Package: wnpp
Severity: wishlist
Owner: Peter Collinson <supp...@nftfw.uk>
* Package name    : nftfw
  Version         : 0.9.0
  Upstream Author : Peter Collinson <supp...@nftfw.uk>
* URL             : https://github.com/pcollinson/nftfw
* License         : MIT/X
  Programming Lang: Python
  Description     : an nftables firewall builder for Debian

Introduction
------------

Here is the current text in the debian/control file:

  The nftfw package builds firewalls for nftables. Configuration is based on
  files stored in directories in /etc/nftfw. For example, adding a new IP
  address to the whitelist is done by creating a file named for the IP
  address in the whitelist.d directory. Adding a new rule permitting access
  to a port just takes the addition of a suitably named file in incoming.d.
  Blacklisting address ranges is done by adding a CIDR address to a file in
  blacknets.d.
  .
  nftfw can automatically maintain the blacklist by efficiently scanning log
  files using regular expressions and adding miscreant IP addresses into
  blacklist.d. It maintains a database of activity and will time out the
  entries after a user-defined period. When an IP is blocked, nftfw allows
  for feedback from nftables to notice and maintain blocking for frequent
  attempts from unwanted visitors.
  .
  nftfw makes extensive use of nftables sets to maintain exclusion and
  inclusion lists. It tries to minimise changes to the live firewall by only
  updating sets that have changed. It adds its created statements to an
  nftables template that can be modified to extend the firewall setup if
  needed.
  .
  After installation, some configuration is needed to make the system
  active, see /usr/share/doc/nftfw/README.Debian
  .
  The package is written and developed in Python 3.7.

More information can be found on Github; there are several documents in the
'docs' directory that I wrote first for manual installation and, more
recently, for Debian packaging. These are in .md, HTML and PDF formats.

Once I have this bug number I will be uploading the binary package to github.

What's the history of this project?
-----------------------------------

nftfw is based on work done by Patrick Cherry for his hosting company in the
UK, Bytemark. His system was written in Ruby and was part of a complete
management system called Symbiosis for Debian servers. The firewall part
drove iptables. The company was sold and the buyer wasn't really interested.
Mythic Beasts forked Symbiosis into Sympl and I moved to this new company as
a customer. At pretty much the same time, Debian Buster was released with the
switch to nftables. I wanted to fix some of the problems that I saw in the
original system and decided to start from scratch, writing a new firewall
system in Python and aiming it at nftables.

What I liked about Patrick's approach was the use of what is perhaps the
original UNIX philosophy: everything is done in files. This firewall is
controlled by an nft template file, which is editable so it can be extended,
and then a bunch of specifically named files controlling the firewall in
known locations.

nftfw makes extensive use of sets, and tries never to reload the complete
firewall when a set is changed. There are problems in nftables with some
types of set (I've reported that upstream and they will eventually be fixed,
I understand) that mean that under some circumstances partial loading
doesn't work and the whole table needs reloading.

The system includes a module to scrape log files for attacks, and injects the
IP address into the blacklist. It can also scan kernel logs for nftables
logging so that sites that keep repeatedly returning can be kept out until
they stop. Feedback from the scanner is a big win: bots keep bashing at the
door and they are kept out. Log scanning and blocking is also done by
fail2ban, of course. It is implemented in nftfw because it was part of the
original system and I was looking for a drop-in alternative for the
Symbiosis system. Also, starting with nftables as a target has meant a
re-appraisal of how the system should work.

Where is the project?
--------------------

I started nftfw because I was sick of my systems being under attack from all
and sundry. It's been running on two different machines that I run for a
little over 18 months, and has also been used by some other sysadmins who are
Mythic Beasts customers. There are a few stars on Github, but I have no idea
if these people are using it.

nftfw was originally installed on these machines from github source. It
didn't seem to fit the Python packaging model because it's part of a system
and not an application or library. It was loaded into Github in April of 2020
and has been largely stable since then. There has been the odd coding error,
or misunderstanding of how to do things, but I would say that the code is
well exercised now.

Once it was in Github, it provoked significant attacks from all over the
world, and mostly from CN. At one point on my public machine, where its
website lives (https://nftfw.uk), it was blocking over 3K IP addresses and
several hundred were in the firewall. This frenzy has reduced in recent
times. I do have some repeat visitors that have been trying for over a year.

I started to investigate and implement Debian packaging in April of this
year, and now have a preliminary packaged system, which will be online on
github soon.

What do you get?
---------------

The Python code provides:

  nftfw     - the main script, which manages the firewall: it loads it,
              scans the control files and manages the sqlite3 database.
  nftfwls   - which lists the sqlite database that nftfw maintains. I run
              this from websites; it will output HTML too.
  nftfwedit - which allows inspection, addition and deletion of IP addresses.
  nftfwadm  - which is really intended as an installation aid when you want
              to retain a working firewall on installation.

There are manual pages for all these, and also some section 5 manual pages
describing the config file and the file formats and naming rules.

What do I need?
---------------

I am happy to maintain this package, but obviously need a sponsor.

I would welcome input on the Python, which very probably breaks the 'way of
doing things' in many ways. Also, I have undoubtedly unwittingly broken some
packaging rules and/or there are better ways to do things.

I have intentionally not distributed a live system. Some activation by hand
is needed to get things working.

What would I like?
------------------

I'd like to see this as a Debian package in the near future.
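The description above outlines three mechanisms: a directory of files whose names are addresses or CIDR ranges, an nftables set that is replaced on its own rather than by reloading the whole table, and a regex log scanner that feeds a blacklist kept in an sqlite database with a timeout. The following is an added example written for this page, not code from nftfw or its author, showing those three mechanisms end to end on constructed input. Everything in it is an assumption of the example: the use of '|' in a filename where a CIDR prefix would have '/', the `inet filter` table and `blacklist` set names, the sshd pattern, the sample log lines, and the threshold and time-to-live values. nftfw's real file naming rules, database schema and regex files are documented in its manual pages and may differ.

```python
import ipaddress
import re
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def load_addresses(directory: Path) -> List[str]:
    """Collect the IPv4 addresses and CIDR ranges named by files in a directory.

    A filename cannot contain '/', so this example writes a CIDR prefix with '|'
    in its place (an assumption of this example, not nftfw's rule). Names that
    do not parse are skipped so a stray editor backup file never reaches nft.
    """
    found = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        try:
            net = ipaddress.ip_network(path.name.replace("|", "/"), strict=False)
        except ValueError:
            continue
        if net.version == 4:
            found.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return found


def render_set_update(table: str, name: str, elements: List[str]) -> str:
    """Render an nft script that replaces the contents of one named set.

    Run with 'nft -f', the flush and add are applied in one transaction, so only
    this set changes and the rest of the live ruleset is untouched. The set is
    assumed to be declared 'type ipv4_addr; flags interval' so CIDRs are accepted.
    """
    script = [f"flush set {table} {name}"]
    if elements:  # nft rejects an empty 'add element ... { }'
        script.append(f"add element {table} {name} {{ {', '.join(elements)} }}")
    return "\n".join(script) + "\n"


# Constructed pattern for OpenSSH password failures (one pattern per service in practice).
SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def scan_log(lines: Iterable[str], pattern: re.Pattern) -> Dict[str, int]:
    """Count matching lines per source address, validating each captured address."""
    counts: Dict[str, int] = {}
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        ip = match.group("ip")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # the regex matched but an octet was out of range
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def open_db() -> sqlite3.Connection:
    """In-memory activity database; a real deployment would use a file (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blacklist (ip TEXT PRIMARY KEY, hits INTEGER, last_seen INTEGER)")
    return conn


def record_hits(conn: sqlite3.Connection, counts: Dict[str, int], now: int) -> None:
    """Add this scan's counts to the running totals and refresh last_seen."""
    for ip, n in counts.items():
        cur = conn.execute(
            "UPDATE blacklist SET hits = hits + ?, last_seen = ? WHERE ip = ?", (n, now, ip)
        )
        if cur.rowcount == 0:
            conn.execute("INSERT INTO blacklist VALUES (?, ?, ?)", (ip, n, now))
    conn.commit()


def active_blacklist(conn: sqlite3.Connection, now: int, threshold: int, ttl: int) -> List[str]:
    """Addresses over the hit threshold whose last activity is within ttl seconds."""
    rows = conn.execute(
        "SELECT ip FROM blacklist WHERE hits >= ? AND last_seen > ? ORDER BY ip",
        (threshold, now - ttl),
    )
    return [row[0] for row in rows]


# Constructed sample log lines; 999.1.1.1 is there to exercise the address validation.
SAMPLE_LOG = [
    "Jun  1 10:00:01 host sshd[123]: Failed password for root from 198.51.100.7 port 5555 ssh2",
    "Jun  1 10:00:02 host sshd[123]: Failed password for invalid user admin from 198.51.100.7 port 5556 ssh2",
    "Jun  1 10:00:03 host sshd[124]: Failed password for root from 198.51.100.7 port 5557 ssh2",
    "Jun  1 10:00:04 host sshd[125]: Failed password for root from 192.0.2.44 port 6000 ssh2",
    "Jun  1 10:00:05 host sshd[126]: Accepted publickey for peter from 192.0.2.99 port 6001 ssh2",
    "Jun  1 10:00:06 host sshd[127]: Failed password for root from 999.1.1.1 port 6002 ssh2",
]


def demo() -> dict:
    """Run the pieces end to end on the constructed input and return what they produce."""
    with tempfile.TemporaryDirectory() as tmp:
        blacknets_d = Path(tmp) / "blacknets.d"
        blacknets_d.mkdir()
        for name in ("203.0.113.0|24", "198.51.100.7", "not-an-address", "192.0.2.10"):
            (blacknets_d / name).touch()
        blacknets = load_addresses(blacknets_d)
    counts = scan_log(SAMPLE_LOG, SSH_FAIL)
    conn = open_db()
    record_hits(conn, counts, now=1000)
    return {
        "blacknets": blacknets,
        "counts": counts,
        "active": active_blacklist(conn, now=1000, threshold=3, ttl=3600),
        "after_timeout": active_blacklist(conn, now=1000 + 7200, threshold=3, ttl=3600),
        "nft_script": render_set_update(
            "inet filter", "blacklist", active_blacklist(conn, now=1000, threshold=3, ttl=3600)
        ),
    }
```

Calling `demo()` returns the parsed `blacknets.d` entries (the unparseable filename is dropped), the per-address failure counts (the out-of-range address is rejected even though the regex matched it), the address that crossed the threshold, an empty list once the time-to-live has passed, and the two-line nft script that swaps just that one set. Validating every captured address before it is written into a set is the check worth keeping: the regex alone will happily match text that nft would reject, and a single bad element fails the whole `nft -f` transaction.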