Erlang firewall

Luke Gorrie luke@REDACTED
Wed Nov 28 12:43:06 CET 2001


"Vlad Dumitrescu" <vlad.dumitrescu@REDACTED> writes:

> Hi good folks,
> 
> I was thinking about Erlang security aspects, and I wonder if it
> would be possible to set up an Erlang firewall, that will separate
> the internal from the external networks, possibly by using different
> cookies for them, and only allowing for some messages to pass
> through... seems like not easy and resource demanding, so it might
> not be practical, but is there at least a theoretical possibility
> for such a thing to function?

Not quite sure what you mean, but if you want to write a regular
firewall in Erlang then I have a hack for you at
http://www.bluetail.com/~luke/misc/tunnel-0.1.tar.gz

It's a "tunnel device" driver for erlang on Linux. A tunnel device is
a faked network device where packets go to and from a program instead
of a real network.

The program comes totally undocumented but is very simple (3
functions). It does include a tiny example though. If you run erlang
as root with something like (note the fully-qualified ebin dir):

  # erl -pa /home/luke/src/tunnel-0.1/ebin/
  Erlang (BEAM) emulator version 5.0.1.1.b2 [source] [threads]

  Eshell V5.0.1.1.b2  (abort with ^G)
  1> tunnel:proxy().
  Opening proxy on "tun0"

Now the program has a tunnel device opened - it will read any packets
from it and then write them straight back. But you have to configure
the tunnel's IP address like this:

  # ifconfig tun0 192.168.43.1 pointopoint 192.168.43.2

Those are just made-up IP addresses. This gives the tunnel the address
192.168.43.1, and says that packets for 192.168.43.2 should go through
it (automatically adds the route).

Now you can do "ping 192.168.43.2" and you'll see the erlang program
receiving the packets!

Some notes if you wanna actually use it:

- Use the tcpdump program to see what's going on
- You need to have "universal tun/tap" support for your kernel (the
  module is called "tun").
- If you want to use this as a firewall, you need to decipher the
  Linux Advanced Routing HOWTO (or ask me - I've got this setup but
  it's a bit tricky).

That's all I can think of just now!

Cheers,
Luke
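The procedure Luke describes (open a tun device, read every packet the
kernel routes into it, write it back) is what his Erlang driver does; the
firewall Vlad asked about is the step after that: look at each packet and
decide whether it may pass. The following is an added example and is not
code from the original post or from the tunnel-0.1 package. It opens a
Linux tun device from Python with the same TUNSETIFF ioctl, parses the
IPv4 header of each packet, runs it through a small default-deny rule
table and writes back only what the table allows. Assumptions: a Linux
kernel with the "tun" module loaded, /dev/net/tun present, and root
privileges; the interface is opened with IFF_NO_PI so packets arrive as
bare IP (the 2001-era driver may instead see the 4-byte packet-info prefix
the kernel prepends by default); the device name, the 192.168.43.x
addresses and the rule table are made up to match the made-up addresses
in the post. The ioctl constants are the x86 Linux values from
linux/if_tun.h. Only the parser, rule check and packet builder run
without root; the tun loop is behind the __main__ guard.

```python
"""Added example (not from the original post): a default-deny IPv4 packet
filter on a Linux tun device. Parsing and rule evaluation are pure
functions; only run_filter() needs Linux and root."""
import fcntl
import ipaddress
import os
import struct

# Constants from linux/if_tun.h (x86/x86_64 values).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001     # layer-3 device: frames are IP packets, no Ethernet header
IFF_NO_PI = 0x1000   # do not prepend the 4-byte flags/proto packet-info header

# Hypothetical rule table: (IP protocol number or None for any, destination
# network, verdict). First match wins; no match means "deny".
RULES = [
    (1, ipaddress.IPv4Network("192.168.43.2/32"), "allow"),  # ICMP to the far end only
    (6, ipaddress.IPv4Network("192.168.43.0/24"), "deny"),   # no TCP across the tunnel
]


def open_tun(name="tun0"):
    """Attach to tun interface `name` (created if absent); returns the fd."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) or None if the packet is not sane IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        return None                    # truncated or length field lies
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return proto, src, dst, pkt[ihl:total_len]


def verdict(pkt, rules=RULES):
    """First matching rule decides; malformed or unmatched packets are denied."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "deny"
    proto, _src, dst, _payload = parsed
    for rule_proto, net, action in rules:
        if (rule_proto is None or rule_proto == proto) and dst in net:
            return action
    return "deny"


def ipv4_checksum(header):
    """Standard one's-complement sum over 16-bit words of the header."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet (20-byte header, no options). Used here
    only to construct sample input; it is not traffic captured from a tunnel."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def run_filter(name="tun0"):
    """Like the original proxy: read each packet and write it straight back,
    but only when the rule table allows it. Needs root and the tun module."""
    fd = open_tun(name)
    print("Filtering on", name)
    while True:
        pkt = os.read(fd, 65535)
        v = verdict(pkt)
        parsed = parse_ipv4(pkt)
        print(v, parsed[0], parsed[1], "->", parsed[2]) if parsed else print(v, "malformed")
        if v == "allow":
            os.write(fd, pkt)


if __name__ == "__main__":
    run_filter()
```

Run it as root, then give the interface an address exactly as in the post
(`ifconfig tun0 192.168.43.1 pointopoint 192.168.43.2`, or the `ip addr add`
equivalent); `ping 192.168.43.2` is allowed through while, say, `telnet
192.168.43.2 80` is dropped and logged. Two points worth noticing: the
filter is default-deny, so a packet that matches no rule or fails to parse
is dropped rather than forwarded, and length checks come before any field
is read, because the kernel hands the program whatever a peer put on the
wire.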
