How to Begin Implementing Network Firewalls in NS3
To implement network firewalls in ns-3, we can replicate an environment in which packets are filtered or blocked according to predefined rules such as IP addresses, protocols, or ports. ns-3 has no built-in firewall component, but firewall-like functionality can be added through packet filtering and inspection mechanisms.
Here’s a step-by-step guide:
Steps to Begin Implementing Network Firewalls in NS3
- Understand Network Firewalls
- Firewall objective: control incoming and outgoing traffic according to security rules.
- Key features:
- Allow or deny traffic in terms of IP addresses, ports, or protocols.
- Packet filtering can be stateless (each packet judged on its own) or stateful (packets judged against tracked connections).
- Set up ns-3
- Ensure that ns-3 is installed and built:
./waf configure --build-profile=debug --enable-examples --enable-tests
./waf build
- Validate the setup:
./waf --run hello-simulator
- Choose a Firewall Approach
- Packet filter hook: intercept packets at the router and examine them before they are delivered.
- Custom packet inspection: express the filtering rules in your own code.
- Set up a Basic Network
- Build a network topology of nodes, routers, and links.
Example topology:
#include "ns3/core-module.h"
#include "ns3/network-module.h"
#include "ns3/internet-module.h"
#include "ns3/point-to-point-module.h"
#include "ns3/applications-module.h"
using namespace ns3;
int main(int argc, char *argv[])
{
    Time::SetResolution(Time::NS);
    // Create nodes
    NodeContainer nodes;
    nodes.Create(3); // Client, Router, Server
    // Configure point-to-point links
    PointToPointHelper p2p;
    p2p.SetDeviceAttribute("DataRate", StringValue("10Mbps"));
    p2p.SetChannelAttribute("Delay", StringValue("2ms"));
    // Install devices and connect links
    NetDeviceContainer devices1 = p2p.Install(nodes.Get(0), nodes.Get(1)); // Client to Router
    NetDeviceContainer devices2 = p2p.Install(nodes.Get(1), nodes.Get(2)); // Router to Server
    // Install Internet stack
    InternetStackHelper stack;
    stack.Install(nodes);
    // Assign IP addresses (client 10.1.1.1, router 10.1.1.2 / 10.1.2.1, server 10.1.2.2)
    Ipv4AddressHelper address;
    address.SetBase("10.1.1.0", "255.255.255.0");
    Ipv4InterfaceContainer interfaces1 = address.Assign(devices1);
    address.SetBase("10.1.2.0", "255.255.255.0");
    Ipv4InterfaceContainer interfaces2 = address.Assign(devices2);
    // Set up a UDP echo server on the server node
    uint16_t port = 9;
    UdpEchoServerHelper echoServer(port);
    ApplicationContainer serverApp = echoServer.Install(nodes.Get(2));
    serverApp.Start(Seconds(1.0));
    serverApp.Stop(Seconds(10.0));
    // Set up a UDP echo client on the client node, sending to the server's address
    UdpEchoClientHelper echoClient(interfaces2.GetAddress(1), port);
    echoClient.SetAttribute("MaxPackets", UintegerValue(5));
    echoClient.SetAttribute("Interval", TimeValue(Seconds(1.0)));
    echoClient.SetAttribute("PacketSize", UintegerValue(1024));
    ApplicationContainer clientApp = echoClient.Install(nodes.Get(0));
    clientApp.Start(Seconds(2.0));
    clientApp.Stop(Seconds(10.0));
    // Run simulation
    Simulator::Run();
    Simulator::Destroy();
    return 0;
}
- Add a Firewall
- Install a packet filter on the router node.
Example: packet filtering hook
// Firewall hook for the router: the NetDevice hands every received frame to this
// callback before it reaches the node's IPv4 layer. Returning false drops the frame;
// an allowed frame is passed on to Ipv4L3Protocol::Receive, which is what the default
// device callback installed by the Internet stack would have done.
bool FirewallCallback(Ptr<NetDevice> device, Ptr<const Packet> packet,
                      uint16_t protocol, const Address &from)
{
    if (protocol != Ipv4L3Protocol::PROT_NUMBER)
    {
        return false; // Only IPv4 is carried on the point-to-point links of this topology
    }
    Ipv4Header ipv4Header;
    packet->PeekHeader(ipv4Header);
    Ipv4Address source = ipv4Header.GetSource();
    Ipv4Address destination = ipv4Header.GetDestination();
    uint8_t ipProtocol = ipv4Header.GetProtocol();
    // Define firewall rules: block UDP (protocol 17) from the client (10.1.1.1)
    // to the server (10.1.2.2, the address the echo client sends to)
    if (source == Ipv4Address("10.1.1.1") && destination == Ipv4Address("10.1.2.2") && ipProtocol == 17)
    {
        NS_LOG_UNCOND("Firewall: Dropped packet from " << source << " to " << destination);
        return false; // Drop packet: it is never delivered to the IP layer
    }
    NS_LOG_UNCOND("Firewall: Allowed packet from " << source << " to " << destination);
    Ptr<Ipv4L3Protocol> ipv4 = device->GetNode()->GetObject<Ipv4L3Protocol>();
    ipv4->Receive(device, packet, protocol, from, device->GetAddress(), NetDevice::PACKET_HOST);
    return true;
}
void InstallFirewall(Ptr<Node> node)
{
    // Replace the default receive callback on every link device of the node (loopback excluded)
    for (uint32_t i = 0; i < node->GetNDevices(); ++i)
    {
        Ptr<NetDevice> device = node->GetDevice(i);
        if (DynamicCast<LoopbackNetDevice>(device) == nullptr)
        {
            device->SetReceiveCallback(MakeCallback(&FirewallCallback));
        }
    }
}
Attach the firewall to the router node (in main(), after stack.Install(nodes) and before Simulator::Run()):
    InstallFirewall(nodes.Get(1));
- Add Advanced Filtering
- Filter according to TCP/UDP ports.
- Sample, placed inside FirewallCallback after the IPv4 header has been read. The TCP header sits behind the IPv4 header, so it is read from a copy of the packet with that header removed:
    if (ipProtocol == 6) // TCP
    {
        Ptr<Packet> copy = packet->Copy();
        copy->RemoveHeader(ipv4Header);
        TcpHeader tcpHeader;
        if (copy->PeekHeader(tcpHeader) && tcpHeader.GetDestinationPort() == 80) // Block HTTP traffic
        {
            NS_LOG_UNCOND("Firewall: Blocked HTTP traffic");
            return false;
        }
    }
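As an added example (not ns-3 code and not part of this page's original listing), the stand-alone C++ below builds the kind of rule table a hook like the one above would consult instead of hard-coding two if-statements: a first-match list of allow/deny rules over source prefix, destination prefix, IP protocol and destination port, with default deny when nothing matches. It generalizes the page's two literal rules (block UDP from the client to the server, block TCP port 80) into a table. The addresses come from the topology above; the CIDR notation, the PacketInfo/Rule structs and the function names are assumptions made for this example, and the packets fed to Check() are constructed test data.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

enum class Action { Allow, Deny };

// Constructed 5-tuple view of a packet, as a firewall sees it after reading the
// IPv4 and TCP/UDP headers (example data, not taken from ns-3).
struct PacketInfo {
    uint32_t src;      // IPv4 source, host-order integer
    uint32_t dst;      // IPv4 destination
    uint8_t  proto;    // IP protocol number: 6 = TCP, 17 = UDP
    uint16_t dstPort;  // 0 when the protocol carries no ports
};

// Parse dotted-quad "a.b.c.d" into a host-order integer; false on malformed input.
bool ParseIpv4(const std::string& text, uint32_t& out) {
    std::stringstream ss(text);
    std::string tok;
    uint32_t value = 0;
    int parts = 0;
    while (std::getline(ss, tok, '.')) {
        if (tok.empty() || tok.size() > 3 || ++parts > 4) return false;
        for (char c : tok) if (c < '0' || c > '9') return false;
        int octet = std::stoi(tok);
        if (octet > 255) return false;
        value = (value << 8) | static_cast<uint32_t>(octet);
    }
    if (parts != 4) return false;
    out = value;
    return true;
}

// An address prefix such as "10.1.1.0/24"; "0.0.0.0/0" matches every address.
struct Prefix {
    uint32_t network = 0;
    uint32_t mask = 0;
    bool Contains(uint32_t addr) const { return (addr & mask) == network; }
};

bool ParsePrefix(const std::string& text, Prefix& out) {
    std::string::size_type slash = text.find('/');
    uint32_t addr = 0;
    int len = 32;  // a bare address is treated as a /32
    if (!ParseIpv4(text.substr(0, slash), addr)) return false;
    if (slash != std::string::npos) {
        std::string lenText = text.substr(slash + 1);
        if (lenText.empty()) return false;
        len = std::stoi(lenText);
        if (len < 0 || len > 32) return false;
    }
    out.mask = (len == 0) ? 0u : (0xFFFFFFFFu << (32 - len));
    out.network = addr & out.mask;
    return true;
}

struct Rule {
    Prefix src;
    Prefix dst;
    int proto;    // -1 = any protocol
    int dstPort;  // -1 = any port
    Action action;
};

// First matching rule wins; a packet that matches no rule is denied (default deny).
Action Evaluate(const std::vector<Rule>& rules, const PacketInfo& p) {
    for (const Rule& r : rules) {
        if (!r.src.Contains(p.src) || !r.dst.Contains(p.dst)) continue;
        if (r.proto != -1 && r.proto != p.proto) continue;
        if (r.dstPort != -1 && r.dstPort != p.dstPort) continue;
        return r.action;
    }
    return Action::Deny;
}

// Rule set for the tutorial topology: the hook's UDP rule, the HTTP rule, then
// allow everything else between the two subnets. Anything else hits default deny.
std::vector<Rule> TutorialRules() {
    std::vector<Rule> rules;
    auto add = [&](const char* s, const char* d, int proto, int port, Action a) {
        Rule r;
        ParsePrefix(s, r.src);
        ParsePrefix(d, r.dst);
        r.proto = proto; r.dstPort = port; r.action = a;
        rules.push_back(r);
    };
    add("10.1.1.1/32", "10.1.2.2/32", 17, -1, Action::Deny);   // block UDP client -> server
    add("0.0.0.0/0",   "0.0.0.0/0",    6, 80, Action::Deny);   // block HTTP from anywhere
    add("10.1.1.0/24", "10.1.2.0/24", -1, -1, Action::Allow);
    add("10.1.2.0/24", "10.1.1.0/24", -1, -1, Action::Allow);
    return rules;
}

// Evaluate one constructed packet given dotted-quad endpoints.
Action Check(const char* src, const char* dst, uint8_t proto, uint16_t port) {
    PacketInfo p;
    ParseIpv4(src, p.src);
    ParseIpv4(dst, p.dst);
    p.proto = proto;
    p.dstPort = port;
    return Evaluate(TutorialRules(), p);
}
```

Inside an ns-3 hook, Check() would be called with the values read from Ipv4Header and TcpHeader/UdpHeader, and the hook would return false on Action::Deny. Keeping the rules in a table rather than in nested if-statements makes the ordering explicit, which matters because the first match decides: the HTTP deny must precede the broad subnet-to-subnet allow.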
- Run and Test
- Build and run the simulation:
./waf --run scratch/firewall-simulation
- Inspect the logs, or use tools such as FlowMonitor, to verify which traffic was blocked and which was allowed.
- Enhance the Firewall
- Add stateful filtering, for instance tracking TCP connections so that only replies to connections opened from the inside are admitted.
- Add logging to record the packets that were dropped.
- Replicate real-world scenarios such as:
- Blocking specific IP ranges.
- Permitting only certain kinds of traffic.
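The stateful TCP tracking mentioned in the first item, as an added stand-alone C++ example that is not part of the page's ns-3 code: a connection table keyed by the inside/outside 4-tuple, where a connection may only be opened by a SYN from the inside, inbound segments are admitted only when they belong to a tracked connection, and a FIN or RST removes the entry. The fromInside flag stands in for which router interface received the packet; the flag constants, class and function names are assumptions for this example, and RunScenario() replays a constructed packet sequence using the client and server addresses from the topology above plus a constructed outside address.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <tuple>
#include <vector>

// TCP flag bits (assumed constants for this example, matching the TCP header layout)
const uint8_t TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10;

// Constructed view of a TCP segment after the IPv4 and TCP headers have been read.
struct TcpPacket {
    uint32_t src, dst;          // host-order IPv4 addresses
    uint16_t srcPort, dstPort;
    uint8_t  flags;
    bool     fromInside;        // true if received on the inside (client-facing) interface
};

enum class ConnState { SynSent, Established };

// Key is always stored in inside->outside orientation so both directions share one entry.
using FlowKey = std::tuple<uint32_t, uint16_t, uint32_t, uint16_t>;

class StatefulFirewall {
public:
    // Returns true if the segment may pass.
    bool Filter(const TcpPacket& p) {
        FlowKey key = p.fromInside ? FlowKey{p.src, p.srcPort, p.dst, p.dstPort}
                                   : FlowKey{p.dst, p.dstPort, p.src, p.srcPort};
        auto it = m_table.find(key);
        if (p.fromInside) {
            if ((p.flags & TCP_SYN) && !(p.flags & TCP_ACK)) {
                m_table[key] = ConnState::SynSent;   // inside host opens a connection
                return true;
            }
            if (it == m_table.end()) return false;   // inside segment with no known connection
        } else {
            if (it == m_table.end()) return false;   // unsolicited inbound segment: drop
            if (it->second == ConnState::SynSent && (p.flags & TCP_SYN) && (p.flags & TCP_ACK))
                it->second = ConnState::Established; // SYN/ACK from the outside completes the handshake
        }
        if (p.flags & (TCP_FIN | TCP_RST)) m_table.erase(key);  // simplified teardown: first FIN/RST closes
        return true;
    }
    std::size_t ActiveConnections() const { return m_table.size(); }
private:
    std::map<FlowKey, ConnState> m_table;
};

// Replays a constructed exchange: client 10.1.1.1:40000 opens a connection to server
// 10.1.2.2:80, an unrelated outside host (constructed address 192.168.0.5) tries an
// inbound SYN, then the connection is torn down. Returns one verdict per packet.
std::vector<bool> RunScenario() {
    StatefulFirewall fw;
    const uint32_t client = 0x0A010101u, server = 0x0A010202u, outsider = 0xC0A80005u;
    std::vector<TcpPacket> pkts = {
        {client, server, 40000, 80, TCP_SYN, true},            // 1 outbound SYN: allowed, entry created
        {server, client, 80, 40000, TCP_SYN | TCP_ACK, false}, // 2 SYN/ACK back: allowed, established
        {client, server, 40000, 80, TCP_ACK, true},            // 3 final ACK: allowed
        {outsider, client, 5555, 22, TCP_SYN, false},          // 4 unsolicited inbound SYN: dropped
        {server, client, 80, 40000, TCP_ACK, false},           // 5 data from server: allowed
        {client, server, 40000, 80, TCP_FIN | TCP_ACK, true},  // 6 FIN: allowed, entry removed
        {server, client, 80, 40000, TCP_ACK, false},           // 7 after teardown: dropped
    };
    std::vector<bool> verdicts;
    for (const TcpPacket& p : pkts) verdicts.push_back(fw.Filter(p));
    return verdicts;
}
```

The difference from the stateless hook is visible in packets 4 and 7: both are plain inbound segments that a port- or address-based rule could only judge in isolation, whereas the table admits packet 5 and rejects 4 and 7 purely on whether a connection was opened from the inside and is still alive. A fuller implementation would also age out idle entries and track sequence numbers, which this example leaves out.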
In this guide we have learned how firewalls can be simulated for network security using the ns-3 tool. We also expect to elaborate on how firewalls perform in other simulation tools.