How to Calculate Network Firewalls in NS2

To calculate and replicate the performance of the network firewalls using NS2 (Network Simulator 2) that needs to executing the rules which describe packets are permitted or denied, just like a real firewall. Although NS2 does not natively contains the Layer 4 firewalls then we can be replicated the firewall-like behaviour by applying the packet filtering mechanisms and physically applying the rules in the simulation script. Here’s a simple procedure to compute and simulate the firewall’s performance within NS2:

Steps to Calculate Network Firewalls in NS2:

  1. Set Up the Simulation in NS2

Initially, setup a network topology in which a central node performs as a firewall. This node will check traffic and decide whether to forward or drop packets rely on particular rules.

The following is an instance of an NS2 simulation script where a node is configure as a firewall:

Example NS2 Script to Simulate a Firewall

# Create NS2 simulator instance

set ns [new Simulator]

# Open trace file for output

set tracefile [open out.tr w]

$ns trace-all $tracefile

# Define nodes (firewall is n1)

set n0 [$ns node]

set firewall [$ns node]   ;# Node acting as firewall

set n2 [$ns node]

# Create duplex links between nodes

$ns duplex-link $n0 $firewall 1Mb 10ms DropTail

$ns duplex-link $firewall $n2 1Mb 10ms DropTail

# Set up UDP traffic from n0 to n2

set udp0 [new Agent/UDP]

$ns attach-agent $n0 $udp0

set null0 [new Agent/Null]

$ns attach-agent $n2 $null0

$ns connect $udp0 $null0

set cbr0 [new Application/Traffic/CBR]

$cbr0 set packetSize_ 500

$cbr0 set interval_ 0.01

$cbr0 attach-agent $udp0

# Start and stop traffic

$ns at 0.5 “$cbr0 start”

$ns at 4.5 “$cbr0 stop”

# Define firewall rules (example: block all UDP traffic from n0 to n2)

proc firewall_filter {src dst type} {

if {$src == “n0” && $dst == “n2” && $type == “UDP”} {

return 0  ;# Block the packet

}

return 1  ;# Allow the packet

}

# Override the forwarding logic with the firewall rule

$ns at 0.5 “$ns set-forwarding-filter firewall_filter”

# End simulation

$ns at 5.0 “finish”

proc finish {} {

global ns tracefile

$ns flush-trace

close $tracefile

exit 0

}

# Run the simulation

$ns run

  1. Simulate Firewall Behaviour

In the above example, the firewall_filter procedure replicates a firewall rule, which blocks all UDP traffic from node n0 to node n2. We can develop this process to make more difficult filtering rules, like:

  • Blocking packets from a particular IP or port.
  • Enabling only specific traffic types (e.g., TCP or ICMP).
  • Logging dropped or accepted packets.
  1. Capture Data from the Trace File

The NS2 trace file (out.tr) logs key events like packet enqueue (+), dequeue (-), and drop (d). We can be evaluated this trace file to calculate the firewall’s performance such as packet drops, forwarded packets, and throughput.

Example trace file entry:

+ 0.500000 0 1 udp 500 ——- 1 0.0 0.0 1.0

– 0.510000 0 1 udp 500 ——- 1 0.0 0.0 1.0

d 0.520000 0 1 udp 500 ——- 1 0.0 0.0 1.0  # Packet drop due to firewall rule

  1. Calculate Firewall Performance Metrics

Packet Drops

We can be computed how many packets were dropped by the firewall by counting the d (drop) events in the trace file.

Given below is an AWK script to estimate the number of dropped packets:

awk ‘

{

if ($1 == “d” && $3 == “firewall”) {  # Count drops at the firewall node

dropped_packets++;

}

}

END { print “Total Dropped Packets by Firewall:”, dropped_packets; }’ out.tr

This script counts the total number of packets were dropped at the firewall.

Throughput of Allowed Packets

To estimate the throughput of the packets are permitted by the firewall (i.e., packets forwarded by the firewall), count the effectively forwarded packets.

Here’s an AWK script to compute throughput:

awk ‘

{

if ($1 == “-” && $3 == “firewall” && $4 == “n2”) {  # Forwarded by firewall to n2

total_bytes += $6;  # Count total bytes forwarded by firewall

}

}

END { print “Throughput of Allowed Packets:”, total_bytes / 5.0, “bytes/sec”; }’ out.tr

This script estimates the total number of bytes are forwarded by the firewall and divides it by the simulation time (5 seconds) to compute the throughput in bytes per second.

Firewall Efficiency

Firewall efficiency can evaluated by comparing the number of forwarded packets to the total number of received packets. It provides an idea of how much traffic is being filtered out.

Below is an AWK script to calculate the firewall’s efficiency:

awk ‘

{

if ($1 == “+” && $4 == “firewall”) {

total_received++;

}

if ($1 == “-” && $3 == “firewall” && $4 == “n2”) {

total_forwarded++;

}

}

END {

efficiency = (total_forwarded / total_received) * 100;

print “Firewall Efficiency:”, efficiency, “%”;

}’ out.tr

This script evaluates the percentage of packets are forwarded by the firewall relation to the total number of packets were received.

  1. Expand the Firewall Rules

We can be improved the firewall rules to filter rely on various parameters like:

  • Protocol type: Block or permit TCP, UDP, or ICMP.
  • Source and destination ports: Block particular port ranges (e.g., block all traffic on port 80).
  • Packet size: Permit or deny traffic depends on packet size.

To replicate port-based filtering, change the firewall_filter procedure like this:

proc firewall_filter {src dst type src_port dst_port} {

if {$src == “n0” && $dst == “n2” && $type == “UDP” && $dst_port == 80} {

return 0  ;# Block UDP traffic to port 80

}

return 1  ;# Allow all other traffic

}

  1. Visualize Firewall Performance

We can be plotted the metrics such as packet drop rate, throughput, and firewall efficiency using the tools such as Python (matplotlib) or Excel.

Example Python Plot for Packet Drops Over Time:

import matplotlib.pyplot as plt

# Example data for packet drops over time

time = [0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 4.5]

dropped_packets = [0, 5, 10, 15, 20, 25, 30, 35, 40]  # Example packet drop data

plt.plot(time, dropped_packets, marker=’o’)

plt.title(‘Packet Drops Over Time (Firewall)’)

plt.xlabel(‘Time (seconds)’)

plt.ylabel(‘Dropped Packets’)

plt.grid(True)

plt.show()

Summary

To compute and replicate the firewall behaviour in NS2:

  1. Set up the simulation: Make a network topology where a central node performs as a firewall.
  2. Define firewall rules: Execute packet filtering rules using a custom procedure (e.g., block specific traffic types or ports).
  3. Monitor the firewall’s performance: We can be used the trace file to capture packet forwarding, dropping, and other network events.
  4. Calculate firewall metrics: We can use the AWK scripts to compute key metrics such as packet drops, throughput, and firewall efficiency.
  5. Visualize the results: Plot the metrics over time to estimate how successfully the firewall performs.

We followed the above computation steps to replicate and calculate the Network Firewalls using the virtual environment NS2 and also we provide summary of this topic. Additional informations will be delivered, if required.

Let us help you achieve the best results with customized Network Firewalls in NS2 tool implementation. Just share your parameter details, and we’ll assist you with performance analysis.