Quote:
Originally Posted by arafat.sultan
What I want to develop is a firewall...
I don't think that you do. Or, at least, to do what you want to do, inasmuch as I understand it, you shouldn't. You might still want to in spite of it not being a particularly useful way to make progress, but, in that case, I don't think I can help.
Quote:
1. I want to catch all HTTP, IRC and P2P traffic.
Up to a point, doing that with a firewall isn't too bad, but it's an extra few rules for the existing netfilter/iptables firewall. Read the tutorial at frozentux if that's still of interest. (I assume that, e.g., HTTP traffic can be relied on to come in on the standard ports for HTTP traffic. If you think that the problem is that someone is managing to divert HTTP traffic around the normal mechanism, that makes things more fun.)
Quote:
2. I want to be able to dump all outgoing and incoming packets (in a file) for these protocols in each communication session as a separate group of packets for later analysis.
You could do that, but the performance would be terrible. Put another way, it will only be practical if the data rate is low. OTOH, if you are prepared to capture packets with wireshark (or other similar util) this is more possible because you don't save packets to disk at capture time, although you may do that later. And it may entail some sampling rather than 100% capture, depending on whether you can define useful filters.
Quote:
3. I want to inspect contents of each incoming and outgoing packet online and based on that, decide whether to allow that packet to continue or drop it and also dump it in a file.
If I have understood (by 'online' do you mean something like 'in real time'?), this starts to get difficult however you do it. I am imagining you sitting at a console watching traffic and deciding what action to take as packets fly past you.
(Or when you say 'I' do you mean 'the computer based on some algorithm'?)
If you are trying to do something like watch the packets, occasionally see accesses to a bad site and take action on that, you could consider setting up a firewall (or squid... there are advantages to that) which takes in a blacklist of your bad sites, and you could occasionally add to your blacklist; that would be easier.
So the first thing to decide is whether this 'blacklist method' would be adequate for your needs.
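To make the 'blacklist method' concrete, here is an added example that is not part of the thread and not anyone's firewall code: a small userspace inspector that classifies packets by well-known port (HTTP, IRC, a P2P port), pulls the Host header out of HTTP requests, compares it against a domain blacklist, returns an ACCEPT/DROP verdict, and writes each session's packets to a separate file. The port table, the blacklist entry, the sample packets and the plain-text dump format are all assumptions made for illustration; a real deployment would have to feed packets in through something like an NFQUEUE hook or a proxy, which this example does not do.

```python
# Added example: toy userspace "blacklist method" inspector for HTTP/IRC/P2P.
# Not from the thread. The port table, blacklist, sample packets and dump
# format below are assumptions made for illustration.
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass

# Classify by well-known port only; as the reply assumes, traffic is taken to
# arrive on the standard ports (assumed port list, not exhaustive).
PORT_PROTOCOLS = {80: "http", 8080: "http", 6667: "irc", 6697: "irc", 6881: "p2p"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def classify(pkt):
    """Return 'http', 'irc' or 'p2p' if either endpoint uses a known port, else None."""
    return PORT_PROTOCOLS.get(pkt.dport) or PORT_PROTOCOLS.get(pkt.sport)


def session_key(pkt):
    """Direction-independent key so request and reply land in the same group."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def http_host(payload):
    """Pull the Host header out of an HTTP request payload; None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]              # drop an explicit port
    return None


def blacklisted(host, blacklist):
    """True if host equals a blacklist entry or is a subdomain of one."""
    if host is None:
        return False
    return any(host == b or host.endswith("." + b) for b in blacklist)


class Inspector:
    def __init__(self, blacklist):
        self.blacklist = {b.strip().lower() for b in blacklist}
        self.sessions = defaultdict(list)   # session_key -> [(proto, verdict, pkt)]
        self.dropped = set()                # sessions already blocked

    def inspect(self, pkt):
        """Decide ACCEPT/DROP for one packet and record it under its session."""
        proto = classify(pkt)
        if proto is None:
            return "ACCEPT"                 # not HTTP/IRC/P2P: pass, don't record
        key = session_key(pkt)
        if key in self.dropped:
            verdict = "DROP"                # rest of a blocked session goes too
        elif proto == "http" and blacklisted(http_host(pkt.payload), self.blacklist):
            verdict = "DROP"
            self.dropped.add(key)
        else:
            verdict = "ACCEPT"
        self.sessions[key].append((proto, verdict, pkt))
        return verdict

    def dump(self, directory):
        """Write one text file per session (assumed format, not pcap); return paths."""
        os.makedirs(directory, exist_ok=True)
        paths = []
        for i, (key, records) in enumerate(self.sessions.items()):
            (a, ap), (b, bp) = key
            path = os.path.join(directory, f"session{i:03d}_{a}_{ap}_{b}_{bp}.txt")
            with open(path, "w") as f:
                for proto, verdict, pkt in records:
                    f.write(f"{proto} {verdict} {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport} {pkt.payload.hex()}\n")
            paths.append(path)
        return paths


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80,
           b"GET /banner.js HTTP/1.1\r\nHost: ads.badsite.example\r\n\r\n"),
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("10.0.0.5", 51001, "203.0.113.20", 80,
           b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    Packet("10.0.0.5", 51002, "203.0.113.30", 6667, b"NICK someone\r\n"),
    Packet("10.0.0.5", 51003, "203.0.113.40", 53, b"\x00\x01"),   # DNS: ignored
]


def run_sample(directory=None):
    """Run the sample through an inspector; return (verdicts, session files)."""
    insp = Inspector(["badsite.example"])      # assumed blacklist entry
    verdicts = [insp.inspect(p) for p in SAMPLE]
    return verdicts, insp.dump(directory or tempfile.mkdtemp())


if __name__ == "__main__":
    v, files = run_sample()
    print(v)
    print(files)
```

Two things the example makes visible that the reply only hints at: the decision is taken per packet, so the reply half of a blocked session has to be tied back to the request via the session key (otherwise the server's response sails through), and every packet of interest is held in memory and then written out, which is exactly the per-packet disk cost the reply warns becomes impractical once the data rate is anything but low.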