Dev/Firewall Refactoring

From Kicksecure
< Dev
Jump to navigation Jump to search

How to refactor the firewall script while being sure there are no iptables changes

Instructions[edit]

1) Store current iptables rules to file a.

sudo iptables-save-deterministic > a

2) Refactor the Kicksecure firewall code.

3) Reload Kicksecure Firewall.

If you are using Kicksecure ™ inside Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q")Kicksecure ProxyVM (commonly named kicksecure)Reload Kicksecure Firewall

If you are using a graphical Kicksecure, complete the following steps.

Start MenuApplicationsSystemReload Kicksecure Firewall

If you are using a terminal-only Kicksecure, run. sudo kicksecure_firewall

4) Store current iptables rules to file b.

sudo iptables-save-deterministic > b

5) Compare files a and b.

Use console diff viewer or...

diff a b

Use a graphical diff viewer.

meld a b

6) There should be no diff.

nftables[edit]

sudo nft --stateless list ruleset > nftables-old

sudo nft --stateless list ruleset > nftables-new

systemcheck iptables test[edit]

Does not exist yet.

  • "systemcheck (which is somewhat a replacement for the lack of test suite) could indeed be useful to check if the loaded iptables rules match a hardcoded iptables dump. Yes, with additional firewalll add-ons that would be hard. Then these firewall add-ons could ship a dump that also gets verified. (iptables-dumps.d folder checked by systemcheck or so.) But then multiple firewall add-ons gets hard. Mutliple firewall add-ons and dumping, that kind of flexibility might be stretching what the Kicksecure project may be able to implement." (From (Forum) Bolt on for whonix_firewall - best place to put files?archive.org )
    • systemcheck could use this iptables diff facility to warn the user of non-standard / unexpected rules present. And, just like unwanted packages, could ask the user to run e.g. iptables-save-whonix to establish a new baseline. systemcheck would then pass, unless something else had changed things user unexpectedly, at which point systemcheck would again warn.

Split Kicksecure Firewall Script for better readability[edit]

From Patrick:
" I have been wondering for some time now if the firewall script should be split. A lot sections are being used by multiple packages, the firewall and vpn-firewall. Eventually further in future (corridor-gateway to be created one day)...

  • error_handler
  • source config folder
  • IPv4 DEFAULTS
  • IPv4 PREPARATIONS
  • IPv4 DROP INVALID INCOMING PACKAGES
  • IPv4 FORWARD
  • IPv6
  • more minor stuff (iptables_cmd, ip6tables_cmd)


Converted to shell functions. And added to helper-scripts.

The risk of changing firewall rules while refactoring is minimal because it can be verified:

However, the goal is to make the firewall scripts easier to read. Not more difficult to audit. I am not sure which style (all in one file vs split) makes it simpler at this point. "

  • Early files in firewall config foleder could contain bash scripting of the form:
function ScriptFuncPreloadElement1() { script lines, e.g. $iptables_cmd ''blah''}
    • Optionally followed, for inline / immediate execution rather than hooking in later within firewall script, with:
ScriptFuncPreloadElement1
# (Within the same file == calling main().)
    • This separates code definition from code execution.
  • "The other question with firewall code injection, pre/post hooks is when to dispatch them? When you want to dispatch them depends on what you actually want to implement."
  • e.g.
if [ "$(type -t firewall_input_hook_end)" = "function" ]; then
   firewall_input_hook_end
fi
    • However, such would only allow a single call per hook. (User would have to chain all calls within whonix_firewall.d) Perhaps array variables instead. Code would then be something like ScriptFuncPreloadElement1() as above, then
firewall_input_hook_end[${#firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1
      • It would be up to the user to appropriately manage the array ordering.
    • Hooks within the firewall would then walk the appropriate array at the appropriate time.

Reference: (Forum) torrents, and being a good tor citizenarchive.org
Solution, part b demonstrates an example sample set of iptables rules that could be injected, within the firewall. (Proof of concept, only.)


Reference: (Forum) Favourite (whonix?) bash script boilerplate template?archive.org

  • (begins) a corralling of a standard scripting framework.

See Also[edit]


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!