Nftfw - Nftables firewall builder for Debian

The nftfw package builds firewalls for nftables. The system provides a simple and easy-to-use configuration model for firewall management. The model was created for the iptables-based firewall package supplied as part of Bytemark's Symbiosis hosting package and also for Sympl, a fork of Symbiosis. The firewall is controlled using files in a directory structure that maps onto the parts of the firewall: to block an IP address on a specific set of ports, you just add a file. Nftfw doesn't need Sympl or Symbiosis; it is stand-alone and will run on any Debian Buster system or later, and should work on other Linux distributions. The package is written in Python 3 and needs at least the 3.6 release.

Nftfw can be installed from a Debian binary package; the zip file nftfw_current.zip in the package directory contains the most recent version. For safety, nftfw needs some configuration after installation. See the installation document "Install nftfw from Debian package" for a how-to guide.

New in current release

For update information see the Changelog.

- Change the default mask used when automatically adding blacklisted IPv6 addresses from /64 to /112. The change mirrors a similar alteration in the Sympl firewall, made because the /64 mask was found to be too aggressive. The /112 mask covers the whole address apart from the last 16-bit group, so an automatically added IPv6 entry now blocks 65,536 addresses rather than the 2^64 covered by a /64. The value is parameterised and can be altered in config.ini.

Easy-to-use firewall admin. Placing files in the directories creates firewall rules configured from the file names. Two directories, incoming.d and outgoing.d, supply rules allowing access to ports for incoming and outgoing connections. These files are usually empty, but can contain IP addresses to make the rule more specific. Two more directories, blacklist.d and whitelist.d, contain IP addresses, blocking or allowing access for the named addresses. These files can contain ports, modifying the action of the rule. The final directory, blacknets.d, can contain files with lists of IP address ranges and makes rules that block access to all the addresses in them. Changing the firewall is simply a matter of making or removing a file in one of these directories. The directory contents are described in detail in the User's Guide, while the "How do I..." or Quick Users' Guide gives a more task-oriented description.

Automatic blacklisting. The system contains a log file scanner that uses regular expressions to detect unwanted access and then creates files in the blacklist.d directory to block access from any matched IP address. The files to scan, the ports to block for each file, and the regular expressions for matching are all contained in a set of files in patterns.d. Pattern files are small text files, easy to add and edit, and the system contains a method of testing them. The nftfw configuration file controls the number of matched lines needed for blocking and how long to wait before removing the IP address from the blacklist.

Blacklisting by address range. The system may be supplied with lists of IP address ranges, used to block all the addresses in the ranges. This can be used to block access from specific countries, or unwanted access from organisations.

Firewall feedback. The blacklist scanner can be told how to scan the syslog file for log entries from nftables, and updates the blacklist database when a blocked IP address returns, keeping it in the firewall until it stops being active.

Automatic whitelisting. The whitelist scanner looks in the system's wtmp file for logins from users and automatically whitelists their IP addresses.

Full use of nftables sets. Blacklist and whitelist rules use nftables sets, and nftfw tries not to perform a full firewall reload until it is needed. If just the blacklist or whitelist sets alter, then only the changed sets are reloaded.

Configurable nftables template. A user-editable template provides the framework for nftables. nftfw uses the template on every firewall build, using 'includes' to pull in its own rules. The use of a template allows for local changes, perhaps to support internal LAN interfaces on a gateway machine. A sample version of the template file used on my gateway machine is supplied in the source distribution.

Editable nftables commands. Rules in incoming.d and outgoing.d use small action files, shell scripts that create the commands for the nftables rules.
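The directory model described under "Easy-to-use firewall admin" and the set-based partial reload described under "Full use of nftables sets", worked through as an added example. This is illustrative code written for this page, not nftfw's own implementation: the file-naming convention (NN-PORT in incoming.d and outgoing.d; an address or network with '|' standing in for '/' as the file name in blacklist.d and whitelist.d), the file-body conventions, the chain layout and the sample tree are all assumptions chosen for the demonstration. nftfw's real formats are documented in its User's Guide.

```python
"""Illustrative directory-driven nftables builder in the spirit nftfw describes:
files in a few *.d directories become rules, black/white lists become nft sets.
Added example for this page, NOT nftfw's own code; the naming and file-body
conventions below are assumptions chosen for the demonstration."""
import ipaddress
import tempfile
from pathlib import Path

DIRS = ("incoming.d", "outgoing.d", "blacklist.d", "whitelist.d")


def _net(name):
    # A file name cannot contain '/', so '|' stands in for it: '2001:db8:1::|112'
    return ipaddress.ip_network(name.replace("|", "/"), strict=False)


def _body(path):
    return [l.strip() for l in path.read_text().splitlines()
            if l.strip() and not l.startswith("#")]


def read_tree(root):
    """incoming.d/outgoing.d: file 'NN-PORT' opens PORT (NN orders the rules);
    the body may list addresses that narrow the rule.  blacklist.d/whitelist.d:
    the file name is the address or network; the body may list ports that limit
    the block or allow to those ports."""
    root, cfg = Path(root), {d: {} for d in DIRS}
    for d in ("incoming.d", "outgoing.d"):
        for f in sorted((root / d).glob("*")):
            cfg[d][int(f.name.partition("-")[2])] = [_net(a) for a in _body(f)]
    for d in ("blacklist.d", "whitelist.d"):
        for f in sorted((root / d).glob("*")):
            cfg[d][_net(f.name)] = [int(p) for p in _body(f)]
    return cfg


def set_elements(cfg):
    """The only output that depends on blacklist.d/whitelist.d alone: when just
    those directories change, these commands can be applied without a rebuild."""
    cmds = []
    for name in ("whitelist", "blacklist"):
        for net, ports in cfg[name + ".d"].items():
            if not ports:  # entries restricted to ports get their own rule in render()
                cmds.append(f"add element inet filter {name}{net.version} {{ {net} }}")
    return cmds


def render(cfg):
    """Emit nft commands: framework, set declarations, list rules, port rules."""
    out = ["add table inet filter",
           "add chain inet filter input { type filter hook input priority 0; policy drop; }",
           "add chain inet filter output { type filter hook output priority 0; policy accept; }",
           "add rule inet filter input ct state established,related accept",
           "add rule inet filter input iif lo accept"]
    for fam, typ in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        for name in ("whitelist", "blacklist"):
            out.append(f"add set inet filter {name}{fam} {{ type {typ}; flags interval; }}")
    out += set_elements(cfg)
    for name, verdict in (("whitelist", "accept"), ("blacklist", "drop")):  # whitelist first
        for fam, l3 in ((4, "ip"), (6, "ip6")):
            out.append(f"add rule inet filter input {l3} saddr @{name}{fam} {verdict}")
        for net, ports in cfg[name + ".d"].items():
            if ports:
                l3 = "ip" if net.version == 4 else "ip6"
                out.append(f"add rule inet filter input {l3} saddr {net} "
                           f"tcp dport {{ {', '.join(map(str, ports))} }} {verdict}")
    for d, chain, side in (("incoming.d", "input", "saddr"), ("outgoing.d", "output", "daddr")):
        for port, nets in cfg[d].items():
            for net in nets or [None]:
                scope = "" if net is None else f"{'ip' if net.version == 4 else 'ip6'} {side} {net} "
                out.append(f"add rule inet filter {chain} {scope}tcp dport {port} accept")
    return "\n".join(out) + "\n"


def make_sample_tree(root):
    """Constructed sample configuration (documentation address ranges only)."""
    root = Path(root)
    for d in DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "incoming.d" / "10-22").write_text("203.0.113.10\n")     # ssh only from the admin host
    (root / "incoming.d" / "20-443").write_text("")                   # https from anywhere
    (root / "outgoing.d" / "10-25").write_text("")                    # outbound smtp
    (root / "blacklist.d" / "198.51.100.7").write_text("")            # drop everything from here
    (root / "blacklist.d" / "198.51.100.20").write_text("25\n587\n")  # block only the mail ports
    (root / "blacklist.d" / "2001:db8:1::|112").write_text("")        # the /112 IPv6 default
    (root / "whitelist.d" / "203.0.113.10").write_text("")


def build_sample():
    """Build the sample tree in a scratch directory and return the nft commands."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_tree(d)
        return render(read_tree(d))


if __name__ == "__main__":
    print(build_sample(), end="")
```

Running the block prints the command list for the sample tree. The point to notice is that only the `add element` lines from set_elements() depend on blacklist.d and whitelist.d: when just those directories change, that fragment can be fed to `nft -f` on its own, which is the property that lets a firewall builder of this kind skip the full flush and rebuild. Whitelist rules are emitted before blacklist rules so that a whitelisted host is never caught by a later drop.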
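The "Automatic blacklisting" and "Firewall feedback" paragraphs, together with the /112 IPv6 mask from the release note, as one added example. This is not nftfw's code: the structure of the pattern definitions, the regular expressions, the nft `log prefix` text (nftfw-blocked), the threshold of 10 matches and the one-day expiry (the real values come from config.ini), and every log line are all constructed for this illustration.

```python
"""Added example of the log-scanning blacklister nftfw describes: pattern
definitions (log file, ports to block, regexes), a hit threshold, expiry after
inactivity, feedback from nftables log lines, and the /112 default for IPv6.
Not nftfw's code: the pattern fields, the nft log prefix and every log line
below are constructed for this illustration."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed pattern-file contents; nftfw's real syntax is in its User's Guide.
PATTERNS = {
    "sshd": {"file": "/var/log/auth.log", "ports": [22], "regex": [
        r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+",
        r"Invalid user \S+ from (?P<ip>\S+) port \d+"]},
    "exim": {"file": "/var/log/exim4/mainlog", "ports": [25, 465, 587], "regex": [
        r"authenticator failed for .*\[(?P<ip>[0-9a-f.:]+)\]"]},
}
# Assumed 'log prefix' on the drop rule, as the kernel line appears in syslog.
NFT_LOG = re.compile(r"nftfw-blocked:.*\bSRC=(?P<ip>\S+)")


def normalize(ip_text, ipv6_mask=112):
    """Blacklist key for a matched address: IPv4 as a /32 host, IPv6 widened to
    the configured prefix (/112 keeps everything but the last 16-bit group)."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4:
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{ipv6_mask}", strict=False)


class Blacklister:
    def __init__(self, patterns, threshold=10, expire_after=timedelta(days=1), ipv6_mask=112):
        self.rx = {n: [re.compile(r) for r in p["regex"]] for n, p in patterns.items()}
        self.ports = {n: p["ports"] for n, p in patterns.items()}
        self.threshold, self.expire_after, self.ipv6_mask = threshold, expire_after, ipv6_mask
        self.hits = {}       # (pattern name, network) -> matched line count
        self.blacklist = {}  # network -> {"ports": set, "last_seen": datetime}

    def scan(self, name, lines, now):
        """Count matching lines per source; block once the threshold is reached."""
        for line in lines:
            for rx in self.rx[name]:
                m = rx.search(line)
                if m is None:
                    continue
                try:
                    net = normalize(m.group("ip"), self.ipv6_mask)
                except ValueError:
                    break  # not an address where one was expected: ignore the line
                key = (name, net)
                self.hits[key] = self.hits.get(key, 0) + 1
                if self.hits[key] >= self.threshold:
                    e = self.blacklist.setdefault(net, {"ports": set(), "last_seen": now})
                    e["ports"].update(self.ports[name])
                    e["last_seen"] = now
                break  # one matching regex per line is enough
        return self.blacklist

    def feedback(self, syslog_lines, now):
        """Firewall feedback: a blocked source still hitting the drop rule shows
        up in the kernel's nftables log; refreshing it defers its expiry."""
        for line in syslog_lines:
            m = NFT_LOG.search(line)
            if m is None:
                continue
            net = normalize(m.group("ip"), self.ipv6_mask)
            if net in self.blacklist:
                self.blacklist[net]["last_seen"] = now

    def expire(self, now):
        """Remove entries idle for longer than expire_after and return them."""
        stale = [n for n, e in self.blacklist.items() if now - e["last_seen"] > self.expire_after]
        for n in stale:
            del self.blacklist[n]
            self.hits = {k: v for k, v in self.hits.items() if k[1] != n}
        return stale


def sample_auth_log():
    """Constructed auth.log lines using documentation addresses."""
    lines = [f"Jan  1 12:00:{i:02d} gw sshd[100]: Failed password for root from 198.51.100.7 port {40000 + i} ssh2"
             for i in range(12)]
    lines += [f"Jan  1 12:01:{i:02d} gw sshd[101]: Failed password for invalid user admin from 203.0.113.5 port {41000 + i} ssh2"
              for i in range(3)]  # below the threshold: never blocked
    lines += [f"Jan  1 12:02:{i:02d} gw sshd[102]: Failed password for root from 2001:db8:1::10 port {42000 + i} ssh2"
              for i in range(6)]
    lines += [f"Jan  1 12:03:{i:02d} gw sshd[103]: Invalid user guest from 2001:db8:1::20 port {43000 + i}"
              for i in range(5)]  # same /112 as the lines above: the hits add up
    return lines


def run_demo():
    t0 = datetime(2024, 1, 1, 12, 0)
    b = Blacklister(PATTERNS)
    b.scan("sshd", sample_auth_log(), t0)
    b.scan("exim", [f"2024-01-01 12:05:{i:02d} login authenticator failed for (x) [198.51.100.7]: "
                    "535 Incorrect authentication data" for i in range(10)], t0)
    blocked = {str(n): sorted(e["ports"]) for n, e in b.blacklist.items()}
    # 20 hours on, the IPv4 host is still knocking on the dropped port (constructed kernel line)
    b.feedback(["Jan  2 08:00:00 gw kernel: nftfw-blocked: IN=eth0 OUT= SRC=198.51.100.7 "
                "DST=203.0.113.1 PROTO=TCP SPT=51234 DPT=22"], t0 + timedelta(hours=20))
    expired = [str(n) for n in b.expire(t0 + timedelta(hours=30))]
    return {"blocked": blocked, "expired": expired, "remaining": [str(n) for n in b.blacklist]}


if __name__ == "__main__":
    print(run_demo())
```

Two things the walk-through shows that the prose does not: the two IPv6 sources 2001:db8:1::10 and 2001:db8:1::20 land on the same /112 key, so their attempts are counted together and the whole block is listed, which is exactly why a /64 default was too aggressive and a /112 is the compromise; and the feedback step is what keeps an active attacker listed past the expiry time while a source that went quiet is dropped from the firewall.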