UCBerkeleyCS168,Fall2014

CS168Project3a
(Version1.2)

Due:11:59:59am(atnoon),November17th,2014(harddeadline)

ChangLanShoumikPalkarSangjinHan

Overview
Inthisproject,youwillimplementabasicfirewallrunningatendhosts.Afirewallisasecuritysystem
thatcontrolstheincomingandoutgoingnetworktrafficbyanalyzingthedatapacketsand
determiningwhethertheyshouldbeallowedthroughornot,basedonaruleset[Wikipedia].Unlike
thepreviousprojectsofthiscourse,whereyouworkedinsimulatedenvironments,youwilldealwithreal
packetsinaLinuxbasedvirtualmachine(VM)forthisproject.

Thismonthlongprojectisdividedintotwoparts,andeachparthasitownsubmissiondeadline.Inthefirst
part(3a),whichiscoveredinthisdocument,youareaskedtobuildastatelessfirewallontopofthegiven
framework.Inthesecondpart(3b),youwillbeextendingthefunctionalityofyourfirewalltosupport
statefulrulesattheapplicationlayer.NotethatyoursolutionforProject3awillalsobeusedasabasefor
Project3b.Itisveryimportanttokeepyourcodereadableandextensible.

YourtaskforProject3aistoimplementafirewallthatfiltersoutpacketsbasedonsimplefirewall
(Protocol/IP/PortandDNSquery)rulesonapacketbypacketbasis.Uponsuccessfulcompletionofthis
project,youwillbeableto:

Understandthebasicfunctionalitiesofafirewall.
BefamiliarwiththedetailsofTCP/IPpacketformats.
Explorelowlevelpacketprocessing.
Utilizevarioustoolsfornetworktesting.

Besideswritingcode,youwillneedto(andshould)spendalotoftimetounderstandprotocol
specifications,todesignalgorithms,andtotestyourapplication.Startworkingontheprojectassoonas
possible.

Changelog
v1.2(10/30/2014)

ChangedtheVMimagelinktohttp://bit.ly/cs168proj3

v1.1(10/29/2014)

Changedduetimedescriptioninordertoavoidconfusion

v1.0(10/27/2014)

Firstrelease

VMSetup
Apersonalfirewallmusthavetheabilitytointerceptincomingandoutgoingnetworkpacketsfrom
networkinterfaces.Sincethisoperationissecuritycriticalanddependentonyouroperatingsystem,we
provideaVMimagethatispreconfiguredtobereadilyusedfortheproject.ToruntheVM,youwillneed
touseyourpersonalx86laptop/desktop,ratherthaninstructionalmachines.TheVMrunsontheUbuntu
Linux14.04Desktopedition.

UnderstandingtheVMNetworkConfiguration
ThefollowingfigureillustrateshowtheVMnetworkisconfigured.

Thearrowsinthediagramrepresenttheflowofnetworktraffic(packets).IntheVM,therearetwo
networkinterfaces,namelyextandint(shortforexternalandinternal,respectively),andthe
firewallinbetween,asabumpinthewire.AlloutgoingpacketsoftheVMwillbesentthroughtheint
interface.Similarly,allincomingpacketswillbereceivedviatheextinterface.Yourfirewallshould
inspectpacketsreceivedfromoneinterfaceandselectivelypassthemtotheotherinterface.Forexample,
whenthefirewallreceivesanincomingpacketfromext,itdetermineswhethertopassthepacketthrough
basedonthefirewallrules.Ifso,thefirewalltransmitsthepacketontoint,tobeprocessedbytheLinux
TCP/IPstack.Similarthingshappenforoutgoingpacketsaswell.

Whenthefirewallisnotrunning,nothingrelayspacketsbetweenextandint.ThustheVMhasno
accesstotheoutsidenetworkbydefault.Dontbesurprisedifyoucannotaccesstoanywebsites
withFirefoxintheVM.Onceyouhavecorrectlyimplementedyourfirewall,orafterrunningsudo
./main.py --mode bypass(explainedlater),yourapplicationsintheVMwillhaveaccesstothe
Internet.
3


Note:Duetosomeinternalissues,youwillnotseeanypacketsontheintinterfacewith
tcpdump/wireshark,whilethefirewallisnotrunning.

