped or refused? (or re-written)

I'm only interested in ICMP, UDP and TCP packets. I'm envisioning that I would write a Java application, that would allow me to sniff the traffic to make a determination on whether it should be allowed. For example, in HTTP traffic I may wish to check the Host header to determine what website the browser is attempting to visit.

I realize this is likely to lower the potential throughput, but perhaps the solution you guys recommend will have documentation that will let me clarify the impact of that caveat.

It's almost like I'm asking for FUSE, except for firewalls instead of filesystems.

Is there such a program out there, or would I be stuck with writing C/C++ code for the firewall?

Community
  • 1
700 Software
  • 487
  • 5
  • 16
  • Maybe this should be written as a Proxy server. I think there are solutions out there for that, but if there's one that works more natively with a NAT setup on a Linux box then that would be my preference. – 700 Software Jul 08 '16 at 20:20
  • 2
    That is like deciding, just for the fun of it, to test out your own armor design by wearing it on the battle field. It may work, but most likely that will be your last act (courageous perhaps, but certainly not brilliant even if you survive). – Julie Pelletier Jul 08 '16 at 20:22
  • Hmm.. It seems that if there were a library that would give me Java functions, I could reliably run an Access List, and sniff HTTP packets. I don't understand what is so complicated about creating accurate results. I do understand it would not be very DOS-resistant. – 700 Software Jul 08 '16 at 20:24
  • 2
    The higher level you make it, the less efficient it will be and the less flexible it will be in detecting low level attacks. You do seem interested in some kind of proxy solution which might be applicable to your need. – Julie Pelletier Jul 08 '16 at 20:26
  • Efficiency I get. Low-level attacks would be primarily handled by a Cisco IOS router separate from my server. Internal low-level attacks are something I may not be able to handle effectively given my limited experience on the subject (though I don't understand how the high-level language would be less flexible), but before I close the door I thought I'd ask you folks about it. – 700 Software Jul 08 '16 at 20:28
  • 3
    Inexperience and security are almost antonyms in the computer world. Don't try to protect yourself better than existing solutions when you don't understand how those solutions work. – Julie Pelletier Jul 08 '16 at 20:30
  • @Julie, Good advice. I may be smarter than you think though. So is there a way to make a firewall in a high-level language or would I be forced to use C/C++? (Though it does look like I'd be rolling a proxy server instead.) – 700 Software Jul 08 '16 at 20:34
  • @JuliePelletier and the armor consists of 500lb of crumpled aluminum foil. Too heavy to actually wear and too weak to stop a sword. – Ex Umbris Jul 09 '16 at 01:16
  • When it comes to DOS attacks, the analogies of 'strength and weight' apply. However from whether or not an intrusion can be successful it is more about the accuracy of the ruleset. Is there a hole we failed to consider, or not. To that end, I would limit the scope of what the high-level firewall would cover, and use it in conjunction with more mainstream firewall solutions. – 700 Software Jul 09 '16 at 14:33
  • But actually, I think I'm more likely to create a Transparent Proxy to do the packet sniffing. Given the answer on ServerFault. Still I do think this here is an interesting question. – 700 Software Jul 09 '16 at 14:33

3 Answers3

6

On Linux-based platforms there is a netlink socket that you can open from your Java program and determine whether or not to accept the packet. This socket can be included in the network stack with an iptables rule. Here of course you can also limit the types of packets to be passed to your usermode filter.

Here's what the man page has to say on the matter:

ULOG

This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.

Given the complexity and sophistication of the netfilter project, it might be worth asking for solutions to the problem you're trying to solve. (Or perhaps that's what your other SE question covered; I haven't looked yet )

roaima
  • 107,089
  • 14
  • 139
  • 261
  • Yes, my ServerFault question is looking for a more practical solution. – 700 Software Jul 08 '16 at 20:43
  • 2
    I found [an example C program that does this](http://www.tldp.org/HOWTO/Divert-Sockets-mini-HOWTO-6.html). It will take some time for me to convert to Java, but it does look like it can do what I need. (intercept, re-inject either altered or unaltered) The best part is that it ties in with `ipfilter` so not all packets need to be intercepted. – 700 Software Jul 08 '16 at 20:49
  • I wonder if Illumos has an equivalent to `netlink`... – 700 Software Jul 08 '16 at 20:50
  • @GeorgeBailey where does Illumos fit in? (I see no reference to this in your question or in the tags.) ... Ah, found it referenced in your earlier question. – roaima Jul 08 '16 at 21:31
  • 1
    Illumos is my friend, but I do realize Linux is more common for networking. Sorry I did not include it in the question earlier. – 700 Software Jul 08 '16 at 21:33
4

On OpenBSD the divert(4) mechanism can be used to lob packets between the kernel and an arbitrary userland process written in an arbitrary language, assuming the language can be made to interface with the system call (either directly or possibly via the additional complication of a shim divert(4)-to-whatever-IPC-is-required proxy layer should the language suck at system calls).

thrig
  • 34,333
  • 3
  • 63
  • 84
3

It's entirely plausible that a firewall could be built in Java, but It's very unlikely to be a tidy project that runs at the speeds that network systems require.

I used to work for a company that made a network security appliance that ran on top of SecureBSD. Any changes that we made to ipchains needed to be carefully scrutinized because the traffic was filtered in realtime. Even a very marginal loss of performance can be catastrophic.

Jesse Williams
  • 131
  • 3