gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License
558 stars 92 forks

usage #13

Closed Tf-arch closed 2 years ago

Tf-arch commented 2 years ago

I am trying to use this firewall but I could not understand it completely. First I installed it, then I opened the config file /etc/xdpfw/xdpfw.conf and changed it to:

interface = "eno1";
updatetime = 0;

filters = (
    {
        enabled = true,
        action = 0,
        srcip = "103.22.221.170"
        dstip = "103.22.221.170"
    }
);

Then I was assuming that the packets coming from 103.22.221.170 should be blocked.

Then I captured packets with tcpdump on eno1.

But I am still seeing packets from 103.22.221.170.

But I want to block packets from that IP, 103.22.221.170.

Am I missing something, or did I not understand this?

gamemann commented 2 years ago

Hey and are you trying to block traffic coming from 103.22.221.170? If so, remove the dstip = "103.22.221.170" line since you won't see any packets coming from 103.22.221.170 while going to 103.22.221.170.

I hope the above helps!

Tf-arch commented 2 years ago

Thank you for your response, but I am still not successful in blocking traffic. I want to block traffic from 103.22.221.170 but my filter config file is not acting:

interface = "eno1";
updatetime = 15;

filters = (
    {
        enabled = true,
        action = 0,
        srcip="103.22.221.170",
        blocktime=1000
    }
)

Still I am seeing packets from 103.22.221.170. How could I know or check that the xdp-program is loaded on interface eno1?

Secondly, I could install the xdp-firewall ONLY as root; otherwise it was giving permission issues.

But as root I can install it.

gamemann commented 2 years ago

Hey, I apologize for the delay. A lot has been going on recently in my life.

That config looks good and yes, you need to perform make install as root.

You can type ip a and look at the eno1 interface to confirm it has an XDP program loaded.

With that said, are you running xdpfw which starts the program? If so, does it start up okay and show packet statistics?
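Added example, not part of the original thread or of the XDP-Firewall project: a way to script the ip a check suggested above, so the answer to "is an XDP program loaded on eno1?" is a pass/fail result rather than something read by eye. The function name xdp_status is hypothetical, the keyword forms (xdp, xdpgeneric, xdpoffload, xdpmulti, "prog/xdp id N", "/id:N") are assumed from iproute2's text output and may differ between versions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not part of xdpfw): decide from `ip` output whether an XDP
# program is attached. Keyword forms below are assumed from iproute2 output.

# Reads `ip link show dev IFACE` or `ip addr show dev IFACE` text on stdin.
# Prints "<mode> <prog-id>" and returns 0 when XDP is attached,
# prints "none" and returns 1 otherwise.
xdp_status() {
    awk '
        BEGIN {
            modes["xdp"] = "native";         modes["xdpgeneric"] = "generic"
            modes["xdpoffload"] = "offload"; modes["xdpmulti"] = "multi"
        }
        # Interface header line: "2: eno1: <FLAGS> mtu 1500 xdpgeneric ..."
        # `ip addr` appends the id to the keyword: "xdpgeneric/id:42".
        /^[0-9]+: / {
            for (i = 1; i <= NF; i++) {
                n = split($i, part, "/")
                if (part[1] in modes) {
                    mode = modes[part[1]]
                    if (n == 2 && part[2] ~ /^id:[0-9]+$/)
                        id = substr(part[2], 4)
                }
            }
        }
        # `ip link` prints the id on its own line: "prog/xdp id 42 tag ..."
        $1 == "prog/xdp" && $2 == "id" { id = $3 }
        END {
            if (mode == "" && id == "") { print "none"; exit 1 }
            if (mode == "") mode = "unknown"
            if (id == "") id = "unknown"
            print mode, id
        }
    '
}

# Constructed sample output (not captured from a real host).
SAMPLE_LINK='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdpgeneric qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    prog/xdp id 42 tag 0123456789abcdef jited'
SAMPLE_ADDR='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp/id:42 qdisc mq state UP group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_NONE='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'

for sample in "$SAMPLE_LINK" "$SAMPLE_ADDR" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | xdp_status || true
done
# On a live host: ip link show dev eno1 | xdp_status
```

A "none" result while xdpfw is supposed to be running means the filter rules are not being applied on that interface at all, which is worth ruling out before debugging the rules themselves.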

Tf-arch commented 2 years ago

Thanks for your responses. Hope everything goes well in your life.

xdpfw

Now it's working, and when I capture I cannot see any packet whose srcip is 103.22.221.170.

What will the filter rule be if I want to drop those packets as well whose destination IP is 103.22.221.170? This means no packet should come from, and also none should go towards, 103.22.221.170 from my device.

Secondly, how do I stop the service or unload the program?

gamemann commented 2 years ago

Hey!

Unfortunately, the XDP program only supports inbound/ingress packets, so unless you're running this on a router that routes inbound/outbound packets for the specified machine, you won't be able to block any packets going out from the machine (egress). I'd assume this is running on the machine where the packets are originating from. The most you'll be able to do is block inbound packets since the XDP Firewall doesn't attach to the egress hook. If you want to block egress packets, you'll need to do it at the router level more than likely.

As for stopping the program, sending a keyboard interrupt via the CTRL + C keys is your best bet.

I hope the above helps!