Forsimplicity,wemadethefollowingdesigndecisionsfortheproject:

extandintareEthernetinterfaces,whichcarryEthernetframes(with14byteEthernetheader
followedbyitspayload,mostlyanIPpacket).However,yourfirewallwillonlyneedtocareabout
IPpacketsitreceivesandsendsIPpackets,andallEthernetrelatedoperationswillbehandled
bythecodewehaveprovided.
IPv6wascompletelydisabledintheVM.AllyouseeinthefirewallisIPv4packets.
YourfirewallwillnotreceiveanyfragmentedIPpackets.

AnotherthingworthmentioningisthatthereisaNAT1 moduleinVirtualBox,whichconnectstheVMto
theoutsidenetwork.WhilethedetailsofNATisoutofthescopeofthisproject,therearetwothingsto
remember:

TheIPaddressoftheVM(staticallysetto10.0.2.15)willnotbeseenfromtheoutsidenetwork.
ThisisbecausetheNATmoduletranslatesitintotheIPaddressofthehost(yourlaptop)for
everyoutgoingpacket,andtheotherwayaroundforeveryincomingpacket.
Bydefault,theNATmodulewillnotallowincomingconnectionsdestinedfortheVM(e.g.,the
NATmodulewillnotforwardincomingTCPSYNpackets).Inotherwords,youcannotrun
networkserverapplicationsintheVM.

VMInstallation
1. Downloadandinstallthelatestversion(4.3isrecommended)ofVirtualBox,from
https://www.virtualbox.org/wiki/Downloads
2. DownloadtheVMimage,fromhttp://bit.ly/cs168proj3
a. Itmaytakeawhiletodownloadtheimage,duetoitslargesize(>2.2GB).
b. Makesureyouhaveenoughdiskspace,asthecompressedimagegetsbiggerwhenitis
imported.Werecommendsecuringatleast10GBoffreespace.
3. LaunchVirtualBox,andimporttheVM.
a. SelectFileImportAppliance
b. ClicktheOpenappliance...button
c. Choosecs168proj3.ova
4. Onceimported,selectcs168proj3ontheleftpanelofthemainwindow,andclicktheStart
buttontolaunchtheVM.

Account
1

NetworkAddressTranslation:http://en.wikipedia.org/wiki/Network_address_translation

Theusernameiscs168anditspasswordisF1rewa!!(numberoneinsteadofletterIand
exclamationmarkinsteadofletterL),withoutquotes.Feelfreetochangethepasswordifyourlefthand
fingersgettired.

Manyapplications(includingthefirewallitself)youwillrunontheVMneedrootpermission,astheyneed
toperformprivilegednetworkoperations.Youraccountisgrantedsudoprivilegeswithoutthepassword.

(Optional)SettingHostOnlyInterface
YoucanskipthisconfigurationifyoudonotmindworkingintheUbuntudesktopenvironment.

SomeofyoumaywanttoconnecttotheVMviaSSHtoworkontheproject,ratherthandirectlyusing
theGUIoftheVM.FortheconnectionbetweenthehostandtheVM,youneedtofollowtheprocedure
(basedonMacOSX,butitshouldbesimilaronotheroperatingsystems)below.

1. TurnofftheVM.
2. Addahostonlyinterfaceforthehost
a. SelectVirtualBoxPreferencesinthemenu.
b. ChoosetheNetworktab.
c. ChoosetheHostonlyNetworkstab.
d. Clickthe+buttonontheright.
e. Clickthescrewdriverbuttonontheright.
f. OntheAdaptortab,
i.
SettheIPv4Addressto172.16.122.1
ii.
SettheIPv4NetworkMaskto255.255.255.0
g. OntheDHCPtab,
i.
UnmarktheEnableServercheckbox.
3. AddahostonlyinterfacefortheVM
a. Selectthecs168proj3VMontheleftpaneloftheVirtualBoxManagerwindow.
b. ClicktheSettingsbutton.
c. ChoosetheNetworktab.
d. ChoosetheAdaptor2tab.
e. MarktheEnableNetworkAdaptorcheckbox.
i.
Attachedto:HostonlyAdapter
ii.
Name:vboxnet0(oranythingelseyoucreatedabove)
f. ClickontheAdvanced
g. SettheAdapterTypetoPCnetFASTIII
h. SettheMACAddressto080027107f8d(inhex)
i. MarktheCableConnectedcheckbox.
4. CheckifeverythingisOK.
a. LaunchtheVM
b. Openaterminalwindow.
c. Runthecommandifconfig.
5

d. Youshouldbeabletoseethehostinterface.

