Re: [DNG] nftables firewall and fail2ban replacement.
onefang said on Wed, 12 Jan 2022 23:49:39 +1000
> I've been using shorewall and fail2ban for a while now, but nftables is
> soon replacing iptables, so it's time to consider some options.

I can't tell whether you're addressing the firewall on a single computer, or the firewall between your LAN and the Internet.

If the former, now that https://www.tomsguide.com/news/router-attack-netusb-flaw , I'm going to replace the firewall functions of my Spectrum Cable Modem with an OpenBSD PF firewall. An excellent documentation set of PF is at https://www.tomsguide.com/news/router-attack-netusb-flaw , and there's an excellent sample firewall config at https://www.openbsd.org/faq/pf/filter.html#example .

Having looked at pfSense, iptables, nftables, IPFire, Openwall, and OPNsense, I find plain old pf superior for a firewall appliance. If you need the same machine to be a DHCP server, I'd just install a BSD DHCP server on the same machine. If I wanted a DNS server on the firewall machine (I don't) instead of on one of my LAN machines (which I do), I'd install unbound and nsd on the BSD machine.

==

If you meant the firewall on one Linux machine, you obviously can't use the BSD-only pf. I've found iptables to be quite usable, and haven't yet tried nftables. I tried Shorewall and found it to add tremendous complication to iptables and it seems to outsmart itself when trying to do something out of the ordinary, so I just resorted to iptables.

I haven't tried fail2ban, and would like to hear more about it.

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] nftables firewall and fail2ban replacement.
> On 16 Jan 2022, at 19:41, onefang wrote:
>
> On 2022-01-16 17:23:29, wirelessduck--- via Dng wrote:
>>
>> On 16 Jan 2022, at 12:54, Bob Proulx via Dng wrote:
>>> Any suggestions?
>>>
>>> I am not really happy with any of the programs I have looked at
>>> either.
>>>
>>> Ubuntu really pushes ufw but it feels too complicated to me. (Joking
>>> because it is supposed to be the Uncomplicated Firewall.) But I don't
>>> like that one shapes ufw in bits and pieces like crafting clay on a
>>> pottery table. I would much rather have a file with the rules (or at
>>> least most of them) in one place that then could get version
>>> controlled and copied around. ufw does maintain files behind the
>>> scenes though so perhaps one could hack at those files directly and
>>> avoid the command line interface.
>>>
>>> Bob
>>
>> Have you tried firehol? It uses configuration files to set firewall rules
>> for both inbound and outbound connections.
>>
>> https://firehol.org/
>
> firehol doesn't support nftables. Yet, looks like they've been thinking
> about it for years.

Ahh thanks. I just read the bug report and looks like it might not happen anytime soon.

https://github.com/firehol/firehol/issues/48

I looked at ferm but that appears to be similar and won't be updated to support nftables.

There was a bug filed to netfilter for some usability improvements that might be useful if switching to plain nftables configuration files.

https://bugzilla.netfilter.org/show_bug.cgi?id=1434

I also found APF which might be a good alternative frontend.

https://www.rfxn.com/projects/advanced-policy-firewall/
Re: [DNG] nftables firewall and fail2ban replacement.
On 2022-01-16 17:23:29, wirelessduck--- via Dng wrote:
>
> > On 16 Jan 2022, at 12:54, Bob Proulx via Dng wrote:
> >
> >> Any suggestions?
> >
> > I am not really happy with any of the programs I have looked at
> > either.
> >
> > Ubuntu really pushes ufw but it feels too complicated to me. (Joking
> > because it is supposed to be the Uncomplicated Firewall.) But I don't
> > like that one shapes ufw in bits and pieces like crafting clay on a
> > pottery table. I would much rather have a file with the rules (or at
> > least most of them) in one place that then could get version
> > controlled and copied around. ufw does maintain files behind the
> > scenes though so perhaps one could hack at those files directly and
> > avoid the command line interface.
> >
> > Bob
>
> Have you tried firehol? It uses configuration files to set firewall rules for
> both inbound and outbound connections.
>
> https://firehol.org/

firehol doesn't support nftables. Yet, looks like they've been thinking about it for years.

--
A big old stinking pile of genius that no one wants coz there are too many silver coated monkeys in the world.
Re: [DNG] nftables firewall and fail2ban replacement.
> On 16 Jan 2022, at 12:54, Bob Proulx via Dng wrote:
>
>> Any suggestions?
>
> I am not really happy with any of the programs I have looked at
> either.
>
> Ubuntu really pushes ufw but it feels too complicated to me. (Joking
> because it is supposed to be the Uncomplicated Firewall.) But I don't
> like that one shapes ufw in bits and pieces like crafting clay on a
> pottery table. I would much rather have a file with the rules (or at
> least most of them) in one place that then could get version
> controlled and copied around. ufw does maintain files behind the
> scenes though so perhaps one could hack at those files directly and
> avoid the command line interface.
>
> Bob

Have you tried firehol? It uses configuration files to set firewall rules for both inbound and outbound connections.

https://firehol.org/
Re: [DNG] nftables firewall and fail2ban replacement.
onefang wrote:
> I've been using shorewall and fail2ban for a while now, but nftables is
> soon replacing iptables, so it's time to consider some options.

Fortunately, through today's current Unstable there is no problem with the use of iptables. But I have also been wondering what I am going to do for a firewall when at some inevitable point I must switch from using Shorewall to something different.

> My main problem with fail2ban is that it fails to ban. Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP. So the IP ends up being unbanned, coz fail2ban
> says so.

By default fail2ban's packaging only enables one sshd rule. All of the others are disabled by default unless they are explicitly enabled. Here is a look on a test system with everything just now freshly installed.

root@turmoil:~# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

My Internet connected systems have more enabled but I only have enabled other local rules that I have written myself.

> Right now there's a particular IP hitting that one rule, and no matter
> what I do, even completely zapping fail2ban's database and leaving it
> turned off, that IP keeps bypassing my firewall somehow.

I think something different must be happening because this doesn't match with the way shorewall and fail2ban work with each other. For example with both installed and active there might be the following set of iptables rules. I set up a victim system so that I could work through a test case.

iptables -nL | less
...
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
net-fw     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "INPUT REJECT "
reject     all  --  0.0.0.0/0            0.0.0.0/0            [goto]

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.168.230.120      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain net-fw (1 references)
target     prot opt source               destination
dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
DROP       all  --  192.168.93.37        0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-fw DROP "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

In the above I intentionally triggered fail2ban's "too many auth failures" for sshd so that there would be a f2b-sshd chain created.

Packets enter the INPUT chain. For all port 22 ssh packets they proceed down the "f2b-sshd" fail2ban sshd rule chain. That chain has the one IP that I explicitly triggered. Packets in that chain matching the banned IP address are then rejected. Otherwise it falls through to the return and continues processing down the INPUT chain.

The next chain is "net-fw" which came from my Shorewall rules file. That chain shows a minimal set of rules to allow other ports. I added a drop rule for IP address 192.168.93.37. It would get dropped there.

When the ban expires that IP address will be removed from the f2b-sshd chain. That chain being empty will return immediately to continue processing the INPUT rule chain. Which will then process through the Shorewall defined net-fw chain hitting the
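The same two-stage layout Bob walks through above (a ban chain consulted for port 22 first, then the static policy chain) expressed as an nftables ruleset, written here as an added example rather than anything from the thread, Shorewall or fail2ban; the table, set and chain names are assumptions, and the 192.168.93.37 blacklist entry is just the address from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset laid out like the
# iptables chains above. Port 22 traffic is checked against a dynamic ban set
# first (the f2b-sshd role), then everything falls through to the static
# policy chain (the net-fw role). A banning tool only ever touches the sets,
# so the static rules and the bans cannot fight over an address.
write_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    # dynamic bans: "flags timeout" lets an element expire like a fail2ban bantime
    set banned {
        type ipv4_addr
        flags timeout
    }
    # fixed bans with no timeout (the Shorewall blacklist role)
    set blacklist {
        type ipv4_addr
        elements = { 192.168.93.37 }
    }
    chain f2b {
        ip saddr @banned reject with icmp type port-unreachable
    }
    chain net_fw {
        ct state established,related accept
        ct state invalid drop
        ip saddr @blacklist drop
        icmp type { echo-request, time-exceeded } accept
        tcp dport { 22, 80, 443 } accept
        udp dport 123 accept
        limit rate 1/second burst 10 packets log prefix "net-fw DROP "
        drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        tcp dport 22 jump f2b
        jump net_fw
    }
}
EOF
}

# Temporary ban, e.g. "ban_ip 192.0.2.10 10m"; the element expires on its own.
ban_ip() { nft add element inet filter banned "{ $1 timeout ${2:-10m} }"; }

# Permanent ban, the repeat-offender case; stays until the ruleset is flushed.
blacklist_ip() { nft add element inet filter blacklist "{ $1 }"; }

# Apply with:  write_ruleset | nft -f -
```

Note that "flush ruleset" also empties the dynamic set, so a reload of the ruleset drops every temporary ban currently in force.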
Re: [DNG] nftables firewall and fail2ban replacement.
Antony Stone wrote:
> The one feature I'd like to see on fail2ban is multi-server communication, so
> that if one of my machines has a reason to block an address, it tells all my
> others to block that address as well.

That's also possible to "roll your own". I was considering this at my last place, but never got round to doing it. The only hard bit is messaging between machines, but my plan was to send a message to the outside router so it could block the address at the perimeter. One thought I had was to use syslog to send certain messages to the router's syslog so fail2ban could pick them up and apply rules.

Simon
Re: [DNG] nftables firewall and fail2ban replacement.
On Thursday 13 January 2022 at 11:41:48, Didier Kryn wrote:

> My experience/understanding of fail2ban is that it's intended
> against attackers "smart" enough to periodically change their address.

I don't care whether it's individual attackers who change their address, or multiple attackers each coming from one address; I use fail2ban to block anyone who's clearly trying to "get in" or at least abuse my services (email, SSH, SIP are the most common I see) by trying some credentials, failing, and then trying again and failing sufficient times in a short period that it can't be someone who's supposed to get in.

I have also (like Simon) written my own rule to scan the fail2ban log file itself, and add repeat offenders to a permanent block list, which also survives reboots.

The one feature I'd like to see on fail2ban is multi-server communication, so that if one of my machines has a reason to block an address, it tells all my others to block that address as well.

> For fixed addresses, custom iptables rules were the "simple" way to go. Now
> I guess it's custom nftables rules.

Where do you get the list of fixed addresses to block?

Antony.

--
The more 'success' you get, the easier it is to be disappointed by not getting things. The only difference is that now no-one feels sorry for you.
- Matt Haig

Please reply to the list; please *don't* CC me.
Re: [DNG] nftables firewall and fail2ban replacement.
On 12/01/2022 at 14:49, onefang wrote:
> I've been using shorewall and fail2ban for a while now, but nftables is
> soon replacing iptables, so it's time to consider some options.
>
> Apparently fail2ban already supports nftables, but shorewall doesn't and
> won't - https://shorewall-users.narkive.com/aujuSpJ1/nftables-on-the-roadmap
>
> My main problem with fail2ban is that it fails to ban. Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP. So the IP ends up being unbanned, coz fail2ban
> says so.
>
> Yes, I'm aware you can configure fail2ban to shift from temporary to
> permanent bans for persistent rule breakers. Would be good if the built
> in rules actually worked.
>
> Right now there's a particular IP hitting that one rule, and no matter
> what I do, even completely zapping fail2ban's database and leaving it
> turned off, that IP keeps bypassing my firewall somehow.
>
> So I'll eventually need a replacement for shorewall anyway, and I'd like
> something similar to fail2ban that doesn't fail to ban. So the two
> replacements have to get along with each other. None of this "bad IP can
> get through coz the two fight over it" bullshit.
>
> This has to run on my servers and desktop, so no GUI. I'm an experienced
> sysadmin, text config is good.
>
> Any suggestions?

My experience/understanding of fail2ban is that it's intended against attackers "smart" enough to periodically change their address.

For fixed addresses, custom iptables rules were the "simple" way to go. Now I guess it's custom nftables rules.

--
Didier
Re: [DNG] nftables firewall and fail2ban replacement.
onefang wrote:
> My main problem with fail2ban is that it fails to ban. Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP. So the IP ends up being unbanned, coz fail2ban
> says so.
>
> Yes, I'm aware you can configure fail2ban to shift from temporary to
> permanent bans for persistent rule breakers. Would be good if the built
> in rules actually worked.

From experience, the built in rules worked last time I set a system up - worth checking all the config files as (again from memory) none of them are enabled by default.

But what I did for the persistent offenders was to write my own rule (don't remember any details now) that basically looked for repeated bans and then blocked them for a long time. That allows for users (or yourself) accidentally triggering the first rule - you just have to wait for it to time out - but will ban persistent offenders quite quickly as they'll still be hammering the system when the first rule times out.

Another thing to be aware of is that applying iptables drop rules to existing connections doesn't stop the traffic. That's important when trying to deal with UDP traffic - that may only apply when there is packet mangling (e.g. NAT) and so conntrack comes into play, or when the traffic terminates on the box you are trying to firewall it on. But TBH it's a while now since I dealt with this and I don't recall any details other than needing to clear entries in the conntrack table to actually stop traffic - I vaguely recall having to log onto the main router and drop it there sometimes.

Simon
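Antony and Simon both describe a home-grown rule that reads fail2ban's own log and promotes addresses that keep getting banned to a permanent block; the script below is an added example of that idea, not code from either of them, and it assumes the stock fail2ban.log "NOTICE [jail] Ban <ip>" line format, an nft set named "inet filter blacklist" that already exists, and constructed sample log lines.

```shell
#!/bin/sh
# Added example (not from the thread): find repeat offenders in fail2ban's
# own log and emit the nft commands that move them to a permanent set.
# Assumed log line shape:  ... NOTICE  [sshd] Ban 192.0.2.10
# "Unban" lines are ignored because the pattern needs a space before "Ban".

# Read fail2ban log lines on stdin; print "count ip" for every address
# banned at least $1 times, most-banned first.
repeat_offenders() {
    awk -v min="$1" '
        $0 ~ / Ban [0-9.]+$/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Turn "count ip" lines into one nft command each. The set "inet filter
# blacklist" is assumed to exist already; nothing here creates it, and
# nothing is executed, so the output can be reviewed or shipped to another
# machine (the multi-server idea above) before being run there.
nft_commands() {
    while read -r count ip; do
        printf 'nft add element inet filter blacklist { %s }\n' "$ip"
    done
}

# Constructed sample log: one address banned three times in 25 minutes,
# one banned once, and an Unban line that must not be counted.
SAMPLE_LOG='2022-01-16 10:01:02,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2022-01-16 10:12:44,001 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2022-01-16 10:13:09,555 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2022-01-16 10:15:22,900 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.7
2022-01-16 10:24:50,010 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10'

# Usage against the sample (real use: repeat_offenders 3 < /var/log/fail2ban.log):
#   printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 3 | nft_commands
```

Run it from a cron job or a fail2ban action, and the first rule's short bantime still covers an accidental lockout while a third ban in the window becomes permanent.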
Re: [DNG] nftables firewall and fail2ban replacement.
A technique I learned is to use the "fail2ban-regex" command with a log file sample containing actual traffic that you want banned. E.g. for Apache logs from the shell prompt:

$ fail2ban-regex /path/to/apache/logs/access_log..??.??-??_??_?? /etc/fail2ban/filter.d/apache-404.conf

You'll get a report on whether the regexes in apache-404.conf, or whatever filter you're using, are detecting traffic or not, according to whatever jail file is in use.

I'm sure that with your experience in Fail2ban, you already double-check all the settings in the jail file like logpath, maxretry, findtime, and bantime.
[DNG] nftables firewall and fail2ban replacement.
I've been using shorewall and fail2ban for a while now, but nftables is soon replacing iptables, so it's time to consider some options.

Apparently fail2ban already supports nftables, but shorewall doesn't and won't - https://shorewall-users.narkive.com/aujuSpJ1/nftables-on-the-roadmap

My main problem with fail2ban is that it fails to ban. Or rather it does ban, for that one rule I wrote myself, but not for any of the built in rules, but then it releases the ban, even though I have told shorewall to ban that particular IP. So the IP ends up being unbanned, coz fail2ban says so.

Yes, I'm aware you can configure fail2ban to shift from temporary to permanent bans for persistent rule breakers. Would be good if the built in rules actually worked.

Right now there's a particular IP hitting that one rule, and no matter what I do, even completely zapping fail2ban's database and leaving it turned off, that IP keeps bypassing my firewall somehow.

So I'll eventually need a replacement for shorewall anyway, and I'd like something similar to fail2ban that doesn't fail to ban. So the two replacements have to get along with each other. None of this "bad IP can get through coz the two fight over it" bullshit.

This has to run on my servers and desktop, so no GUI. I'm an experienced sysadmin, text config is good.

Any suggestions?

--
A big old stinking pile of genius that no one wants coz there are too many silver coated monkeys in the world.