Understanding How Firewall Software Intercepts Network Communication
In this article we look at how firewall software intercepts network communication using a packet filter, and at what actually makes the kernel hand packets to that filter.
Question
How does a firewall software intercept network communication?
I have a basic idea of what a software-based packet filter does, and I’m not sure if it’s entirely accurate. Basically, a packet filter is a loadable kernel module that is inserted into the network stack between the network layer and the transport layer and tells the kernel ‘Instead of sending incoming packets to the transport layer, send them to me first, and I will decide whether to forward them or not. Also, do the same thing with outgoing packets.’
My two questions are:
- Is my idea accurate?
- How does the packet filter get the kernel to listen to it and bypass its normal packet-forwarding behaviour, sending all packets to the filter instead?
I’m curious about how such a firewall would actually be implemented (at an abstract level; I’m aware I could just look at the source code for a firewall, but that would be rather tedious).
Answer
It is not the packet filter which gets the kernel to listen to it; it is the kernel which entrusts network data to the packet filter.
The packet filter and the kernel must be compatible; technically speaking, the kernel must offer specific hooks used by the packet filter to do its job.
On Linux, for instance, behind the iptables front-end you will find that the Linux kernel offers hooks allowing the Netfilter framework to register callback functions:
- If the firewall is not enabled, there will be no callback registered, so the kernel will handle everything by default.
- If the firewall is enabled, Netfilter will have registered its callback functions, so the kernel will be able to call them when appropriate.
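To make the hook-and-callback relationship concrete, here is an added example that is not part of the original answer: a small user-space model of how the Netfilter hook points work. The hook point names (NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, and so on), the verdict values NF_ACCEPT/NF_DROP and the struct name nf_hook_ops mirror the real Linux API, but every function body below, the packet structure, the LOCAL_ADDR constant and the sample packets are simplified stand-ins constructed for this illustration, not kernel code. The point it shows is the one the answer makes: the kernel owns the hook points and walks whatever callbacks are registered there; with nothing registered, the loop runs zero times and the packet takes the default path.

```c
/*
 * Added example, not from the original answer: a user-space model of the
 * Netfilter hook mechanism. The "kernel" receive path has fixed hook points;
 * a packet filter registers a callback at one of them and the kernel calls it.
 * Names mirror the Linux API (enum nf_inet_hooks, NF_ACCEPT/NF_DROP,
 * struct nf_hook_ops), but this is a simplified stand-in, not kernel code.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hook points, in the same order as the kernel's enum nf_inet_hooks. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Verdicts a hook callback may return (subset of the real set). */
enum { NF_DROP = 0, NF_ACCEPT = 1 };

/* Simplified packet: only the fields a filter looks at (constructed layout). */
struct pkt {
    uint32_t saddr, daddr;   /* host-order IPv4 addresses */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dport;
};

/* Registration record, cf. struct nf_hook_ops in the kernel. */
struct nf_hook_ops {
    unsigned int (*hook)(const struct pkt *p);
    int hooknum;
    int priority;            /* lower value runs first */
    struct nf_hook_ops *next;
};

/* One callback chain per hook point, kept sorted by priority. */
static struct nf_hook_ops *hooks[NF_INET_NUMHOOKS];

/* The filter asks the kernel to call it: it does not replace anything. */
int nf_register_net_hook(struct nf_hook_ops *ops) {
    if (ops->hooknum < 0 || ops->hooknum >= NF_INET_NUMHOOKS) return -1;
    for (struct nf_hook_ops *o = hooks[ops->hooknum]; o; o = o->next)
        if (o == ops) return -1;                     /* already registered */
    struct nf_hook_ops **pp = &hooks[ops->hooknum];
    while (*pp && (*pp)->priority <= ops->priority) pp = &(*pp)->next;
    ops->next = *pp;
    *pp = ops;
    return 0;
}

void nf_unregister_net_hook(struct nf_hook_ops *ops) {
    struct nf_hook_ops **pp = &hooks[ops->hooknum];
    while (*pp && *pp != ops) pp = &(*pp)->next;
    if (*pp) *pp = ops->next;
}

/* Kernel side: walk the chain at this hook point; the first NF_DROP ends
 * traversal. With no callbacks registered the loop body never runs and the
 * packet is accepted, which is the "kernel handles everything" default. */
static unsigned int nf_hook(int hooknum, const struct pkt *p) {
    for (struct nf_hook_ops *o = hooks[hooknum]; o; o = o->next)
        if (o->hook(p) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}

#define LOCAL_ADDR 0x0A000001u  /* 10.0.0.1, this host's own address (constructed) */

/* Stand-in for the IPv4 receive path: PRE_ROUTING, routing decision, then
 * either LOCAL_IN (up to the transport layer) or FORWARD + POST_ROUTING. */
int ip_rcv(const struct pkt *p) {
    if (nf_hook(NF_INET_PRE_ROUTING, p) == NF_DROP) return NF_DROP;
    if (p->daddr == LOCAL_ADDR)
        return nf_hook(NF_INET_LOCAL_IN, p);
    if (nf_hook(NF_INET_FORWARD, p) == NF_DROP) return NF_DROP;
    return nf_hook(NF_INET_POST_ROUTING, p);
}

/* Convenience wrapper so callers can feed a packet without building the struct. */
int receive(uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t dport) {
    struct pkt p = { saddr, daddr, proto, dport };
    return ip_rcv(&p);
}

/* Example "firewall" policy: drop TCP to port 23 (telnet) destined for this host. */
static unsigned int drop_telnet(const struct pkt *p) {
    return (p->proto == 6 && p->dport == 23) ? NF_DROP : NF_ACCEPT;
}
static struct nf_hook_ops telnet_ops = { drop_telnet, NF_INET_LOCAL_IN, 0, NULL };

int  firewall_enable(void)  { return nf_register_net_hook(&telnet_ops); }
void firewall_disable(void) { nf_unregister_net_hook(&telnet_ops); }

int main(void) {
    printf("no filter:  telnet=%d\n", receive(0x0A000002u, LOCAL_ADDR, 6, 23));
    firewall_enable();
    printf("filter on:  telnet=%d ssh=%d\n",
           receive(0x0A000002u, LOCAL_ADDR, 6, 23),
           receive(0x0A000002u, LOCAL_ADDR, 6, 22));
    firewall_disable();
    return 0;
}
```

Note that the policy is attached to NF_INET_LOCAL_IN only, so a telnet packet being forwarded through this host (destination not LOCAL_ADDR) never reaches that callback and is accepted; a real ruleset would also hook NF_INET_FORWARD. That is the practical consequence of the answer's point: the filter only sees traffic at the hook points it registered for, because it is the kernel, not the filter, that decides when callbacks run.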