RFE: socket UID and GID matching

Bogdan107 commented 3 years ago

I am using a firewall on my laptop and I have no relationship to networking.

Production routers:

have fixed set of software and not focused to controll activity of programs, which runned inside the router system;
focused on serving external, forwarded network packets.

Personal laptop:

have high probability to run unpriviledged programs at any time and admin need to controll programs activity too;
mostly need to control input/output network packets, not forwarded packets.

Long time I using self-writted script for control nftables daemon. Now I am learning firewald and have some troubles due to the fact that firewalld does not have some feature, because focused to serving forwarded network packets as many others firewall's...

I usу DENY policy by default, and allow network usage only for controlled list of system users. Users with uid>=1000 can connect to internet only over local proxy (like squid or privoxy), and each user program (web-browser, torrent, media-player) for network activity outside the laptop must have their own login/password for proxy authentification.

Some lines from my script:

# Prepare sets: nft add rule inet filter output tcp dport @tcp_port_out_allow ct state new counter accept; nft add rule inet filter input tcp dport @tcp_port_in_allow ct state new counter accept; nft add rule inet filter output udp dport @udp_port_out_allow ct state new counter accept; nft add rule inet filter input udp dport @udp_port_in_allow ct state new counter accept; nft add rule inet filter output meta skuid @user_out_allow ct state new counter accept; nft add rule inet filter input meta skuid @user_in_allow ct state new counter accept;

nft add rule inet filter output tcp dport @tcp_port_out_deny ct state new counter drop; nft add rule inet filter input tcp dport @tcp_port_in_deny ct state new counter drop; nft add rule inet filter output udp dport @udp_port_out_deny ct state new counter drop; nft add rule inet filter input udp dport @udp_port_in_deny ct state new counter drop; nft add rule inet filter output meta skuid @user_out_deny ct state new counter drop; nft add rule inet filter input meta skuid @user_in_deny ct state new counter drop;

# Allow basic network activity for all users: nft add element inet filter udp_port_out_allow { 53, 123, 1900 }; nft add element inet filter tcpp_port_out_allow { 53, 123, 1900, 6667 };

# Allow full network activity for list of users: nft add element inet filter user_out_allow { root, portage, sync, ddclient, ntp, dnscrypt-proxy, miredo, i2pd, tor, privoxy };

# Allow limited network activity for 'squid' user: nft add rule inet filter output meta skuid { squid } tcp dport { 21, 80-88, 443 } ct state new counter accept;

I need command line options for:

control network usage per-user (list of users);
control network usage per-port (list of ports/diapazon of ports) per-user (list of users).

erig0 commented 3 years ago

What's missing is skuid and skgid matching. Then you could use rich rules. e.g.

# firewalld -cmd --add-rich-rule='port port=1234 protocol=tcp socket uid=1000 accept'

Firewalld currently lacks the socked uid=1000 support. We should also be able to support actual user names, e.g. socket uid=root.

ragnvaldf commented 3 years ago

I also need skuid and skgid matching on puppet-managed RHEL with firewalld+nftables. Is there any known workarounds for this use case?

erig0 commented 3 years ago

I also need skuid and skgid matching on puppet-managed RHEL with firewalld+nftables. Is there any known workarounds for this use case?

No. If you want to DROP traffic based on skuid/skgid, then you can use a direct rule. But ACCEPT won't work as the packet still needs to pass through nftables.

ragnvaldf commented 3 years ago

Thank you for advice @erig0 . This solved my current problem: firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 443 -m owner ! --uid only_allowed_user -j REJECT --reject-with icmp-port-unreachable

Talkless commented 2 years ago

+1 for skuid/skgid matching support!

erig0 commented 2 years ago

PSA: upstream nftables has proposed patches for INPUT and OUTPUT socket matching. Currently skuid/skgid matching is limited to OUTPUT only.

INPUT support means we could say things like "only apache can accept https connections".

Bogdan107 commented 2 years ago

PSA: upstream nftables has proposed patches for INPUT and OUTPUT socket matching. Currently skuid/skgid matching is limited to OUTPUT only.

INPUT support means we could say things like "only apache can accept https connections".

