Help defining the next system firewall configuration

[gustavo-iniguez-goya]

Hi all,

Right now we can add system rules (i.e.: iptables/nftables rules) by adding them to the file /etc/opensnitchd/system-fw.json.
It has served well to workaround some problems (like allowing ICMP), and for adding extra functionality without having to modify the code (like intercept connections initiated by apps from containers).

The current implementation has 3 downsides: doesn't work with nftables, you cannot create custom chains/targets, and you cannot configure policies (only rules).

In order to solve these problems we need to modify the current json:

{
    "SystemRules": [
        {
            "Rule": {
                "Description": "Allow icmp",
                "Table": "mangle",
                "Chain": "OUTPUT",
                "Parameters": "-p icmp",
                "Target": "ACCEPT",
                "TargetParameters": ""
            }
        }
    ]
}

by something like:

{
    "Enabled": true,
    "SystemRules": [
            "Chains": [
                {
                    "Name": "customchain",
                    "Table": "filter",
                    "Family": "ip",
                    "Rules": [
                        {
                            "Enabled": true,
                            "Description": "Test custom chains",
                            "Parameters": [
                                "log prefix custom-chainn-test"
                            ],
                            "Target": "return",
                            "TargetParameters": ""
                        }
                    ]
                },
                {
                    "Name": "input",
                    "Table": "filter",
                    "Family": "inet",
                    "Priority": "",
                    "Type": "filter",
                    "Hook": "INPUT",
                    "Policy": "drop",
                    "Rules": [
                        {
                            "Enabled": true,
                            "Description": "DROP invalid packets",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "ct",
                                        "Values":[
                                            {
                                                "Key": "state",
                                                "Value": "invalid"
                                            }
                                        ]
                                },
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "log",
                                        "Values":[
                                            {
                                                "Key": "prefix",
                                                "Value": "invalid-ct-state"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "drop",
                            "TargetParameters": ""
                        },
                        {
                            "Enabled": true,
                            "Description": "Allow ssh server",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "tcp",
                                        "Values":[
                                            {
                                                "Key": "dport",
                                                "Value": "22"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "accept",
                            "TargetParameters": ""
                        },
                        {
                            "Enabled": true,
                            "Description": "Allow UDP navigation when INPUT policy is DROP",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "udp",
                                        "Values":[
                                            {
                                                "Key": "sport",
                                                "Value": "67,68"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "accept",
                            "TargetParameters": ""
                        },
                        {
                            "Enabled": true,
                            "Description": "Allow localhost connections when INPUT policy is DROP",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "iifname",
                                        "Values":[
                                            {
                                                "Key": "lo"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "accept",
                            "TargetParameters": ""
                        },
                        {
                            "Enabled": true,
                            "Description": "Allow TCP navigation when INPUT policy is DROP",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "ct",
                                        "Values":[
                                            {
                                                "Key": "state",
                                                "Value": "established"
                                            },
                                            {
                                                "Key": "state",
                                                "Value": "related"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "accept",
                            "TargetParameters": ""
                        }
                {
                    "Name": "postrouting",
                    "Table": "mangle",
                    "Family": "ip",
                    "Priority": "",
                    "Type": "mangle",
                    "Hook": "postrouting",
                    "Policy": "accept",
                    "Rules": [
                        {
                            "Enabled": true,
                            "Description": "",
                            "Expressions": [
                                {
                                    "Statement": {
                                        "Op": "",
                                        "Name": "icmp",
                                        "Values":[
                                            {
                                                "Key": "type",
                                                "Value": "echo-request"
                                            },
                                            {
                                                "Key": "type",
                                                "Value": "echo-reply"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "Target": "accept",
                            "TargetParameters": ""
                        },

(This ^ is a working fw configuration that I'm using right now)

With iptables we can simply compose the rule and execute the command. But for nftables I decided to use google/nftables lib, not to depend on the nft binary.

The problem is that while the first half and the end of a nftables rule can be easily mapped to json fields (inet -> Family, input ->Table, filter -> Type, ... accept -> Target), mapping aaall the options of each protocol would create a json from the hell.
That's why I decided to add the field "Parameters", and parse it by code.

Features and doubts:

• This won't be a frontend to nftables/iptables. We won't support all the options that those utilities offer. It'll be a tool to complement opensnitch (block all incoming connections while allowing published services (ssh, web server, samba, nfs, ...), redirect ports/IPs, and not much else)
• Rules and chains will be confgurable from a GUI.
• Users should be able to add comments, and enable/disable rules, as well as chains.
• Users should be able to create group of rules (TODO):
  • Zones: DMZ, Work, Public, LAN, etc.
• Rules should have an unique ID, to allow easily reference them (from groups for example).
• Should we split configurations into smaller files? /etc/opensnitchd/system-fw.d/input.json, ....

Notes:

• The json format should not change much if at all, to avoid having to migrate configurations, versioning...
• We should still load old rules for some time.
• We should coexist with other firewall utilities.

Important:

• Since iptables is deprecated, and nftables available since a long time ago, we'll only generate nftables rules, for simplicity a mental sanity.
• In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains. [0]
• Convention is though to use the iptables names by default [1]

iptbles-nft creates the same rules structure than iptables:

iptables -t mangle -I FORWARD ->

table ip mangle {
	chain OUTPUT {
        }
        chain FORWARD {
        }
}

But firewalld creates its own structure, so I have no idea what chain/rule will take precedence if it's duplicated on different tables.

[0] https://wiki.debian.org/nftables#What_are_the_major_differences.3F
[1] https://openwrt.org/docs/guide-user/firewall/misc/nftables

Ideas, comments, things that I overlooked...?

[NRGLine4Sec]

One option I would like to have is the rate limit option like with the ufw tool :

ufw limit "$SSH_Port"/tcp

I can see that it produce these nft rules :

chain ufw-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
		counter packets 0 bytes 0 reject
	}

[gustavo-iniguez-goya]

Thank you @NRGLine4Sec , you're right, it's common to rate limiting connections. Hopefully they implemented it so it shouldn't be a problem:
https://github.com/google/nftables/blob/715e31cb3c3147ec5d7f5dba50835cf1e5d0516f/expr/limit.go

(Some features are not implemented (or weren't), like icmp echo and request types, so I had to implement it by myself)

[gustavo-iniguez-goya]

status update:

Finished:

• Configure chains policies: accept, drop.
• Create and use custom chains.
• Allow, Drop, Stop, Return or Reject connections (with custom types: host-unreachable, etc)
• Filter connections by:
  • protocol tcp, udp, icmp, udplite, dccp, sctp
  • icmp type (echo request, reply, etc)
  • ports (dst, src; 1, multiple and ranges)
  • IPs (dst, src; 1, multiple and ranges. networks not yet /24, etc)
  • conntrack mark (set and match)
  • conntrack states (established, new, invalid, etc)
  • ethernet device (in/out)
• Use operators (!= 127.0.0.1, >= 9000, etc)
• Log connections
• Count packets and bytes
• Apply limits (per packets and bytes)
• Appy quotas.
• Redirect connections: dnat, snat, masquerade, tproxy (only to ports)
• Set mark on packets and match packets based on marks.
• Allow to use bridge table/chains.
• Configure from the GUI:
  • Enable/Disable interception, Enable/Disable system firewall rules independently.
  • List, edit, delete and add simple rules (inbound/outbound ports, allow/deny)
  • Allow to exclude a service from being intercepted.
  • Stop/start firewall.
  • Configure Input / Output policies.

TODO:

• configure from the GUI: complex rules, chains and tables (add, edit, delete).
• specific ipv6 rules.
• filter by tcp flags.
• quotas (implemented but not officially on nftables repo. We should send a PR to nftables). DONE
• more conntrack options.
• more log options (debug level)
• more protocol options.
• load configurations from multiple files, in order to apply common configurations: Public wifi -> { incoming DROP; allow established,related; allow tcp 22; drop state invalid } , Home -> {}, etc
• fix bugs. fix bugs fix bugs.

[gustavo-iniguez-goya]

I'll publish a branch soon.

[gustavo-iniguez-goya]

branch published: https://github.com/evilsocket/opensnitch/tree/firewall-policies

Please, if you can compile the branch, test it and post any feedback: if it works, if it's intuitive, if it crashes, etc, etc.

Prerequisites:

• Compile the new branch and install it, both daemon and GUI.
• Change Firewall field to "nftables" in your /etc/opensnitchd/default-config.json file.
• Copy the file system-fw.json from the branch to your /etc/opensnitchd/ directory.

Notes:

• For now you can only add/edit simple rules (input/output, tcp, destination port), change policies and enable/disable firewall from the GUI.
• If you set input policy to drop, you need to add manually 2 rules (allow localhost + allow established connections, take a look at the system-fw.json)
• You can reorder rules from the list of rules and you can press the Delete key to delete rules.

I'll document everything on the System-rules wiki page.

[rusbomber]

works on arch linux. doesn't on ubuntu. weird

[gustavo-iniguez-goya]

what version of ubuntu? exactly what doesn't work?

By the way, thank you for testing this branch! :)

[rusbomber]

You're wellcome)
As I mentioned, I tested it on Ubuntu 22.04
the problem is: after all config changes and restarting services, i still see
"the firewall configuration is outdated, you need to update int to the new format.(link to https://github.com/evilsocket/opensnitch/wiki/System-rules)"
so I cannot add any system rules.
On Arch I can add simple system rules via UI, like on your screeshot above.

BTW, when I switched on my ubuntu from iptables to nftables with rules from your example, all my docker containers became unaccessible because some necessary firewall rules is not present anymore.
So i had to switch back to iptables right now.
Maybe I'll create ubuntu virtual machine in virtualbox and test this branch again

[gustavo-iniguez-goya]

ubuntu 22, noted 📝

to allow docker connections you'll need to add manually this rule under the forward-mangle table:

        {
          "Name": "forward",
          "Table": "mangle",
          "Family": "inet",
          "Priority": "",
          "Type": "mangle",
          "Hook": "forward",
          "Policy": "accept",
          "Rules": [
            {
              "UUID": "21e89250-c3b6-11ec-a07b-3c970e298b0c",
              "Enabled": true,
              "Expressions": [
                {
                  "Statement": {
                    "Op": "",
                    "Name": "ct",
                    "Values": [
                      {
                        "Key": "state",
                        "Value": "new"
                      }
                    ]
                  }
                }
              ],
              "Target": "queue",
              "TargetParameters": "num 0"
            }
       ]

[rusbomber]

As I promised, tested firewall-policies branch on ubuntu 22.04 virtualbox vm.
my 5 cents on build and install process (most of them obvious):

1. qt5-default is no more in ubuntu repos since 21.10, use sudo apt-get install qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools instead
2. go get deprecated, use go install @latest or any version you want
3. during building process, i' ve seen warning about deprecated protobuf, it recommends to use version from google, ignored, ok
4. sudo apt-get install python-pyqt5.qtsql python3-notify2 is nesessary
5. pip3 install qt-material for themes suport
   after changing settings firewall to nftables, editing nftables.conf and restarting services UI works as expected