ardje / fw-lua


sample of use ? #2

Open tst2005 opened 3 years ago

tst2005 commented 3 years ago

Hello, I don't find any sample of use. I only see interesting code... :D Can you provide a sample ? Best Regards

ardje commented 3 years ago

That's a good issue. I have numerous working setups. I just need to anonymize the details and change it to a simple use case somewhere. Give me some time ;-).

tst2005 commented 3 years ago

No problem, it is not urgent, you have 2 hours! :P

tst2005 commented 3 years ago

Hello,

This is a simple "default" config for ferm. How can I do this with fw-lua?

domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            proto icmp ACCEPT; 

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
    }
}

# Generated by ferm 2.4 on Wed Dec  2 16:53:08 2020
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --protocol icmp --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
-A OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
COMMIT

# Generated by ferm 2.4 on Wed Dec  2 16:53:08 2020
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --protocol icmpv6 --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
-A OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
COMMIT

/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -A INPUT --match state --state INVALID --jump DROP
/sbin/iptables -t filter -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
/sbin/iptables -t filter -A INPUT --in-interface lo --jump ACCEPT
/sbin/iptables -t filter -A INPUT --protocol icmp --jump ACCEPT
/sbin/iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT
/sbin/iptables -t filter -A OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
/sbin/ip6tables -t filter -P FORWARD ACCEPT
/sbin/ip6tables -t filter -P INPUT ACCEPT
/sbin/ip6tables -t filter -P OUTPUT ACCEPT
/sbin/ip6tables -t filter -F
/sbin/ip6tables -t filter -X
/sbin/ip6tables -t filter -P FORWARD DROP
/sbin/ip6tables -t filter -P INPUT DROP
/sbin/ip6tables -t filter -A INPUT --match state --state INVALID --jump DROP
/sbin/ip6tables -t filter -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
/sbin/ip6tables -t filter -A INPUT --in-interface lo --jump ACCEPT
/sbin/ip6tables -t filter -A INPUT --protocol icmpv6 --jump ACCEPT
/sbin/ip6tables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT
/sbin/ip6tables -t filter -A OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

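The ferm config above is a flat description that gets rendered twice, once per address family. As an added illustration of that pattern (this is example code written for this thread, not fw-lua's own API, whose table format and function names are unknown here), the following self-contained Lua script renders the same "default" policy to iptables-restore input. The `spec` table layout, `render_rule` and `render` are assumptions of the example; the emitted lines match the `ferm --lines` output quoted above, with `icmp` rewritten to `icmpv6` for the ip6 family.

```lua
-- Added example, not fw-lua code: a minimal table-driven builder in plain Lua
-- that turns one declarative description into iptables-restore input for
-- both address families. The description format below is an assumption of
-- this example, not something fw-lua defines.

local spec = {
  table = "filter",
  families = { "ip", "ip6" },   -- rendered once for iptables, once for ip6tables
  chains = {
    INPUT = {
      policy = "DROP",
      rules = {
        { match = "state", state = "INVALID", target = "DROP" },
        { match = "state", state = "ESTABLISHED,RELATED", target = "ACCEPT" },
        { iif = "lo", target = "ACCEPT" },                 -- local traffic
        { proto = "icmp", target = "ACCEPT" },             -- icmpv6 for ip6
        { proto = "tcp", dport = "ssh", target = "ACCEPT" },
      },
    },
    OUTPUT = {
      policy = "ACCEPT",
      rules = {
        { match = "state", state = "ESTABLISHED,RELATED", target = "ACCEPT" },
      },
    },
    FORWARD = { policy = "DROP", rules = {} },
  },
}

-- Chain names in a fixed (alphabetical) order so output is deterministic
-- and diffable between runs; ferm happens to use the same order.
local function chain_names(chains)
  local names = {}
  for name in pairs(chains) do names[#names + 1] = name end
  table.sort(names)
  return names
end

-- Render one rule as the argument line iptables-restore expects.
local function render_rule(chain, r, family)
  local parts = { "-A " .. chain }
  if r.match then parts[#parts + 1] = "--match " .. r.match end
  if r.state then parts[#parts + 1] = "--state " .. r.state end
  if r.iif then parts[#parts + 1] = "--in-interface " .. r.iif end
  if r.proto then
    local proto = r.proto
    -- the only family-specific detail in this config: ICMP has its own
    -- protocol name under IPv6
    if family == "ip6" and proto == "icmp" then proto = "icmpv6" end
    parts[#parts + 1] = "--protocol " .. proto
  end
  if r.dport then parts[#parts + 1] = "--dport " .. r.dport end
  parts[#parts + 1] = "--jump " .. r.target
  return table.concat(parts, " ")
end

-- Render the whole table for one family: policies first, then rules, then
-- COMMIT, exactly the shape iptables-restore / ip6tables-restore consume.
local function render(s, family)
  local out = { "*" .. s.table }
  local names = chain_names(s.chains)
  for _, name in ipairs(names) do
    out[#out + 1] = (":%s %s [0:0]"):format(name, s.chains[name].policy)
  end
  for _, name in ipairs(names) do
    for _, r in ipairs(s.chains[name].rules) do
      out[#out + 1] = render_rule(name, r, family)
    end
  end
  out[#out + 1] = "COMMIT"
  return table.concat(out, "\n") .. "\n"
end

for _, family in ipairs(spec.families) do
  local tool = (family == "ip") and "iptables-restore" or "ip6tables-restore"
  io.write("# ", family, ": pipe into ", tool, "\n")
  io.write(render(spec, family))
end
```

Feeding the rendered text to `iptables-restore` replaces the table in one step, which avoids the window visible in the command-by-command variant above, where the policies are first reset to ACCEPT and the chains flushed before the DROP policies and rules are reinstalled.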
ardje commented 3 years ago

Hi,

It's not intended to be simple :-).

root@fw2:/etc/fw/rules# cat *|wc -l
2514
root@fw2:/etc/fw/rules# ls|wc -l
25

I've pushed a very dressed-down example directory. Anyway, the essence is: once you get the hang of it, it's handy even for a single network. But it really is very useful if you start to have cross dependencies between multiple networks, internal and external.

The rules are a reincarnation of a bash-based builder that I had, and a test with those old rules resulted in subsecond execution speed vs 2...3 minutes compilation in bash.

Anyway, I hope the examples help a bit... A lot is not yet described... If you want more examples I will add them.

Have fun!

ardje commented 3 years ago

Hi,

On Wed, Dec 2, 2020 at 11:44 PM Ard van Breemen kwaakert@gmail.com wrote:

A lot is not yet described... If you want more examples I will add them.

Or maybe add issues with "describe how to add a service". As it's almost a one liner to dnat a specific service to a specific host, and actually describing it as a service. Unfortunately that does not work for keepalived/lvs, but for keepalived/lvs I can also give you examples. (For keepalived you need to add NOTRACK targets in another chain and filter on service source port, as keepalived/lvs means asymmetric conntrack handling: lvs services are not kept in conntrack so returning packets must be kept out).

Anyway, try it, I will help, because I need more eyes.

My targets for fw-lua are unfortunately systems from 2014 till now. So no chance of using cqueues to be able to do DNS resolving and cache that.