Is it possible to write a firewall in python?
Is it possible to write a firewall in python? Say it would blo开发者_Python百科ck all traffic?
Yes, yes it is.
I have some Python code that interacts with Linux iptables to perform firewalling duties, using nfqueue. I can use a rule in iptables that looks like:
iptables -A INPUT -j NFQUEUE --queue-num 1
And then have some Python code that looks like:
import nfqueue
from dpkt import ip
q = None
def cb(dummy, payload):
# make decision about if the packet should be allowed. in this case, drop everything:
payload.set_verdict(nfqueue.NF_DROP)
q = nfqueue.queue()
q.open()
q.bind()
q.set_callback(cb)
q.create_queue(1)
q.try_run()
Here is a nice write up that the above code is based on:
http://blog.yancomm.net/2011/05/nfqueue-packet-mangling-with-python.html
I'm sure in theory you could achieve what you want, but I believe in practice your idea is not doable (if you wonder why, it's because it's too hard to "interface" a high level language with the low level kernel).
What you could do instead is some Python tool that controls the firewall of the operating system so you could add rules, delete , etc. (in a similar way to what iptables does in Linux).
Python-iptables provides python bindings to iptables under Linux. Interoperability with iptables is achieved via using the iptables C libraries (libiptc, libxtables, and the iptables extensions), not calling the iptables binary and parsing its output.
http://ldx.github.io/python-iptables/index.html
I'm sure it's probably possible, but ill-advised. As mcandre mentions, most OSes couple the low level networking capabilities you need for a firewall tightly into the kernel and thus this task is usually done in C/C++ and integrates tightly with the kernel. The microkernel OSes (Mach et al) might be more amenable than linux. You may be able to mix some python and C, but I think the more interesting discussion here is going to be around "why should I"/"why shouldn't I" implement a firewall in python as opposed to just is it technically possible.
Interesting thread. I stumbled on it looking for Python NFQUEUE examples.
My take is you could create a great firewall in python and use the kernel.
E.g. Add a linux fw rule through IP tables that forward sys packets (the first) to NFQUEUE for python FW to decide what to do.
If you like it mark the tcp stream/flow with a FW mark using NFQUEUE and then have an iptables rule that just allows all traffic streams with the mark.
This way you can have a powerful high-level python program deciding to allow or deny traffic, and the speed of the kernel to forward all other packets in the same flow.
"Yes" - that's usually the answer to "is it possible...?" questions.
How difficult and specific implementations are something else entirely. I suppose technically in a don't do this sort of way, if you were hell-bent on making a quick firewall in Python, you could use the socket libraries and open connections to and from yourself on every port. I have no clue how effective that would be, though it seems like it wouldn't be. Of course, if you're simply interested in rolling your own, and doing this as a learning experience, then cool, you have a long road ahead of you and plenty of education.
OTOH, if you're actually worried about network security there are tons of other products out there that you can use, from iptables on *nix, to ZoneAlarm on windows. Plenty of them are both free and secure so there's really no reason to roll your own except on an "I want to learn" basis.
精彩评论