TheIPaddressofthehostonlyinterfaceintheVMis172.16.122.2.Inthehost(yourlaptop),youcan
makeaSSHconnectiontotheVM,withssh cs168@172.16.122.2(onLinuxorMAC)oryour
favoriteSSHclient(onWindows).

Networkconnectionsoverthisdedicatedinterfacewillnotbeaffectedbythefirewall.Alloutgoing
packetsfromtheVMwithadestinationIPaddressin172.16.122.0/24willbesentthroughthehost
interface,insteadoftheintinterface.

ProjectSpecification
ProvidedFiles
Allfilesneededtodotheprojectresideinthe/home/cs168/proj3directory.Yourtaskistoimplement
theprojectspecificationinthefirewall.pyfile.Rememberthatthisfileistheonlysourcecodeyou
submitfortheproject.Allyourmodificationmustbedoneonlyinthisfile.

The/home/cs168/backup_proj3directoryalsocontainsthesamefiles,justincaseyouneedthe
originalversion.

main.py
Thisisthemainexecutablefileforyourfirewall.Modifythisfileonlyfordebuggingpurposes.Itcontains
somelowlevelcodetointercept/injectpacketsfrom/toLinuxnetworkinterfaces.Becauseofthis,youwill
needrootprivilegestorunthisscript.

sudo ./main.py [--mode <module name>] [--rule <rule file name>] [--opt1 arg1] ...

Therearetwopredefinedoptions:
--mode:ItspecifiesaPythonmodulenamethatimplementsFirewallclass.Thedefault
argumentisfirewall,whichwillrunfirewall.py.
--rule:Itspecifiesarulesfilename.Thedefaultargumentisrules.conf.

Allothercommandlineoptionswillbeparsedandstoredintheconfigdictionary,whichisgiventothe
constructorofFirewallclass.

bypass.py
Thisisadummyexamplethatimplementsthebypassmode.Inthismode,allincoming/outgoingpackets
willbepassedregardlessofthefirewallrules.ThismodecanbeusefulwhenyouwanttheVMto
communicatewithoutinterferencefromthefirewall,suchas:

Installingnewapplications
Analyzinghownetworkprotocolsworkinnormalconditionswithtcpdump/wireshark
CopyingyoursourcecodetooutsidetheVMforfinalsubmission
soon.

Thefollowingcommandwillruninthebypassmode:
sudo ./main.py --mode bypass

TheFirewallclassimplementedinthisfilewillgiveyousomebasicideasonhowtoimplementyour
ownfirewallinfirewall.py,suchashowtoutilizethetimerfunctionalityorhowtopasspacketswith
the.send_ip_packet()method.

firewall.py
Thisisthefilecontainingtheskeletonforthecodeyouneedtoimplement.Thismodulecurrentlydoesnot
doanything,andallpacketsbetweentheintandextinterfaceswillbedropped.Yourtaskistocomplete
theFirewallclassinthefilesothatpacketscanbefilteredoutbasedonthefirewallrulesfile.The
skeletonoftheclasslooksasfollows.

class Firewall:
def __init__(self, config, timer, iface_int, iface_ext):
self.iface_int = iface_int
self.iface_ext = iface_ext
...
def handle_packet(self, pkt_dir, pkt):
pass

__init__():
Youshouldloadtherulesfile(thefilenameisgiveninconfig[rule]).
Alsoreadgeoipdb.txthere.

handle_packet():
Wheneverapacketiscaptured,thishandlerwillbeinvoked.
pkt_dirindicatesthedirectionofthepacket.Itcanbeeitherofthefollowingtwovalues:
PKT_DIR_INCOMING:Thepackethasbeenreceivedfromtheextinterface.Youshould
callself.iface_int.send_ip_packet()topassthispacket.
PKT_DIR_OUTGOING:Thepackethasbeenreceivedfromtheintinterface.Youshould
callself.iface_ext.send_ip_packet()topassthispacket.
pktisaPythonstringthatcontainstheactualIPpacket,includingtheIPv4header.
Todropthepacket,simplyomitthecallto.send_ip_packet().

