# D√©monstration : Firewalls et Filtrage de Paquets

Ce notebook simule le fonctionnement d'un firewall et pr√©sente des r√®gles de filtrage.

## üìö Concepts couverts

1. **Firewall √† filtrage de paquets** (stateless)
2. **Firewall stateful** (suivi de connexions)
3. **R√®gles iptables** (syntaxe et configuration)
4. **Web Application Firewall (WAF)** basique
5. **Discussion critique** des limitations

---

In [None]:
import re
from typing import List, Dict, Tuple
from dataclasses import dataclass
from enum import Enum

## 1. Firewall √† Filtrage de Paquets (Stateless)

Un firewall **stateless** examine chaque paquet ind√©pendamment selon des r√®gles.

### Crit√®res de filtrage
- Adresse IP source/destination
- Port source/destination
- Protocole (TCP, UDP, ICMP)
- Flags TCP (SYN, ACK, FIN, etc.)

In [None]:
class Action(Enum):
    ACCEPT = "ACCEPT"
    DROP = "DROP"
    REJECT = "REJECT"

@dataclass
class Packet:
    """Repr√©sente un paquet r√©seau simplifi√©"""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str  # TCP, UDP, ICMP
    flags: List[str] = None  # SYN, ACK, FIN, RST, etc.
    
    def __post_init__(self):
        if self.flags is None:
            self.flags = []

@dataclass
class FirewallRule:
    """R√®gle de firewall"""
    chain: str  # INPUT, OUTPUT, FORWARD
    protocol: str = "*"  # *, TCP, UDP, ICMP
    src_ip: str = "*"    # IP ou "*" pour tous
    dst_ip: str = "*"
    src_port: int = None  # None pour "any"
    dst_port: int = None
    flags: List[str] = None
    action: Action = Action.ACCEPT
    description: str = ""
    
    def matches(self, packet: Packet, chain: str) -> bool:
        """V√©rifie si le paquet correspond √† la r√®gle"""
        if self.chain != chain:
            return False
        
        # V√©rifie protocole
        if self.protocol != "*" and self.protocol != packet.protocol:
            return False
        
        # V√©rifie IP source
        if self.src_ip != "*" and not self._ip_matches(self.src_ip, packet.src_ip):
            return False
        
        # V√©rifie IP destination
        if self.dst_ip != "*" and not self._ip_matches(self.dst_ip, packet.dst_ip):
            return False
        
        # V√©rifie ports
        if self.src_port is not None and self.src_port != packet.src_port:
            return False
        
        if self.dst_port is not None and self.dst_port != packet.dst_port:
            return False
        
        # V√©rifie flags TCP
        if self.flags:
            if not all(flag in packet.flags for flag in self.flags):
                return False
        
        return True
    
    @staticmethod
    def _ip_matches(rule_ip: str, packet_ip: str) -> bool:
        """V√©rifie si l'IP correspond (supporte CIDR simple)"""
        if "/" in rule_ip:
            # Support basique CIDR (simplifi√©)
            network = rule_ip.split("/")[0]
            return packet_ip.startswith(".".join(network.split(".")[:3]))
        return rule_ip == packet_ip

In [None]:
class StatelessFirewall:
    """Firewall stateless (examine chaque paquet ind√©pendamment)"""
    
    def __init__(self, default_policy: Action = Action.DROP):
        self.rules = []
        self.default_policy = default_policy
        self.stats = {
            'accepted': 0,
            'dropped': 0,
            'rejected': 0
        }
    
    def add_rule(self, rule: FirewallRule):
        """Ajoute une r√®gle"""
        self.rules.append(rule)
    
    def process_packet(self, packet: Packet, chain: str = "INPUT") -> Action:
        """Traite un paquet selon les r√®gles"""
        # Parcourt les r√®gles dans l'ordre
        for rule in self.rules:
            if rule.matches(packet, chain):
                # Premi√®re r√®gle qui matche
                self._update_stats(rule.action)
                return rule.action
        
