This is wegorz homepage... (2010-05-06)
fwdaemon is a linux firewall runtime backend. Any client application
can communicate to the fwdaemon and decide which network flow
could be accepted or which should be dropped.
- running in realtime,
- adding / removing rules for runtime packet management,
- enqueue application tcp requests (rules can be build based on query entries).
How to run:
To compile and run fwdaemon you need:
- NFQUEUE target compiled in your kernel
- libraries from http://netfilter.org/
- libnfnetlink (I use 0.0.25)
- libnetfilter_queue (I use 0.0.13)
- glib 2.x
If you have above software installed try to 'make'.
fwdaemon must be run from root account. You'll also need configuration
files (see desktopfw directory in a package, copy this directory to /etc,
you should have 3 files in /etc/desktopfw: apps, config, rules)
As it is in development phase run a fwdeamon from terminal and see what
How it works:
fwdaemon connects to NFQUEUE and captures incoming and outgoing packets.
When new tcp connection occures fwdaemon scans /proc directory to find out
which application is source/target and decide (using rules) what to do.
If no rule is matched, connection is queued and waits for user interaction.
User connected to fwdaemon can see what rules are already exists, what
packets are queued and waits for user interaction.
How to use:
You can telnet at localhost, port 32123. Available commands you'll get
after LIST command. More information about commands - see protocol_commands.txt
in the package.
You need a rules in iptables INPUT/OUTPUT chains. See scripts/00_only_tcp.sh.
What is implemented:
Currently I tested tcp protocol. I'm sure there's many bugs in it but
publishing a working code will increase development speed. My friend has
started to write a kde applet.
What's the plan?
I always wanted to have a linux runtime firewall. At this moment I found
only one method how to manage a packets in realtime. This is NFQUEUE
target which allows a user to make a packet decision in userspace.
I'm writing fwdaemon as a separate application. If you want to write
a gui application you're welcome.
A lot of...
- You need to put tcp packets in NFQUEUE, use ./scripts/00_only_tcp.sh
- Start the daemon in one terminal and open another terminal and connect
to it (use "rlwrap telnet localhost 32123" for ex).
- Open your firefox or mozilla or whatever and try to open a web page.
- There's no rule so fwdaemon will queue a connection and create
a query entry which require user interaction.
try QUERY LIST
Q IFACE[eth0] DIR[outgoing] SRCIP[192.168.100.100] DSTIP[188.8.131.52] SPORT DPORT APP[/usr/lib/iceweasel/firefox-bin] INSTIME
This means an application firefox-bin is trying to connect to some host
on port 80. As is a http session many other tcp flows will be establish
according to this session.
- To allow application to go out you'll have two possibilities:
you can use syntax
- create a rule based on query
- create a fully specified rule
QUERY ADD PERM qnumber [ANYWHERE]
QUERY ADD SESS qnumber [ANYWHERE]
so according to query above you can build a permanent or session rule
QUERY ADD PERM 1 ANYWHERE
Will create new permanent entry in rules based on query number 1,
rules will be saved on disk.
QUERY ADD SESS 1 ANYWHERE
The same as above, but no rules are saved.
you can build a full rule yourself using syntax
RULES ADD SESS iface dir proto srchost srcport dsthost dstport action application
RULES ADD PERM iface dir proto srchost srcport dsthost dstport action application
for above ex:
RULES ADD SESS eth0 outgoing tcp 0/0 0 0/0 80 ACCEPT /usr/lib/iceweasel/firefox-bin
- Session rules are checked first, but they are volatile (after 60 sec of
inactivity they are removed from rules)
- When you will disconnect from fwdaemon (CLOSE command) fwdaemon will accept/drop
connections based only on rules it has in its memory.
- As all tcp connections are queued in NFQUEUE, only fwdaemon can make accept/drop decision.
When you'll stop fwdaemon you need to remove NFQUEUE iptables rules, otherwise all tcp flow
will be will be dropped.
Apart of fwdaemon which is my current project now you can download the others: