Re: Firewall without network Stack (SUMMARY)

From: Kyle Wheeler (memoryhole@cheerful.com)
Date: 09/29/01 

Message-Id: <200109291933.f8TJXUOh517431@oak.cats.ohiou.edu>
Date: Sat, 29 Sep 2001 15:33:29 -0400
From: Kyle Wheeler <memoryhole@cheerful.com>
To: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
Subject: Re: Firewall without network Stack (SUMMARY)

With the help of a few people, I found what I was looking for (and a bit
more, actually). For anyone who is interested, the software project I
had seen and was trying to find again is called "HogWash"
(http://hogwash.sourceforge.net/).

> What's the point of this, beside slowing down everything?

Well, among other things, the firewall wouldn't have an IP address on
the internet - and thus would be much harder to attack because a hacker
can't make a direct connection to it. For another, you can filter based
on the content of the packets, or the pattern of packets - for example,
theoretically, packets that are part of an http connection request that
contain the string "default.ida" and who's GET string is longer than a
certain length could be denied.

According to the HogWash web page, "Instead of closing ports like a
traditional firewall, it drops or modifies specific packets based on a
signature match."

A few people suggested looking into the SOCK_PACKET interface, and maybe
the SOCK_RAW interface... I'm not sure of the difference or the
specifics, but I'll be looking into them as well.

Thanks, everyone!
~Kyle Wheeler 

--
I've finally learned what "upward compatable" means. It means we get to 
keep all our old mistakes.
-- Dennie van Tassel

Relevant Pages

  • Re: High CPU util on 3825
    ... it makes better sense to move these functions to a firewall. ... high speed ATM interface on a low-end router. ... packets before they can be inspected and NAT performed. ...
    (comp.dcom.sys.cisco)
  • Re: netmasks and subnets
    ... >> applies to your firewall forwarding which, ... it for X,Y,Z reasons), then sending through to an internal interface. ... is not really routing as you know it. ... the packets from one internal interface to another. ...
    (comp.os.linux.networking)
  • RE: Packet filters
    ... Bill's post is correct only if the firewall defaults to pass all. ... for each interface you want to pass through the firewall. ... > nature so I need to setup a firewall on the management interface. ... > handling any of the packets on the second interface. ...
    (freebsd-questions)
  • Re: Packet filters
    ... > nature so I need to setup a firewall on the management interface. ... > handling any of the packets on the second interface. ...
    (freebsd-questions)
  • Re: iptables and dhcp
    ... > the same physical network segment as the firewall and the remote DHCP ... You used INPUT and not FORWARD chain ... # This target allows packets to be marked in the mangle table ...
    (comp.os.linux.networking)