RulesFileFormat
Afirewallruledescribesatypeofpacketsthatthefirewallshouldpass/drop.Arulesfilecontainsfirewall
rules,eachofwhichiswritteninasingleline.rules.confwillbeusedbydefault,unlessspecified
otherwiseinthecommandline.Therulesfiledecideswhethertodropapacketornot,whenthepacket
content/headermatchesonethedefinedrules.Ifmultiplerulesarematched,usethelastone.Thereare
twotypeoffirewallrules:Protocol/IP/PortrulesandDNSrules.

Notethatthecontentoftherulesfilecanbearbitrary.Theprovidedrules.conffileintheproj3
directoryisjustanexample,andvariousrulesfileswillbeusedtogradeyoursolution.Yourfirewallshould
workcorrectlywithanyrulefilesthatconformtothefollowingformat.

Protocol/IP/PortRules
YouapplyProtocol/IP/PortrulesforeverypacketthatFirewall.handle_packet()takes.All
protocol,externalIPaddress,andexternalportfieldsmustmatchtoapplytheverdict.Externalmeans
outside,thusitmayrepresenteitherthesourceordestinationIPaddress/port,dependingonthepacket
direction.Forexample,ifanincomingpackethasaUDP/IPheader8.8.4.4:5310.0.2.15:32154,the
externalIPis8.8.4.4andtheexternalportis53.

Format:<verdict><protocol><externalIPaddress><externalport>

Field

Possiblevalues/formats

Description

verdict

1. pass
2. drop

protocol

1. tcp
2. udp
3. icmp

externalIP
address

1. any
2. a2bytecountrycode
3. asingleIPaddress
(e.g.,128.32.244.172)
4. anIPprefix
(e.g.,123.34.128.0/17)

external
port

1. any
2. asinglevalue
3. arange
(e.g.,2000-3000)

passmeansthatamatchedpacketshouldbe
handedovertotheinterfaceontheotherside,
withthesend_ip_frame()method
(e.g.,tointifreceivedfromext).
dropdiscardsthepacket
ThisfieldexaminestheProtocolfieldinthe
IPv4headerofpackets.

Forcountrycodes,seetheGeoIPDB
section.
anyisidenticalto0.0.0.0/0
1.2.3.4isidenticalto1.2.3.4/32

ItspecifiesTCP/UDPportnumbers.For
ICMPpackets,itisfortheICMPTypefield.
Therangeisinclusive(i.e.,2000-3000
includes2000,2001,,and3000)
9

DNSRules
Format:<verdict>dns<domainname>
verdict:passordrop
domainname:e.g.,bar.foo.com(fulldomainname)or*.gov(wildcarddomainname)
Afulldomainnameisforexactmatch.
*.govmatchesnotonlyfda.govbutalsowww.fda.gov.
*.foo.comdoesnotmatchfoo.com
Theasterisk(*)canonlybeusedattheleftmostDNSlabel,alone.
Goodsyntax:*,*.net,*.google.com,...
Badsyntax:mail.*.com,*.foo.*.org,www*.salary.com,...

YouapplyDNSrulesonlyforDNSquerypackets.Morespecifically,thepacketshouldsatisfyallofthe
followingconditionstobeconsideredforDNSrulematching.
ItisanoutgoingUDPpacketwithdestinationport53.
IthasexactlyoneDNSquestionentry.
Theremaybeothernonemptysections(Answer,Authority,andAdditional)
ThequerytypeoftheentryiseitherAorAAAA(QTYPE==1orQTYPE==28),and
TheclassoftheentryisInternet(QCLASS==1).

Example
SupposethatStarbuckswantstoprovidefreeWiFi,butwithveryrestrictiverulesasfollows.

% allow ping, but no other types of ICMP packets

drop icmp any any
pass icmp any 0
pass icmp any 8
% allow DNS packets only to Google DNS servers
drop udp any any
pass udp 8.8.8.8 53
pass udp 8.8.4.4 53
% allow only HTTP(80), HTTPS(443), and Skype(1024-65535)
drop tcp any any
pass tcp any 80
pass tcp any 443
pass tcp any 1024-65535
% punish Italy (for not having Starbucks) and MIT (for the greedy /8 address block)
drop tcp it any
drop tcp 18.0.0.0/8 any
% ahem
drop dns peets.com
drop dns *.peets.com

10

TherulesimplementedabovedonotallowanyTCP/UDP/ICMPpacketsbydefault,butwithsome
explicitexceptions.

Performance
Performanceisoneofthemostimportantaspectsofafirewall.Typically,commercialfirewallscan
processmorethanmillionsofpacketspersecond.Forthisproject,however,wewillfocusonits
functionalityandcorrectness,ratherthanperformance.Afterall,thefirewallissoftwarebased,runsina
virtualizedenvironment,andwillbeimplementedinPythonitwouldbeimpossibletomatchthe
performanceofcommercialfirewalls.

However,therewillbeminimumperformancerequirements.Ifyourfirewallimplementation
underperformsbyafactoroffivewhencomparedtoourreferenceimplementationwiththe
sameruleset,youmaylosesomepoints.Theperformancewillbemeasuredinthenumberof
processedpackets,foracertainperiodoftime(>20seconds,includingstartuptime).Ourreference
implementationdoesnotincorporateanysophisticatedoptimizations,soyoudonotneedtoworrymuch
unlessyourimplementationisveryinefficient.

11

Notes

Rulematching:
Ifnoneoftherulesmatch,justpassthepacket.
ThusyoushouldalwayspassnonTCP/UDP/ICMPpackets.
Ifmultiplerulesmatch,applythelastonesverdictintherulesfile.
DNSrequestpacketsareinspectednotonlybyDNSrules,butalsobyProtocol/IP/Port
rules.
DNSrulesmayappearbeforeProtocol/IP/Portrules.
Forthisproject,wewillnothavemorethan30rulesinthefile,solinearscanningoverthe
rulesforeverypacketisperfectlyfine.
Thewildcarddomainnamematchingdescribedheredoesnotconformtothestandard
(RFC4592).
Analyzingpackets
handle_packet()willbecalledonlyfornonfragmentedIPv4packets.
DonotworryaboutpacketswithwrongTCP/IPchecksum.
Ifapacketissomalformedthatyoucannotdecodethepacketforrulematching,simply
dropthepacket.
Also,ifaDNSquerypacket(UDPwithdestinationport53)istoomalformedto
decode,youshoulddropthepacket,evenifthereisnoDNSrules.
IfaDNSpackethasnonquestionentries,youshouldconsiderthepacketforDNSrules,
aslongasQDCOUNT==1andthequestionentryconformstotheDNSrulematching
conditions.
Forexample,digwillincludeoneAdditionalentryinitsDNSpackets,butyour
firewallshouldapplyDNSrulesforthosepackets.
Yourprogramshouldnotcrash.
Watchoutforendianness.Mostnetworkprotocolsfollownetworkorder.
http://en.wikipedia.org/wiki/Endianness#Endianness_in_networking
Parsingtherulesfile:
Allrulesarecaseinsensitive,includingdomainnamesandcountrycodes.For
example,tcp,TCP,andtCpmustbeallallowed.
Youcanassumethatthesyntax/formatofthefileisalwayscorrect.Forexample,wewill
nottrickyouwith128.50.132.20/24,whichhasbadIPprefixsyntax.
Ignoreemptylinesandcommentlines(linesbeginningwith%)

12

GeoIPDB

Intheproj3directory,weprovidethedatabasefilegeoipdb.txtthathasgeolocationmapping
informationoftheIPaddressspace.Youshouldusethisfiletoimplementthecountrybasedblockingin
yourfirewall.Inthefile,eachlinerepresentsanIPv4addressrangeanditscorrespondingcountrycode,in
thefollowingformat.

Format
<startIPaddress><endIPaddress><2charactercountrycode>

startIPaddress,endIPaddress:ThesearedotseparatedIPv4addresses.ThegivenIPaddress
rangeisinclusiveinthatitincludesbothstartandendIPaddresses.
2charactercountrycode:
ISOstandardcountrycodes:http://en.wikipedia.org/wiki/ISO_31661_alpha2
Therearealsononstandardcountrycodes:A1,A2,EU,AP.
Weusethesamecountrycodesfortherulesfile(again,caseinsensitive!)

