Closed mrbluecoat closed 4 years ago
I don't have any quickstart guide written at the moment, but I can make one when I have the time. What is your goal with the above config? Are you trying to allow traffic to $EXAMPLEIP?
No, I'm trying to block example.com (as a test case)
P.S. I noticed your config filters section uses parentheses "( ... )" which I thought was odd syntax and then I noticed https://github.com/Barricade-FW/Firewall uses the more familiar "[ ... ]" array syntax. Can I use "[ ... ]" in XDP-Firewall?
The reason the above config isn't working is that you need to specify a protocol at the moment. So since the above is HTTP traffic (TCP), you can do something like this:
interface = "eth0";
updatetime = 15;
filters = (
    {
        enabled = true,
        dstip = "${EXAMPLEIP}",
        action = 0,
        tcpopts = (
            {
                enabled = true
            }
        )
    }
);
I just tested this on my own website on a VM I have with the following and it worked:
interface = "ens18";
updatetime = 15;
filters = (
    {
        enabled = true,
        action = 0,
        dstip = "10.50.0.5",
        tcpopts = (
            {
                enabled = true
            }
        )
    }
);
I'd imagine you'd prefer an option where you don't have to specify the protocol (especially for filters where you only want to block IPs). Therefore, I will be looking into implementing this shortly (I'll make it so the config you posted above works as expected).
As for the filters syntax in the config file, I understand it's a bit confusing right now with the protocol options. Unfortunately, it doesn't support [] at the moment since we're using the LibConfig library to parse the config. I've cleaned up the syntax in my Barricade Firewall and also started using JSON.
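An added example, not code from XDP-Firewall, libconfig or either poster: a Python lint for the config shape discussed above. It parses only the libconfig subset these configs use (groups, lists, strings, integers, booleans) and warns about every enabled filter that carries no tcpopts/udpopts/icmpopts block, which is exactly the rule that did not match before layer 3-only filtering was added. The sample config, the 203.0.113.10 address and the function names are constructed for this example and are not from the thread.

```python
"""Lint for XDP-Firewall-style libconfig filter files (hypothetical example).

Parses the libconfig subset the project's config uses and flags enabled
filters with no protocol block, the case that did not match on builds
without layer 3-only filtering.
"""
import re

# Constructed sample: one layer 3-only filter and one TCP filter, both
# blocking (action = 0) traffic to a documentation-range address.
SAMPLE_CONFIG = """
interface = "eth0";
updatetime = 15;
filters = (
    {
        enabled = true,
        dstip = "203.0.113.10",
        action = 0
    },
    {
        enabled = true,
        action = 0,
        dstip = "203.0.113.10",
        tcpopts = (
            { enabled = true }
        )
    }
);
"""

PROTO_KEYS = ("tcpopts", "udpopts", "icmpopts")

# whitespace | comment | "string" | name | integer | punctuation
# (/* */ comments, floats and hex literals are not needed and are rejected)
_TOKEN = re.compile(
    r'\s+|(//[^\n]*|#[^\n]*)|("(?:[^"\\]|\\.)*")'
    r'|([A-Za-z_][A-Za-z0-9_*-]*)|(-?\d+)|([{}()=,;\[\]])'
)


def tokenize(text):
    """Split config text into (kind, value) tokens, dropping blanks/comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(2):
            tokens.append(("str", m.group(2)[1:-1]))  # escapes left as-is
        elif m.group(3):
            tokens.append(("name", m.group(3)))
        elif m.group(4):
            tokens.append(("int", int(m.group(4))))
        elif m.group(5):
            tokens.append(("punct", m.group(5)))
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok

    def settings(self, closer):
        """name = value pairs up to `closer`; ',' and ';' both separate."""
        group = {}
        while self.peek()[0] is not None and self.peek() != ("punct", closer):
            name = self.take("name")[1]
            self.take("punct", "=")
            group[name] = self.value()
            if self.peek() in (("punct", ","), ("punct", ";")):
                self.i += 1
        return group

    def value(self):
        kind, val = self.take()
        if kind in ("str", "int"):
            return val
        if kind == "name":
            if val in ("true", "false"):
                return val == "true"
            raise ValueError(f"unexpected identifier {val!r}")
        if val == "{":  # group
            group = self.settings("}")
            self.take("punct", "}")
            return group
        if val == "(":  # list: values of any type, e.g. filter groups
            items = []
            while self.peek()[0] is not None and self.peek() != ("punct", ")"):
                items.append(self.value())
                if self.peek() == ("punct", ","):
                    self.i += 1
            self.take("punct", ")")
            return items
        if val == "[":  # libconfig arrays hold scalars only, so fail loudly
            raise ValueError("[...] is a scalar-only libconfig array; use a (...) list for filters")
        raise ValueError(f"unexpected token {val!r}")


def parse_config(text):
    """Parse a libconfig-subset document into nested dicts/lists."""
    return _Parser(tokenize(text)).settings(None)


def lint_filters(text):
    """Return (filters, warnings); warn on enabled filters with no protocol block."""
    cfg = parse_config(text)
    filters = cfg.get("filters", [])
    if not isinstance(filters, list):
        raise ValueError("filters must be a (...) list of {...} groups")
    warnings = []
    for idx, flt in enumerate(filters):
        if not isinstance(flt, dict):
            raise ValueError(f"filter {idx} is not a {{...}} group")
        if flt.get("enabled") and not any(flt.get(k) for k in PROTO_KEYS):
            warnings.append(f"filter {idx} (dstip={flt.get('dstip')!r}) names no "
                            f"tcpopts/udpopts/icmpopts; needs a layer 3-capable build")
    return filters, warnings


if __name__ == "__main__":
    parsed, issues = lint_filters(SAMPLE_CONFIG)
    print(f"{len(parsed)} filter(s) parsed")
    for issue in issues:
        print("WARNING:", issue)
```

Running it against the sample reports the first filter as protocol-less; on a build with the layer 3-only commit that rule is fine and the warning can be ignored, but on an older build it explains why the "blocked" IP stays reachable. The `[` branch mirrors libconfig's own rule that square brackets are arrays of scalars, which is why `filters = [ {...} ]` is not accepted by the real parser either.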
I've pushed a commit to the project that should allow layer 3-only filtering. Therefore, your initial config should work properly after pulling the latest changes. I've tested this on a vanilla Ubuntu VM (20.04) as well and it was working fine for me. I also made sure protocol-specific filtering was still working.
Awesome, thanks! I'm switching over to your Barricade Firewall for the performance gains so if you could enable that feature there as well that would be great.
I just pushed a commit to that project as you posted that :)
And you're welcome!
Is there a quickstart guide to test basic functionality? Here's mine, which isn't working as expected: