polycube-network / polycube

eBPF/XDP-based software framework for fast network services running in the Linux kernel.
Apache License 2.0

Would pcn-iptables be suitable for hardware firewall? #317

Open averyfreeman opened 4 years ago

averyfreeman commented 4 years ago

Hi,

I'm incredibly excited about the pcn-iptables project; I've been looking for a legacy-compatible drop-in replacement for iptables that uses bpf for a few years now.

However, I'd want to use it for a hardware firewall. Do you think it is suitable for that purpose?

If so, should I build it myself to run bare-metal, or do you think it would be adequate to use docker with --net=host?

Lastly, if I do build it myself, what platform do you recommend? Is there a specific OS it was developed on that would be most suitable for bare-metal implementation? (e.g. Alpine, Ubuntu, CentOS, etc.)

Thanks

sebymiano commented 4 years ago

Hi @averyfreeman, thanks for the interest! I am happy you liked the pcn-iptables project.

I suppose that with "hardware firewall" you mean running pcn-iptables directly on the host (e.g., x86 server) and not inside a docker container. In this case, the answer is yes, you can definitely do it. We tested polycube (and pcn-iptables) mainly on Ubuntu systems with a quite recent Linux kernel (I suggest v5.0+). You can have a look at these instructions to understand how to build and deploy pcn-iptables.

If you have other questions, feel free to ask :)

averyfreeman commented 4 years ago

Thanks so much for taking my questions. I will definitely have to try it out now that I have your clarification.

Just one more big-picture question: if there's no dnat/snat in pcn-iptables, is it generally feasible to implement those in polycube for use with a physical LAN, or do you recommend running another firewall in front of the polycube network?

Thank you

sebymiano commented 4 years ago

You're welcome!

That's a good question. I would say that, currently, pcn-iptables does not support dnat/snat. However, there is a standalone service in polycube that does exactly that job (pcn-nat). Unfortunately, because of the way pcn-iptables has been created, it is not possible to just chain the two services (pcn-iptables and pcn-nat) to make them work together; it would require an internal modification to pcn-iptables to integrate the NAT functionality. Something definitely possible, IMHO, but that we did not have time to do in the current phase.

Another alternative would be to use the pcn-firewall service (which internally is almost equivalent to pcn-iptables but with a different syntax) and chain it with pcn-nat. In this case, you will have dnat/snat + filtering functionality.

Thank you for the question. Of course, if you need help or you find any issues just let us know!

averyfreeman commented 4 years ago

I appreciate the guidance, that is very helpful. I will look into chaining pcn-firewall with pcn-nat. Polycube looks very promising, great concept! Thanks for working on such a groundbreaking project.

acloudiator commented 4 years ago

Hi @averyfreeman, just checking if you got it working or whether we may be of any help to you. Also, please feel free to provide your feedback and suggestions or your experience using PCN-iptables. It would help us make our project better. Thank you!