Yes! I want a quick and easy mechanism to limit just OUTPUT traffic! This is an extremely high priority function for me!

With this function, I can allow only WHITELISTED programs. So, any user installed programs, which needs to use internet, must be configured to use system proxy server (in my case - this is Privoxy) or configured personally by firewalld administrator. So, any unconfigured program can-not access internet or can use internel only in very limited mode.

For example:

Rule 1: Allow OUTPUT connections for whitelisted users:

system users: root;
dns servers: unbound, dnsmasq;
proxy servers: privoxy, squid;
overlay networks: miredo, tor, i2p, yggdrasil.

Rule 2: Allow OUTPUT to the internal proxy servers:

allow OUTPUT from localhost to 127.0.0.1:3128 (allow access to the local proxy-server Squid);
allow OUTPUT from localhost to 127.0.0.1:8118 (allow access to the local proxy-server Privoxy);

Rule 3: Allow OUTPUT to the external proxy servers:

allow OUTPUT to /

Rule 4: Disallow OUTPUT connections for non-whitelisted users or non-configured programs:

LIMIT RATE to the some very low value (for example - 8 KB/s);
or deny OUTPUT ALL (to disallow unconfigured connections) (all allowed traffic is configured in rules 1..3).

With this rules:

all system services allowed to use internet connections;
all un-whitelisted users can acces only to local proxy server, like Privoxy/Squid/etc (Rule 2) or to the external proxy server (Rule3);
any non-system program, which need to use internet connection, MUST have his own login/pass pairs, configured in proxy-server config;
any programs, which does not have his own login/pass pair on the proxy server, can use internet only in a very low speed mode (Rule 4) or may be disabled by few clicks (disable LIMIT rule and allow DENY rule).

My proposal:

Add new tab "Limit OUTPUT" into Settings/Zones/\/Limit OUTPUT. This tab has:

a title "This is an alpha version of GUI for control OUTPUT connections. This version control connections only by user/group.";
a checkbox "Use global configuration", selected by default;
a spinbox "Allow output connections for users/groups with skuid/sguid less than:", with 1000 as default value;
a table with a list of users (not id of user) - "Allow OUTPUT for selected users";
a table with a list of groups (not id of group) - "Allow OUTPUT for selected groups";
a buttons "Add User", "Remove User" and "Add group", "Remove Group" near appropriate table;
a single entry or spinbox "Limit rate for OUTPUT connections from unselected users/groups, kB/s. 0 - is disable this feature";
a single checkbox "Deny OUTPUT connections for all unselected users/groups", which is disabled by default;

If user select checkbox "Deny OUTPUT connections from all unselected users/groups", then spinbox with "Limit rate" must be disabled. If user select checkbox "Use global configuration", then config for limit output conenctions per zone must be as in global config for "Limit OUTPUT" (e.g. config for zone must use "jump" to global chain, which configured for control output connections).

Changes by my proposal - is trivial or usual, but not "feat".

erig0 commented 2 years ago

The more I think about socket matching, the more I like the idea of implementing them as a zone source, e.g. --zone apache --add-source gid:apache. Then you can use the zone and policy filtering features.

# firewall-cmd --zone apache --add-service https

This also means different processes groups (e.g. users, cgroups) can be represented by zones.

Talkless commented 2 years ago

I might be really mistaken (as I am not yet firewalld user), but that example firewall-cmd --zone apache --add-service https would not work because skuid/skgid only works for OUTPUT, meanwhile zones in firewalld is about INPUT?

For policies though I do get it, as policies implement OUTPUT / FORWARD filtering, right?

erig0 commented 2 years ago

I might be really mistaken (as I am not yet firewalld user), but that example firewall-cmd --zone apache --add-service https would not work because skuid/skgid only works for OUTPUT, meanwhile zones in firewalld is about INPUT?

IIRC, there were recent nftables patches to allow INPUT socket matching. i.e. meta skuid, meta skgid, and meta cgroup should work on both INPUT/OUTPUT on modern kernel/nftables.

I have not verified this though.

erig0 commented 2 years ago

Adding "blocked" because this requires support in nftables.

firewalld / firewalld