metal-stack / firewall-controller

A Kubernetes controller running on bare-metal firewalls that creates nftables rules, configures Suricata and collects network metrics
MIT License

Log new connections #117

Closed majst01 closed 2 years ago

majst01 commented 2 years ago

could be easily achieved by adding:

                # state dependent rules
                ct state established,related counter accept comment "accept established connections"
                ct state invalid counter drop comment "drop packets with invalid ct state"
                # this new rule logs the first packet of every new connection
                ct state new log prefix "nftables-firewall-new: "

mreiger commented 2 years ago

Wouldn't this log all connection attempts, including the ones that get rejected later on?

I would prefer to log only the accepted connections, like this:

                ct state established,related counter packets 2311353 bytes 27684378950 accept comment "accept established connections"
                ct state invalid counter packets 0 bytes 0 drop comment "drop packets with invalid ct state"
                icmp type echo-request limit rate over 10/second burst 4 packets counter packets 0 bytes 0 drop comment "drop ping floods"
                icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } counter packets 0 bytes 0 log prefix "nftables-firewall-accept: " accept comment "accept icmp"
                ip daddr { 212.34.83.15 } tcp dport { 4314 } counter packets 2 bytes 120 log prefix "nftables-firewall-accept: " accept comment "accept traffic for k8s service kube-system/vpn-shoot"
(...)

This should log only the initial packet as well, because the subsequent packets get caught by the ct state established,related counter accept comment "accept established connections" rule.

majst01 commented 2 years ago

Yes, but then we must add this log statement to every rule.
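Whichever placement is chosen, the prefixes end up in the kernel log in the standard netfilter key=value format. As an added example that is not part of this thread or of firewall-controller, here is a small Python parser over constructed sample log lines that tallies flows per prefix and shows the practical difference between the two proposals: attempts that are never accepted appear only under the ct state new prefix. The field names (SRC, DST, PROTO, DPT) are the netfilter log format; the source addresses and counts are constructed.

```python
import re
from collections import Counter

NEW_PREFIX = "nftables-firewall-new"        # prefix from the "ct state new log" proposal
ACCEPT_PREFIX = "nftables-firewall-accept"  # prefix from the per-accept-rule proposal

# Constructed sample kernel log lines in netfilter "log" format (not real traffic).
SAMPLE_LOG = """\
kernel: nftables-firewall-new: IN=eth0 OUT= SRC=198.51.100.7 DST=212.34.83.15 PROTO=TCP SPT=51234 DPT=4314 SYN URGP=0
kernel: nftables-firewall-accept: IN=eth0 OUT= SRC=198.51.100.7 DST=212.34.83.15 PROTO=TCP SPT=51234 DPT=4314 SYN URGP=0
kernel: nftables-firewall-new: IN=eth0 OUT= SRC=198.51.100.9 DST=212.34.83.15 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
kernel: nftables-firewall-new: IN=eth0 OUT= SRC=198.51.100.9 DST=212.34.83.15 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
kernel: nftables-firewall-new: IN=eth0 OUT= SRC=203.0.113.4 DST=212.34.83.15 PROTO=UDP SPT=5353 DPT=53 LEN=40
some unrelated kernel line
"""

LINE_RE = re.compile(r"^(?:.*kernel: )?(?P<prefix>nftables-firewall-(?:new|accept)): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one netfilter log line into (prefix, fields dict); None if it is not ours."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("prefix"), dict(KV_RE.findall(m.group("fields")))


def flow_key(fields):
    """Identify a connection attempt by protocol, destination address and port."""
    return (fields.get("PROTO", "?"), fields.get("DST", "?"), fields.get("DPT", "-"))


def summarize(log_text):
    """Count new and accepted log lines per flow; flows logged as new more often
    than accepted were dropped or rejected by a later rule."""
    seen_new, seen_accept = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        key = flow_key(fields)
        if prefix == NEW_PREFIX:
            seen_new[key] += 1
        elif prefix == ACCEPT_PREFIX:
            seen_accept[key] += 1
    not_accepted = {k: n - seen_accept[k] for k, n in seen_new.items() if n > seen_accept[k]}
    return {"new": seen_new, "accepted": seen_accept, "not_accepted": not_accepted}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)["not_accepted"].items():
        print(f"{n} new connection(s) to {key} were never accepted")
```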

Gerrit91 commented 2 years ago

Closed through #118.