Another great feature would be to have packets matching a certain rule get passed to a plugin for processing. For example, PPTP packets could get passed to a plugin that replaces the internal IP with the external one on the way out, and vice-versa on the way in.

What would be even better is multiple interface support, where you assign each interface a different security level. The outside interface would be 0, and the inside would be 100. DMZs could be anything in between. By default, higher security levels would be able to get to lower ones, but not the other way around. Adding this support and NAT capabilities would make it have the same functionality as a Cisco PIX firewall (except for the PPTP thing).

Maybe it's time to whack your code up on sourceforge.net and start a project. Once it's up and working properly, you give the code away under the GPL, but charge for support services if businesses need them. This is how the makers of MySQL and BIND make their money. I don't know yet if Oracle is free for commercial use, but they were throwing around the idea since 70% of their revenue is generated from support contracts and calls. If you could fit the project on a boot floppy and make a nice command line interface, you'd make a very nice free alternative to very expensive commercial firewalls.

Jay

-----Original Message-----
From: Jason DeStefano [mailto:destef at destef.com]
Sent: Saturday, November 18, 2000 6:27 PM
To: tclug-list at lists.real-time.com
Subject: Re: [TCLUG] To firewall or not to firewall...

A bridge is exactly what it is, and it gives me the ability to insert code to process the packets any way I want. Plus, it only took about 8 hours to write the firewall and maybe another 8 hours to add multithreaded queueing and prioritization, so it wasn't much of an investment in time (but a good learning experience). I tried Linux bridging with ipchains and neither would work together; they only worked on their own. Plus, your alternate solution is BSD, not Linux. heh.

If the program you mention can prioritize certain packets over others, do bandwidth throttling on any traffic pattern, provide a web interface to view the stats in realtime, and modify the rules table on-the-fly via a web interface, then I'd be interested.

Some additional features I plan to add:

1. Fake RST-ACK blocked ports to port scanners. For example, if you nmap a firewalled port, nmap tells you it's firewalled because it doesn't receive an RST-ACK when it's probed. If the firewall will send the RST-ACK to the port scanner on behalf of the firewalled box, then a port scanning program won't even be able to tell if you have your network firewalled.

2. NAT through a bridge. In *theory*, when I forward packets I could replace an "internet IP" with a 10-net IP and then back to an internet IP on the way out. Certain boxes could have a 10-net but still have a unique IP on the Internet; others could be proxied through 1 IP. This could potentially allow 10-net boxes full internet access with no configuration needed on clients. This would give NAT/proxied machines the benefits of all the other features of this program. And the best thing is that you don't need to rely on Cisco routers to handle these features even if they could.

Of course, some of these ideas are future ideas and may exist already in other packages, but my goal is to integrate all these features into a single transparent bridge (using my algorithms). Plus, it's a good learning experience in the process. If anyone knows of any Linux transparent firewalls that they know to work, I'd be interested in hearing about it.

Jason

At 05:42 PM 11/18/00 -0600, you wrote:
>On Fri, Nov 17, 2000 at 06:10:15PM -0600, Jason DeStefano wrote:
>>
>You didn't have to write this yourself. It sounds to me like an ethernet
>bridge. Can be done easily in OpenBSD by setting up the bridge0 device and
>putting your filtering rules in /etc/ipf.rules. It's one of the coolest
>capabilities I've seen in OpenBSD. Hopefully, something similar will be
>implemented in the 2.4 Linux kernel. Anyone know if Linux is already
>capable of bridging like this?
>
>Gabe
>
>--
>--------------------------------------------------------------------------------
>Gabe Turner | X-President,
>UNIX Systems Administrator, | Assoc. for Computing Machinery
>U of M Supercomputing Institute for | University of Minnesohta
>Digital Simulation and Advanced Computation | dopp at acm.cs.umn.edu
>
>"Ooo-eeee-Ooooo, Killer Tofu!" - The Beats "Killer Tofu"
>--------------------------------------------------------------------------------
>_______________________________________________
>tclug-list mailing list
>tclug-list at lists.real-time.com
>https://mailman.real-time.com/mailman/listinfo/tclug-list
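Feature 1 in Jason's list, answering a probe to a filtered port on the protected host's behalf so the scanner sees a closed port rather than a silent drop, as an added example that is not code from anyone in this thread: the packet logic in pure Python, with the RFC 793 sequence/acknowledgement rule and both checksums worked out. The bridge's raw-socket receive and transmit path is assumed to exist around it, and the addresses and ports are constructed sample values.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd tail is zero-padded."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                   flags: int, window: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an IPv4 header plus a 20-byte TCP header with both checksums filled in."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum16(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, saddr, daddr)
    return ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:] + tcp

def parse_ipv4_tcp(packet: bytes) -> dict:
    """The fields the bridge needs to decide on, and answer, a TCP probe."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "data_len": len(packet) - ihl - (off_flags >> 12) * 4}

def checksums_ok(packet: bytes) -> bool:
    """Both the IPv4 header and the TCP checksum verify when the sum folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return checksum16(packet[:ihl]) == 0 and checksum16(pseudo + packet[ihl:]) == 0

def rst_ack_for(packet: bytes):
    """For a TCP SYN the rule set drops, build the RST-ACK a closed port would have sent,
    per RFC 793: SEQ=0, ACK=SEG.SEQ+SEG.LEN, where the SYN flag counts as one octet.
    Returns None for non-TCP traffic and for anything that is not a bare SYN."""
    if packet[9] != 6:          # IPv4 protocol field: 6 = TCP
        return None
    p = parse_ipv4_tcp(packet)
    if not (p["flags"] & SYN) or (p["flags"] & ACK):
        return None
    return build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"], 0,
                          (p["seq"] + p["data_len"] + 1) & 0xFFFFFFFF, RST | ACK)

# Constructed sample: a scanner at 203.0.113.5 probing port 25 on a host behind the bridge.
SAMPLE_SYN = build_ipv4_tcp("203.0.113.5", "192.0.2.10", 40000, 25, 1000, 0, SYN, 65535)
```

Only bare SYNs are answered, so the bridge never replies to SYN-ACKs or stray ACKs, and the reply is a fixed 40-byte header with no payload.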