PUF: the Portable UNIX Firewall
PUF is a masquerading firewall similar to Linux's kernel-resident
masquerading firewall. PUF differs in three major areas:
- PUF resides in userland, so it can be started and stopped without
restarting the kernel. That means PUF can be updated and improved and put
into place without having to do anything to the host computer's kernel and
without having to reboot the host.
- PUF uses a virtual MAC/IP address pair, so it can (in theory) be used on a
machine that is also acting as a "normal" router.
- Best of all, PUF is extremely portable. It uses the Berkeley Packet
Filter (BPF) library, libpcap, which is supported on many flavors of
UNIX. The only other facility it requires is a means to spoof traffic
onto the LAN. Porting PUF to a new platform should require less than 50
lines of code.
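The core step such a userland masquerading firewall performs on every LAN -> WAN packet, shown as an added example rather than PUF's own code: the packet's source address and port are rewritten to the firewall's address and a masquerade port, and both checksums are refreshed so the packet is valid when spoofed onto the wire. It assumes a fixed masquerade port and constructed addresses (192.0.2.1 as the firewall, 192.168.1.2 as the inside host) in place of PUF's connection table and its libpcap capture/spoof path.

```c
#include <stdint.h>
#include <string.h>
#define WAN_IP    0xC0000201u  /* 192.0.2.1: constructed firewall (virtual) address */
#define MASQ_PORT 40000u       /* one fixed port stands in for PUF's masquerade table */

/* RFC 1071 one's-complement sum of len bytes plus a seed, folded and inverted;
 * over a block that already carries a valid checksum it returns 0. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* TCP pseudo-header sum: source and destination address words, protocol 6, TCP length. */
static uint32_t pseudo_sum(const uint8_t *ip, uint32_t tlen) {
    uint32_t s = 6 + tlen;
    for (int i = 12; i < 20; i += 2) s += get16(ip + i);
    return s;
}

/* Rewrite the source of a plain IPv4/TCP packet (no IP options) to the firewall's
 * address and masquerade port, then refresh both checksums so the packet is valid
 * on the WAN. Returns 0 on success, -1 if the packet is not one we would rewrite. */
int masquerade(uint8_t *pkt, size_t len) {
    if (len < 40 || pkt[0] != 0x45 || pkt[9] != 6) return -1;
    uint8_t *tcp = pkt + 20;
    put32(pkt + 12, WAN_IP);
    put16(tcp, MASQ_PORT);
    put16(pkt + 10, 0); put16(pkt + 10, csum(pkt, 20, 0));
    put16(tcp + 16, 0); put16(tcp + 16, csum(tcp, len - 20, pseudo_sum(pkt, len - 20)));
    return 0;
}

/* 1 if both the IP header checksum and the TCP checksum verify. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    return csum(pkt, 20, 0) == 0 && csum(pkt + 20, len - 20, pseudo_sum(pkt, len - 20)) == 0;
}

/* Constructed LAN->WAN SYN: 192.168.1.2:1234 -> 198.51.100.7:80, 40 bytes, no options. */
size_t build_lan_syn(uint8_t *pkt) {
    memset(pkt, 0, 40);
    pkt[0] = 0x45; put16(pkt + 2, 40); pkt[8] = 64; pkt[9] = 6;
    put32(pkt + 12, 0xC0A80102u); put32(pkt + 16, 0xC6336407u);
    put16(pkt + 20, 1234); put16(pkt + 22, 80); pkt[32] = 0x50; pkt[33] = 0x02;
    put16(pkt + 10, csum(pkt, 20, 0));
    put16(pkt + 36, csum(pkt + 20, 20, pseudo_sum(pkt, 20)));
    return 40;
}
```

The reverse (WAN -> LAN) direction is the mirror image: look the masquerade port up, restore the inside address and port as the destination, and recompute the same two checksums.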
Currently PUF works on DEC ULTRIX and Linux (sort of: ARPs don't work and
Linux seems to be changing the protocol type of our ICMP packets). It is
licensed under the GNU Public License and the source may be downloaded here.
NOTE: on ULTRIX you'll want to do the following each time you boot:
- /usr/etc/kvar -k -wl -s ipforwarding -v 0 /vmunix: This tells ULTRIX not
to do IP forwarding (routing). ULTRIX's IP forwarding is broken. If
traffic is addressed to a foreign host that can be reached from another
interface (not the one the traffic was initially seen on), ULTRIX
automatically forwards it, regardless of what MAC address that traffic is
addressed to. This means all traffic bound for the firewall ends up being
forwarded straight through as well, since the DEC's ethernet adapter is in
promiscuous mode.
- /etc/eli -f -d: That forces eli (the system error logger) to disable error
logging. This is necessary because PUF generates all sorts of unaligned
access errors (the compiler is not very friendly in that respect).
- /etc/eli -f -q: Force eli to not display kernel messages to the console
for the same reason as above.
Stuff that doesn't work:
- PUF doesn't properly handle LAN -> WAN TCP resets. In fact, it ignores
them.
- TCP is pretty blind right now. It doesn't wait for ACKs on any of its
packets. It assumes that LAN delivery is reliable.
- IP fragments don't work. Neither do really big UDP packets.
Having said that, it works very well for my three machines at home.
Hopefully some day I'll actually have the time to finish implementing these
features.
Paper:
- HTML version of the paper on PUF (32K)
- DVI version of the paper on PUF (with PostScript images, tar gz'd) (21K)
- PostScript version of the paper on PUF (400K)
- gzipped PostScript version of the paper on PUF (71K)
- PK zipped PostScript version of the paper on PUF (70K)
If you have any questions, mail tschroed@acm.org