        # Aucune r√®gle ne matche : applique la politique par d√©faut
        self._update_stats(self.default_policy)
        return self.default_policy
    
    def _update_stats(self, action: Action):
        if action == Action.ACCEPT:
            self.stats['accepted'] += 1
        elif action == Action.DROP:
            self.stats['dropped'] += 1
        elif action == Action.REJECT:
            self.stats['rejected'] += 1
    
    def print_rules(self):
        """Affiche les r√®gles configur√©es"""
        print(f"\nüìã R√®gles du firewall (politique par d√©faut: {self.default_policy.value})")
        print("=" * 80)
        for i, rule in enumerate(self.rules, 1):
            print(f"{i:2d}. {rule.action.value:8s} | {rule.protocol:5s} | "
                  f"{rule.src_ip:15s}:{rule.src_port or '*':5} ‚Üí "
                  f"{rule.dst_ip:15s}:{rule.dst_port or '*':5}")
            if rule.description:
                print(f"    {rule.description}")
    
    def print_stats(self):
        """Affiche les statistiques"""
        total = sum(self.stats.values())
        print(f"\nüìä Statistiques :")
        print(f"   Total paquets : {total}")
        print(f"   ‚úÖ Accept√©s   : {self.stats['accepted']} ({self.stats['accepted']/total*100:.1f}%)")
        print(f"   ‚ùå Dropp√©s    : {self.stats['dropped']} ({self.stats['dropped']/total*100:.1f}%)")
        print(f"   üö´ Rejet√©s    : {self.stats['rejected']} ({self.stats['rejected']/total*100:.1f}%)")

In [None]:
# Configuration d'un firewall basique
print("=" * 80)
print("D√âMONSTRATION: Firewall Stateless")
print("=" * 80)

firewall = StatelessFirewall(default_policy=Action.DROP)

# R√®gle 1: Autoriser SSH (port 22) depuis un r√©seau sp√©cifique
firewall.add_rule(FirewallRule(
    chain="INPUT",
    protocol="TCP",
    src_ip="192.168.1.0/24",
    dst_port=22,
    action=Action.ACCEPT,
    description="Autoriser SSH depuis r√©seau local"
))

# R√®gle 2: Autoriser HTTP/HTTPS
firewall.add_rule(FirewallRule(
    chain="INPUT",
    protocol="TCP",
    dst_port=80,
    action=Action.ACCEPT,
    description="Autoriser HTTP"
))

firewall.add_rule(FirewallRule(
    chain="INPUT",
    protocol="TCP",
    dst_port=443,
    action=Action.ACCEPT,
    description="Autoriser HTTPS"
))

# R√®gle 3: Bloquer connexions depuis IP suspecte
firewall.add_rule(FirewallRule(
    chain="INPUT",
    src_ip="10.0.0.100",
    action=Action.DROP,
    description="Bloquer IP suspecte"
))

# R√®gle 4: Rejeter tout le reste (explicite)
# Non n√©cessaire car politique par d√©faut = DROP

firewall.print_rules()

# Test de paquets
print("\n" + "=" * 80)
print("TEST DE PAQUETS")
print("=" * 80)

test_packets = [
    (Packet("192.168.1.50", "192.168.1.10", 54321, 22, "TCP"), "SSH depuis r√©seau local"),
    (Packet("203.0.113.1", "192.168.1.10", 54322, 22, "TCP"), "SSH depuis Internet"),
    (Packet("203.0.113.1", "192.168.1.10", 54323, 80, "TCP"), "HTTP depuis Internet"),
    (Packet("203.0.113.1", "192.168.1.10", 54324, 443, "TCP"), "HTTPS depuis Internet"),
    (Packet("10.0.0.100", "192.168.1.10", 54325, 80, "TCP"), "Requ√™te depuis IP bloqu√©e"),
    (Packet("203.0.113.1", "192.168.1.10", 54326, 3306, "TCP"), "MySQL depuis Internet"),
]

for packet, description in test_packets:
    action = firewall.process_packet(packet)
    icon = "‚úÖ" if action == Action.ACCEPT else "‚ùå"
    print(f"{icon} {action.value:8s} | {description}")
    print(f"   {packet.src_ip}:{packet.src_port} ‚Üí {packet.dst_ip}:{packet.dst_port} ({packet.protocol})")

firewall.print_stats()

## 2. Firewall Stateful (Connection Tracking)

Un firewall **stateful** suit l'√©tat des connexions TCP/UDP.