ThedatabasefileshouldbeloadedintomemoryinFirewall.__init__().

Notes
1. Notethatwemayuseadifferentversionofthedatabasefileforgrading.However,thefollowing
twoassumptionswillalwayshold:
a. AllIPaddressrangesgiveninthefiledonotoverlapeachother.Hence,nolongestprefix
matchingwillberequired.
b. AllIPaddressrangesaresortedinascendingorderinthefile.
2. SomeIPaddressesmaynotmatchanyrecordsinthedatabase.Itisnormal,sodontworry.
3. Yourlookupcodeforcountrymatchingshouldbereasonablyfast,tomeettheminimum
performancerequirementsdescribedabove.
a. Nolinearsearchovertheentiredatabaseoraspecificcountryforeverypacket!
b. Instead,considerusingmoreefficientalgorithmsanddatastructures,suchasbinary
search,radixtree,etc.
c. Ifloadingofthedatabasetakesmorethanafewseconds,youareprobablynotonthe
righttrack.
4. Forthisproject,weassumethatthedatabaseisalwayscorrectanduptodate.

Theoriginaldatabasewasretrievedfromhere:http://dev.maxmind.com/geoip/legacy/csv/

13

References
Thefollowingdocumentsprovidethedetailedprotocolspecificationstoaccomplishthisproject.

IPv4header:
http://en.wikipedia.org/wiki/IPv4
http://tools.ietf.org/html/rfc791
IPprotocolnumbers:http://tools.ietf.org/html/rfc790
TCPheader:
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
http://tools.ietf.org/html/rfc793
ICMPheader:
http://tools.ietf.org/html/rfc792
DNSpacketformat:
http://tools.ietf.org/html/rfc1035

Youwill(andshould!)spendmoretimefortestingthancoding.Welistsomeofthemosthelpfulnetwork
testingtoolsbelow,allofwhicharepreinstalledintheVM.Therearealotofonlinetutorialsyoucanfind
ontheInternet.

tcpdump/Wireshark
tcpdumpisacommandlinepacketsnifferthatcapturesanddisplaypacketson
networks.Italsodecodespacketheadersforvariousprotocols,whichisveryusefulto
verifythecorrectnessofyourownpacketdecoder.
Wireshark(formerlyknownasEthereal)providessimilarfeatureswithagraphical
userinterface.
Theycanalsobeusedtocheckthebehaviorofyourfirewall.Forexample,ifanoutgoing
packetisseenatbothintandext,itimpliesthatthefirewallsuccessfullyrelayedthe
packetbetweenthoseinterfaces.
AshortYouTubecliponWireshark:http://youtu.be/6X5TwvGXHP0
nslookup/dig
nslookupanddigarecommandlinetoolsforqueryingtheDomainNameSystem.
YoucanusethesetoolstogenerateDNSquerypackets.
wget/curl
wgetandcurlarehandytoolstogenerateHTTPrequestswithoutusingbrowsers.
nc
nc(shortfornetcat)isapopulartoolforgeneratingTCP/UDPconnections.
Refertothispageformorepacketcrafters:http://sectools.org/tag/packetcrafters/

Wewillreleaseanintroductorydocumentfortheseprotocols/toolsatthecoursewebpage.

14

Logistics
CollaborationPolicy
Theprojectisdesignedtobesolvedindependently,butyoumayworkwithatmostonepartnerifyou
wish.Gradingwillremainthesamewhetheryouchoosetoworkaloneorinpartnersbothpartnerswill
receivethesamegraderegardlessofthedistributionofworkbetweenthetwopartners(sochoosea
partnerwisely!).

Bythenatureofthisproject,itcouldbehardtosplittheworkbetweenteammates.Instead,consider
pairprogramming(http://en.wikipedia.org/wiki/Pair_programming),ifyouchoosetoworkinpartners.

SubmissionInstructions
Turnina.tarfilewithbothyouandyourpartnerslastnamesinthelename(Forexample,
project3a-han-lan.tarorproject3-palkar.tar)onaninstructionalmachine.Yourtarfile
shouldinclude:

firewall.py:remember,thisfileshouldincludeallyourcode.
readme.txt
Your(andyourpartners)fullnameandloginname
(optional)Anycomments/concernsontheproject.Thiswillnotaffectgrading.Wewill
collectyouropinionsanonymouslytodesignfutureprojectsbetter.

