is there a firewall does not base on iptables in linux?

wangjinyi · 09-13-2005, 09:51 PM

Hi,all

i want to write a tool like firewall. i will inspect all
ip packet and do some changes on it before pass it to
TCP and APP, or resend to network.

i have read some firewall source code of linux, but almost of them
base on the linux utility iptables. so, i can't change the packet
and only can make a decision droping or accepting or etc. that is
so discouraged.

maybe, there is a way but i don't know.

would you like to give me some directions.

primo · 09-13-2005, 10:40 PM

What are you trying to do? Iptables lets you mangle packets, and it's based on netfilter which is plugged into the kernel. The packet mangling should be available in the API too. Read the docs at www.netfilter.org

Capt_Caveman · 09-14-2005, 11:04 PM

Iptables also has a queue feature which can be used to pass packets to userland where you can process them with your own home brew utility. For example, here's a Perl utility for manipulating packets once they're handed off:
http://aspn.activestate.com/ASPN/Cod...q/IPQueue.html

There's also ipchains and ipfwadmin :-]

slacky · 09-15-2005, 09:27 AM

There is a "ipfilter" program that says it works under Linux - since in runs on BSD, etc, I don't think it uses iptables at all:

http://coombs.anu.edu.au/~avalon/ip-filter.html

wangjinyi · 09-16-2005, 03:08 AM

I see some code about netfilter, and i am sure it is competent.
I will look over other techs above.

so many thx to all of you.

deepsix · 09-19-2005, 10:15 PM

go kernel level.........all i have to say...........

wangjinyi · 09-21-2005, 01:00 AM

i find that i only can inspect ip packet with netfilter hooks.

if there are some hooks with which i can look deeply in other packets, i.e. ARP.