### √âtats de connexion TCP
- **NEW** : Nouveau paquet SYN (d√©but de connexion)
- **ESTABLISHED** : Connexion √©tablie (√©change bidirectionnel)
- **RELATED** : Paquet li√© √† une connexion existante (ex: FTP data)
- **INVALID** : Paquet malform√© ou non attendu

In [None]:
class ConnectionState(Enum):
    NEW = "NEW"
    ESTABLISHED = "ESTABLISHED"
    RELATED = "RELATED"
    INVALID = "INVALID"

class StatefulFirewall:
    """Firewall stateful avec suivi de connexions"""
    
    def __init__(self, default_policy: Action = Action.DROP):
        self.rules = []
        self.default_policy = default_policy
        # Table de connexions : {(src_ip, src_port, dst_ip, dst_port): state}
        self.connections = {}
        self.stats = {
            'accepted': 0,
            'dropped': 0,
            'new': 0,
            'established': 0
        }
    
    def add_rule(self, rule: FirewallRule, state: ConnectionState = None):
        """Ajoute une r√®gle avec √©tat de connexion optionnel"""
        self.rules.append((rule, state))
    
    def process_packet(self, packet: Packet, chain: str = "INPUT") -> Action:
        """Traite un paquet avec suivi de connexion"""
        conn_key = (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port)
        conn_key_reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        
        # D√©termine l'√©tat de la connexion
        if conn_key in self.connections:
            conn_state = ConnectionState.ESTABLISHED
            self.stats['established'] += 1
        elif conn_key_reverse in self.connections:
            # Paquet de retour d'une connexion existante
            conn_state = ConnectionState.ESTABLISHED
            self.connections[conn_key] = True  # Bidirectionnel
            self.stats['established'] += 1
        elif "SYN" in packet.flags and "ACK" not in packet.flags:
            # Nouveau SYN = nouvelle connexion
            conn_state = ConnectionState.NEW
            self.stats['new'] += 1
        else:
            conn_state = ConnectionState.INVALID
        
        # Parcourt les r√®gles
        for rule, required_state in self.rules:
            # V√©rifie l'√©tat de connexion si sp√©cifi√©
            if required_state and conn_state != required_state:
                continue
            
            if rule.matches(packet, chain):
                if rule.action == Action.ACCEPT and conn_state == ConnectionState.NEW:
                    # Enregistre la nouvelle connexion
                    self.connections[conn_key] = True
                
                self._update_stats(rule.action)
                return rule.action
        
        # Politique par d√©faut
        self._update_stats(self.default_policy)
        return self.default_policy
    
    def _update_stats(self, action: Action):
        if action == Action.ACCEPT:
            self.stats['accepted'] += 1
        elif action == Action.DROP:
            self.stats['dropped'] += 1
    
    def print_connections(self):
        """Affiche les connexions track√©es"""
        print(f"\nüîó Connexions track√©es : {len(self.connections)}")
        for i, conn in enumerate(list(self.connections.keys())[:10], 1):
            src_ip, src_port, dst_ip, dst_port = conn
            print(f"   {i}. {src_ip}:{src_port} ‚Üí {dst_ip}:{dst_port}")

In [None]:
# Configuration firewall stateful
print("=" * 80)
print("D√âMONSTRATION: Firewall Stateful")
print("=" * 80)

stateful_fw = StatefulFirewall(default_policy=Action.DROP)

# R√®gle 1: Accepter nouvelles connexions HTTP/HTTPS
stateful_fw.add_rule(
    FirewallRule("INPUT", "TCP", dst_port=80, action=Action.ACCEPT),
    state=ConnectionState.NEW
)

stateful_fw.add_rule(
    FirewallRule("INPUT", "TCP", dst_port=443, action=Action.ACCEPT),
    state=ConnectionState.NEW
)

# R√®gle 2: Accepter tout le trafic ESTABLISHED (retours de connexions)
stateful_fw.add_rule(
    FirewallRule("INPUT", action=Action.ACCEPT),
    state=ConnectionState.ESTABLISHED
)

print("\nüìã Configuration :")
print("   1. Accepter nouvelles connexions HTTP/HTTPS (NEW)")
print("   2. Accepter tout le trafic ESTABLISHED")
print("   3. Politique par d√©faut: DROP")

# Simulation d'une connexion HTTP compl√®te
print("\n" + "=" * 80)
print("SIMULATION: Connexion HTTP compl√®te")
print("=" * 80)

# 1. Client envoie SYN (NEW)
syn_packet = Packet("203.0.113.1", "192.168.1.10", 54321, 80, "TCP", flags=["SYN"])
action = stateful_fw.process_packet(syn_packet)
print(f"\n1Ô∏è‚É£  Client ‚Üí Server : SYN")
print(f"   √âtat: NEW, Action: {action.value}")

# 2. Server r√©pond SYN-ACK (ESTABLISHED)
synack_packet = Packet("192.168.1.10", "203.0.113.1", 80, 54321, "TCP", flags=["SYN", "ACK"])
action = stateful_fw.process_packet(synack_packet, chain="OUTPUT")
print(f"\n2Ô∏è‚É£  Server ‚Üí Client : SYN-ACK")
print(f"   √âtat: ESTABLISHED (retour), Action: {action.value}")

# 3. Client envoie ACK (ESTABLISHED)
ack_packet = Packet("203.0.113.1", "192.168.1.10", 54321, 80, "TCP", flags=["ACK"])
action = stateful_fw.process_packet(ack_packet)
print(f"\n3Ô∏è‚É£  Client ‚Üí Server : ACK")
print(f"   √âtat: ESTABLISHED, Action: {action.value}")

# 4. √âchange de donn√©es (ESTABLISHED)
data_packet = Packet("203.0.113.1", "192.168.1.10", 54321, 80, "TCP", flags=["ACK"])
action = stateful_fw.process_packet(data_packet)
print(f"\n4Ô∏è‚É£  Client ‚Üí Server : GET /index.html HTTP/1.1")
print(f"   √âtat: ESTABLISHED, Action: {action.value}")

response_packet = Packet("192.168.1.10", "203.0.113.1", 80, 54321, "TCP", flags=["ACK"])
action = stateful_fw.process_packet(response_packet, chain="OUTPUT")
print(f"\n5Ô∏è‚É£  Server ‚Üí Client : HTTP/1.1 200 OK")
print(f"   √âtat: ESTABLISHED, Action: {action.value}")

stateful_fw.print_connections()

# Test d'un paquet non sollicit√© (devrait √™tre bloqu√©)
print("\n" + "=" * 80)
print("TEST: Paquet non sollicit√© (sans SYN, pas de connexion existante)")
print("=" * 80)

unsolicited = Packet("203.0.113.50", "192.168.1.10", 12345, 22, "TCP", flags=["ACK"])
action = stateful_fw.process_packet(unsolicited)
print(f"\nPaquet ACK sans connexion √©tablie")
print(f"√âtat: INVALID, Action: {action.value}")
print("\n‚úÖ Le firewall stateful bloque les paquets non sollicit√©s!")

print(f"\nüìä Statistiques :")
print(f"   Nouvelles connexions : {stateful_fw.stats['new']}")
print(f"   Paquets ESTABLISHED  : {stateful_fw.stats['established']}")
print(f"   Accept√©s             : {stateful_fw.stats['accepted']}")
print(f"   Dropp√©s              : {stateful_fw.stats['dropped']}")

## 3. R√®gles iptables

Voici des exemples de r√®gles **iptables** (firewall Linux standard).

