Subject: a cutting-edge open-source network security project
From: travis+ml-firewalls () subspacefield org
Date: Sun, 2 May 2010 15:48:12 -0700
The dynamic firewall daemon (DFD) sets up and (optionally) maintains
your packet filter (firewall) rules. It is a framework, not a specific
implementation. My goal is for it to be capable of doing almost
anything that you'd want to do to firewall rules. Some people call
them reactive firewalls, and they are akin to IPS systems. The
philosophy behind DFD is to be the only program which modifies your
firewall rules, and by doing so, it can enforce policies and allow
multiple clients to request changes from it.

The basic idea behind DFD is to do one thing, and do it well. The DFD
programs are designed to be able to exploit virtually any capability
of the underlying firewall, and add several abilities. Its text
command API, which is similar to the Unix shell, is designed to
decouple the programs which invoke R-box functions (sniffers, snort,
etc.) from the details of the R-box implementation (specifically,
firewall rules). DFD allows you to define a set of firewall rules (any
of which may be active at a given time) and a set of commands which
transform them in specific ways. Put simply, the other components of
your IDS shouldn't need to know what kind of firewall you are using,
much less what rule chain you want them to insert the block rules on,
or the syntax of the rules, etc. Everything else talks to DFD, via an
easy-to-use command line API, and it can do this over the network if
you wish, using nothing more complicated than netcat.
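As an added illustration of that architecture (not DFD's own code, and not its real command syntax): a minimal Python sketch of a broker that is the single owner of the rule set, parses shell-like text commands one line at a time, enforces a policy before touching anything, and renders the same abstract request into pf or iptables syntax. The command verbs, the two backends and the protected-network policy are all assumptions made for the example.

```python
import ipaddress
import shlex

# Hypothetical backends: each renders an abstract "block this host" action
# into the native syntax of one packet filter. Real pf/iptables rule sets
# are far richer; only the decoupling is being demonstrated here.
BACKENDS = {
    "pf": lambda ip: f"block drop quick from {ip} to any",
    "iptables": lambda ip: f"iptables -I INPUT -s {ip} -j DROP",
}

class RuleBroker:
    """The one process that touches firewall rules; clients only send text."""

    def __init__(self, backend, protected_nets=("10.0.0.0/8", "192.168.0.0/16")):
        self.render = BACKENDS[backend]
        # Assumed policy: never let a client block internal address space.
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self.blocked = {}  # ip -> rendered rule, so duplicates are not inserted

    def handle(self, line):
        """Parse one shell-like command line; return (ok, message)."""
        try:
            argv = shlex.split(line)
        except ValueError as e:
            return False, f"parse error: {e}"
        if len(argv) != 2 or argv[0] not in ("block", "unblock"):
            return False, "usage: block <ip> | unblock <ip>"
        try:
            ip = ipaddress.ip_address(argv[1])
        except ValueError:
            return False, f"invalid address: {argv[1]}"
        if any(ip in net for net in self.protected):
            return False, f"policy: refusing to touch protected address {ip}"
        if argv[0] == "block":
            if ip in self.blocked:
                return True, f"already blocked {ip}"
            self.blocked[ip] = self.render(ip)  # a real backend would apply it
            return True, self.blocked[ip]
        if self.blocked.pop(ip, None) is None:
            return False, f"{ip} not blocked"
        return True, f"unblocked {ip}"

def serve(broker, inp, out):
    """Line-oriented loop; works over a socket's file objects, hence netcat."""
    for line in inp:
        ok, msg = broker.handle(line.strip())
        out.write(("ok: " if ok else "err: ") + msg + "\n")
```

Because clients only ever see the verb-and-address text protocol, a sniffer or snort wrapper written against it keeps working unchanged when the box behind it switches from pf to iptables.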
I'm actively maintaining the python/OpenBSD/pf implementation, which can
be found here:

I am looking for someone to take over the python/Linux/iptables
implementation, which can be found here:

Actually, I'm looking to stimulate interest in any way. I am not using
Linux as a firewall so think it would be best to find someone interested
in taking it over, who can try out new ideas and bounce ideas off of me,
potentially with some cooperation or healthy competition.

I've written a simple sniffer that detects bittorrent traffic and sets
up port forwarding on the NAT/DFD box so that it "just works". You
stop using it on one internal machine, start with another, and it
"just works" again, no manual intervention needed.

Another idea is to "federate" against attacks, so that when your IDS
(say, snort) detects an attack from an external entity, you block that
entity at multiple locations (each of which runs DFD, but which may run
entirely different OSes and firewalls). This hasn't been implemented
but could prove itself rapidly useful (if engineered carefully).

Anyway, I think there's a LOT of room for innovation and development
of an ecosystem of tiny little programs that all interoperate around
DFD, making the network smarter.

If you're interested, please join the mlist; it's very low-traffic (at

Comments, ideas on where else to find recruits, etc., very welcome.

For quickest response, cc directly to travis () subspacefield org,
as email to this address goes into the firewalls folder.
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john () subspacefield org to get blacklisted.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com