Hey everyone, Is it possible to write a firewall in python? Say it would block all traffic?

Thanks!

Jake

+2  A: 

I'm sure it's probably possible, but ill-advised. As mcandre mentions, most OSes couple the low-level networking capabilities you need for a firewall tightly into the kernel and thus this task is usually done in C/C++ and integrates tightly with the kernel. The microkernel OSes (Mach et al.) might be more amenable than Linux. You may be able to mix some Python and C, but I think the more interesting discussion here is going to be around "why should I"/"why shouldn't I" implement a firewall in Python as opposed to just is it technically possible.

Peter Lyons
I am not sure here, but is it guaranteed in Python that IRQs reach the user code in a timely manner (crossing the Python layer)?
Gollum
BSD a Microkernel? what?
Yann Ramin
@Gollum: That highly depends on the operating system and the notification method in question. There is no standard for having Python code run as an IRQ handler...
Yann Ramin
@theatrus, Yes, in Cocoa (Apple framework) the Notification method does not guarantee timely delivery of signals. (So my question was: after the IRQ has been handled it still needs to be dispatched to Python code in some form (packet received, keyboard entry...). I think I got my answer. (thinking loudly)
Gollum
Oops, fixed microkernel example. Thanks, theatrus
Peter Lyons
+1  A: 

"Yes" - that's usually the answer to "is it possible...?" questions.

How difficult and specific implementations are something else entirely. I suppose technically in a don't do this sort of way, if you were hell-bent on making a quick firewall in Python, you could use the socket libraries and open connections to and from yourself on every port. I have no clue how effective that would be, though it seems like it wouldn't be. Of course, if you're simply interested in rolling your own, and doing this as a learning experience, then cool, you have a long road ahead of you and plenty of education.

OTOH, if you're actually worried about network security there are tons of other products out there that you can use, from iptables on *nix to ZoneAlarm on Windows. Plenty of them are both free and secure, so there's really no reason to roll your own except on an "I want to learn" basis.

Wayne Werner
Thanks :) - It is on a want-to-learn basis ;) Usually there is no need to reinvent the wheel except if you want to know how it was made.
Jake
A: 

I'm sure in theory you could achieve what you want, but I believe in practice your idea is not doable (if you wonder why, it's because it's too hard to "interface" a high level language with the low level kernel).

What you could do instead is some Python tool that controls the firewall of the operating system so you could add rules, delete, etc. (in a similar way to what iptables does in Linux).

Unknown
I see. How would one add rules to a firewall?
Jake
On Linux the firewall is controlled through the iptables command. You can use that to configure the firewall rules. http://linux.die.net/man/8/iptables
Peter Lyons
+5  A: 

Yes, yes it is.

I have some Python code that interacts with Linux iptables to perform firewalling duties, using nfqueue. I can use a rule in iptables that looks like:

iptables -A INPUT -j NFQUEUE --queue-num 1

And then have some Python code that looks like:

import socket
import nfqueue
from dpkt import ip  # handy for parsing payload.get_data() once the verdict depends on packet contents

q = None

def cb(dummy, payload):
    # make decision about if the packet should be allowed. in this case, drop everything:
    payload.set_verdict(nfqueue.NF_DROP)

q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)   # the bindings expect the protocol family here
q.set_callback(cb)
q.create_queue(1)        # must match --queue-num 1 in the iptables rule above

try:
    q.try_run()          # blocks, handing every queued packet to cb()
except KeyboardInterrupt:
    pass
q.unbind(socket.AF_INET)
q.close()
Jerub
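The part the callback above leaves as "drop everything" is the actual policy decision. Here is that step worked through as an added example (not code from the answer or from the nfqueue/dpkt projects): a default-deny verdict function over the raw IPv4 bytes an NFQUEUE callback receives. The allowlist and the 10.0.0.0/24 management network are constructed values; unparseable or non-IPv4 packets fail closed.

```python
import struct
import socket
from ipaddress import IPv4Address, ip_network

# Netfilter verdict values (the same numbers nfqueue.NF_DROP / NF_ACCEPT carry).
NF_DROP = 0
NF_ACCEPT = 1

# Constructed default-deny policy: accept only these (protocol, dst port) pairs,
# and only from the management network.
ALLOWED = {(socket.IPPROTO_TCP, 22), (socket.IPPROTO_TCP, 443)}
MGMT_NET = ip_network("10.0.0.0/24")

def parse_ipv4(data):
    """Return (proto, src, dst, dport) from raw IPv4 bytes, or None if malformed."""
    if len(data) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        return None                      # not IPv4 (e.g. IPv6 arriving on the queue)
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20 or len(data) < hlen:
        return None                      # bogus IHL or truncated options
    dport = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        if len(data) < hlen + 4:
            return None                  # transport header cut off: treat as malformed
        _, dport = struct.unpack("!HH", data[hlen:hlen + 4])
    return proto, IPv4Address(src), IPv4Address(dst), dport

def decide(data):
    """Map one raw packet to a verdict; anything we cannot parse is dropped."""
    parsed = parse_ipv4(data)
    if parsed is None:
        return NF_DROP
    proto, src, _dst, dport = parsed
    if src in MGMT_NET and (proto, dport) in ALLOWED:
        return NF_ACCEPT
    return NF_DROP

def build_packet(src, dst, proto, dport):
    """Constructed test packet: minimal IPv4 header plus a 4-byte transport prefix."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack("!HH", 40000, dport)

def cb(dummy, payload):
    """Callback in the shape used above; payload.get_data() is the raw packet."""
    payload.set_verdict(decide(payload.get_data()))
```

Wiring `cb` into the `set_callback` line of the answer's queue setup turns the drop-everything firewall into an allowlist one.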