In [None]:
# Exemples de r√®gles iptables (documentation)
iptables_examples = """
=============================================================================
EXEMPLES DE R√àGLES IPTABLES
=============================================================================

# 1. POLITIQUE PAR D√âFAUT (tout bloquer)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# 2. AUTORISER LOOPBACK (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 3. AUTORISER CONNEXIONS √âTABLIES
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 4. AUTORISER SSH (port 22) depuis r√©seau local uniquement
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# 5. AUTORISER HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# 6. LIMITER CONNEXIONS SSH (protection brute-force)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \\
         --seconds 60 --hitcount 4 -j DROP

# 7. BLOQUER UNE IP SP√âCIFIQUE
iptables -A INPUT -s 10.0.0.100 -j DROP

# 8. PROTECTION SYN FLOOD
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

# 9. BLOQUER PING (ICMP Echo Request)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# 10. LOGGER LES PAQUETS DROPP√âS
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " \\
         --log-level 7
iptables -A INPUT -j DROP

# 11. NAT (MASQUERADE pour routeur)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# 12. PORT FORWARDING (redirection)
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

=============================================================================
COMMANDES UTILES
=============================================================================

# Lister les r√®gles
iptables -L -v -n

# Sauvegarder les r√®gles
iptables-save > /etc/iptables/rules.v4

# Restaurer les r√®gles
iptables-restore < /etc/iptables/rules.v4

# Supprimer toutes les r√®gles (ATTENTION!)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Compter les paquets
iptables -L -v -n --line-numbers

=============================================================================
"""

print(iptables_examples)

## 4. Web Application Firewall (WAF) Basique

Un **WAF** inspecte le contenu HTTP pour d√©tecter des attaques applicatives (SQL injection, XSS, etc.).

In [None]:
class WAF:
    """Web Application Firewall simplifi√©"""
    
    # Patterns d'attaque
    SQL_INJECTION_PATTERNS = [
        r"(\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\b.*\b(FROM|INTO|TABLE|WHERE)\b)",
        r"(--|#|/\*|\*/)",
        r"('\s*OR\s*'.*'\s*=\s*')",
        r"(;\s*DROP\s+TABLE)",
    ]
    
    XSS_PATTERNS = [
        r"(<script[^>]*>.*</script>)",
        r"(javascript:)",
        r"(onerror\s*=)",
        r"(onload\s*=)",
        r"(<iframe[^>]*>)",
    ]
    
    PATH_TRAVERSAL_PATTERNS = [
        r"(\.\.[\\/])",
        r"(%2e%2e[\\/])",
    ]
    
    def __init__(self):
        self.stats = {
            'requests': 0,
            'blocked': 0,
            'sql_injection': 0,
            'xss': 0,
            'path_traversal': 0
        }
    
    def inspect_request(self, method: str, path: str, query: str = "", body: str = "") -> Tuple[bool, str]:
        """Inspecte une requ√™te HTTP"""
        self.stats['requests'] += 1
        
        full_request = f"{path} {query} {body}"
        
        # V√©rifie SQL Injection
        for pattern in self.SQL_INJECTION_PATTERNS:
            if re.search(pattern, full_request, re.IGNORECASE):
                self.stats['blocked'] += 1
                self.stats['sql_injection'] += 1
                return False, "SQL Injection detected"
        
        # V√©rifie XSS
        for pattern in self.XSS_PATTERNS:
            if re.search(pattern, full_request, re.IGNORECASE):
                self.stats['blocked'] += 1
                self.stats['xss'] += 1
                return False, "XSS detected"
        
        # V√©rifie Path Traversal
        for pattern in self.PATH_TRAVERSAL_PATTERNS:
            if re.search(pattern, path, re.IGNORECASE):
                self.stats['blocked'] += 1
                self.stats['path_traversal'] += 1
                return False, "Path Traversal detected"
        
        return True, "OK"
    
    def print_stats(self):
        print(f"\nüìä Statistiques WAF :")
        print(f"   Total requ√™tes      : {self.stats['requests']}")
        print(f"   ‚ùå Bloqu√©es         : {self.stats['blocked']} ({self.stats['blocked']/self.stats['requests']*100:.1f}%)")
        print(f"      SQL Injection    : {self.stats['sql_injection']}")
        print(f"      XSS              : {self.stats['xss']}")
        print(f"      Path Traversal   : {self.stats['path_traversal']}")

