This project aims to use software-defined networking (SDN) to create an externally configurable blacklist firewall using the SDN platform Pyretic and the POX OpenFlow Controller.
The firewall rules are in the configuration file firewall-config.pol. The firewall policy is implemented in firewall_policy.py. The following rules are implemented:
- Block PPTP, prohibiting all hosts from sending traffic to a PPTP server running on
server2. - Prohibit all hosts from sending traffic to an SSH server on hosts
e1,e2, ande3. - Protect the DNS and NTP services on
server1andserver2from receiving traffic from all hosts. - Disallow hosts
w1andw2from pingingclient1. - Disallow host
e1from sending traffic destined to TCP ports 9950-9952 on hoste3. - Restrict host
client1from sending traffic to hostse1,e2, ande3. - Prohibit all hosts from sending traffic to a L2TP/IPSEC server running on
server3.
firewall.py sets up the Pyretic application and reads the firewall config into a data object. firewall-topo.py is a Mininet program that starts a topology consisting of one switch and two groups of hosts. The learning switch is implemented in pyretic_switch.py. run-firewall.sh is used to run the firewall; it also allows for different config files to be used by providing a filename via the command line.
For TCP testing: test-tcp-client.py acts as a TCP client - it opens a connection, sends a string, then waits to hear it echoed back. test-tcp-server.py acts as a TCP server - it listens on a specified port and echoes back whatever it hears.
For UDP testing: test-udp-client.py acts as a UDP client. test-udp-server.py acts as a UDP server that echoes back whatever it hears.