I am returning to a project which used to use IPFilter to take raw packets passed straight through from a modem. It would filter and route accordingly over several interfaces to ensure an isolated set of trusted and untrusted subnets over those separate interfaces (including to a honeypot). That is simple enough, however we need to be able to run a small custom C program which does some real-time magic based upon the source and final disposition of each packet, including the final interface chosen for the route.
We would also like to be able to create dynamic rulesets using a program that keeps track of the services which are expected to be listening at the destinations, which requires a module call at the top of the ruleset.
This never worked as well as we wanted in IPFilter, and that seems to no longer be an option in any case, so we are looking for an alternative which allows us to call our programs (even if it is the result of a rule rather than at the interface level) and I thought I would ask the great minds here if there was a specific firewall that we should be using to accomplish this task.
Obviously, we need this to be as efficient as possible as we are potentially processing each packet in real time and not passing a log at the end of the day. While statefulness speeds the packet along, we would still want to tally the packets routed by a state match and maintain statistics for the connection source and destination including the interface that was chosen.
We have discussed intercepting the log file and processing that, but we don't have a feel for the security and performance impact, let alone a best practice to go about this if we chose that path as an option.
Suggestions? All are appreciated!!