Erlang firewall

Luke Gorrie luke@REDACTED
Wed Nov 28 12:43:06 CET 2001

"Vlad Dumitrescu" <vlad.dumitrescu@REDACTED> writes:

> Hi good folks,
> I was thinking about Erlang security aspects, and I wonder if it
> would be possible to set up an Erlang firewall, that will separate
> the internal from the external networks, possibly by using different
> cookies for them, and only allowing for some messages to pass
> through... seem like not easy and resource demanding, so it might
> not be practical, but is there at least a theoretical possibility
> for such a thing to function?

Not quite sure what you mean, but if you want to write a regular
firewall in Erlang then I have a hack for you at

It's a "tunnel device" driver for erlang on Linux. A tunnel device is
a faked network device where packets go to and from a program instead
of a real network.

The program comes totally undocumented but is very simple (3
functions). It does include a tiny example though. If you run erlang
as root with something like (note the fully-qualified ebin dir):

  # erl -pa /home/luke/src/tunnel-0.1/ebin/
  Erlang (BEAM) emulator version [source] [threads]

  Eshell V5.0.1.1.b2  (abort with ^G)
  1> tunnel:proxy().
  Opening proxy on "tun0"

Now the program has a tunnel device opened - it will read any packets
from it and then write them straight back. But you have to configure
the tunnel's IP address like this:

  # ifconfig tun0 pointopoint

Those're just made-up IP addresses. This gives the tunnel the address, and says that packets for should go through
it (automatically adds the route).

Now you can do "ping" and you'll see the erlang packet
receiving the packets!

Some notes if you wanna actually use it:

- Use the tcpdump program to see what's going on
- You need to have "universal tun/tap" support for your kernel (the
  module is called "tun").
- If you want to use this as a firewall, you need to decipher the
  Linux Advanced Routing HOWTO (or ask me - I've got this setup but
  its a bit tricky).

That's all I can think of just now!


More information about the erlang-questions mailing list