How to refactor the firewall script while being sure there are no iptables changes[edit]

1) Store current iptables rules to file a.

sudo iptables-save-deterministic > a

2) Refactor the Kicksecure ™ firewall code.

3) Reload Kicksecure ™ Firewall.

4) Store current iptables rules to file b.

sudo iptables-save-deterministic > b

5) Compare files a and b.

Use console diff viewer or...

diff a b

Use a graphical diff viewer.

meld a b

6) There should be no diff.

systemcheck iptables test[edit]

Does not exist yet.

• "systemcheck (which is somewhat a replacement for the lack of test suite) could indeed be useful to check if the loaded iptables rules match a hardcoded iptables dump. Yes, with additional firewalll add-ons that would be hard. Then these firewall add-ons could ship a dump that also gets verified. (iptables-dumps.d folder checked by systemcheck or so.) But then multiple firewall add-ons gets hard. Mutliple firewall add-ons and dumping, that kind of flexibility might be stretching what the Kicksecure ™ project may be able to implement." (From (Forum) Bolt on for whonix_firewall - best place to put files? )
  • systemcheck could use this iptables diff facility to warn the user of non-standard / unexpected rules present. And, just like unwanted packages, could ask the user to run e.g. iptables-save-whonix to establish a new baseline. systemcheck would then pass, unless something else had changed things user unexpectedly, at which point systemcheck would again warn.

Reference: (Forum) Bolt on for whonix_firewall - best place to put files?

Split Kicksecure ™ Firewall Script for better readability[edit]

From Patrick:
" I have been wondering for some time now if the firewall script should be split. A lot sections are being used by multiple packages, whonix-gw-firewall, whonix-ws-firewall and vpn-firewall. Eventually further in future (corridor-gateway to be created one day)...

• error_handler
• source config folder
• IPv4 DEFAULTS
• IPv4 PREPARATIONS
• IPv4 DROP INVALID INCOMING PACKAGES
• IPv4 FORWARD
• IPv6
• more minor stuff (iptables_cmd, ip6tables_cmd)

Converted to shell functions. And added to helper-scripts.

The risk of changing firewall rules while refactoring is minimal because it can be verified:

However, the goal is to make the firewall scripts easier to read. Not more difficult to audit. I am not sure which style (all in one file vs split) makes it simpler at this point. "

• Early files in /etc/whonix_firewall.d could contain bash scripting of the form:

function ScriptFuncPreloadElement1() { script lines, e.g. $iptables_cmd ''blah''}

• • Optionally followed, for inline / immediate execution rather than hooking in later within whonix_firewall, with:

ScriptFuncPreloadElement1
# (Within the same file == calling main().)

• • This separates code definition from code execution.
• "The other question with firewall code injection, pre/post hooks is when to dispatch them? When you want to dispatch them depends on what you actually want to implement."
• e.g.

if [ "$(type -t whonix_firewall_input_hook_end)" = "function" ]; then
   whonix_firewall_input_hook_end
fi

• • However, such would only allow a single call per hook. (User would have to chain all calls within whonix_firewall.d) Perhaps array variables instead. Code would then be something like ScriptFuncPreloadElement1() as above, then

whonix_firewall_input_hook_end[${#whonix_firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1

• • • It would be up to the user to appropriately manage the array ordering.
  • Hooks within whonix_firewall would then walk the appropriate array at the appropriate time.

Reference: (Forum) whonix, torrents, and being a good tor citizen
Solution, part b demonstrates an example sample set of iptables rules that could be injected, within whonix_firewall. (Proof of concept, only.)

Reference: (Forum) Favourite (whonix?) bash script boilerplate template?

• (begins) a corralling of a standard scripting framework.

See Also[edit]

• Firewall Unloading

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure ™ A secure by default operating system with the latest security research in place.

Donate

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software. Learn more.

Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.

Kicksecure ™ is a secure by default operating system with the latest security research in place.

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Kicksecure ENCRYPTED SUPPORT LP, 2022

×

Kicksecure is free from corporate interest by being user funded. Thank you so much!

Scan the QR code or use the wallet address below.

 

Close

Kicksecure ™ is Hardened by Kicksecure ™