Stars: 302 · Rank: 138,030 (Top 3%) · Language: C · License: Other · Created about 11 years ago · Updated about 11 years ago

isowall

This is a mini-firewall that completely isolates a target device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

Building

This project depends upon libpcap, and of course a C compiler.

On Debian, the following should work:

# apt-get install git gcc make libpcap-dev
# git clone https://github.com/robertdavidgraham/isowall
# cd isowall
# make

This will put the binary isowall in the local isowall/bin directory.

This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, set up a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces must have no TCP/IP stack bound to them: no IP address, nothing at all. This is the most important configuration step, and the one most commonly gotten wrong. For example, the DHCP client on the box may be configured to send DHCP requests out of these additional interfaces automatically; you have to fix that so nothing is bound to these interfaces.

To run, simply type:

# ./bin/isowall --internal eth1 --external eth2 -c xxxx.conf

where xxxx.conf contains your configuration, which is described below.

Configuration

The following shows a typical configuration file:

internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3

external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11

allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255

The target device we are isolating has the indicated IP and MAC address.

Only IPv4 and ARP packets are passed.

Outbound packets must satisfy all of the following conditions:

  • source MAC address equal to internal.target.mac
  • destination MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • source IPv4 address equal to internal.target.ip
  • destination IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the destination IPv4 address must equal external.router.ip
  • if an ARP packet, must be a "request"

Inbound packets must satisfy all of the following conditions:

  • destination MAC address equal to internal.target.mac
  • source MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • destination IPv4 address equal to internal.target.ip
  • source IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the source IPv4 address must equal external.router.ip
  • if an ARP packet, then must be a "reply"
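As an added illustration (not isowall's own code), here is the outbound rule list above expressed as one check over a raw Ethernet frame, fed with constructed frames built from the README's example configuration; the struct layout, function names and the pre-conversion of allow/block lines from CIDR/range syntax to inclusive ranges are assumptions of this example. The inbound direction mirrors it with source and destination swapped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct range { uint32_t lo, hi; };                 /* inclusive IPv4 range, host byte order */
struct cfg {                                       /* the README's config keys, already parsed */
    uint8_t target_mac[6], router_mac[6];
    uint32_t target_ip, router_ip;
    const struct range *allow, *block; size_t nallow, nblock;
};
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static int in_ranges(uint32_t ip, const struct range *r, size_t n) {
    for (size_t i = 0; i < n; i++) if (ip >= r[i].lo && ip <= r[i].hi) return 1;
    return 0;
}
/* Outbound rule set from the README: returns 1 only if every condition holds, else 0 (drop). */
int is_allowed_outbound(const uint8_t *f, size_t len, const struct cfg *c) {
    if (len < 14) return 0;                                    /* runt frame */
    if (memcmp(f, c->router_mac, 6) || memcmp(f + 6, c->target_mac, 6)) return 0;
    uint16_t ethertype = (uint16_t)(f[12] << 8 | f[13]);
    if (ethertype == 0x0800) {                                 /* IPv4: src must be the target */
        if (len < 34 || (f[14] >> 4) != 4 || rd32(f + 26) != c->target_ip) return 0;
        uint32_t dst = rd32(f + 30);                           /* dst in allow, not in block */
        return in_ranges(dst, c->allow, c->nallow) && !in_ranges(dst, c->block, c->nblock);
    }
    if (ethertype == 0x0806) {                                 /* ARP: a request for the router only */
        if (len < 42) return 0;
        return (f[20] << 8 | f[21]) == 1 && rd32(f + 28) == c->target_ip && rd32(f + 38) == c->router_ip;
    }
    return 0;                                                  /* any other EtherType is dropped */
}
/* Constructed sample: the README's example config, CIDR/range lines pre-converted to ranges. */
static const struct range demo_allow[] = { {0x00000000u, 0xFFFFFFFFu} };          /* 0.0.0.0/0 */
static const struct range demo_block[] = { {0xC0A80000u, 0xC0A8FFFFu},             /* 192.168.0.0/16 */
    {0x0A000000u, 0x0AFFFFFFu}, {0xE0000000u, 0xFFFFFFFFu} };   /* 10.0.0.0/8, 224.0.0.0-255.255.255.255 */
static const struct cfg demo_cfg = { {0x02,0x60,0x8c,0x37,0x87,0xf3}, {0x66,0x55,0x44,0x33,0x22,0x11},
    0x0A000081u /* 10.0.0.129 */, 0x0A000001u /* 10.0.0.1 */, demo_allow, demo_block, 1, 3 };
/* Builds a constructed target->router frame (IPv4 to dst_ip, or ARP with arp_op for dst_ip) and filters it. */
int demo_outbound(uint16_t ethertype, uint16_t arp_op, uint32_t dst_ip) {
    uint8_t f[64] = {0};
    memcpy(f, demo_cfg.router_mac, 6); memcpy(f + 6, demo_cfg.target_mac, 6);
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    if (ethertype == 0x0800) { f[14] = 0x45; wr32(f + 26, demo_cfg.target_ip); wr32(f + 30, dst_ip); }
    else { f[20] = arp_op >> 8; f[21] = arp_op & 0xff; wr32(f + 28, demo_cfg.target_ip); wr32(f + 38, dst_ip); }
    return is_allowed_outbound(f, sizeof f, &demo_cfg);
}
```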

Security Guarantee

There is no guarantee, of course, but this program has pretty good security.

The security rests on the fact that no IP stack is bound to the two isolation adapters. That means the infected target cannot touch the firewall machine in any way, except through what the is_allowed() function permits. That function represents the majority of the firewall machine's attack surface, and, as you can tell from reading it, it contains almost no functionality, so the attack surface is very small indeed.

There are a few theoretical attacks that might happen at the physical layer, but for the most part, we don't have to worry about them.
