Wish List for Firewall products

I have an idea that effective firewalls should be available as two separate components, Core and Application layers, with sufficient interoperability that you can buy one from one company and the other from someone else. My wish list focuses on the Core layer, but contributions are welcomed to both.

Core Layer

• Inbound
  • Unrestricted
    The default, unrestricted will allow incoming connections to any of your applications which are bound to your target ports. Highly undesirable.
  • Stealthed
    Stealthed ports will silently ignore any connection attempts, rendering them "invisible" to the Internet. Very desirable.
  • Semi-Stealthed
    As far as I know, this is a new idea. A semi-stealthed port will only accept incoming connections from IP addresses you contacted first (solicited) and only for the duration of the current session. All unsolicited connections will be stealthed.
  • IP Restricted
    This means that you can specify which IP addresses or URLs that a port will accept connections from. Can be combined with semi-stealth for additional protection.
  • Port Redirected
    The opposite of stealth and semi-stealth, more or less. Any unsolicited incoming connections are redirected to another port where an application such as a Personal Honey Trap can handle them - ideal for gathering data on "rogue" sites and users, preferably for sharing on things like HOSTS files and script analysers.
• Outbound
  • Unrestricted
    Any of your applications can contact any IP address using this port.
  • Stealthed
    Anything your applications send to this port are discarded without transmission.
  • Semi-Stealthed
    Applications may only wait for incoming connections; they cannot initiate connections. Useful for anti-DoS and trojan attacks.
  • IP Restricted
    Applications can only contact predefined IP addresses. For example, VisualZone could be limited to contacting the author's site for updates, and DShield to report intrusion data.
  • Port Redirected
    Any otherwise unrestricted access to the Internet can be redirected to an internal port, where a security application can gather data on unauthorised attempts to contact the Internet. Ideal for identifying trojans and keyloggers.

I don't think any of the above are mutually exclusive, though there's obviously an order of precedence required. I would like to see port and application configurations (might as well call them rules) as shared distribution files, like The Proxomitron does, so that "best of breed" rules can be tested and endorsed.

From my point of view, the very lowest level (port control) should prevail, and the highest level (application control) least, but I'm willing to be persuaded otherwise. Good programming should be able to identify conflicts, for Pity's sake! But what an interface it's going to be...and I'm very willing to assist any potential developers with the ergonomics for such a project.

Application Layer
This layer, I think, is the realm of dynamic (resident) anti-viruses, anti-trojans and script analysers.

Thoughts here are welcomed.

Checkout

- Fixed the "list" tags - LowWaterMark

 

Supposing that you talk about Windows based personal firewalls, I don't know if all this is feasable. It would probably mean hacking the Windows TCP/IP stack, since you want to have conctrol at ISO layers 2/3/4 (for your core system) and 7 (for the applications system).

As far as I can see, most dedicated firewalls offer most of the requested features and by using a (dedicated) proxy system you can add application layer functionality.
Take my (www.e-smith.org) e-smith box. It's a Linux (red hat) based firewall, that, using iptables, knows a lot about the core functions.
This same box handles ftp and e-mail (smtp) proxy with virus scanning and anti-spam functions.

Integrating both (core and application) systems on Windows... I don't know if you'd want that