
Where to start on firewalls for Windows


  • Where to start on firewalls for Windows

    I was starting to build my own firewall but did not know where to start on how to.
    I hope this will help some of you out there

    Inv. Mark Nelson

  • #2

    There are thousands of software firewalls already available, some very good ones are free too. If you are doing this for the learning experience, great, otherwise, you're probably wasting a lot of time reinventing the wheel.

    Personally, I've never tried to write a firewall, but off the top of my head, it seems pretty complex. Basically, you need to capture every bit in (and out) of your network connection, analyze it, and either accept or reject based on whatever you're looking for.

    At the very least, you'll want to analyze what TCP Port the data is trying to communicate over. If it's on your 'acceptable' list, then allow it, otherwise drop it/alert the user. I don't believe it's practical to try and monitor every possible port, so you'll have to hook into the communications protocol and then strip down the IP packets to figure out the information you want.

    A detailed understanding of TCP/IP would be necessary. You'll need to track and log what outbound connections are established to determine if the incoming requests are legitimate or not. For example, if a session begins to transfer a file from the Internet to the PC, did the user request it, or is the sending source taking advantage of a flaw in the OS to initiate the download?

    I would suggest getting a good protocol analyzer and learning how to read the information provided. This will give you a good idea of what is happening "on the wire".
    Software makes Hardware Happen
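The post above describes the two jobs a host firewall has to do: strip the IP and TCP headers off each packet to find the port, and remember which outbound connections the machine opened so an inbound packet can be judged as "reply" or "unsolicited". The following is an added example written for this thread, not code from the poster or any product named here. It parses constructed IPv4/TCP packets (built by `build_ipv4_tcp`, checksums zeroed), and contrasts a memoryless per-packet filter with one that tracks connections; the class and function names, the local address 192.168.1.10 and the documentation-range peers are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (low byte of the TCP flags field)
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Strip the IPv4 and TCP headers off a raw packet (no link-layer header)
    and return the fields a port-based filter needs. Raises ValueError on
    anything truncated or not IPv4/TCP, so the caller can drop it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4            # IP header length in bytes, options included
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("truncated IPv4/TCP header")
    if raw[9] != 6:                      # protocol field: 6 = TCP
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]                # TCP flags byte sits at offset 13 of the TCP header
    return Packet(src_ip, dst_ip, src_port, dst_port, flags)


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flags) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                          flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def stateless_decision(raw: bytes, allowed_ports) -> str:
    """Per-packet filter with no memory. To let replies to our own outbound
    connections through it has to accept any packet with ACK set, and a
    remote host can set that bit on anything it sends."""
    try:
        pkt = parse_ipv4_tcp(raw)
    except ValueError:
        return "DROP"
    if pkt.dst_port in allowed_ports or pkt.flags & TCP_ACK:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Tracks outbound connections so inbound packets are accepted only when
    they answer something this host started, or hit a listed service port."""

    def __init__(self, local_ip: str, allowed_inbound_ports):
        self.local_ip = local_ip
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        # (local_port, remote_ip, remote_port) for every connection we opened
        self.connections = set()

    def handle(self, raw: bytes) -> str:
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError as err:
            return f"DROP (malformed: {err})"
        if pkt.src_ip == self.local_ip:
            # Outbound: a bare SYN opens a new tracked connection
            if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
                self.connections.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW (outbound)"
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.connections:
            return "ALLOW (reply to tracked connection)"
        if pkt.dst_port in self.allowed_inbound_ports and pkt.flags & TCP_SYN:
            return "ALLOW (listed service port)"
        return "DROP (unsolicited inbound)"


if __name__ == "__main__":
    fw = StatefulFilter("192.168.1.10", {80})
    print(fw.handle(build_ipv4_tcp("192.168.1.10", "203.0.113.5", 50000, 443, TCP_SYN)))
    forged = build_ipv4_tcp("203.0.113.5", "192.168.1.10", 443, 50001, TCP_SYN | TCP_ACK)
    print("stateless:", stateless_decision(forged, {80}), "| stateful:", fw.handle(forged))
```

The point of running both filters over the same forged SYN/ACK aimed at an ephemeral port is the one the post makes about tracking outbound connections: the stateless rule has to pass it because ACK is set, while the stateful filter drops it because no tracked connection matches. A real implementation would also age entries out and remove them on FIN/RST, which this example omits.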


    • #3
      Simple filter versus a stateful inspection firewall

      A simple filter type firewall would just examine each packet and make decisions based on the content of the packet and only that packet.

      If you want a more useful firewall you need some stateful inspection logic. These examine packets and put them in context of a stream of packets. If it is an existing connection it would know that and look at more than just the header of the packet. These are the types of firewalls that can find virus patterns on the fly that span multiple packets.

      Take a look here for an overview:

      It would be a great exercise but writing a truly useful one (better than Windows Firewall) would take some serious understanding of the OSI 7 Layer Network Model.

      If you want to tinker some, look at Intrusion Prevention Systems. They can do things like find repeated FTP logon attempts over a specified number of seconds and then block all further attempts for a while. They adapt based on some rules.

      More resources:
      Endian Firewall Community is an Open Source Firewall and UTM Appliance which offers unique usability and features, the ideal solution for Home Networks.

      Mark Strickland, CISSP, CEH
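The IPS rule the post above sketches (N failed FTP logons from one source within a window, then block that source for a while) is a sliding-window counter per source address. The following is an added example for this thread, not code from the poster or from any IPS product; it replays a constructed log (the `LOGIN_OK`/`LOGIN_FAIL` line format, the addresses and the thresholds are all invented for the example) through such a rule and reports, per line, whether the attempt was allowed, tripped the block, or arrived while the source was already blocked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format used only for this example (not any real FTP server's):
#   "<ISO-8601 timestamp> <client IPv4> LOGIN_OK|LOGIN_FAIL"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (LOGIN_OK|LOGIN_FAIL)$")


def parse_line(line: str):
    """Return (epoch_seconds, client_ip, failed) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, m.group(2), m.group(3) == "LOGIN_FAIL"


class LogonRateLimiter:
    """Rule: if one source fails max_failures logons within window_seconds,
    block every further attempt from it for block_seconds."""

    def __init__(self, max_failures: int, window_seconds: float, block_seconds: float):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> epoch seconds at which the block expires

    def observe(self, now: float, src_ip: str, failed: bool) -> str:
        """Feed one logon event; returns "allow", "block" (this event tripped
        the rule) or "blocked" (the source is still inside its block period)."""
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[src_ip]   # block expired: start counting afresh
            self.failures[src_ip].clear()
        if not failed:
            return "allow"
        recent = self.failures[src_ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked_until[src_ip] = now + self.block_seconds
            recent.clear()
            return "block"
        return "allow"


def run(lines, limiter: LogonRateLimiter):
    """Replay log lines through the limiter; returns [(ip, decision), ...]."""
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                          # ignore lines in another format
        ts, ip, failed = parsed
        decisions.append((ip, limiter.observe(ts, ip, failed)))
    return decisions


# Constructed sample log: 203.0.113.5 fails three times within 60 s and is
# then blocked for 300 s; 198.51.100.7 is an unrelated successful logon.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:10 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:20 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:30 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:30 198.51.100.7 LOGIN_OK",
    "2024-05-01T10:06:00 203.0.113.5 LOGIN_FAIL",
    "this line is not a logon record",
]

if __name__ == "__main__":
    for ip, decision in run(SAMPLE_LOG, LogonRateLimiter(3, 60, 300)):
        print(ip, decision)
```

Counting only failures (not every attempt) keeps a legitimate user who logs in correctly from being locked out by their own traffic, and expiring old failures at each event means three failures spread over ten minutes never trip a 60 s window. In a real deployment the block would be enforced by inserting a firewall rule rather than by returning a string, and the block duration is a trade-off between stopping a guessing run and locking out a shared NAT address.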


      • #4
        Maybe this can be interesting:

        NetDefender - Open source code firewall for Windows
        NetDefender is a Free Firewall with source code, which can be downloaded along with firewall executables. NetDefender works on Windows 2000 and Windows XP
        -- The universe tends toward maximum irony. Don't push it.

        File Extension Seeker - Metasearch engine for file extensions / file types
        Online TrID file identifier | TrIDLib - Identify thousands of file formats


        • #5
          A good router and Comodo Firewall (free). No need to reinvent it. I used to be a big fan of Zonealarm and on their beta group until I found out that like many of them out there they only pass the tests because they watch for and block the tests...not actual threats. Comodo passed all tests and real threats. Pretty sad a free firewall beat the "best" out there.
          Mobile Solutions
          Sys Analyst and Development