Building A Firewall From Scratch

Understanding Firewalls

Firewalls serve as the first line of defense in network security by controlling the incoming and outgoing network traffic based on predetermined security rules. In this blog post, we will explore what firewalls are, how they work, and how to implement a simple firewall using Python.

What is a Firewall?

A firewall is a network security system that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. Firewalls can be hardware, software, or both.

Types of Firewalls

  1. Packet-Filtering Firewalls:
    • Operate at the network level of the OSI model.
    • Analyze packets and allow or deny them based on source and destination IP address, port numbers, and the protocol used.
    • Stateless in nature, meaning they do not retain memory of past packets.
  2. Stateful Firewalls:
    • Operate at the network layer but are capable of layer 7 (application layer) inspection.
    • Monitor the state of active connections and make decisions based on context.
    • Remember the state of a connection at both ends and make decisions based on the combination of current and past actions.
  3. Proxy Firewalls (Application-Level Gateways):
    • Operate at the application layer of the OSI model.
    • Intermediary between users and the services they wish to access.
    • Can filter content by inspecting application data.
  4. Circuit-Level Gateways:
    • Operate at the session layer of the OSI model.
    • Monitor TCP handshakes between packets to determine whether a requested session is legitimate.
    • Do not inspect the packets themselves.
  5. Next-Generation Firewalls (NGFWs):
    • Combine features of traditional firewalls with quality of service (QoS) functionalities to filter and prioritize traffic.
    • Include deep packet inspection, intrusion prevention systems, and application awareness.
  6. Software Firewalls:
    • Installed on individual devices (e.g., PCs, laptops).
    • Protect the device from internal and external threats by controlling incoming and outgoing traffic.
  7. Hardware Firewalls:
    • Standalone devices placed between a network and its connection to the external internet.
    • Protect multiple devices by filtering incoming traffic to protect the internal network from potential threats.
  8. Cloud Firewalls (Firewall-as-a-Service):
    • Hosted in the cloud rather than on-premises.
    • Offer scalable and flexible network security, often used in conjunction with on-premises firewalls.

    How Does a Firewall Work?

    Firewalls are essential components in network security, acting as barriers between trusted internal networks and untrusted external networks, such as the internet. They work by inspecting and filtering data packets based on a set of predefined rules. Here’s a detailed breakdown of how firewalls work:

    1. Rule-Based Filtering:
      • Firewalls operate based on a set of rules defined by the network administrator.
      • These rules determine which traffic is allowed or denied based on attributes like IP addresses, port numbers, and protocols.
      • For example, a rule might block all incoming traffic from a specific IP address or allow outgoing traffic only on port 80 (HTTP).
    2. Packet Inspection:
      • Data transmitted over networks is broken down into smaller packets.
      • Firewalls inspect each packet’s header to determine its source and destination IP addresses, port numbers, and the protocol used.
      • Based on this information and the firewall’s rules, the packet is either allowed through, denied, or flagged for further inspection.
    3. Stateful Inspection:
      • Stateful firewalls track the state of active connections and make decisions based on the context.
      • They remember past actions and can determine whether a packet is part of an established connection or if it’s an unauthorized request.
      • For instance, if an internal device initiates a connection to an external server, the firewall will recognize the return packets from that server as part of an established connection and allow them through.
    4. Proxying and Network Address Translation (NAT):
      • Some firewalls act as intermediaries (proxies) between users and the services they want to access.
      • The firewall establishes the connection on behalf of the user, inspects the traffic, and then relays approved data to the user.
      • NAT is a technique where the firewall modifies the source or destination IP address of packets as they pass through, often used to allow multiple devices on a local network to share a single public IP address.
    5. Application Layer Filtering:
      • Advanced firewalls can inspect data at the application layer of the OSI model.
      • This allows them to block or allow traffic based on specific applications or services, such as blocking all traffic related to a specific messaging app or allowing only specific web services.
    6. Intrusion Detection and Prevention:
      • Many modern firewalls incorporate intrusion detection systems (IDS) and intrusion prevention systems (IPS).
      • IDS monitors network traffic for suspicious patterns that may indicate an attack, while IPS actively blocks potentially harmful traffic.
      • For example, if a series of packets matches a known malware signature, the firewall can block them and alert the network administrator.
    7. Logging and Reporting:
      • Firewalls maintain logs of all network activities, including allowed and denied traffic.
      • These logs are crucial for analyzing network events, detecting potential threats, and ensuring compliance with security policies.

    In essence, firewalls act as gatekeepers, scrutinizing all data entering or leaving a network and making decisions based on predefined rules and real-time analysis. Their primary goal is to establish a robust line of defense against unauthorized access and malicious activities.

      Implementing a Simple Firewall in Python

      Let’s build a simple packet filtering firewall with python! This code snippet and breakdown will give you a visual on how a basic firewall looks and works.

      Importing Necessary Libraries:

      The “socket” library allows us to create and work with network sockets, which are endpoints for sending and receiving data across a network.

      import socket

      Defining the Firewall Rule:

      This function defines a basic rule. If the destination port of a packet is 80 (HTTP traffic), it will be blocked; otherwise, it’s allowed.

      def simple_firewall_rule(packet):
          if packet['dest_port'] == 80:
              return "Block"
          return "Allow"

      Main Function:

      This function contains the primary logic for our simple firewall.

      def main():

      Creating a Raw Socket:

      Here we create a raw socket to capture all packets. “socket.AF_INET” specifies the address family (IPv4 in this case). “socket.SOCK_RAW” indicates that this is a raw socket. "socket.IPPROTO_TCP” specifies that we’re interested in TCP packets.

      s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)

      Packet Capturing Loop:

      We can continuously capture packets using the "recvfrom” method. The number 65565 is the maximum amount of data (in bytes) to be received at once.

      while True:
          packet, addr = s.recvfrom(65565)

      Extracting the Destination Port:

      We extract the destination port from the packet. The destination port is located in bytes 34 and 35 of the TCP header.

      dest_port = int.from_bytes(packet[34:36], byteorder='big')

      Applying the Firewall Rule:

      We create a dictionary with the destination port and then apply our simple firewall rule to it. The result (either “Block” or “Allow”) is then printed.

      packet_dict = {'dest_port': dest_port}
      action = simple_firewall_rule(packet_dict)
      print(f"Packet with destination port {dest_port} - Action: {action}")

      Running the Firewall:

      This ensures that the main function is called when the script is executed.

      if __name__ == "__main__":
          main()

      Complete Code:

      import socket
      
      def simple_firewall_rule(packet):
          # Dummy rule: Block packets with a specific destination port
          if packet['dest_port'] == 80:
              return "Block"
          return "Allow"
      
      def main():
          # Create a socket object
          s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
          
          while True:
              packet, addr = s.recvfrom(65565)
              
              # Extract destination port from packet (just an example)
              dest_port = int.from_bytes(packet[34:36], byteorder='big')
              
              # Create a packet dictionary
              packet_dict = {'dest_port': dest_port}
              
              # Apply firewall rule
              action = simple_firewall_rule(packet_dict)
              print(f"Packet with destination port {dest_port} - Action: {action}")
      
      if __name__ == "__main__":
          main()
      

      Understanding firewalls is crucial component within cybersecurity. They are the cornerstone of network security and serve as the first line of defense against cyber threats.

      Remember, this is a basic example, and real-world firewalls are much more complex and sophisticated.

      Leave a Comment

      Your email address will not be published. Required fields are marked *