August 16 2023
Integrating with a firewall to block known spammers and hackers was a requirement from the very start. My original intention was to rely on Windows Defender as the firewall. This turned out to be untenable. A lot of time, energy, and frustration was expended trying to make Windows Defender work. I eventually came to the conclusion that Windows Defender is a truly awful piece of crapware that had to be discarded.
External solutions abound. Firewalls have existed for almost as long as the internet. Almost all of them trade on the perception that firewalls are opaque and complicated in order to charge a lot of money. EMailV1 is intended to be cheap, so paying a lot of money for an external firewall was never an option.
After discarding all the existing firewall options, I had to figure out how to create a firewall solution on my own. It turned out to be only a couple of days' work. Much easier than I expected, and the performance much better.
The key to my own app-level firewall was the WSAAccept() function, which lets the caller supply a condition callback (an LPCONDITIONPROC) that is handed the connecting peer's address and returns CF_ACCEPT or CF_REJECT before the new socket is ever returned to the application. A connection the callback rejects is closed at the socket layer without the application ever owning a socket for it, so the remote initiator gets a refusal instead of a service, much as it would from a hardware firewall. One caveat worth knowing: for TCP the kernel has already completed the three-way handshake by the time the callback runs, so a careful prober can tell a connection that was closed right after the handshake from a host that never answered at all; the callback spares the application, not the TCP stack. And since this all happened inside the WSAAccept() call, it consumed almost no memory and happened very quickly. Once I had this working, the rest was just a matter of managing banlists and throttling database requests during heavy DDoS attacks.
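To make the mechanism concrete, here is an added example (my own illustration, not EMailV1's code) of the shape such a condition callback takes: a sorted in-memory banlist checked on every connection, a token bucket that caps how often the slow path (a banlist database lookup) may run so a flood cannot turn the database into the bottleneck, and the WSAAccept() glue under `_WIN32` so the decision logic itself builds and runs anywhere. The banlist layout, the token-bucket parameters, the `db_lookup_fn` interface and the stand-in `db_lookup_example` (which treats the documentation range 192.0.2.0/24 as banned) are all assumptions of this example.

```c
/* Added example, not EMailV1's code: a WSAAccept() condition function backed by an
 * in-memory banlist plus a token bucket that limits slow database lookups. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#endif

#define MAX_BANNED 65536
static uint32_t g_banned[MAX_BANNED];   /* sorted ascending, host byte order (assumed layout) */
static size_t   g_nbanned;

/* Parse a dotted-quad IPv4 string into a host-order uint32; returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Binary search the banlist; returns 1 if ip is banned. O(log n), no allocation. */
int is_banned(uint32_t ip) {
    size_t lo = 0, hi = g_nbanned;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (g_banned[mid] == ip) return 1;
        if (g_banned[mid] < ip) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Insert ip keeping the array sorted; returns 0 on duplicate or when full. */
int ban_add(uint32_t ip) {
    if (g_nbanned >= MAX_BANNED || is_banned(ip)) return 0;
    size_t pos = 0;
    while (pos < g_nbanned && g_banned[pos] < ip) pos++;
    memmove(&g_banned[pos + 1], &g_banned[pos], (g_nbanned - pos) * sizeof g_banned[0]);
    g_banned[pos] = ip;
    g_nbanned++;
    return 1;
}

/* Token bucket: at most `rate` slow lookups per second, with a burst of `burst`. */
typedef struct { double tokens, rate, burst, last; } bucket_t;

void bucket_init(bucket_t *b, double rate, double burst, double now) {
    b->rate = rate; b->burst = burst; b->tokens = burst; b->last = now;
}
int bucket_take(bucket_t *b, double now) {
    b->tokens += (now - b->last) * b->rate;
    if (b->tokens > b->burst) b->tokens = b->burst;
    b->last = now;
    if (b->tokens < 1.0) return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Hypothetical slow path: ask the banlist database about an uncached address.
 * This stand-in bans the constructed range 192.0.2.0/24 (0xC00002xx). */
typedef int (*db_lookup_fn)(uint32_t ip);
int db_lookup_example(uint32_t ip) { return (ip >> 8) == 0xC00002u; }

/* Returns 1 to accept, 0 to reject.  Known-banned addresses are rejected from memory.
 * Unknown addresses reach the database only while the bucket has tokens; once a flood
 * has drained it, the connection is admitted on the cache alone (design choice: the
 * database must never become the thing the attacker saturates). */
int firewall_decide(uint32_t ip, bucket_t *db_budget, db_lookup_fn lookup, double now) {
    if (is_banned(ip)) return 0;
    if (lookup && bucket_take(db_budget, now) && lookup(ip)) {
        ban_add(ip);   /* cache the verdict so the next attempt is a memory hit */
        return 0;
    }
    return 1;
}

#ifdef _WIN32
static bucket_t g_db_budget;   /* bucket_init(&g_db_budget, 50.0, 100.0, now) at startup (assumed numbers) */

/* The LPCONDITIONPROC passed to WSAAccept(); lpCallerId->buf holds the peer sockaddr. */
static int CALLBACK accept_condition(LPWSABUF lpCallerId, LPWSABUF lpCallerData,
        LPQOS lpSQOS, LPQOS lpGQOS, LPWSABUF lpCalleeId, LPWSABUF lpCalleeData,
        GROUP FAR *g, DWORD_PTR dwCallbackData) {
    (void)lpCallerData; (void)lpSQOS; (void)lpGQOS; (void)lpCalleeId; (void)lpCalleeData;
    (void)g; (void)dwCallbackData;
    if (lpCallerId == NULL || lpCallerId->len < sizeof(struct sockaddr_in)) return CF_REJECT;
    const struct sockaddr_in *sa = (const struct sockaddr_in *)lpCallerId->buf;
    if (sa->sin_family != AF_INET) return CF_REJECT;   /* IPv6 would need its own banlist */
    uint32_t ip = ntohl(sa->sin_addr.s_addr);
    double now = (double)GetTickCount64() / 1000.0;
    return firewall_decide(ip, &g_db_budget, db_lookup_example, now) ? CF_ACCEPT : CF_REJECT;
}
/* Accept loop sketch: the callback runs before WSAAccept() returns a socket.
 *   SOCKET c = WSAAccept(listener, (struct sockaddr *)&peer, &peerlen, accept_condition, 0);
 *   if (c == INVALID_SOCKET && WSAGetLastError() == WSAECONNREFUSED) -> rejected by callback */
#endif
```

The point of splitting `firewall_decide()` from `accept_condition()` is that everything the callback does is a few array reads and a couple of floating-point operations; nothing in the hot path allocates, logs, or touches I/O, which is what lets the rejection keep up with a flood. What to do with an unknown address once the lookup budget is spent is a policy choice; admitting it is shown here, but a stricter deployment could defer or reject instead.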
My firewall can quite comfortably block tens of thousands of incoming requests per second with hardly a blip on the CPU meter. It is likely the incoming IP pipe would saturate before my firewall did.
It all worked out well in the end. EMailV1 has a solid built-in firewall that does not rely on any external solutions, allowing it to be installed on a bare-bones server and exposed directly to the wild and wooly internet.