OMSCS/OMSCY GEORGIA TECH
SDN Firewall with POX
Summer 2024
Copyright 2024
Georgia Institute of Technology
All rights reserved.
This is solely to be used for current CS6250 students. Any public posting of the material contained within is
strictly forbidden by the Honor code.
Table of Contents
SDN Firewall with POX Project
  Part 0: Project References
  Part 1: Files Layout
  Part 2: Before You Begin
  Part 3: Review of Mininet
  Part 4: Wireshark
  Part 5: SDN Firewall Implementation Details
    Part 5a: Specifications of configure.pol
    Part 5b: Implementing the Firewall in Code
  Part 6: Configuration Rules
What to Turn In
What you can and cannot share
Appendix A: How to Test Host Connectivity
  Part A: How to Test Manually
  Part B: Automated Testing Suite
Appendix B: Troubleshooting Information
  General Coding Issues
  Firewall Implementation (sdn-firewall.py) Errors and Issues
  Mininet/Topology Issues
Appendix C: POX API Excerpt
  Flow Modification Object
  Match Structure
  OpenFlow Actions
  Example: Sending a FlowMod Object
SDN Firewall with POX Project
In this project, you will use Software Defined Networking (SDN) principles to create a configurable firewall using
an OpenFlow-enabled switch. The Software Defined Networking (OpenFlow) functionality allows you to
programmatically control the flow of traffic on the network.
This project has three phases, as follows:
1. Mininet Tutorial – This phase is a brief overview of Mininet. There are no deliverables for this phase, and it
may be skipped, especially if you completed the optional Simulating Networks project (Project 0).
2. Wireshark Tutorial – This phase is a brief introduction to packet capture using Wireshark/tshark. You
will examine the packet format for various traffic to learn the different header values used in Phase 3.
The deliverable for this phase is a simple packet capture file.
3. SDN Firewall – This phase involves completing code to build a simple traffic-blocking firewall using
OpenFlow with the POX controller, based on rules passed to it from a configuration file. In addition, you
will create a set of rules to test the firewall implementation.
Part 0: Project References
You will find the following resources useful in completing this project. It is recommended that you review these
resources before starting the project.
IP Header Format - https://erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html
TCP Packet Header Format - https://en.wikipedia.org/wiki/Transmission_Control_Protocol
UDP Packet Header Format - https://en.wikipedia.org/wiki/User_Datagram_Protocol
The ICMP Protocol - https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
IP Protocols - https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
TCP and UDP Service and Port References - https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Wireshark - https://www.wireshark.org/docs/wsug_html/
CIDR Calculator - https://account.arin.net/public/cidrCalculator
CIDR - https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Part 1: Files Layout
Unzip the SDNFirewall-Summer2024.zip file in your virtual machine by running the following
command:
unzip SDNFirewall-Summer2024.zip
This will extract the files for this project into a directory named SDNFirewall under your current directory (it is
recommended that you use the Mininet home directory, cd ~, to aid in troubleshooting). The following files will
be extracted:
cleanup.sh – run this file with the following command: ./cleanup.sh
It cleans up the Mininet environment and kills all zombie Python and POX processes.
sdn-topology.py – this file creates the Mininet topology used in this assignment. This is like what you
created in the Simulating Networks project. When evaluating your code against the ruleset specified in
this project, do not change it. However, you are encouraged to make your own topologies (and rules) to
test the firewall. Look at the start-topology.sh file to see how to start a different topology.
ws-topology.py – this file is substantially like sdn-topology, but it does not call the POX Controller. You
will use this during the Wireshark exercise.
setup-firewall.py – this file sets up the frameworks used in this project. DO NOT MODIFY THIS FILE. It
creates the appropriate POX framework and then integrates the rules implemented in sdn-firewall.py
into the OpenFlow engine. It also reads in the entries from the configure.pol file and validates them.
If you make changes to this file, the autograder will likely have issues with your final code, because the
autograder uses the unaltered distribution version of this file.
start-firewall.sh – this is the shell script that starts the firewall. It must be started before the
topology is started. It copies files to the appropriate directory and then starts the POX OpenFlow
controller. Run it with the following command: ./start-firewall.sh
start-topology.sh – this is the shell script that starts the Mininet topology used in the assignment. All it
does is call the sdn-topology.py file with superuser permissions. Run it with the following
command: ./start-topology.sh
test-client.py – this is a Python test client program used to test your firewall. Run it with the
following command: python test-client.py PROTO SERVERIP PORT SOURCEPORT, where PROTO is
either T for TCP, U for UDP, or G for GRE; SERVERIP is the IP address of the server (destination); PORT is
the destination port; and SOURCEPORT optionally sets the source port to use.
Example: python test-client.py T 10.0.1.1 80
test-server.py – this is a Python test server program used to test your firewall. Run it with the
following command: python test-server.py PROTO SERVERIP PORT, where PROTO is either T for
TCP, U for UDP, or G for GRE; SERVERIP is the IP address of the server (the host you are running this script
on); and PORT is the service port.
Example: python test-server.py T 10.0.1.1 80
test-suite – this is a student-developed test script from 2021 that can be used to test
your implementation AFTER YOU FINISH BOTH IMPLEMENTATION FILES. The test cases in the main
folder will be used to evaluate your implementation on the first run. An alternate configuration and
topology will also be used to evaluate your implementation; it will be similar to, but not identical to,
what is found in the extra sub-folder. See Appendix A for information on how to use the test suite.
Project Deliverables
configure.pol - this file is where you will supply the configuration to the firewall that specifies the traffic
that should either be blocked or allowed (override blocks). The format of this file will be specified later
in this document. This file is one of the deliverables that must be included in your ZIP submission to
Canvas.
sdn-firewall.py – this file implements the firewall using POX and OpenFlow functions. It receives a copy
of the contents of the configure.pol file as a Python list containing a dictionary for each rule, and you will
need to implement the code necessary to process these items into POX policies to create the firewall.
This file is one of the deliverables that must be included in your ZIP submission to Canvas.
packetcapture.pcap – This will be the packet capture completed in Part 4. This file is one of the
deliverables that must be included in your ZIP submission to Canvas.
Part 2: Before You Begin
This project assumes basic knowledge of the IP, TCP and UDP protocols. You are strongly encouraged to review
the following items before starting. This will help you understand the contents of IP packet headers and
what you may need to match.
o What is the IP (Internet Protocol)? What are the different types of network-layer protocols?
o Review TCP and UDP. How do TCP and UDP differ from IP?
o Examine the packet header for a generic IP protocol entry. Contrast that with the packet header for a
TCP packet, and for a UDP packet. What are the differences? What does each field mean?
o What constitutes a TCP connection? How does this contrast with a UDP "connection"?
o A special IP protocol is ICMP. Why is ICMP important? What happens when you do an ICMP
ping? If you block the ICMP response, what would you expect to see?
o If you block a host from ICMP, will you still be able to send TCP/UDP traffic to it?
o Can you explain what happens if you get an ICMP Destination Unreachable response?
o What is CIDR notation? How do you subnet a network?
o Which IP protocols use source or destination ports?
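The rule-processing step described for sdn-firewall.py in Part 1, and the CIDR, port and ICMP questions above, as an added example that is not part of the CS6250 distribution or of POX. It models the firewall policy in plain Python and then maps one rule onto the field names POX's ofp_match exposes (dl_type, nw_proto, nw_src, nw_dst, tp_src, tp_dst) together with a priority. The rule dictionary keys ('action', 'protocol', 'srcip', 'dstip', 'srcport', 'dstport', with '-' as the wildcard), the two priority values, and the Allow-overrides-Block precedence are assumptions for illustration; the real configure.pol format is specified later in this project, and the sample rules and packets are constructed here.

```python
"""
Added example, not part of the CS6250 distribution or of POX: a pure-Python
model of the policy that sdn-firewall.py has to express as OpenFlow rules, plus
the translation of one rule into POX's ofp_match field names.

Assumed rule format (configure.pol is specified later in the project, not here):
each rule is a dict with 'action' ('Block' or 'Allow'), 'protocol' ('T', 'U',
'I' for ICMP, 'G' for GRE, or '-' for any), 'srcip'/'dstip' (an address, a CIDR
block, or '-'), and 'srcport'/'dstport' (an integer or '-'). Packets are dicts
with 'proto' (IP protocol number), 'src', 'dst', 'sport' and 'dport'
('sport'/'dport' are None for protocols that carry no ports).
"""
import ipaddress

# IP protocol numbers from the IANA list referenced in Part 0.
PROTO_NUM = {"T": 6, "U": 17, "I": 1, "G": 47}
ETH_IPV4 = 0x0800                    # dl_type value for IPv4
PRIO_BLOCK, PRIO_ALLOW = 100, 200    # assumed: Allow must outrank Block


def _network(field):
    """'-' means any host; a bare address is treated as a /32."""
    if field in ("-", "", None):
        return None
    return ipaddress.ip_network(field, strict=False)


def _port(field):
    return None if field in ("-", "", None) else int(field)


def rule_matches(rule, pkt):
    """True when every non-wildcard field of the rule matches the packet."""
    want_proto = PROTO_NUM.get(rule.get("protocol", "-"))
    if want_proto is not None and pkt["proto"] != want_proto:
        return False
    for rkey, pkey in (("srcip", "src"), ("dstip", "dst")):
        net = _network(rule.get(rkey, "-"))
        if net is not None and ipaddress.ip_address(pkt[pkey]) not in net:
            return False
    for rkey, pkey in (("srcport", "sport"), ("dstport", "dport")):
        port = _port(rule.get(rkey, "-"))
        # Only TCP and UDP carry ports, so a port-qualified rule can never
        # match ICMP or GRE traffic (their sport/dport are None here).
        if port is not None and pkt[pkey] != port:
            return False
    return True


def decide(rules, pkt):
    """Allow rules override Block rules; traffic that no rule names passes."""
    blocked = False
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "Allow":
            return "Allow"
        blocked = True
    return "Block" if blocked else "Allow"


def to_flow_entry(rule):
    """Map one rule to POX ofp_match field names plus a priority.

    A Block entry carries no actions, which in OpenFlow means drop; an Allow
    entry gets the higher priority so the switch consults it first.
    """
    match = {"dl_type": ETH_IPV4}
    proto = PROTO_NUM.get(rule.get("protocol", "-"))
    if proto is not None:
        match["nw_proto"] = proto
    for rkey, mkey in (("srcip", "nw_src"), ("dstip", "nw_dst")):
        if rule.get(rkey, "-") != "-":
            match[mkey] = rule[rkey]     # POX accepts 'a.b.c.d' or 'a.b.c.d/n'
    for rkey, mkey in (("srcport", "tp_src"), ("dstport", "tp_dst")):
        port = _port(rule.get(rkey, "-"))
        if port is not None:
            match[mkey] = port
    allow = rule["action"] == "Allow"
    return {"priority": PRIO_ALLOW if allow else PRIO_BLOCK,
            "match": match, "drop": not allow}


# Constructed sample policy and packets (not from the project's test cases).
SAMPLE_RULES = [
    {"action": "Block", "protocol": "T", "srcip": "10.0.0.0/24",
     "dstip": "10.0.1.1", "srcport": "-", "dstport": 80},
    {"action": "Allow", "protocol": "T", "srcip": "10.0.0.5",
     "dstip": "10.0.1.1", "srcport": "-", "dstport": 80},
    {"action": "Block", "protocol": "I", "srcip": "-",
     "dstip": "10.0.1.0/24", "srcport": "-", "dstport": "-"},
]


def tcp(src, dst, dport, sport=40000):
    return {"proto": 6, "src": src, "dst": dst, "sport": sport, "dport": dport}


def icmp(src, dst):
    return {"proto": 1, "src": src, "dst": dst, "sport": None, "dport": None}


if __name__ == "__main__":
    for pkt in (tcp("10.0.0.3", "10.0.1.1", 80), tcp("10.0.0.5", "10.0.1.1", 80),
                tcp("10.0.0.3", "10.0.1.1", 443), icmp("10.0.0.3", "10.0.1.7")):
        print(pkt["src"], "->", pkt["dst"], decide(SAMPLE_RULES, pkt))
    print(to_flow_entry(SAMPLE_RULES[0]))
```

The point to take from decide() is that an Allow override is not a separate code path in the switch: it is simply a flow entry with a more specific match and a higher priority than the Block entry it overrides, and the switch's priority-ordered lookup does the rest. Port fields also only make sense together with a protocol that has them; a rule with a port and protocol '-' will silently never match ICMP or GRE, which is worth checking for in configure.pol before blaming the firewall code.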
Part 3: Review of Mininet
IF YOU HAVE FAMILIARITY WITH MININET OR IF YOU COMPLETED THE OPTIONAL PROJECT SIMULATING
NETWORKS, YOU MAY SKIP THIS SECTION AND START WITH PART 4: WIRESHARK
Mininet is a network simulator that lets you explore SDN techniques by creating a network
topology including virtual switches, links, hosts/nodes, and controllers. It also lets you set the
parameters for each of these virtual devices and simulate real-world