February 7th, 2002, 02:29 AM
Open Source Firewall
Just as a boredom project I am thinking about writting an open source (assembly of course) firewall for windows 9x/nt. This is mostly going to be just to get me back used to programming the windows API in assembly (masm32 of course). I was thinking about actually opening ports 1-1024 (I know sounds strange huh?) and sending a text message to an "attacker" saying "Your activity has been logged, Please have a nice day", Just in general does anyone know what type of responce this would get from users, would most people use this, or leave it on the "closed down" option? Again this is for software that I have not even started coding yet, but am in the 'brainstorming" stage.
Any discussion or suggestions for a firewall are 1000000% welcome.
February 7th, 2002, 03:19 AM
Good idea. i'd like to help. PM me if you think you might need any. I also have another project in mind, and I can send you details if you're interested.
February 7th, 2002, 03:50 AM
wouldnt having those ports open defeat the purpose of the firewall? i know i get alot of alerts from my firewall that really arent anything to worry about sending a message to all of them would be kinda pointless. the point of a firewall is stealth if someone pings you the idea is to give the impression you dont exist once you send a message to them they know your there and will soon be lookin to exploit the firewall. you sta3ted ports 1-1024 being opened that in itself would be detrimental as the most commonly exploited ports are in this range ie telnet netbios smtp http etc. having any ports open is not good as with even a single open port that is accessing the net the entire network can be mapped thru the firewall( if you have say port 80 or smtp accessing the net thru the firewall the entire network can easily be mapped a.k.a. firewalking, having unneeded ports open leaves you very vulnerable even behind a firewall. the idea of open source is excellent tho for obvious reasons.
February 7th, 2002, 04:25 AM
I am not wanting to make that the default way of running the firewall (just an option). Also the part about common exploits being known for "services" running on ports 1-1024 doesn't apply, as this isn't going to be one of the services. An attack on the firewall itself would work, considering the fact it is going to be open source, it would be trivial for someone to find a coding mistake in it, and exploit it, BUT since it is open source it would be just as easy for anyone on the net to patch that hole and keep that exploit from working.
February 7th, 2002, 04:28 AM
My question is how you can send a message to someone who scan your port or whatever?
February 7th, 2002, 04:30 AM
Sounds good. Keep us up to date when you start this project. Im sure there are plenty of people here who would be interested in testing it out once u finish. . . . if u decide to do this.
"Never give in-never, never, never, in nothing great or small, large or petty, never give in to convictions of honor and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy!" - Winston Churchill
February 7th, 2002, 04:38 AM
in order for them to be sending you a message (normally) they would have to send a TCP or UDP packet which has a source port:source address on it. Sending the information to the source port:source address would get the information to the other peron's computer easy enough. (this is excluding such things tear drop which uses malformed SYN packets). basically if the person is scanning using telnet it will send text back to them, (I don't really know if this is a *good* idea, as if someone floods you with spoofed SYN packets it could cause some type of infinate loop with someone else running the same piece of software). So I *really* doubt THAT *feature* will be put in.
February 7th, 2002, 08:15 AM
heh, even better would be to set up false services on comonly exploited ports...so the sory bastarts spend all their time trying to do simple netbios user enumeration and such(and obviously get nothing because its just the firewall sending back false responces)
hell...even having false user lists to be "coughed up" and let the bastards spend their time trying to brute force the passwords...
think of the possibilities(although this would add quite a bit of code, i would think)
i mean, offer such jucy targets as NetBios, IIS, SQL....just the stuff that makes malicious(black hat) hackers wet their pants...even better would be to spoof un-patched versions(using version #'s ect).
most hackers would spend their time there while missing services you actually have running which may have exploits. after trying a few of them they might just give up on you all together.
There are 10 types of people in this world: those who understand binary, and those who dont.
February 7th, 2002, 08:32 AM
That was the basic idea I was getting at was running services on 1-1024 so that if someone scans the box they will end up having to do it manually, which will require them to spend a LOT of time to find out that frankly there isn't anything open. The only problems I (or others so far can think of) are possible tear drop type attacks that spoof the source address on the packets could be used in a sort of "bounce" attack on another host, and the fact that someone could easily attempt to exploit the firewall itself (the latter is a problem in *any* circumstance). I have a decent idea of how I am going to approach this (should I decide to do it, which most likely I will). But first I need to read back over some info on winsock programming as I am more of a BSD sockets type of person (as far as I have found there are no open source firewalls for windows so that is why I am maybe doing this). But anyway....suggestions on "features" are welcome as reading thru the API it looks like programming a general "Shutdown EVERYTHING" firewall will be quite simple after getting the GUI coded (which is one thing I am having to relearn).
Anyway...thanks for the suggestion
February 7th, 2002, 09:14 AM
Wasn't there a program that sent a message back to
the source if a scan was detected ?