The story starts in a student flat in Christchurch, New Zealand. At the time I had two flatmates who were “hardcore” gamers, and when they weren’t gaming they were downloading or streaming media from various sites. Being the network nerd in the house, I had set up a nice iptables firewall with hand-coded rules on an old Compaq laptop that had shipped with Windows 95 twenty years earlier. It ran perfectly, and naturally I was rather proud of it.
However, the day came when we got the first internet bill: $700 for 200 GB of transfer. For three students, that is a lot of cash. But alas, we survived. Then the next bill came, and the next, and, well, you get the story. So I started searching for a better firewall setup, one that could tell me who was using the bandwidth and how much they were using. Then we could split the bill fairly and I would get a new toy to play with. So I searched, and I found nothing. Only a few forums with other people having the same problem, and the only solutions being either to buy a very expensive firewall system from Cisco or to manually script something with iptables counters (which, by the way, is not at all flexible). Even authenticating a user was a problem unless you were running a proxy server, and of course on a network with more than just HTTP traffic a proxy server was not the solution. This situation is magnified in a corporate or school environment, where it is vital to see what is going on in your network.
At this point I was surprised and frustrated: how could it be possible that no one had made this type of system? So I created it. I spent perhaps six months on the initial version and ran into loads of problems. I started with iptables, but it was too restrictive to get the user authentication right; then I experimented with pf and encountered the same problem. So I built it all from scratch, and thus Sphirewall was born.
Over the last three years, development has been on and off, and the entire codebase has been rewritten. But as it stands now, Sphirewall 0.9.8.8 is almost ready for release, and what you can do with it is getting cool. With detailed analytics and user management, the possibilities opened up for some really cool features like role-based QoS, a captive portal, quotas, and event-driven management.
At the moment we support:
- User accounts and roles
- Detailed analytics, you can see what user/host has been doing on the network
All firewall rules can be based on user roles or on normal criteria. Sphirewall actually hooks into the kernel packet stream itself, so it really stands alone in comparison to other firewalls that are just rule generators for iptables or pf.
Sphirewall is managed via a JSON API, and built on top of this is our PHP web management interface.
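To make concrete what “rules based on user roles, per-user analytics and quotas” means in practice, here is a small added example (my own toy model, not Sphirewall’s code or API): packets are attributed to an authenticated user via a constructed IP-to-user session table, each rule can match on the user’s role and/or on ordinary criteria such as protocol and destination port, first match wins, and every allowed packet is charged to the user’s byte counter so a per-role quota can be enforced and a per-user usage report produced. All names, addresses and quota values are hypothetical.

```python
"""Toy role-based firewall with per-user accounting and quotas.

Hypothetical example; it is not Sphirewall's code and does not use its API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    length: int     # bytes on the wire, charged to the sending user


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    role: Optional[str] = None       # match on the authenticated user's role
    dst_port: Optional[int] = None   # "normal" criteria: port and protocol
    proto: Optional[str] = None

    def matches(self, pkt: Packet, role: str) -> bool:
        """A None field is a wildcard; every set field must match."""
        if self.role is not None and self.role != role:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], sessions: Dict[str, str],
                 roles: Dict[str, str], quotas: Dict[str, Optional[int]],
                 default: str = "deny"):
        self.rules = rules
        self.sessions = sessions    # ip -> username (constructed "logged-in" sessions)
        self.roles = roles          # username -> role
        self.quotas = quotas        # role -> byte quota, None means unlimited
        self.default = default      # verdict when no rule matches
        self.usage: Dict[str, int] = {}   # username -> bytes allowed so far

    def process(self, pkt: Packet) -> Tuple[str, str, str]:
        """Return (verdict, user, reason) and account the packet if allowed."""
        user = self.sessions.get(pkt.src_ip, "unauthenticated")
        role = self.roles.get(user, "anonymous")
        # Quota is checked before the rules so an exhausted user is cut off
        # even for traffic a rule would otherwise allow.
        quota = self.quotas.get(role)
        if quota is not None and self.usage.get(user, 0) + pkt.length > quota:
            return "deny", user, "quota"
        for rule in self.rules:          # first matching rule decides
            if rule.matches(pkt, role):
                verdict = rule.action
                break
        else:
            verdict = self.default
        if verdict == "allow":
            self.usage[user] = self.usage.get(user, 0) + pkt.length
        return verdict, user, "rule"

    def usage_report(self) -> List[Tuple[str, int]]:
        """Per-user byte totals, heaviest user first (the 'who ran up the bill' view)."""
        return sorted(self.usage.items(), key=lambda kv: kv[1], reverse=True)


def run_demo() -> Tuple[List[Tuple[str, str, str]], Firewall]:
    # Constructed policy: block one P2P port for everyone, let admins do anything
    # else, and let students use only web ports. Everything unmatched is denied.
    rules = [
        Rule("deny", proto="tcp", dst_port=6881),
        Rule("allow", role="admin"),
        Rule("allow", role="student", proto="tcp", dst_port=443),
        Rule("allow", role="student", proto="tcp", dst_port=80),
    ]
    sessions = {"10.0.0.10": "alice", "10.0.0.11": "bob"}   # 10.0.0.12 never logged in
    roles = {"alice": "student", "bob": "admin"}
    quotas = {"student": 1_000_000, "admin": None}            # 1 MB student quota for the demo
    fw = Firewall(rules, sessions, roles, quotas)

    packets = [
        Packet("10.0.0.10", "203.0.113.5", 443, "tcp", 600_000),  # alice, under quota
        Packet("10.0.0.10", "203.0.113.5", 443, "tcp", 500_000),  # alice, would exceed quota
        Packet("10.0.0.10", "203.0.113.9", 6881, "tcp", 1_000),   # alice, blocked port
        Packet("10.0.0.11", "203.0.113.9", 6881, "tcp", 1_000),   # bob, blocked even as admin
        Packet("10.0.0.11", "203.0.113.7", 22, "tcp", 2_000),     # bob, admin wildcard
        Packet("10.0.0.12", "203.0.113.5", 443, "tcp", 3_000),    # unauthenticated host
    ]
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw


if __name__ == "__main__":
    results, fw = run_demo()
    for verdict, user, reason in results:
        print(f"{user:16} {verdict:5} ({reason})")
    print("usage:", fw.usage_report())
```

The quota check runs before rule evaluation so that a user who has burned through their allowance is denied even traffic the rules would normally allow, which is the behaviour you want when the goal is controlling a metered bill rather than just blocking ports.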
Sure there are bugs, and lots of things that could be improved, but I am looking for some feedback, and some support from the community. So take a look at the project and tell us what you think.