Side note: This article is based on a project in my master's course on computer system security in 2010. I'm writing this article to recall the knowledge I've learned through the project and also hoping someone else can benefit from it.
Features of the Firewall
The firewall can BLOCK or UNBLOCK packets according to a set of rules. The rules are set by a user space configuration utility program. For example,
./mf --in --srcip 10.0.2.15 --srcnetmask 255.255.0.0 --destport 80 --proto TCP --action BLOCK
This rule is added to the firewall, and afterwards all incoming TCP packets whose source address lies in the 10.0.0.0/16 network (10.0.2.15 masked with 255.255.0.0) and whose destination port is 80 are blocked. Fields that a rule does not specify are not compared, so the rule above matches any source port and any destination address.
The firewall configuration utility can add, delete and print rules, and the kernel module filters network packets according to these rules.
Design and Implementation
The firewall implementation is done as a Linux kernel module. If you don’t have experience in kernel programming, don’t worry, I’ll try to be as detailed as necessary.
The implementation also includes a simple configuration program that lets users configure the firewall from user space. The procfs virtual file system is used to pass information between user space and kernel space.
All programming is done in C. The topics covered include the command line parsing API in GNU libc (getopt_long), how to write a Linux kernel module, the Linux proc file system, and netfilter hooks.
The overall design of this firewall implementation is shown below:
Figure 1. Overall Design of Minifirewall
The configuration tool is called minifirewall (invoked as ./mf in the example above). It parses the user's command line and sends instructions to the kernel module mf_km.ko through the proc file /proc/minifirewall. Depending on the command, mf_km.ko then adds, deletes or prints firewall rules.
mf_km.ko intercepts network packets arriving at or leaving the system's network interfaces and filters them (either passing or dropping each packet) according to the firewall policy set by the user.
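To make the rule format from the Features section and the matching the kernel module performs concrete, here is an added example in user-space C. It is my own code, not the article's minifirewall or mf_km.ko source: it parses the article's command line with GNU getopt_long and matches constructed packet descriptions against the resulting rule, so it compiles and runs without a kernel. The option names are the article's; everything else is an assumption of this example, in particular the struct layout, the "zero field means any" wildcard convention, the ALL protocol keyword, the requirement that --action be given, and the --out, --srcport, --destip and --destnetmask options beyond the single command the article shows. The kernel module would read the same header fields from the sk_buff instead of from a constructed struct.

```c
#define _GNU_SOURCE 1                 /* getopt_long() and inet_pton() prototypes on glibc */
#include <arpa/inet.h>
#include <getopt.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DIR_ANY = 0, DIR_IN = 1, DIR_OUT = 2 };
enum { PROTO_ANY = 0 };               /* otherwise IPPROTO_TCP / IPPROTO_UDP */
enum { ACT_NONE = 0, ACT_BLOCK = 1, ACT_UNBLOCK = 2 };

struct mf_rule {                      /* zero field = "any" (my convention); IPs in network order */
    int dir, proto, action; uint32_t src_ip, src_mask, dest_ip, dest_mask;
    uint16_t src_port, dest_port;     /* host byte order */
};

struct mf_packet {                    /* the header fields mf_km.ko would read from the sk_buff */
    int dir, proto; uint32_t src_ip, dest_ip; uint16_t src_port, dest_port;
};

static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;   /* strict dotted quad only */
    *out = a.s_addr; return 0;
}

static int parse_port(const char *s, uint16_t *out)
{
    char *end; unsigned long v = strtoul(s, &end, 10);
    if (!*s || *end || !v || v > 65535) return -1;   /* reject junk and out-of-range ports */
    *out = (uint16_t)v; return 0;
}

/* Parse "./mf --in --srcip A --srcnetmask M --destport P --proto TCP --action BLOCK" into *r.
 * Returns 0 on success, -1 on an unknown option, a bad value or a missing --action. */
int parse_rule(int argc, char **argv, struct mf_rule *r)
{
    static const struct option longopts[] = {
        {"in", no_argument, 0, 'i'},            {"out", no_argument, 0, 'o'},
        {"srcip", required_argument, 0, 's'},   {"srcnetmask", required_argument, 0, 'm'},
        {"destip", required_argument, 0, 'd'},  {"destnetmask", required_argument, 0, 'n'},
        {"srcport", required_argument, 0, 'p'}, {"destport", required_argument, 0, 'q'},
        {"proto", required_argument, 0, 't'},   {"action", required_argument, 0, 'a'},
        {0, 0, 0, 0}
    };
    int c;
    memset(r, 0, sizeof *r);
    r->src_mask = r->dest_mask = 0xffffffffu;   /* no netmask given: match the exact host */
    optind = 1;                                 /* restart getopt on every call */
    while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
        switch (c) {
        case 'i': r->dir = DIR_IN; break;
        case 'o': r->dir = DIR_OUT; break;
        case 's': if (parse_ip(optarg, &r->src_ip)) return -1; break;
        case 'm': if (parse_ip(optarg, &r->src_mask)) return -1; break;
        case 'd': if (parse_ip(optarg, &r->dest_ip)) return -1; break;
        case 'n': if (parse_ip(optarg, &r->dest_mask)) return -1; break;
        case 'p': if (parse_port(optarg, &r->src_port)) return -1; break;
        case 'q': if (parse_port(optarg, &r->dest_port)) return -1; break;
        case 't':
            if (!strcmp(optarg, "TCP")) r->proto = IPPROTO_TCP;
            else if (!strcmp(optarg, "UDP")) r->proto = IPPROTO_UDP;
            else if (!strcmp(optarg, "ALL")) r->proto = PROTO_ANY;  /* keyword is my assumption */
            else return -1;
            break;
        case 'a':
            if (!strcmp(optarg, "BLOCK")) r->action = ACT_BLOCK;
            else if (!strcmp(optarg, "UNBLOCK")) r->action = ACT_UNBLOCK;
            else return -1;
            break;
        default: return -1;                     /* unknown or ambiguous option */
        }
    }
    return r->action == ACT_NONE ? -1 : 0;      /* --action is mandatory in this example */
}

/* 1 if the packet matches every field the rule sets. The netmask is applied to both sides,
 * so --srcip 10.0.2.15 --srcnetmask 255.255.0.0 covers the whole of 10.0.0.0/16. */
int rule_matches(const struct mf_rule *r, const struct mf_packet *p)
{
    if (r->dir != DIR_ANY && r->dir != p->dir) return 0;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return 0;
    if (r->src_ip && (p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return 0;
    if (r->dest_ip && (p->dest_ip & r->dest_mask) != (r->dest_ip & r->dest_mask)) return 0;
    if (r->src_port && r->src_port != p->src_port) return 0;
    if (r->dest_port && r->dest_port != p->dest_port) return 0;
    return 1;
}

/* Build a packet description from dotted-quad strings (constructed test input, not live traffic). */
struct mf_packet make_packet(int dir, const char *src, const char *dst,
                             uint16_t sport, uint16_t dport, int proto)
{
    struct mf_packet p = { dir, proto, 0, 0, sport, dport };
    parse_ip(src, &p.src_ip); parse_ip(dst, &p.dest_ip);
    return p;
}
```

Feeding parse_rule the argument vector from the Features section and then calling rule_matches gives 1 for an incoming TCP packet from 10.0.7.1 to port 80 and 0 for one from 10.1.0.1, for one to port 443, for UDP, or for an outgoing packet. The two validation points worth carrying into a real configuration tool are the strict inet_pton parse (inet_aton would silently accept "10.0.2") and the port range check, since the kernel module should never have to sanitise what user space writes into /proc/minifirewall.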
More details of the implementation will be covered later.
Part 6: Put Everything Together (If you want the entire code, check out this part)