Re: IPTABLES firewall Integration


Tomasz Bursztyka
 

Hi Steven,

> Hi!
>
> I realize that IoT devices have very little space, 16k to 32k, maybe less.
>
> I have been thinking about the security issues associated with IoT
> devices and the nightmare that will ensue in a few years' time.
>
> Let me start by saying I am not an IoT guy, but aspire to get there.
>
> I was researching methods of securing Linux systems and one idea
> popped up that required the use of IPTABLES firewalls.
>
> Without going into details on the method of securing the systems that
> use IPTABLES firewalls (my cash cow), I wanted to put the feelers out
> there to see if IPTABLES code will be added to the Zephyr project
> anytime soon?

I really doubt we would ever port something like iptables into Zephyr.
It's out of scope for an OS like Zephyr to get such a huge stack ported
into it (either the old xtables stack or the new one, nftables). Not to
mention the complexity of such a task.
If you want something like iptables, just use Linux, where it fully
makes sense.

If some filtering should exist in Zephyr, I would rather see something
like BPF, maybe (and not for all hardware platforms).

> I believe I have a way of protecting IoT devices effectively using a
> gateway and only a few lines of IPTABLES firewall script on the IoT
> devices. (It would also involve a remote web server as well [somewhere
> on the internet] that the gateway would talk to.)

There are so many things that need to be implemented/handled in Zephyr
to ensure network security before considering a firewall inside IoT
devices...
which are mostly made out of hardware with only kilobytes of RAM, as you
noticed.

> Also, secondly, do most IoT devices include an accurate clock? Which is
> another requirement of the protection mechanism!

It really depends on the hardware platform, but Quark SE embeds an RTC
clock, for instance.
Zephyr provides an API for such clocks.

Tomasz