eth-filter is a translator that implements a very simple stateless firewall.


incubator, dde


For instance, to drop any attempt to access port 22:

# settrans -c /dev/eth0f /hurd/eth-filter -i /dev/eth0 -r "not port 22"

This creates a /dev/eth0f device, which is the filtered version of /dev/eth0. One can then use /dev/eth0f instead of /dev/eth0:

# settrans /servers/socket/2 /hurd/pfinet -i /dev/eth0f [...]

..., or run dhclient /dev/eth0f, or similar.

See also Zheng Da's howto.
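What the "not port 22" expression does to individual frames, as an added example that is not part of eth-filter or of the original page: a simplified IPv4-only evaluator whose function names and sample frames are constructed for illustration. Because the filter is stateless and "port" matches either the source or the destination port, replies from a remote SSH server are dropped along with inbound SSH, while non-first IP fragments carry no readable port and pass.

```python
import struct

def frame(proto, sport, dport, frag_off=0):
    """Constructed Ethernet + IPv4 + L4 frame (sample data, empty payload)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_off,
                     64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + l4

def matches_port(pkt, port):
    """Approximation of the pcap primitive 'port N' (IPv4 only; assumption:
    IPv6 handling of the real filter compiler is left out)."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        return False                          # not IPv4: primitive is false
    ihl = (pkt[14] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[20:22])[0] & 0x1FFF
    if pkt[23] not in (6, 17, 132) or frag != 0:
        return False                          # no ports, or not first fragment
    l4 = 14 + ihl
    if len(pkt) < l4 + 4:
        return False
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    return port in (sport, dport)             # either direction matches

def passes(pkt):
    """'not port 22': let through whatever the primitive does not match."""
    return not matches_port(pkt, 22)

# Constructed sample traffic, labelled by what it represents.
SAMPLES = {
    "inbound ssh": frame(6, 50000, 22),
    "reply from remote sshd": frame(6, 22, 50001),
    "http": frame(6, 50002, 80),
    "dns": frame(17, 50003, 53),
    "later fragment": frame(6, 22, 22, frag_off=185),
    "arp": b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
}

def verdicts():
    return {name: passes(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:24} {'pass' if ok else 'drop'}")
```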

Open Issues

IRC, freenode, #hurd, 2013-07-27

<youpi> ok, so as usual we actually *already* have a firewall
<youpi> it's the eth-filter translator from zheng da
<youpi> it has just never been really pushed forward...
<teythoon> good news :)
<youpi> well, the bad news is that it probably doesn't support connection
<youpi> since it's just bpf
<youpi> using the libpcap syntax
<teythoon> well, a stateless fw should do for Debian/Hurd's needs for now,
<youpi> yes
<youpi> and it does work indeed