wolfSentry: A turnkey dynamic firewall for lwIP

wolfSentry, wolfSSL’s embedded firewall and IDPS, now supports out-of-the-box integration with lwIP!

After a few initialization calls at application startup, all network traffic is evaluated and subject to filtering by the wolfSentry engine.  Prefiltering by network layer, protocol, and event type lets selected traffic bypass the engine with zero overhead.  For example, TCP connection requests, inbound and/or outbound, can be fully evaluated by the wolfSentry engine, while traffic within established TCP connections passes freely.

The lwIP integration also supports stateful, ephemeral rules for the safe use of connectionless protocols such as DNS over UDP.  These protections are configuration-driven, automatically managed by wolfSentry-with-lwIP, and completely transparent to the application and to other libraries.
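The two mechanisms just described, the event-type prefilter and ephemeral rules for DNS over UDP, modelled in C as an added example. This is not wolfSentry's or lwIP's code and uses none of their identifiers: the event names, the pinhole table, the 5-second rule lifetime, the stand-in static rule that allows only outbound TCP/443, and the sample addresses and DNS headers are all constructed for illustration. The `now` field stands in for a monotonic clock so that a run is deterministic.

```c
/* Added illustrative model; not wolfSentry's or lwIP's code, and no identifier below
 * comes from either project. (1) Events outside filter_mask are accepted before any
 * rule lookup, so segments inside established TCP connections cost nothing. (2) An
 * outbound DNS query over UDP opens a short-lived pinhole admitting only the matching
 * reply (reversed 4-tuple, same DNS transaction ID, QR bit set); consumed on use or lapses. */
#include <stdint.h>
#include <string.h>

typedef enum { EV_TCP_CONNECT = 1, EV_TCP_ACCEPT = 2, EV_TCP_DATA = 4, EV_UDP_SEND = 8, EV_UDP_RECV = 16 } event_t;
typedef enum { VERDICT_REJECT = 0, VERDICT_ACCEPT = 1 } verdict_t;
typedef struct {
    event_t        ev;
    uint32_t       now;                   /* monotonic seconds, supplied by the caller */
    uint32_t       local_ip, remote_ip;
    uint16_t       local_port, remote_port;
    const uint8_t *payload;               /* raw packet contents, as a DPI plugin would see them */
    size_t         payload_len;
} packet_t;

/* Event types the engine evaluates; EV_TCP_DATA is deliberately left out. */
static const unsigned filter_mask = EV_TCP_CONNECT | EV_TCP_ACCEPT | EV_UDP_SEND | EV_UDP_RECV;

#define MAX_PINHOLES 8
#define PINHOLE_TTL  5u                   /* seconds a DNS reply is awaited before the rule lapses */
#define DNS_HDR_LEN  12u

typedef struct {
    int      in_use;
    uint32_t local_ip, remote_ip, expires_at;
    uint16_t local_port, remote_port, txid;
} pinhole_t;
static pinhole_t pinholes[MAX_PINHOLES];

static int pinhole_open(const packet_t *p, uint16_t txid)
{
    for (size_t i = 0; i < MAX_PINHOLES; ++i) {
        if (pinholes[i].in_use && p->now < pinholes[i].expires_at)
            continue;                     /* live slot; lapsed slots are reused */
        pinholes[i] = (pinhole_t){ 1, p->local_ip, p->remote_ip, p->now + PINHOLE_TTL,
                                   p->local_port, p->remote_port, txid };
        return 1;
    }
    return 0;                             /* table full: refuse the query rather than send it untracked */
}

/* Reclaim lapsed pinholes, match the reply against the rest, consume the match. */
static int pinhole_consume(const packet_t *p, uint16_t txid)
{
    for (size_t i = 0; i < MAX_PINHOLES; ++i) {
        pinhole_t *h = &pinholes[i];
        if (!h->in_use) continue;
        if (p->now >= h->expires_at) { h->in_use = 0; continue; }
        if (h->local_ip == p->local_ip && h->remote_ip == p->remote_ip && h->txid == txid &&
            h->local_port == p->local_port && h->remote_port == p->remote_port) {
            h->in_use = 0;                /* one reply per query: a replay finds nothing */
            return 1;
        }
    }
    return 0;
}
static uint16_t dns_txid(const packet_t *p) { return (uint16_t)((p->payload[0] << 8) | p->payload[1]); }

verdict_t filter_packet(const packet_t *p)
{
    if ((p->ev & filter_mask) == 0)       /* prefilter: zero-overhead path */
        return VERDICT_ACCEPT;
    switch (p->ev) {
    case EV_TCP_CONNECT:                  /* stand-in for a static rule: outbound HTTPS only */
        return p->remote_port == 443 ? VERDICT_ACCEPT : VERDICT_REJECT;
    case EV_UDP_SEND:
        if (p->remote_port != 53 || p->payload_len < DNS_HDR_LEN) return VERDICT_REJECT;
        return pinhole_open(p, dns_txid(p)) ? VERDICT_ACCEPT : VERDICT_REJECT;
    case EV_UDP_RECV:                     /* QR bit (byte 2, MSB) must mark a response */
        if (p->payload_len < DNS_HDR_LEN || !(p->payload[2] & 0x80)) return VERDICT_REJECT;
        return pinhole_consume(p, dns_txid(p)) ? VERDICT_ACCEPT : VERDICT_REJECT;
    default:                              /* EV_TCP_ACCEPT: this node exposes no listeners */
        return VERDICT_REJECT;
    }
}

/* Constructed scenario: one query (TXID 0x1234, t=100), then `replies` copies of a reply with reply_txid at t=100+delay. */
verdict_t dns_roundtrip(uint32_t delay, uint16_t reply_txid, int replies)
{
    uint8_t query[DNS_HDR_LEN] = { 0x12, 0x34, 0x01, 0x00 };          /* RD set, QR clear */
    uint8_t reply[DNS_HDR_LEN] = { (uint8_t)(reply_txid >> 8), (uint8_t)reply_txid, 0x81, 0x80 };
    packet_t q = { EV_UDP_SEND, 100, 0x0A000002, 0x0A000001, 40000, 53, query, sizeof query };
    packet_t r = { EV_UDP_RECV, 100 + delay, 0x0A000002, 0x0A000001, 40000, 53, reply, sizeof reply };
    verdict_t v = VERDICT_REJECT;
    memset(pinholes, 0, sizeof pinholes);
    if (filter_packet(&q) != VERDICT_ACCEPT) return VERDICT_REJECT;
    while (replies-- > 0) v = filter_packet(&r);
    return v;                             /* verdict on the last reply */
}

/* Constructed TCP event with no payload: exercises the prefilter and the static rule. */
verdict_t tcp_event(event_t ev, uint16_t remote_port)
{
    packet_t p = { ev, 100, 0x0A000002, 0x0A000001, 40001, remote_port, NULL, 0 };
    return filter_packet(&p);
}
```

Build with any C99 compiler. A well-formed reply one second after the query is accepted; a replayed copy of that reply, a reply with a different transaction ID, or a reply arriving PINHOLE_TTL seconds or later is rejected, and a segment inside an established TCP connection is accepted without touching the pinhole table or any rule.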

Integration with lwIP is achieved with a small patchset to the lwIP 2.1.3+ core, bundled with wolfSentry and documented in the lwip/ subdirectory.  The integration also enables deep packet inspection by application-installed plugins, which receive pointers to the lwIP connection context and to the raw packet contents.

The wolfSentry configuration system has also grown, with the addition of route table export to re-ingestible JSON.  A persistent baseline (“factory”) JSON configuration can be supplemented with a separate, mutable rule configuration, allowing convenient, efficient, and safe checkpointing of rules for reload at the next system startup.

wolfSentry on FreeRTOS has further matured, with full support for its native heap, timer, and threading facilities.  Portability improvements also prepare wolfSentry for use with QNX, Green Hills INTEGRITY, VxWorks, and other embedded real-time OSs.  Portability is further assured by optional strict C89 compliance, now available with the WOLFSENTRY_C89 build option.

All of these new capabilities, and much more, are featured in wolfSentry 1.3. For more details, clone wolfSentry from https://github.com/wolfSSL/wolfsentry, review ChangeLog.md and README.md, and run “make test”.

Please contact our team at facts@wolfssl.com to get the conversation started about wolfSentry!