Socket - Firewall

François Pinard pinard at iro.umontreal.ca
Sat Mar 1 11:37:56 EST 2003


[Salvatore]

> I would like to create a little firewall in Python.  Does anybody know how
> to block a port like a firewall?

On Linux, there was ipfwadm (?), ipchains, and now iptables, which are
implemented as rule tables within the kernel.  There are programs by the
names above able to install or edit those tables, but at fairly low level.

Writing or maintaining long strings of calls to the above commands, by hand,
is fairly tedious.  I once was hired to write firewall rules, each machine
its own set, for a rather complex topology of machines and routers -- and an
unusually bizarre topology.  They also asked me to be able to easily and
quickly re-install new topologies if they were shuffling equipment around.

I first managed to create a description syntax for topologies and services.
Then, I wrote a Python program able to transform these topologies into long
strings of `ipchains' calls (the exact program depending on the level of the
Linux kernel), each tuned for the goal machine.  (In fact, when `ipfwadm'
was later dropped, I used and abused chains for optimisation.)  The same
program was simultaneously taking care of conveniently setting up or
updating routing and ARP tables for each machine.

For simpler and more usual topologies at other sites, I find it simpler to
merely use what is provided by the Linux distributors.  I get SuSE installed
when they ask me, and SuSEfirewall2 is usually sufficient for small sites.
So, I do not resort to Python helpers to build them.

-- 
François Pinard   http://www.iro.umontreal.ca/~pinard
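The kind of generator described above, as an added example that is not Pinard's program: a constructed topology description (host names, addresses and the description format are all assumptions) is turned into a default-deny iptables INPUT rule list for each host, so every machine gets its own script.

```python
"""Generate per-host iptables rule lists from a small topology description.

Added example, not the program from the post. The description format, host
names and addresses below are constructed assumptions.
"""

# Constructed topology: each host lists the services it exposes and, for each
# service, the source networks allowed to reach it. Everything else is dropped.
TOPOLOGY = {
    "web1": {
        "address": "192.0.2.10",
        "services": {"tcp/80": ["0.0.0.0/0"], "tcp/22": ["192.0.2.0/24"]},
    },
    "db1": {
        "address": "192.0.2.20",
        "services": {"tcp/5432": ["192.0.2.10/32"], "tcp/22": ["192.0.2.0/24"]},
    },
}


def rules_for_host(name, topology=TOPOLOGY):
    """Return the iptables commands that install host `name`'s INPUT policy.

    Default-deny: chain policy DROP, loopback and already-established traffic
    allowed, then exactly one ACCEPT per (service, source network) pair.
    """
    host = topology[name]
    rules = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for service, sources in sorted(host["services"].items()):
        proto, port = service.split("/")
        if proto not in ("tcp", "udp"):  # --dport only makes sense for these
            raise ValueError(f"{name}: unsupported protocol in {service!r}")
        for src in sources:
            rules.append(
                f"iptables -A INPUT -p {proto} -s {src} -d {host['address']}"
                f" --dport {port} -j ACCEPT"
            )
    return rules


def rules_for_all(topology=TOPOLOGY):
    """Map every host name to its own rule list (one script per machine)."""
    return {name: rules_for_host(name, topology) for name in topology}


if __name__ == "__main__":
    for host_name, host_rules in rules_for_all().items():
        print(f"# {host_name}")
        print("\n".join(host_rules))
```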