Writing your own firewall?


Post by Edwin Knoppert »

Is there a simple way to write a firewall?
No idea how to do that :)

Post by Rings »

No simple way, else there would be more freeware 'firewalls' around.
But it's not so complicated, just 2 hints:

Hook the CreateProcess API (global should be the best)
to prevent starting any process.

Hook the Sockets API/LoadLibrary to prevent
unattended communication.

Last but not least:
hook RemoteThread to prevent code injection.

For hooking APIs globally, it's recommended IMHO that
you use a device driver to get into ring0.


links:
http://www.codeproject.com/internet/FwHookDrv.asp
http://www.codeproject.com/internet/smfirewall.asp
http://www.codeproject.com/threads/A_no ... rewall.asp
SPAMINATOR NR.1

Post by Edwin Knoppert »

It's for personal use.

I have ZA but I tried (older) Kerio to prevent just a few specific addresses.
Unfortunately I also have to set a rule to allow everything and therefore the other rule to disallow a specific address is skipped(!)

To be more specific, I'm happy with ZA but I would like to be able to maintain a list of specific addresses to cancel 100%.
(Outwards)

For example the whole www.microsoft.com site?

Post by Edwin Knoppert »

Oh, btw, under XP, so API hooking might be enough.

Someone??

Post by SFSxOI »

Why not try creating an interface for the built-in WinXP (with SP-2) firewall? I know people don't think much of it (I don't use it personally), but for what it was intended to do, it works, and it's already part of the OS with all the hooks and stuff in place already. Contrary to popular belief it will do outbound filtering as well (even though outbound is not really needed, there are arguments for both sides here) but there's just no really suitable interface for it for controlling everything it's capable of. Half the work is already done, it just needs a suitable interface.

Post by Edwin Knoppert »

I have no idea where to start, is there a small example?
And really, I don't need a GUI, some DLL or something of the sort which reads a list would do.

:)

Post by Num3 »

Firewalls are installed as hardware drivers...

So they can sniff packets, between the hardware driver itself and windows...

Post by flaith »

“Fear is a reaction. Courage is a decision.” - WC

Post by Jan Vooijs »

Edwin,

Have you looked at this page:
http://www.free-firewall.org/

There are two or three free firewalls; there is even an open source firewall listed there: http://winsockfirewall.sourceforge.net/

And maybe this is something:
http://www.smoothwall.org/

Or maybe this freeware one:
http://www.jetico.com/

The next page can be VERY handy for info about a bunch of BADLY performing firewalls and their safety, FYI (for your information):
http://www.firewallleaktester.com/index.html

Good luck, wow, if somebody could write a PB firewall THAT would be amazing (but not impossible).

Jan V.
Life goes too Fast, Enjoy!!

PB 4 is too good to be true, wake up man it is NOT a dream THIS is a reality!!!

AMD Athlon on 1.75G, 1Gb ram, 160Gb HD, NVidia FX5200, NEC ND-3500AG DVD+RW and CD+RW, in a Qbic EO3702A and Win XP Pro SP2 (registered)

Post by rsts »

If there are only known addresses you want to disallow access to, you could also use a hosts file?

cheers

Post by Edwin Knoppert »

rsts wrote: if there are only known addresses you want to disallow access to, you could also use a hosts file?

cheers

What is that?

:)

Post by rsts »

try
http://www.mvps.org/winhelp2002/hosts.htm

or google "hosts file"

there are also programs which allow you to update "on the fly" + several sites which provide "current" host files which block unwanted sites.

cheers

Post by Edwin Knoppert »

HEHE!!

Thanks dude :)

I now have blocked my 'favourite' site.. (I hope)

:)
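
One way to check a hosts-file block like the one discussed above, as an added example that is not part of any post in this thread: it parses hosts-format text and reports whether a name is sinkholed, relying on the fact that hosts entries match exact names only and have no wildcards. The function names and the sample entries are constructed for illustration; keeping the first mapping seen for a name is an assumption about resolver behaviour.

```python
import ipaddress

# Constructed sample in hosts-file format (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     www.example.com  ads.example.com   # two names on one line
127.0.0.1   Tracker.Example.NET
192.0.2.10  intranet.example.org
not-an-ip   broken.example.com
"""

def parse_hosts(text):
    """Return {lowercased hostname: ip_address} for every valid line."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or name-less line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: line is ignored
        for name in fields[1:]:
            # Assumption: the first mapping seen for a name is the one that counts.
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def is_sinkhole(addr):
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) goes nowhere useful."""
    return addr.is_loopback or addr.is_unspecified

def check(name, table):
    """Return 'blocked', 'redirected', 'parent-only' or 'not-listed'."""
    name = name.lower().rstrip(".")
    if name in table:
        return "blocked" if is_sinkhole(table[name]) else "redirected"
    # No wildcards in hosts: a listed parent name does not cover names below it.
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in table and is_sinkhole(table[parent]):
            return "parent-only"
    return "not-listed"

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("www.example.com", "example.com", "download.www.example.com"):
        print(host, "->", check(host, hosts))
```

A result of `parent-only` or `not-listed` means that name still resolves normally, so every host name of a site has to be listed separately; connections made directly to an IP address never consult the hosts file at all.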

Post by TerryHough »

@Edwin

There is an interesting discussion on the Hosts file on Steve Gibson's site.
http://www.grc.com/default.htm

Post by Edwin Knoppert »

Not sure if we have seen the same, I read the topic:

http://www.grc.com/sn/SN-045.htm

---------------------------------------------------

So far i have good results!

Anyone know the address ZA uses secretly?
I heard the freeware version calls home as well.