{SPAM} [Snort-users] Need to MAKE/DEVELOP my own firewall

Matt Kettler mkettler at ...4108...
Wed Apr 16 19:20:02 EDT 2003


>I have downloaded the hogwash code... I'm trying to
>understand it, but can somebody
>
>tell me when hogwash picks up a packet from the
>adapter and snort tells it to stop?

Short answer: It doesn't.


In particular, I perused the source quickly to get a rough idea of how 
hogwash works. You also should read some of the hogwash documentation:

http://hogwash.sourceforge.net/docs/setting.html


From what I can tell, Hogwash provides absolutely NO protection to the 
machine it runs on, only those behind it in the network. Hogwash does *NOT* 
stop the packets from reaching the network stack of the host OS. They will 
get there and hogwash can't and won't stop it. If the host OS configuration 
is going to do anything about the packets, hogwash will _not_ protect it.

Hogwash appears to rely on you to configure your system to not route 
packets between interfaces and let hogwash do it for you. To quote the 
hogwash documentation:

"Whenever Hogwash is inline, it is important to remember to disable the 
kernel IP forwarding otherwise Hogwash will forward a packet and the kernel 
will forward a packet."

For security you'd also have to make sure no network servers are listening 
on the outside interface.

As for mechanisms, Hogwash appears to read in packets, figure out 
which interface they should go to, and then directly write them to the 
interface to send to or drops them. If the OS of the machine you are 
running it on is configured to forward packets between interfaces, hogwash 
will provide zero protection for the network.

Some of the important source directories:

packets/   The code that handles packet reading and writing.
tests/     The code that implements the various tests that rules use.
routes/    The code that implements routing decisions between interfaces.
engine     The "main" code that loops, gets packets and then figures out 
           what to do with them.

--------------
As a side note, I don't mean to be excessively negative. Based on the 
simplicity of the questions asked it sounds like you've got a LOT of 
reading before you're going to be able to write a firewall with any 
reasonable chance of it not having security holes the size of Texas in it. 
If you're not _intimately_ familiar on an expert level with how firewalls 
and routers work, and how the network stack of windows works, don't go any 
further without learning those parts first.

If you want to play with it, go ahead, but realize in advance that 
firewalls are _not_ simple. You will have to be both an IP protocol expert 
and a network programming expert to get something that works well. I know 
I'd not trust one that I wrote, and I've got a fair amount of related 
experience.
-----------

Also you will need to be aware that according to 
http://sourceforge.net/projects/hogwash Hogwash is GPL licensed code, as is 
snort. If you work with the source code from either project, realize that 
you are obligated to provide the modified source code to anyone you give a 
binary to should they ask for it (i.e. you cannot use this code in a 
conventional closed source commercial product without violating 
copyrights). I'm not sure if this will or will not be a problem for your 
situation, but you should be aware of it.

------


At 11:41 PM 4/15/2003 -0700, Junaid wrote:

I'm
a developer, not an admin, so I need source code for
some libraries to help me DEVELOP my own firewall. I'd
like to use wpcap to make a firewall (a packet
filtering firewall) for a network, but I know it is
only a packet capturing library and I have to write a
piece of software to add the ability of dropping and
accepting packets so my software becomes a firewall.
We are trying to make something like hogwash in
WIN2K.
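The two preconditions Matt names for an inline Hogwash host (kernel IP forwarding disabled, no network servers listening on the outside interface) can be turned into a pre-flight check. The script below is an added example, not code from the post or from the Hogwash or Snort projects; it assumes a Linux host where the live inputs would be /proc/sys/net/ipv4/ip_forward and the output of `ss -ltn`, and it runs here against constructed sample data.

```shell
#!/bin/sh
# Added example (not Hogwash or Snort code): pre-flight checks for a host about
# to run an inline filter such as Hogwash. Kernel forwarding must be off and
# nothing should listen on the outside interface. Inputs are parameters so the
# checks also run on constructed data; on a live Linux host they would be
# /proc/sys/net/ipv4/ip_forward and the output of `ss -ltn` (assumed).
# Returns 0 when the sysctl file holds "0", i.e. kernel forwarding is off.
ip_forward_disabled() {
    [ "$(tr -d '[:space:]' 2>/dev/null < "$1")" = "0" ]
}
# Reads `ss -ltn`-style output on stdin and prints every TCP listener bound to
# the outside address ($1) or to a wildcard (0.0.0.0, *, [::]), since a
# wildcard socket is reachable from outside too. Returns 0 if none, 1 otherwise.
outside_listeners() {
    found=$(awk -v ip="$1" 'NR > 1 {
        addr = $4; sub(/:[^:]*$/, "", addr)   # drop the :port suffix
        if (addr == ip || addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            print $4
    }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
# Runs both checks: $1 = sysctl file, $2 = outside address, ss output on stdin.
# Returns the number of failed checks (0 means the host may go inline).
preflight() {
    failures=0
    if ip_forward_disabled "$1"; then
        echo "ok:   kernel IP forwarding is disabled"
    else
        echo "FAIL: kernel IP forwarding is on; kernel and Hogwash would both forward"
        failures=$((failures + 1))
    fi
    if listeners=$(outside_listeners "$2"); then
        echo "ok:   no TCP listeners reachable on $2"
    else
        echo "FAIL: TCP listeners reachable on the outside interface:"
        printf '      %s\n' $listeners
        failures=$((failures + 1))
    fi
    return $failures
}
# Constructed sample data (not from a real host) so the script runs stand-alone.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    192.0.2.1:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*'
SAMPLE_SYSCTL=$(mktemp) && printf '1\n' > "$SAMPLE_SYSCTL"
printf '%s\n' "$SAMPLE_SS" | preflight "$SAMPLE_SYSCTL" 192.0.2.1 || echo "not ready"
rm -f "$SAMPLE_SYSCTL"
```

On the sample data both checks fail: forwarding is on and sshd plus a wildcard-bound web server would be reachable on the outside address, while the loopback-only listener is correctly ignored.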
