Firewall Emulator
The assignment is to write a "stateless packet filter" and client/test case generator. Note carefully: both parts are necessary; a significant part of the grade on this assignment will depend on the client+test case generator.
The firewall piece isn't a real firewall, since we're not dedicating a machine to each student. Instead, it's a program that listens on a UDP port (note: not TCP) and reads packets addressed to that port that simulate actual packets.
The first thing the firewall must do, though, is read a configuration file describing the policy to be enforced. Since this is not a compiler course, I will give a very simple input language. You must implement at least this language,
The input is a series of lines of the following format:
modifier
where
is either "block" or "allow" (without the quotes), is a dotted quad (e.g., 1.2.3.4) always followed by a length. Port is an integer. Either or may also be specified as "", which means "everything". modifier is an optional parameter; the only legal value is "established".
The following are legal input lines:
block 127.0.0.1/32 80
allow 192.168.2.0/24
allow 25
block 21
allow established
The rules are an ordered list.
Input records to the UDP port contain the fields necessary for filtering:
sourceIP destIP sourcePort destPort
Exactly five fields must be present on all records. SourceIP and destIP are dotted quads; sourcePort and destPort are integers.
is either "start", "continue", or "end"; it says whether a packet is starting a connection, part of the middle of a connection, or ending one. A rule with "established" permits only packets with "continue" to match; rules without any modifier accept any packets. Note that this is a stateless packet filter; you do not need to track connection state.
So -- the firewall reads the configuration file, then listens on a port for packets. A decision must be made, according to these rules, about accepting or dropping each packet. The output of the firewall is a list of packets received, their disposition, and the number of the rule that caused the action.
The client program generates packets that are consumed by the firewall. If you wish, you may have multiple instances of the client running simultaneously, each generating different packets. Be aware that you are using UDP, which means it's easy to overflow the input queue for the firewall -- you'll have to rate-limit your senders. You want to make sure that all rules are tested. Of course, you also need to be sure that your rule set is complex enough to give the clients a good workout -- you need overlapping rules, where the rule order is very important.