Fog Creek Software
g
Discussion Board

How do I develop a personal firewall application?

I would like to develop a personal firewall application.

However, I don't have the skills necessary to use DDK, assembler, and other stuff.

Is there a firewall API which Microsoft makes available?

Are there any components or controls which can help me implement a good personal firewall?

Thank you!

George
Monday, November 17, 2003

Firewall f = new Firewall();
f.block(22);
f.block(80);
f.start();

Or you could start with an easier project and just use an existing, proven firewall like the rest of us.

Bob
Monday, November 17, 2003

I am a professional developer with 8 years of experience, and have written many utilities. Some of these utilities have been commercially successful.

I don't avoid the DDK because I can't work with it. If I had the time and the patience, I could probably understand and use it.

So, I am looking for a solution which enables me to do this a lot faster.

George
Monday, November 17, 2003

Does windows have an equivalent to the linux iptables and the openbsd pf? It would be easy to construct a fully customized firewall solution out of one of those (unless you want to write one of those utilities).

Mike Swieton
Monday, November 17, 2003

As regards pf, it does allot more than just firewalling. It also does everything that altq used to do.

Windows 2000 already has preinstalled packages which allow you to block incoming ports etc...What exactly do you want to do with this firewall application?

Why not just make a remote GUI for controling filters on another piece of software (e.g. openbsd's pf).

If you are learning this for the sake of learning, then I'd suggest you take a look at how other people do it, such as pf (maybe ipf), iptables etc...

fw
Monday, November 17, 2003

you don't, you buy it.

o'my
Monday, November 17, 2003

You can firewall using IPSec in Windows 2000 and later. There's a GUI MMC snap-in (Start>Run>mmc - Add Remove Snap-in > "IPSEc ..."). MS also provide a command-line tool called IPSecPol http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

The tools are quite tedious to use though. A nice GUI wrapper over the command-line tool would be nice!

Duncan Smart
Monday, November 17, 2003

I'm probably stating the obvious, but just to be clear:

IPSEC is not the same as a firewall. IPSEC is used for sealing network traffic (through encryption) between two or more nodes that agree to use the protocol to communicate.

A firewall is used to analyze network traffic and make decisions on whether to allow the traffic based on some security policy that has been defined - for example "Incoming traffic on port 80 (HTTP) is OK."

Firewalls and IPSEC can both be used to help secure your network, but they're not the same thing.

Mike Treit
Monday, November 17, 2003

You can write a filtering proxy. For example, you could use perl's Net::Packet module.

Tom Vu
Monday, November 17, 2003

Why do you want to write a firewall?

Do you really want to write a firewall, or just a firewall policy (sometimes called "ruleset" or other names)?

Does it have to be hacker proof?

What's wrong with, e.g., Kerio Personal Firewall?

Ori Berger
Monday, November 17, 2003

Maybe he wants to write a firewall because he's:

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.

http://info.astrian.net/jargon/terms/h.html#hacker

ted
Monday, November 17, 2003

http://sourceforge.net/projects/firewallpapi/

An article goes with this piece of software.

-- David

Li-fan Chen
Monday, November 17, 2003

Microsoft released a firewall API in Windows 2000.  Don't know much about it, except that it exists.

ted
Monday, November 17, 2003

Mike Treit: "Firewalls and IPSEC can both be used to help secure your network, but they're not the same thing."

Yes, Mike I realise this - it's just that in Windows 2000/XP's IPSec you create a filter for a packet of data (TCP, Port 80 incoming from w.x.y.z, say) and have 3 choices:
  * pass it,
  * block it, or
  * request security (i.e. encryption)

So the IPSec implementation in Win2K/XP provides effectively a rules-based firewall for free, with IPSec encryption should you choose to utilise it.

Duncan Smart
Monday, November 17, 2003

*lol*

Sorry to laugh, but if you need to ask that question, you are simply not capable of doing the job.

Download an existing firewall.

HeWhoMustBeConfused
Monday, November 17, 2003

Yes, I can, if there is a library or component which does that. Why is it so complicated to understand?

Are you a guy who codes everything in ASM, because, hey, you don't want to use a library?

Also, if you laugh, perhaps you know how to implement it from scratch, using C and the DDK.

So, please enlighten us - give me at least the names of a few DDK functions I can use.

Thanks!

George
Monday, November 17, 2003

"but if you need to ask that question, you are simply not capable of doing the job"

So... People cannot do anything they haven't done before.

With that attitude, your job will probably get outsourced to someone that has some drive & initiative.

ted
Monday, November 17, 2003

George,

What I think you want is to write an NDIS "filter hook" driver.  The start of your journey might begin here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/network/hh/network/101rm_0odj.asp

Anyhow, I did some poking around - there was a time when I could tell you something about NDIS - but hey, this isn't open source land, and there is not a whole lot on the MSDN site.  So sorry, you're on your own.

The basic idea, is that NDIS packets get passed up/down the protocol stack from hardware to application.  You want to wedge yourself in between the application IP stack, and check for socket open based on port - and perhaps do some additional IP header checking.

Hey, check it out, some google searching:

http://ntdev.h1.ru/tdi_fw.html

Someone has already got a good start for you.  DriverEntry is found in src/tdi_fw.c.

Why do I care?  I don't.  But we've got all these windows experts around here that couldn't answer a simple question.  I thought there should be some reply other than insults to a reasonable question.

Probably gotta get the DDK to compile it.

hoser
Monday, November 17, 2003

Thank you very much, Hoser!

George
Monday, November 17, 2003

Duncan:

You're right.

I've used IPSEC before to set up secure traffic, but I missed that it had the packet filtering options in addition to encrypting traffic.

Thanks for pointing that out.

Mike Treit
Monday, November 17, 2003

People are hostile to him because he said he doesn't have the "time and patience" to learn the functions he needs in the DDK, but he wants us to use our time and patience to teach it to him...

Skagg
Monday, November 17, 2003

I don't believe he said he wanted you or anyone else to teach him, i believe he was simply looking for some higher level components, which seems perfectly reasonable. It's not my field, so I can't really help, but it would seem a nice policy that if you can help do, if you can't help at all, remember that criticism is only of much use when constructive...

Andrew Cherry
Monday, November 17, 2003

"but if you need to ask that question, you are simply not capable of doing the job"

that must be the first cousin of "if you need to ask how much it is, you can't afford it."

I've never been fond of either one.  They give you artificial limits usually established by those less capable than you.

Mike
Monday, November 17, 2003

"but he wants us to use our time and patience to teach it to him."

Dude.  I don't remember reading in your contract that you

a) Had to read this forum
b) Answer questions you had no interest in.

You are simply wasting your _own_ time.

ted
Monday, November 17, 2003

Google on seach terms like "writing firewall Win32".

Check this out: "WinPcap: the Free Packet Capture Architecture for Windows" (the above search yielded this):

http://winpcap.polito.it/

Bored Bystander
Monday, November 17, 2003

An interesting firewall related application would be some sort of IDS system that can communicate with an existing firewall (either on the same system, or preferably elsewhere). For this project, you wouldn't need terribly much to start, just some mechanism for looking at packets on the wire.

http://winpcap.polito.it/

(Which seems similar to the Unix-library, which is brain-dead simple to use.)

IDS -- intrusion detection system, is a field a lot of people are interested in. Some firewalls attempt to "learn" about traffic on the network, and then create dynamic policies based upon this learning period. (Of course, no real system administrator worth his salt would dare trust this -- but for a home user who has no clue, it's useful.)

Writing a full fledged firewall application that actually did some new and useful -- such as looking at OpenBSD's PF and replicating it on Windows -- would be an interesting yet difficult project. It's really difficult to do right unless you have fairly low-level access to a networking stack. However, proxies and deep packet inspection utilities may be interesting.

SG
Monday, November 17, 2003

Ummm... that's "hoser", small 'h' please.

hoser: one who hoses gasoline from your car to theirs.

I used to have a real name, but I've abandoned it.  Ged gave me pause in a prior post about real names. 

No problem.  Its an interesting question - a person could make a mint writing security apps these days.  Good luck.  Especially something that logged virus/adware/malware/spyware signatures and could guard against them.  That would be cool.

hoser
Tuesday, November 18, 2003

Heh, I wish making a mint were that easy. :-)

SG
Tuesday, November 18, 2003

Wow HeWhoMustBeConfused,

Not only are you so seriously wrong, you come off like an a$$ too!  Thank god for annonymous internet message boards, huh?  That's ok.  I'm sure your life is stellar and you are the smartest programmer on earth.

Obviously there is a point where you are brand new to a situation (i.e. Never attempted it before - which doesn't mean you can't do it).  The guy is asking questions and I'm sure doing his own research.

Check this out...it's brilliant! giggle.  If you ASK a question, someone might give you a nugget of information that takes you longer to find in your own research.  *gasp*  Wow!  Brilliant!

It's too bad he's gotta go through the minefield of dickheadedness.

HeWhoMustBeConfused_Hater!
Tuesday, November 18, 2003

*  Recent Topics

*  Fog Creek Home