pschmitt / pia-tools

Shell script to automate privateinternetaccess port forwarding and starting/stopping transmission when connected/disconnected and other stuff
https://aur.archlinux.org/packages/pia-tools
GNU General Public License v3.0

Firewall Blocking Rules For Both Wifi and Ethernet #7

Closed noctuid closed 9 years ago

noctuid commented 9 years ago

I think it might be better to set firewall rules for both (maybe turn DEV_NET into DEV_NET_WIFI and DEV_NET_ETHERNET) in the case of switching or just because one would want it to block whichever they were using without having to manually choose one each time. In the latter case, if DEV_NET isn't set, it could be set to whatever is active (maybe ip link show up | awk -F ": " '/state UP/ {print $2}').

I'm not sure how well doing this kind of thing to guess device names would work. As for defaults if a variable for wifi was added, I think iw dev | awk '/Interface/ {print $2}' should generally work. Assuming standard naming, it might be easier (though maybe not the best way) to just do ls /sys/class/net | grep en and ls /sys/class/net | grep wl.

pschmitt commented 9 years ago

I like the idea, I won't be having much time to commit this though (work). PRs are welcome.

noctuid commented 9 years ago

Okay, I did. I hope it's acceptable.

pschmitt commented 9 years ago

Good job. But I'd really like to remove all the hardcoded interface names like you suggested in the first place. I shouldn't have included any in the first place. I'm not really sure on how to make this work with complex network setups (multiple NICs, bonding and other virtual network devices like the one used by docker). Maybe a config file would be the best way to achieve this. Like:

WIRELESS_DEVICES="wlp0 wlp1"
ETHERNET_DEVICES="ens32 enp101s3"

or maybe just:

NETWORK_DEVICES="wlp0 wlp1 ens32 enp101s3"

We could try to guess these interfaces when running the setup.

noctuid commented 9 years ago

If there are going to be multiple devices for either, it would probably be best to just use the space-separated NETWORK_DEVICES with something like

# one deny rule per interface listed in NETWORK_DEVICES (word-split on spaces)
for i in $NETWORK_DEVICES; do
    ufw deny out on "$i"
    ...
done

Changing the output record separator to a space makes the method I used for guessing work with that. If w is looked for instead of wl, it could add rules for both a wwan device and a wlan device for example. As for something like multiple en devices, I have no idea. I have a very simple network setup. Anything that shows up with ifconfig wouldn't be a problem getting if NETWORK_DEVICES wasn't set. I don't know if there's a better way.

e.g.

NETWORK_DEVICES=$(ifconfig | awk -F ":" 'BEGIN {ORS = " "} /(^e|^w)/ {print $1}')

With a more complicated setup, I think it should be on the user to manually add what they want to NETWORK_DEVICES. What do you think?
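The approach discussed in the two comments above (a NETWORK_DEVICES list that the user can set by hand, guessed from the kernel's interface names when it is not set, then one ufw deny rule per device) as an added example; this is not pia-tools' own code. It reads interface names from /sys/class/net instead of parsing ifconfig output, so it does not depend on net-tools being installed, and it skips lo, tun*, docker0 and similar virtual devices so the kill-switch rules never land on the VPN tunnel itself. The sysfs directory is a parameter (an assumption made so the detection can be exercised against a constructed directory), and the rules are printed rather than executed so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of pia-tools: guess the physical uplink interfaces
# and emit the ufw rules that block non-VPN traffic on them.

# Print the wired (en*), wireless (wl*) and WWAN (ww*) interface names found
# under the given sysfs directory, space-separated, in glob (sorted) order.
# Directory argument is an assumption for testability; defaults to /sys/class/net.
# lo, tun*, docker0, virbr0 and other virtual devices do not match and are skipped,
# so the deny rules never apply to the VPN tunnel interface.
detect_devices() {
    net_dir=${1:-/sys/class/net}
    out=""
    for path in "$net_dir"/*; do
        [ -e "$path" ] || continue          # no entries at all: empty result
        name=${path##*/}
        case "$name" in
            en*|wl*|ww*) out="$out $name" ;;
            *) ;;
        esac
    done
    printf '%s\n' "${out# }"               # strip the leading separator
}

# An explicit NETWORK_DEVICES setting always wins, so users with bonding,
# several NICs or unusual naming can list exactly what they want blocked;
# the guess above is only a fallback.
resolve_devices() {
    if [ -n "${NETWORK_DEVICES:-}" ]; then
        printf '%s\n' "$NETWORK_DEVICES"
    else
        detect_devices "${1:-/sys/class/net}"
    fi
}

# Emit, one per line, the deny rule for each device in the list.
# ufw evaluates rules in order, so an allow rule for the VPN endpoint must be
# inserted ahead of these denies or the tunnel itself cannot be established.
# Printing instead of running lets the rule set be reviewed first; to apply:
#   build_block_rules "$(resolve_devices)" | sudo sh
build_block_rules() {
    for dev in $1; do
        printf 'ufw deny out on %s\n' "$dev"
    done
}
```

With NETWORK_DEVICES unset on a typical laptop the result is something like `ufw deny out on enp0s3` and `ufw deny out on wlp2s0`; setting `NETWORK_DEVICES="bond0"` bypasses the guess entirely, which is the manual override suggested for more complicated setups.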

noctuid commented 9 years ago

I don't know if this is exactly what you had in mind, but this commit just uses NETWORK_DEVICES and is how I'm doing things now.

pschmitt commented 9 years ago

I'd merge that!