Programming lesson
Building an SDN Firewall with POX: A Step-by-Step Tutorial for CS6250 Fall 2025
Learn to implement a configurable SDN firewall using POX and OpenFlow. This tutorial covers Mininet topology setup, Wireshark packet analysis, and firewall rule configuration for the CS6250 project.
Introduction to SDN Firewalls with POX
Software Defined Networking (SDN) separates the control plane from the data plane, enabling dynamic, programmable network management. In this tutorial, we'll build a configurable firewall using the POX controller and OpenFlow-enabled switches, as required by the CS6250 Fall 2025 project. This approach is widely adopted in modern data centers and cloud environments—similar to how AI-driven networks at events like the 2026 FIFA World Cup will manage traffic in real time.
Understanding the Project Structure
The project provides a zip file containing several key components: sdn-topology.py for Mininet, sdn-firewall.py for the firewall logic, and configure.pol for rule definitions. You'll also use Wireshark to analyze packet captures. The topology consists of four hosts (h1-h4) and one switch, as shown in the diagram.
Part 1: Setting Up the Environment
Start by unzipping the project files and updating POX to the latest branch (ichthyosaur). Use the following commands:
cd /home/mininet/pox
git pull
git checkout ichthyosaur
chown -R mininet:mininet ~/poxThen extract the project:
unzip SDNFirewall-Fall2025.zip -d ~/SDNFirewallThis creates the directory structure with sdn-topology.py, sdn-firewall.py, configure.pol, and other files.
Part 2: Launching the Mininet Topology
Run the topology script to start the network:
sudo python sdn-topology.pyThis creates a switch (s1) and four hosts (h1, h2, h3, h4) with IPs 10.0.0.1–10.0.0.4. Verify connectivity with pingall. If you get a controller error, restart the topology.
Part 3: Capturing Traffic with Wireshark
Open two xterm windows for h1 and h2. On h1, start a server:
python -m SimpleHTTPServer 80On h2, use tshark to capture packets:
sudo tshark -i h2-eth0 -w /tmp/packetcapture.pcapThen from h2, fetch a file from h1:
wget http://10.0.0.1:80/index.htmlStop tshark (Ctrl+C) and open the pcap in Wireshark GUI. Observe the TCP handshake and HTTP request/response. This packet analysis is crucial for defining firewall rules—similar to how cybersecurity experts analyze traffic for threats.
Part 4: Implementing the Firewall in Code
The firewall logic resides in sdn-firewall.py. The controller listens for PacketIn events and matches them against rules from configure.pol. Each rule specifies a source IP, destination IP, protocol, and action (allow/deny). You'll implement a function handle_PacketIn that checks the packet headers and either drops or forwards the packet.
Example Rule in configure.pol
# Deny ICMP from 10.0.0.1 to 10.0.0.2
10.0.0.1 10.0.0.2 ICMP denyIn sdn-firewall.py, parse these rules into a list. When a packet arrives, extract its IP and protocol fields, compare against the rules, and if a deny rule matches, do not install a flow; otherwise, install a flow to forward the packet.
Part 5: Testing the Firewall
After implementing, test by pinging between hosts. For example, if you deny ICMP from h1 to h2, ping should fail. Use the automated testing suite provided with the project. Ensure your firewall correctly handles TCP, UDP, and ICMP as per the rules.
Trend Connection: SDN in 2026
As we approach the 2026 FIFA World Cup, SDN is being used to manage network traffic for live streaming, stadium IoT, and AI-powered security. The same principles you apply here—programmable flow rules, packet inspection, and dynamic policy changes—are used in real-world networks to ensure low latency and high availability.
Conclusion
By completing this tutorial, you've built a functional SDN firewall using POX. This project reinforces core networking concepts and prepares you for advanced topics in network security and software-defined infrastructure. Submit your sdn-firewall.py and packetcapture.pcap as required.