Thesis (Selection of subject) (version: 368)
Thesis details
HelenOS packet filter
Thesis title in Czech: Paketový filtr pro HelenOS
Thesis title in English: HelenOS packet filter
Key words: HelenOS, paketový filtr, firewall, síťování, TCP/IP
English key words: HelenOS, packet filter, firewall, networking, TCP/IP
Academic year of topic announcement: 2014/2015
Thesis type: Bachelor's thesis
Thesis language: English
Department: Department of Distributed and Dependable Systems (32-KDSS)
Supervisor: Mgr. Martin Děcký, Ph.D.
Author: hidden - assigned and confirmed by the Study Dept.
Date of registration: 18.09.2014
Date of assignment: 27.09.2014
Confirmed by Study dept. on: 21.11.2014
Date and time of defence: 07.09.2015 00:00
Date of electronic submission: 29.07.2015
Date of submission of printed version: 31.07.2015
Date of proceeded defence: 07.09.2015
Opponents: Mgr. Vojtěch Horký, Ph.D.
Guidelines
The goal of this thesis is to implement an extensible and easily configurable packet filter (firewall) for the HelenOS operating system. The packet filter is designed as an independent component that communicates with the other components of the HelenOS networking stack via IPC.

The packet filter implementation makes it possible to decide, for each individual packet, whether it should be passed, discarded or modified. The packet filter filters according to common criteria (source/destination address/subnet, packet size, direction of the traffic, and transport-protocol properties: source/destination port, packet type, packet flags, state of the TCP connection, etc.).

The thesis also contains an analysis of the configuration languages of existing packet filters in other operating systems, and the design and implementation of a configuration language that makes it possible to define filtering rules as combinations of the supported criteria and their negations. The packet filter is designed in a modular fashion so that it can easily be extended with new filtering criteria, methods for modifying packets, and stateful filtering. To demonstrate these features, the packet filter implements a basic variant of the NAT mechanism.
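An added, illustrative example of the matching model the guidelines describe (written for this page; it is not code from the thesis or from HelenOS): each rule is a conjunction of criteria, any of which may be negated, the first matching rule decides whether the packet is passed, dropped or rewritten, and a packet that matches no rule is dropped. All type and function names (pf_packet, pf_rule, pf_filter, ...), the rule set, and the sample packet in main are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; not the thesis's own definitions. */
enum pf_dir { PF_IN, PF_OUT };
enum pf_action { PF_PASS, PF_DROP, PF_NAT };

typedef struct {                 /* the header fields the criteria below look at */
    uint32_t src, dst;           /* IPv4 addresses in host byte order */
    uint8_t  proto;              /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
    uint16_t len;                /* packet length in bytes */
    enum pf_dir dir;
    bool syn_only;               /* TCP SYN without ACK: a new connection attempt */
} pf_packet;

enum pf_crit_kind { CRIT_DIR, CRIT_SRC_NET, CRIT_DST_NET, CRIT_PROTO, CRIT_DPORT, CRIT_LEN_GT, CRIT_SYN };

typedef struct {
    enum pf_crit_kind kind;
    uint32_t a, b;               /* value, plus netmask for the *_NET kinds */
    bool negate;                 /* "not <criterion>" */
} pf_crit;

#define PF_MAX_CRIT 4
typedef struct {
    pf_crit crit[PF_MAX_CRIT];
    int ncrit;
    enum pf_action action;
    uint32_t nat_addr;           /* PF_NAT only: address to masquerade as */
} pf_rule;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static bool crit_matches(const pf_crit *c, const pf_packet *p)
{
    bool m = false;
    switch (c->kind) {
    case CRIT_DIR:     m = (uint32_t)p->dir == c->a;          break;
    case CRIT_SRC_NET: m = (p->src & c->b) == (c->a & c->b);  break;
    case CRIT_DST_NET: m = (p->dst & c->b) == (c->a & c->b);  break;
    case CRIT_PROTO:   m = p->proto == c->a;                  break;
    case CRIT_DPORT:   m = p->dport == c->a;                  break;
    case CRIT_LEN_GT:  m = p->len > c->a;                     break;
    case CRIT_SYN:     m = p->syn_only;                       break;
    }
    return c->negate ? !m : m;   /* negation is applied per criterion */
}

/* A rule matches only if every one of its criteria matches (conjunction). */
static bool rule_matches(const pf_rule *r, const pf_packet *p)
{
    for (int i = 0; i < r->ncrit; i++)
        if (!crit_matches(&r->crit[i], p))
            return false;
    return true;
}

/* First matching rule wins; a packet matching no rule is dropped (default deny).
 * PF_NAT passes the packet after rewriting its source address in place. */
enum pf_action pf_filter(const pf_rule *rules, int nrules, pf_packet *p)
{
    for (int i = 0; i < nrules; i++) {
        if (!rule_matches(&rules[i], p))
            continue;
        if (rules[i].action == PF_NAT)
            p->src = rules[i].nat_addr;   /* a real NAT would also fix the IP and TCP/UDP checksums */
        return rules[i].action;
    }
    return PF_DROP;
}

/* Constructed rule set (an assumed policy, not one from the thesis). Order matters. */
static const pf_rule example_rules[] = {
    /* drop oversize packets in either direction */
    { { { CRIT_LEN_GT, 1500, 0, false } }, 1, PF_DROP, 0 },
    /* pass inbound SSH, but only from 10.0.0.0/8 */
    { { { CRIT_DIR, PF_IN, 0, false }, { CRIT_PROTO, 6, 0, false },
        { CRIT_DPORT, 22, 0, false }, { CRIT_SRC_NET, IP4(10, 0, 0, 0), 0xFF000000u, false } },
      4, PF_PASS, 0 },
    /* pass inbound TCP that is "not SYN" (segments of connections opened from inside) */
    { { { CRIT_DIR, PF_IN, 0, false }, { CRIT_PROTO, 6, 0, false }, { CRIT_SYN, 0, 0, true } },
      3, PF_PASS, 0 },
    /* masquerade outbound traffic from the private LAN as 203.0.113.5 */
    { { { CRIT_DIR, PF_OUT, 0, false }, { CRIT_SRC_NET, IP4(192, 168, 1, 0), 0xFFFFFF00u, false } },
      2, PF_NAT, IP4(203, 0, 113, 5) },
    /* pass everything else outbound; other inbound traffic falls through to default deny */
    { { { CRIT_DIR, PF_OUT, 0, false } }, 1, PF_PASS, 0 },
};

enum pf_action pf_filter_example(pf_packet *p)
{
    return pf_filter(example_rules, (int)(sizeof example_rules / sizeof example_rules[0]), p);
}

pf_packet pf_mk(enum pf_dir dir, uint32_t src, uint32_t dst, uint8_t proto,
                uint16_t sport, uint16_t dport, uint16_t len, bool syn_only)
{
    pf_packet p = { src, dst, proto, sport, dport, len, dir, syn_only };
    return p;
}

int main(void)
{
    /* constructed sample: a LAN host opening an HTTPS connection to the outside */
    pf_packet p = pf_mk(PF_OUT, IP4(192, 168, 1, 10), IP4(198, 51, 100, 7), 6, 40000, 443, 60, true);
    enum pf_action a = pf_filter_example(&p);
    printf("outbound from LAN: action=%d, src now %u.%u.%u.%u\n", (int)a,
           (unsigned)(p.src >> 24), (unsigned)((p.src >> 16) & 0xFF),
           (unsigned)((p.src >> 8) & 0xFF), (unsigned)(p.src & 0xFF));
    return 0;
}
```

Two points worth checking in any rule set of this shape. Rule order is part of the policy: the oversize-drop rule must precede the NAT rule, otherwise an oversized LAN packet is rewritten and passed. And the negated criterion "not SYN" is only a stateless approximation of "reply to an established connection": an ACK-only probe from outside satisfies it, which is exactly why the assignment asks for stateful filtering (tracking the TCP connection state) as an extension. The NAT action here rewrites only the source address; a real implementation also has to recompute the IP header checksum and the TCP/UDP pseudo-header checksum, remember the mapping, and reverse it on the inbound reply.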
References
[1] HelenOS 0.2.0 Design Documentation (http://www.helenos.org/documentation)
[2] Networking stack Reference Manual, http://www.helenos.org/doc/refman/networking-0.4.2/
[3] IEEE and RFC specifications of the 802.3, ARP, IP, ICMP, TCP and UDP protocols
Preliminary scope of work
The goal of the thesis is to create an extensible and easily configurable packet filter (firewall) for the HelenOS operating system. The packet filter is designed as a standalone component that communicates with the other components of the HelenOS networking stack via IPC.

The packet filter implementation makes it possible to decide, for each incoming and outgoing packet, whether to let it through, discard it or modify it. The packet filter can filter by the usual criteria (source/destination address/subnet, packet size, direction of the traffic, and transport-protocol properties: source/destination port, packet type, flags, state of the TCP connection, etc.).

The thesis also includes an analysis of the configuration languages of existing packet filters in other operating systems, and the design and implementation of a configuration language that allows filtering rules to be built from the supported filtering criteria and their negations. The packet filter itself is designed modularly so that it can easily be extended with further criteria, packet-modifying methods and stateful filtering. To demonstrate these properties, the packet filter implements a simple variant of the NAT mechanism.
 
Charles University | Information system of Charles University | http://www.cuni.cz/UKEN-329.html