top | item 36905764

laurowyn | 2 years ago

define zone based?

If wanting internal and external subnets as "zones", iptables/nftables lets you match against incoming and outgoing interfaces. It would be trivial to match against an incoming interface and jump to a zone-specific chain. This is how I manage private subnets. fw-mark is also useful for setting routing rules. You can change which routing table is used by matching rules in iptables.

If wanting to do more stateful things, I'm not aware of any default package, but setting a rule to send packets to an NFQUEUE and implementing some custom logic on that nfqueue would be rather trivial too. I'm sure eBPFs are usable in there somewhere too, but I've very little experience with them.

Obviously iptables/nftables has its own issues, as seen in recent (and not so recent) posts about it being bypassable with raw sockets, but that tends to be host only and not when used as a gateway.


LeBit | 2 years ago

> define zone based?

https://support.vyos.io/en/support/solutions/articles/103000...

You create a _zone_. You name it and assign some interfaces to it. For my needs, I only assign 1 interface per zone. Then, you specify which other zones that zone can receive traffic from. That also comes with the identification of a firewall ruleset to apply to that pair.

So, `'Zone WAN (iface eth0) <- Zone LAN (iface eth1)' => apply fw LAN-TO-WAN`

When you do that, the firewall rules become much simpler to write and maintain.

But, a best practice is to assign every zone to every other zone. This soon becomes a combinatorial nightmare. When you want to add a zone, you have to create 2xN new zone configurations and 2xN new firewall rulesets.

laurowyn | 2 years ago

So the equivalent of:

iptables -N eth0toeth1; iptables -A FORWARD -i eth0 -o eth1 -j eth0toeth1; iptables -A eth0toeth1 -p tcp --dport 80 -j ACCEPT; # add any more rules, then...
iptables -A eth0toeth1 -j DROP  # user-defined chains can't take a -P policy, so end the chain with an explicit DROP

Or, as you say to avoid exponential combinations, just make a chain for each zone (interface) and explicitly allow specific protocols/ports to target interfaces. Zones with multiple interfaces are just multiple rules to jump to the same zone chain.
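The per-zone-chain layout from this last comment, written for nftables as an added example that is not from any commenter in the thread: a shell function that prints a ruleset with one `ifname` set per zone (so a zone can hold several interfaces), one chain per destination zone holding the explicit allows, and a default-drop forward hook that dispatches on the outgoing zone. Zone names, interface names and the allowed services are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Zones, interfaces and POLICY are constructed.
# Usage: gen_ruleset | nft -f -    (this script only prints; it changes nothing by itself)

# Zone -> interfaces (space separated). All interfaces of a zone share one zone chain.
zone_ifaces() {
    case "$1" in
        wan) echo "eth0" ;;
        lan) echo "eth1 eth2" ;;
        dmz) echo "eth3" ;;
        *)   return 1 ;;
    esac
}

# Allowed flows, one per line: "src_zone dst_zone proto dport".
# Anything not listed here is dropped by the forward chain's policy.
POLICY='lan wan tcp 443
lan wan udp 53
lan dmz tcp 22
wan dmz tcp 80'

gen_ruleset() {
    echo 'table inet zones {'
    for z in wan lan dmz; do
        set -- $(zone_ifaces "$z")
        ifs=$(printf '"%s", ' "$@"); ifs=${ifs%, }
        echo "    set ${z}_ifaces { type ifname; elements = { $ifs } }"
    done
    for z in wan lan dmz; do
        # One chain per destination zone: every flow into that zone is vetted here.
        echo "    chain to_$z {"
        echo "$POLICY" | while read -r src dst proto port; do
            [ "$dst" = "$z" ] || continue
            echo "        iifname @${src}_ifaces $proto dport $port accept"
        done
        echo '    }'
    done
    echo '    chain forward {'
    echo '        type filter hook forward priority filter; policy drop;'
    echo '        ct state established,related accept'
    for z in wan lan dmz; do
        echo "        oifname @${z}_ifaces jump to_$z"
    done
    echo '    }'
    echo '}'
}
```

Adding a zone means one new set, one new chain and one `oifname ... jump` line, plus only the flows you actually want, instead of a ruleset for every zone pair.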