$ tar
-cf project3a
-han-lan.tar firewall.py readme.txt
$ submit project3a

Regrade&LatePolicy
Yourregraderequestmustbemadewithinsevendaysafterscorerelease.Submityournewtarfileonan
instructionalmachine,thenemailclan@eecs.berkeley.edu.

finalscore=max{oldscore,newscore*(regradingpenalty)}*(youroriginallatepenalty)
regradingpenalty=0.9(codedifferenceintokens)*0.001
Wewillprovideascriptthatmeasurescodedifference.
Ofcourse,regradingpenaltydoesntapplyifitturnsoutbeautogradersfault.
Youhaveonlyoneopportunityforregraderequest.

Thelatepolicyissimplenoslipdates.Ifsubmissionislate,itispenalizedasfollows:
<24hourslate,youlose10%
<48hours,20%
15

<72hours,40%
Morethanthreedayslate,youcannolongerhandintheassignment.

Cheating
Simplyput,DONOTEVERTRYIT.Wewilldoourbesttoprotectourstudentsfromlosingthevalueof
theirhonestlyearnedgradesduetocheaters.Wemayperformmanualinspectionanduseautomatedtools
(donotunderestimatethem)todetectpotentialplagiarismoverallsubmissions.

Refertothecoursewebpageformoreinformation.Ifyouarenotsurewhatmayconstitutecheating,
consulttheinstructororGSIs.Assignmentssuspectedofcheatingorforgerywillbehandledaccordingto
theStudentCodeofConduct2 .Apparently23%ofacademicmisconductcasesatacertainjunior
universityareinComputerScience3,butweexpectyoualltoupholdhighacademicintegrityandpridein
doingyourownwork.

http://sa.berkeley.edu/codeofconduct
http://www.pcworld.com/article/194486/Computer_Science_Students_Cheating.html

16

DOsandDONTs
DOs

Itisokaytouseexternallibrariesorapplicationstotestyourfirewall.
Youcanmodifynotonlyfirewall.pybutalsoothersourcecodefiles,butonlyfordebugging
purposes.
Dorememberthatyouonlysubmitthefirewall.pyfile,anditshouldworkwiththe
originalcodeofotherfiles.
Backupisalwaysagoodidea.
FeelfreetosurftheWebforgeneralideas,suchasPythonlanguage/libraryreferences,network
protocolspecifications,testingtoolusages,anddebuggingtips.
Youcandiscusswithanyoneaboutalgorithms,approaches,andconceptswithoutdetails,butstay
awayfromyourcomputer/codewhiledoingso.
WeencourageyoutoshareteststrategieswithyourfellowstudentsonPiazza,butonlyatthehigh
level(e.g.,notestcode).
WerecommendusingFirefoxintheVM,ratherthaninstallingotherwebbrowsers.TheFirefox
installedintheVMwasspeciallyconfiguredtosuppresssomeseeminglystrangebehaviors.

DONTs

Donotcreateextrathreadsorprocesses.Usetheprovidedtimerfunctionalityinstead.
DonotuseanylibrariesotherthanPython2.7standardmodulestoimplementthefirewall.
DonotalterthenetworkconfigurationsoftheVM.DonotinstallNetworkManagerpackage.
TheVMreliesonmanual/delicateconfigurationstoprovidethefirewallfunctionalities.Youmay
havetoreinstalltheVMifsomeconfigurationgetsbroken.
Allpartsofthesolutioncodemustbeyourowncopyingsomeoneelsescodesnippet
(includingfrompublicrepositoriessuchasGitHub,Pastebin,etc.)isstrictlyprohibited.
Donotshareyourcodewithanyone,otherthanyourprojectpartner.
DonotpostyourcodeonanypublicrepositorieslikeGitHubandPastebin.
DonotpostanyprojectspecificquestionsonInternetforumsotherthanPiazza.
TheprojectisledbyChangLan(main),ShoumikPalkar,andSangjinHan.Avoidaskingother
GSIsaboutprojectspecificquestions.

17