REAPOFF - Regular Expression, Arbitrary Protocol, Opensource Filtering Firewall

A proxy server is a program which accepts connections on behalf of another program and forwards these connections to the original program. There are a number of different commonly used proxies involved, such as web proxies, ftp proxies, and mail proxies.

Proxy based Firewalls

Proxy based firewalls offer superior protection to packet filtering firewalls. This is because the proxies are interpreting each protocol. This is unlike more conventional packet filtering firewalls which make the assumption that protocol interactions are somehow related to TCP port numbers. Proxy based firewalls offer the following advantages:

For example suppose that we have an FTP proxy protecting an FTP server. This proxy ensures that the clients to the FTP server are actually using the FTP protocol. In addition the administrator may also specify a small subset of FTP commands that are allowed, for example no uploads are allowed etc. The best feature about this is that the administrator can deploy the proxy on the perimeter and have the security policy apply to any machines that may be installed inside.

Such a fine level of control is great, but in practice most proxies do not really offer that level of contol, and if they do its difficult to configure.

Where does REAPOFF fit?

REAPOFF is an arbitrary protocol proxy. That is to say, the same proxy may be used to control any TCP/IP based protocol - the behavior of the proxy is fully specified by its configuration files. This fact allows REAPOFF to be easily modified to work with any new protocol simply by writing a new configuration file. In addition new features are easily added simply by adding new rules. Removing rules which may not be applicable for a particular scenario can be achieved very easily by commenting these out in the configuration file. The aim of this project is to produce the most intelligent proxy. This is very important for system administrators who need to add a new filtering rule to protect their network against a newly announced vulnerability for example.

The REAPOFF site will have a library of rules, each adding new functionality to the proxy or protecting against a newly announced vulnerability exploitation, in much the same way as IDS or anti-virus vendors include new signatures in response to new vulnerabilities.

OK, so how does it work?

REAPOFF is a regular expression enabled proxy. Even though REAPOFF is written in C and is very fast, it supports the full range of PERL style regular expression thanks to the PCRE library. Basically REAPOFF is configured similarly to a standard firewall. Rules are written in the configuration file in this general format:

	Action .....
	Action .....
	Action .....

	Action .....

A job is defined as a collection of actions associated with a condition. The actions are only executed if the condition is met. Each job is executed in turn and then the buffer is passed onto its destination. The full reference manual for writing configuration files can be found here. Typically a feature of the proxy is defined by one or more of such jobs. It is therefore easy to add or remove features by simply modifying the configuration files.

I get the opensource bit, but what about the firewall?

REAPOFF aims to become a full opensource proxy firewall solution. Currently a significant number of proxies for different applications are supported, and this number is growing quickly. For a more thorough list of features click here. The latest version of reapoff has a GUI allowing for easy configuration of a particular firewall installation.

Since REAPOFF is written in C and has such a tiny footprint, it is ideal for embedded firewall applications. It is entirely possible to run a fully configured and operational firewall on a TRINUX machine with no hard disk at all, or on any of the many floppy based distribution. A mini-distribution specifically designed to run REAPOFF will appear on the download site shortly. Because REAPOFF consists of a self contained deployement directory, it may be used in conjunction with any other firewall distribution, or even be deployed on standard workstation platforms such as RedHat Linux or Debian.

REAPOFF was written from the outset to be an industrial strength firewall product. Great care was taken during coding to prevent buffer overruns and similar coding errors. Features such as dropping of user and group IDs are supported as well as a chroot prison environment. Usually REAPOFF does not require any libraries or other executables to be installed within its chroot prison (only a read only version of its configuration files), and so it is extremely easy to run in such an environment. In fact the REAPOFF distribution contains a script which automatically runs all the proxies inside a chroot prison.

Intrusion Detection has become a very hot topic lately. The basic idea of an intrusion detection system is that it listens to all network traffic promiscuously detecting particular attack signatures. The problem with this basic design is that if the IDS is successfully evaded, the attack will arrive at the target host without any alerts. In a way IDS does not really offer any protection to the servers, rather it provides detection (see for example Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection ). There are a number of projects aimed at using IDS technology to provide real protection to servers, probably the most famous of these is hogwash.

REAPOFF intercepts all communications between the client and the server. Further, because REAPOFF is a proxy, any low level packet injection attacks are guaranteed to not reach the target server. REAPOFF will simply create a new connection and pass the data onto the server. In this way REAPOFF can protect servers with weak TCP/IP stacks. Low level network attacks (such as IP fragmentation attacks etc) are no longer effective.

In addition REAPOFF has a powerful regular expression matching engine. This can be used to detect attack signatures, in a similar way to SNORT. For example, signatures have been written to detect complex CGI scanning attacks, such as used by whisker. Not only does REAPOFF detect such attacks, but it can take immediate action, like terminating the connection. This ensures that attacks never reach the destination.

Currently a host of attack pattens are implemented for each relevant proxy, drawing heavily from the SNORT project.


I would like to extend a warm thanks to for their kind support of the opensource community. The sourceforge service is absolutely invaluable to the rapid development of software.

SourceForge Logo

Last modified: Wed Mar 27 00:30:07 EST 2002