SoftWare Defined FireWall
An approach to define & update iptables rules atomically. No hiccups and easy rollback.
swdfw keeps its rules in a separate chain and uses the iptables --goto target to select which managed rule set traffic is sent to.
All you have to do is allow swdfw to set up the jump to its managed input & output chains (SWDFW-INPUT & SWDFW-OUTPUT by default), or set them up yourself.
TODO: schematic
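The swap described above, as an added example that is not swdfw's own code: a POSIX shell script that stages the next generation of the managed chain and repoints the goto inside one iptables-restore transaction, so no packet ever hits an empty chain. The generation suffix, the "proto:dport:cidr" rule format and the assumption that INPUT rule 1 is the swdfw jump are mine, not the project's.

```shell
#!/bin/sh
# Added example, not swdfw's own code. Renders an iptables-restore batch that
# stages a fresh generation of the managed chain and repoints INPUT's --goto
# rule at it inside a single kernel commit.
# Assumed conventions (not from the README): generation suffix "-gNNNN" (the
# 6 reserved characters), rule specs "proto:dport:cidr", and INPUT rule 1
# being the swdfw jump the user set up.

IPT_CHAIN_MAX=28   # iptables chain name limit

# Name of generation $2 of base chain $1; fails if it would exceed the limit.
swdfw_chain_name() {
    name="$1-g$(printf '%04d' "$2")"
    [ "${#name}" -le "$IPT_CHAIN_MAX" ] || return 1
    printf '%s\n' "$name"
}

# Render the batch for base chain $1, old generation $2, new generation $3;
# remaining arguments are rule specs. Feed the output to `iptables-restore -n`.
# Rollback is the same call with the previous rules and the generations swapped.
swdfw_render() {
    old=$(swdfw_chain_name "$1" "$2") || return 1
    new=$(swdfw_chain_name "$1" "$3") || return 1
    shift 3
    printf '*filter\n:%s - [0:0]\n' "$new"      # declare the staged chain
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*};  cidr=${rest#*:}
        printf '%s\n' "-A $new -s $cidr -p $proto --dport $port -j ACCEPT"
    done
    # Managed default; "DROP instead of REJECT" is the tunable the README lists.
    printf '%s\n' "-A $new -j REJECT"
    # Cutover: repoint the goto, then discard the previous generation.
    printf '%s\n' "-R INPUT 1 -g $new" "-F $old" "-X $old" COMMIT
}
```

Apply as root with `swdfw_render SWDFW-INPUT 1 2 tcp:22:10.0.0.0/8 | iptables-restore -n`; the -n flag keeps the rest of the filter table intact. The first generation has to be bootstrapped by hand (chain plus goto rule), because the batch flushes and deletes the previous generation.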
It's common to disable the OS-level firewall on cloud providers when the provider offers its own firewall solution. However, it appears that some providers lack reasonable firewall (or, under another name, security group) support:
- Hetzner Robot allows a maximum of only 10 incoming rules
- ...
Wiring machines together dynamically with automation (etcd, Consul, etc.) makes it inconvenient to manage the rules on the provider side. Some providers (AWS) take about a minute in my experience (using Terraform) to apply rule changes, which slows configuration rollout.
With swdfw, applying a new set of rules is as fast as the machine can swap the rules out.
- Proof of concept: output rules generation + integration test
- nftables support (via netlink)
- ipset / named set support (both backends)
- Output rules
- Rules covering all protocols, or only handling interfaces
- Rules declaration (file format/structure)
  - Try to retain script generation support
    - Works fine-ish with iptables already, but nftables might be a problem.
- Tunables
  - Default INPUT/OUTPUT policy handling
  - DROP instead of REJECT
  - Collecting rules targeting the same CIDR with different ports into a multiport match
  - Collecting rules targeting different CIDRs with the same ports into an ipset
- Limits are not documented
  - iptables chain names are limited to 28 characters. The current update logic needs to reserve 6 of them (could do with less).
  - nftables allows longer names; tested with a 70-character name.
  - Therefore allow only 16-24 character names for rulesets?
- TOCTOU
  - Need a locking mechanism between swdfw instances working on the same set of rules.
Not determined yet.