gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License

Quickstart guide? #4

Closed mrbluecoat closed 4 years ago

mrbluecoat commented 4 years ago

Is there a quickstart guide to test basic functionality? Here's mine, which isn't working as expected:

apt install -y dnsutils

EXAMPLEIP=$(dig +short example.com)

cat > /etc/xdpfw/xdpfw.conf <<EOF
interface = "eth0";
updatetime = 15;
filters = (
    {
        enabled = true,
        dstip = "${EXAMPLEIP}",
        action = 0
    }
);
EOF

service xdpfw restart

curl -s -L -m 5 http://example.com | grep -q illustrative && echo FAIL || echo PASS

FAIL

gamemann commented 4 years ago

I don't have any quickstart guide written at the moment, but I can make one when I have the time. What is your goal with the above config? Are you trying to allow traffic to $EXAMPLEIP?

mrbluecoat commented 4 years ago

No, I'm trying to block example.com (as a test case).

mrbluecoat commented 4 years ago

P.S. I noticed your config filters section uses parentheses "( ... )", which I thought was odd syntax, and then I noticed https://github.com/Barricade-FW/Firewall uses the more familiar "[ ... ]" array syntax. Can I use "[ ... ]" in XDP-Firewall?

gamemann commented 4 years ago

The reason the above config isn't working is that you need to specify a protocol at the moment. So since the above is HTTP traffic (TCP), you can do something like this:

interface = "eth0";
updatetime = 15;
filters = (
    {
        enabled = true,
        dstip = "${EXAMPLEIP}",
        action = 0,

        tcpopts = (
            {
                    enabled = true
            }
        )
    }
);

I just tested this on my own website on a VM I have with the following and it worked:

interface = "ens18";
updatetime = 15;

filters = (
    {
        enabled = true,
        action = 0,
        dstip = "10.50.0.5",

        tcpopts = (
            {
                enabled = true
            }
        )
    }
);

I'd imagine you'd prefer an option where you don't have to specify the protocol (especially for filters where you only want to block IPs). Therefore, I will be looking into implementing this shortly (I'll make it so the config you posted above works as expected).

As for the filters syntax in the config file, I understand it's a bit confusing right now with the protocol options. Unfortunately, it doesn't support [] at the moment since we're using the LibConfig library to parse the config. I've cleaned up the syntax in my Barricade Firewall and also started using JSON.
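Added example (not part of XDP-Firewall or this thread): a small Python helper that renders filter groups in the libconfig layout shown above and flags any filter that names no protocol group, which is exactly the case that silently matched nothing in the original config. Only tcpopts appears in the thread; udpopts and icmpopts are assumed to follow the same naming, and the sample addresses other than 10.50.0.5 are constructed.

```python
"""Render and sanity-check XDP-Firewall filter configs (libconfig syntax)."""
import ipaddress
import re
from dataclasses import dataclass

# tcpopts is from the thread; udpopts/icmpopts are assumed to follow the same naming.
PROTO_GROUPS = ("tcpopts", "udpopts", "icmpopts")


@dataclass
class Filter:
    dstip: str
    protos: tuple = ()      # subset of PROTO_GROUPS; empty means a layer-3-only filter
    action: int = 0         # 0 = drop, as used in the thread
    enabled: bool = True


def render_filter(f: Filter) -> str:
    """Render one filter group; rejects an empty or malformed dstip (e.g. a failed dig)."""
    ipaddress.ip_address(f.dstip)
    settings = [f"enabled = {str(f.enabled).lower()}", f'dstip = "{f.dstip}"',
                f"action = {f.action}"]
    # Each protocol group is a one-element list holding a group with enabled = true.
    settings += [f"{p} = (\n            {{\n                enabled = true\n            }}\n        )"
                 for p in f.protos]
    return "    {\n" + ",\n".join("        " + s for s in settings) + "\n    }"


def render_config(interface: str, updatetime: int, filters: list) -> str:
    body = ",\n".join(render_filter(f) for f in filters)
    return f'interface = "{interface}";\nupdatetime = {updatetime};\nfilters = (\n{body}\n);\n'


def layer3_only_filters(config_text: str) -> list:
    """Return the dstip of every filter group that sets no protocol group at all."""
    m = re.search(r"filters\s*=\s*\(", config_text)
    if not m:
        return []
    groups, depth, start = [], 0, None
    for i in range(m.end(), len(config_text)):      # split the list on depth-1 braces
        c = config_text[i]
        if c == "{":
            if depth == 0:
                start = i
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                groups.append(config_text[start:i + 1])
        elif c == ")" and depth == 0:               # end of the filters list
            break
    proto_re = re.compile(r"\b(%s)\s*=" % "|".join(PROTO_GROUPS))
    flagged = []
    for g in groups:
        if not proto_re.search(g):
            ip = re.search(r'dstip\s*=\s*"([^"]*)"', g)
            flagged.append(ip.group(1) if ip else "<no dstip>")
    return flagged
```

Running layer3_only_filters over the first config in this thread returns its dstip, while the tcpopts version returns an empty list.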

gamemann commented 4 years ago

I've pushed a commit to the project that should allow layer 3-only filtering. Therefore, your initial config should work properly after pulling the latest changes. I've tested this on a vanilla Ubuntu VM (20.04) as well and it was working fine for me. I also made sure protocol-specific filtering was still working.

mrbluecoat commented 4 years ago

Awesome, thanks! I'm switching over to your Barricade Firewall for the performance gains so if you could enable that feature there as well that would be great.

gamemann commented 4 years ago

I just pushed a commit to that project as you posted that :)

And you're welcome!