SoftWare Defined FireWall
An approach to define & update iptables rules atomically. No hiccups and easy rollback.
swdfw manages its rules in a separate chain and uses `iptables --goto` to specify the target rule set to jump to.
All you have to do is allow swdfw to set up the jump to its managed input & output chains (`SWDFW-INPUT` & `SWDFW-OUTPUT` by default), or set them up yourself.
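The swap described above, as an added example that is not swdfw's own code: the function below emits the iptables command sequence for one update. A new versioned chain is built off to the side while traffic still flows through the old one, then a single `-R ... --goto` replace on the managed chain switches traffic over, and only afterwards is the old chain flushed and deleted. The versioned chain names and the assumption that the managed chain holds exactly one rule (the goto) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not swdfw's own code): print the iptables commands that swap a
# managed rule set in atomically via a versioned chain and --goto.
# Assumptions: the managed chain (e.g. SWDFW-INPUT) already exists and holds
# exactly one rule, the --goto to the currently active versioned chain.
set -eu

IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run on a real host

# swdfw_emit MANAGED NEWCHAIN OLDCHAIN RULES
#   MANAGED   chain swdfw owns, e.g. SWDFW-INPUT
#   NEWCHAIN  versioned chain to create and fill, e.g. IN-v2 (name is assumed)
#   OLDCHAIN  currently active versioned chain, or "" on the very first run
#   RULES     newline-separated iptables match/target fragments
swdfw_emit() {
  managed=$1 new=$2 old=$3 rules=$4
  # 1. Build the new chain; nothing references it yet, so packets keep hitting
  #    OLDCHAIN while it is being filled rule by rule.
  printf '%s -N %s\n' "$IPT" "$new"
  printf '%s\n' "$rules" | while IFS= read -r r; do
    [ -n "$r" ] || continue
    printf '%s -A %s %s\n' "$IPT" "$new" "$r"
  done
  if [ -n "$old" ]; then
    # 2. The single atomic step: replace rule 1 of MANAGED so it --goto's the
    #    new chain. A packet sees the complete old set or the complete new set.
    printf '%s -R %s 1 -g %s\n' "$IPT" "$managed" "$new"
    # 3. Only now is the old chain unreferenced, so it is safe to drop it.
    printf '%s -F %s\n' "$IPT" "$old"
    printf '%s -X %s\n' "$IPT" "$old"
  else
    # First run: there is no rule to replace yet, append the goto instead.
    printf '%s -A %s -g %s\n' "$IPT" "$managed" "$new"
  fi
}

# Rollback is the same single step pointed back at a still-existing chain
# (i.e. skip step 3 until the new set has been verified).
swdfw_emit_rollback() {
  printf '%s -R %s 1 -g %s\n' "$IPT" "$1" "$2"
}

# Usage: sample rules are constructed for this example.
swdfw_emit SWDFW-INPUT IN-v2 IN-v1 "-p tcp --dport 22 -j ACCEPT
-j REJECT"
```

Because `-R` replaces one rule in one `iptables` invocation, there is no window in which `SWDFW-INPUT` has no goto at all; the `-F`/`-X` of the old chain is deferred until the switch has happened, and keeping the old chain around a little longer is what makes rollback a one-command operation.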
TODO: schematic
swdfw focuses initially on iptables because of "It's 2021: nftables still does not integrate". I believe it's better to focus on iptables first to support a wide variety of software out of the box.
nftables support is planned in the future, mainly because Zentria infrastructure uses nftables in some places already.
It's common to disable the OS-level firewall on cloud providers when the provider has its own firewall solution available. However, it appears that some providers do not have reasonable firewall (or, alternatively named, security group) support.
- Hetzner Robot allows only maximum of 10 incoming rules
- ...
Wiring machines together dynamically using automation (etcd, Consul etc.) means that it's not very convenient to pull the strings on the provider side. Some providers (AWS) take about a minute in my experience (using Terraform) to apply the rules, causing slow configuration rollout.
With swdfw, applying a new set of rules is as fast as machine can swap out the rules.
- Proof of concept output rules generation + integration test
- Output rules
- Rules covering all protocols or only handling interfaces
- Rules declaration (file format/structure)
- Try to retain script generation support
  - Works fine-ish with iptables already, but nftables might be a problem.
- Tunables
  - Default INPUT/OUTPUT policy handling
  - DROP instead of REJECT
- Collecting rules targeting the same CIDR with different ports into a multiport match
- Collecting rules targeting different CIDRs with the same ports into an ipset
  - ipset support
- nftables support
  - Could utilize JSON input/output support
- Limits are not documented
  - iptables chain name length is strictly 28. Current update logic needs reserving 6 characters (could do less).
  - nftables allows for longer, tested with a 70 character name.
  - Therefore allow only 16-24 character names for rulesets?
- TOCTOU
  - Need a locking mechanism between swdfw instances working on the same set of rules.
Not determined yet.