# Test du WAF
print("=" * 80)
print("D√âMONSTRATION: Web Application Firewall (WAF)")
print("=" * 80)

waf = WAF()

test_requests = [
    ("GET", "/index.html", "", "", "Requ√™te l√©gitime"),
    ("GET", "/users", "id=1", "", "Requ√™te l√©gitime avec param√®tre"),
    ("GET", "/users", "id=1' OR '1'='1", "", "SQL Injection (OR 1=1)"),
    ("GET", "/search", "q=<script>alert('XSS')</script>", "", "XSS (script tag)"),
    ("GET", "/../../../etc/passwd", "", "", "Path Traversal"),
    ("POST", "/login", "", "username=admin&password='; DROP TABLE users;--", "SQL Injection (DROP TABLE)"),
    ("GET", "/page", "name=<img src=x onerror=alert(1)>", "", "XSS (onerror)"),
]

print("\nüß™ Tests :")
for method, path, query, body, description in test_requests:
    allowed, reason = waf.inspect_request(method, path, query, body)
    icon = "‚úÖ" if allowed else "‚ùå"
    request_str = f"{method} {path}"
    if query:
        request_str += f"?{query[:50]}"
    print(f"\n{icon} {description}")
    print(f"   {request_str}")
    if not allowed:
        print(f"   üö´ Blocked: {reason}")

waf.print_stats()

## 5. Discussion Critique des Firewalls

### ‚úÖ Avantages

1. **Premi√®re ligne de d√©fense** contre les attaques r√©seau
2. **R√©duction de la surface d'attaque** (ferme les ports inutilis√©s)
3. **Logging et audit** du trafic r√©seau
4. **Protection automatique** sans modification des applications

### ‚ùå Limitations

#### 1. **Trafic chiffr√© (HTTPS)**
- Les WAF ne peuvent pas inspecter le contenu HTTPS sans terminaison SSL
- Risque de man-in-the-middle si le WAF d√©chiffre le trafic

#### 2. **Attaques applicatives**
- Un firewall r√©seau ne prot√®ge pas contre :
  - Logique m√©tier vuln√©rable
  - Authentication bypass
  - IDOR (Insecure Direct Object Reference)
  - Race conditions

#### 3. **Faux positifs**
- Les r√®gles trop strictes bloquent du trafic l√©gitime
- Exemple : `O'Reilly` d√©tect√© comme SQL injection √† cause de `'`

#### 4. **Contournement**
- **Fragmentation** : D√©couper les payloads malveillants
- **Encoding** : Unicode, URL encoding, base64
- **Tunneling** : Encapsuler dans protocoles autoris√©s (DNS tunneling)

#### 5. **Performance**
- L'inspection approfondie (DPI) impacte les performances
- Trade-off entre s√©curit√© et latence

#### 6. **Configuration complexe**
- Erreurs de configuration fr√©quentes
- Exemple : Oublier de bloquer IPv6 alors qu'IPv4 est filtr√©

### üéØ Best Practices

1. **Defense in depth** : Le firewall est UNE couche, pas la seule
2. **Principe du moindre privil√®ge** : Bloquer tout sauf ce qui est n√©cessaire
3. **Logging et monitoring** : Analyser les r√®gles qui matchent
4. **Tests r√©guliers** : Auditer les r√®gles et tester les contournements
5. **Mise √† jour** : Patterns de WAF doivent √™tre maintenus (nouvelles attaques)

---

## üîó R√©f√©rences

- **iptables** : https://www.netfilter.org/
- **nftables** : Successeur moderne d'iptables
- **OWASP ModSecurity** : WAF open-source
- **pfSense** : Firewall open-source bas√© sur FreeBSD
- **Snort** : IDS/IPS open-source avec r√®gles de d√©tection