Why I created another Linux firewall project, and why it's unmatched by any other product

The story starts in a student flat in Christchurch, New Zealand. At the time I had two flatmates who were "hardcore" gamers, and when they weren't gaming they were downloading or streaming media from various sites. Being the network nerd in the house, I had set up a nice iptables firewall, with hand-coded rules, on an old Compaq laptop that had shipped with Windows 95 20 years ago. It ran perfectly, and naturally I was rather proud of it.

However, the day came when we got the first internet bill: $700 for 200G of transfer. For 3 students, this is a lot of cash. But alas, we survived. Then the next bill came, and the next, and well, you get the story. So I started searching for a better firewall setup, one that could tell me who was using the bandwidth and how much they were using. Then we could split the bill evenly and I would get a new toy to play with. So I searched, and I found nothing. Only a few forums with other people having the same problem, and the only solutions being either to buy a very expensive firewall system from Cisco or to manually script something with iptables counters (which, by the way, is not at all flexible). Even authenticating a user was a problem unless you were running a proxy server, and of course on a network where there is more than just HTTP traffic a proxy server was not the solution. This situation is magnified in a corporate or school environment, where it's vital to see what is going on in your network.

At this point I was surprised and frustrated: how could it be possible that no one had made this type of system? So I created it. I spent perhaps 6 months on the initial version, and ran into loads of problems. I started with iptables first, but it was too restrictive to get the user authentication right; then I experimented with pf, and encountered the same problem. So I built it all from scratch, and thus Sphirewall was born.

Over the last 3 years, development has been on and off, and the entire codebase has been rewritten. But as it stands now, Sphirewall 0.9.8.8 is almost ready for release, and what you can do with it is getting cool. With detailed analytics and user management, the possibilities opened up for some really cool features like role-based QoS, a captive portal, quotas, and event-driven management.

At the moment we support:

  • User accounts and roles
  • Detailed analytics: you can see what each user/host has been doing on the network
  • QoS
  • Quotas
  • NAT/PAT
  • Filtering

All firewall rules can be based on user roles or on normal criteria. Sphirewall actually hooks into the kernel packet stream itself, so it really stands alone in comparison to other firewalls that are just rule generators for iptables or pf.

Sphirewall is managed via a JSON API, and our PHP web management interface is built on top of it.
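To make the user-level accounting concrete, here is an added example (my own illustration, not Sphirewall's code) of the core bookkeeping such a firewall has to do: attribute each flow's bytes to the authenticated user behind the source host, break usage down per user and port, flag users whose role quota is exhausted, and pro-rate a bill the way the flat wanted to. The session table, roles, quota sizes and flow records are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: captive-portal sessions (host -> authenticated user)
SESSIONS = {"10.0.0.11": "alice", "10.0.0.12": "bob", "10.0.0.13": "alice"}
# Role per user and a monthly quota per role in bytes (hypothetical values)
ROLES = {"alice": "student", "bob": "admin"}
QUOTAS = {"student": 60_000_000_000, "admin": None}  # None = unlimited

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.0.11", "203.0.113.5", 443, 40_000_000_000),
    ("10.0.0.13", "203.0.113.9", 6881, 25_000_000_000),
    ("10.0.0.12", "203.0.113.5", 80, 5_000_000_000),
    ("10.0.0.99", "203.0.113.7", 53, 1_000),  # host with no login session
]


def account(flows, sessions):
    """Attribute bytes to users via the session table, and to (user, port).

    Traffic from hosts with no session is counted separately so that it is
    visible rather than silently dropped from the report.
    """
    per_user = defaultdict(int)
    per_user_port = defaultdict(int)
    unattributed = 0
    for src, _dst, port, nbytes in flows:
        user = sessions.get(src)
        if user is None:
            unattributed += nbytes
            continue
        per_user[user] += nbytes
        per_user_port[(user, port)] += nbytes
    return dict(per_user), dict(per_user_port), unattributed


def over_quota(per_user, roles, quotas):
    """Return users whose role quota is exhausted (candidates for a drop rule)."""
    exceeded = []
    for user, used in per_user.items():
        limit = quotas.get(roles.get(user))
        if limit is not None and used > limit:
            exceeded.append(user)
    return sorted(exceeded)


def split_bill(per_user, total_cost):
    """Pro-rate a bill by each user's share of the attributed traffic."""
    total = sum(per_user.values())
    return {u: round(total_cost * b / total, 2) for u, b in per_user.items()}
```

A kernel hook would feed `account()` live packet sizes instead of this static flow list; the attribution and quota logic stays the same.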

Sure there are bugs, and lots of things that could be improved, but I am looking for some feedback, and some support from the community. So take a look at the project and tell us what you think.


5 thoughts on "Why I created another Linux firewall project, and why it's unmatched by any other product"

  1. Hey,

    Very cool stuff. I saw your post on /r/startups. I blog about security and programming, and I’ll be sure to have a play and blog about it. I also might mention it at Breakerfaire which is Liverpool, England’s local security event.

    Good stuff man. I’m very much looking forward to playing around with it.

    Matt

  2. My flatmate, strangely also in Christchurch, set up something very similar using pmacctd and it worked very well. We had a login page for users when they came onto the network which would add an outgoing rule to the firewall. We tracked usage and billed appropriately. Alas, we never released the source code because it was a bit of a hack but it looked and worked great =) Building on top of pmacctd isn’t too hard, so you can customise it to your exact requirements.

    • From what I've seen, DD-WRT does not support the level of reporting we offer here; with the user integration, you are able to really see what a user is doing. A lot of firewalls provide a summary of transfer by using rrdtool or something similar, but getting detailed stats per host/port/device/user is not possible. To then use this information to make decisions and remove/add firewall rules is another thing altogether as well.
