% GateKeeper -- a lightweight firewall for Webshield kernels
% Jessica L. Parsons
% Wed Jan 16 00:43:19 PST 2008

#GateKeeper

**Gatekeeper** was written a few years ago to stop some noxious hacker from getting into a network I was administering. It's a really simple firewall (though it's getting a little bit more complicated over time) that allows the attacker to complete the three-way handshake before stepping in and kicking them off the line. It runs on the [Webshield kernel](/~orc/Code/Archive/Webshield/index.html), which is not accessible from the outside world, thus forcing the attacker to fall back on keyhole or denial-of-service attacks instead of the traditional rootkitting of the firewall and subsequent running rampant over the entire network.

>A second approach to making your machines unrootable is to run
>something like [Mastodon Linux](/~mastodon), which
>doesn't have any rootkits for it yet. But the gatekeeper + kernel
>approach wins pretty largely on the security via invisibility
>approach, as long as you don't leave any wide open holes into
>your local network.

=[version 1.2](gatekeeper-1.2.tar.gz)=

**manpages** deserve a minor version upgrade. Now all the programs and the .cf file format are documented, which is something new.

=[version 1.1](gatekeeper-1.1.tar.gz)=

This version reinvents the wheel. I've changed the data structures internally so that they are much closer to the Linux `ip_fw` structure, plus I've added support for hard firewalls (kernel IP filtering) and have added an `ipfw` program that is almost enough to replace the old `ipfwadm` program. This should be version 2.0, except for the teeny detail that I've not yet properly tested it, I want to put in the rest of the `ipfwadm` functionality, and I _really_ need to document the thing.

=[version 1.0](gatekeeper-1.0.tar.gz)=

The first generation of the gatekeeper firewall.
This only does soft firewalling -- it allows the connection to establish (but **NO** traffic is allowed to flow through) before either allowing or forbidding it.
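The soft-firewalling behaviour described above (the kernel completes the handshake, then the connection is admitted or dropped before any payload is relayed), as an added Python example that is not GateKeeper's own code. The `Rule` shape (loosely modelled on an `ip_fw`-style source network, port range and policy), the first-match semantics, and the `decide`, `soft_firewall_accept` and `run_demo` names are assumptions; the loopback demo and rule sets are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Constructed rule shape: source network, destination port range, policy."""
    src: ipaddress.IPv4Network
    dport_lo: int
    dport_hi: int
    policy: str  # "accept" or "deny"


def decide(rules, src_ip, dport, default="deny"):
    """First-match evaluation; an unmatched peer falls through to the default (deny)."""
    addr = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if addr in r.src and r.dport_lo <= dport <= r.dport_hi:
            return r.policy
    return default


def soft_firewall_accept(listener, rules, dport):
    """Take the already-established connection, decide, and close a denied peer
    before a single byte is read from or relayed for it."""
    conn, (peer_ip, _) = listener.accept()
    verdict = decide(rules, peer_ip, dport)
    if verdict != "accept":
        conn.close()  # handshake happened, but no traffic ever flowed
        return None, verdict
    return conn, verdict


def run_demo(rules):
    """Constructed loopback demo: connect() succeeds regardless of policy (soft
    firewall), then the verdict decides. Returns (verdict, client_saw_eof)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))  # three-way handshake done
    conn, verdict = soft_firewall_accept(srv, rules, port)
    if conn is None:
        cli.settimeout(2)
        saw_eof = cli.recv(1) == b""  # denied: peer closed, nothing relayed
    else:
        conn.sendall(b"ok\n")  # accepted: traffic may now flow
        saw_eof = False
        conn.close()
    cli.close()
    srv.close()
    return verdict, saw_eof
```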