Download Docs News Forums

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Your support makes all the difference!

We believe security software like Kicksecure needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!

How to refactor the firewall script while being sure there are no iptables changes

Instructions[edit]

1) Store current iptables rules to file a.

sudo iptables-save-deterministic > a

2) Refactor the Kicksecure ™ firewall code.

3) Reload Kicksecure ™ Firewall.

4) Store current iptables rules to file b.

sudo iptables-save-deterministic > b

5) Compare files a and b.

Use console diff viewer or...

diff a b

Use a graphical diff viewer.

meld a b

6) There should be no diff.

systemcheck iptables test[edit]

Does not exist yet.

• "systemcheck (which is somewhat a replacement for the lack of test suite) could indeed be useful to check if the loaded iptables rules match a hardcoded iptables dump. Yes, with additional firewalll add-ons that would be hard. Then these firewall add-ons could ship a dump that also gets verified. (iptables-dumps.d folder checked by systemcheck or so.) But then multiple firewall add-ons gets hard. Mutliple firewall add-ons and dumping, that kind of flexibility might be stretching what the Kicksecure ™ project may be able to implement." (From (Forum) Bolt on for whonix_firewall - best place to put files? )
  • systemcheck could use this iptables diff facility to warn the user of non-standard / unexpected rules present. And, just like unwanted packages, could ask the user to run e.g. iptables-save-whonix to establish a new baseline. systemcheck would then pass, unless something else had changed things user unexpectedly, at which point systemcheck would again warn.

Split Kicksecure ™ Firewall Script for better readability[edit]

From Patrick:
" I have been wondering for some time now if the firewall script should be split. A lot sections are being used by multiple packages, the firewall and vpn-firewall. Eventually further in future (corridor-gateway to be created one day)...

• error_handler
• source config folder
• IPv4 DEFAULTS
• IPv4 PREPARATIONS
• IPv4 DROP INVALID INCOMING PACKAGES
• IPv4 FORWARD
• IPv6
• more minor stuff (iptables_cmd, ip6tables_cmd)

Converted to shell functions. And added to helper-scripts.

The risk of changing firewall rules while refactoring is minimal because it can be verified:

However, the goal is to make the firewall scripts easier to read. Not more difficult to audit. I am not sure which style (all in one file vs split) makes it simpler at this point. "

• Early files in firewall config foleder could contain bash scripting of the form:

function ScriptFuncPreloadElement1() { script lines, e.g. $iptables_cmd ''blah''}

• • Optionally followed, for inline / immediate execution rather than hooking in later within firewall script, with:

ScriptFuncPreloadElement1
# (Within the same file == calling main().)

• • This separates code definition from code execution.
• "The other question with firewall code injection, pre/post hooks is when to dispatch them? When you want to dispatch them depends on what you actually want to implement."
• e.g.

if [ "$(type -t firewall_input_hook_end)" = "function" ]; then
   firewall_input_hook_end
fi

• • However, such would only allow a single call per hook. (User would have to chain all calls within whonix_firewall.d) Perhaps array variables instead. Code would then be something like ScriptFuncPreloadElement1() as above, then

firewall_input_hook_end[${#firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1

• • • It would be up to the user to appropriately manage the array ordering.
  • Hooks within the firewall would then walk the appropriate array at the appropriate time.

Reference: (Forum) torrents, and being a good tor citizen
Solution, part b demonstrates an example sample set of iptables rules that could be injected, within the firewall. (Proof of concept, only.)

Reference: (Forum) Favourite (whonix?) bash script boilerplate template?

• (begins) a corralling of a standard scripting framework.

See Also[edit]

• Firewall Unloading

Kicksecure ™ A secure by default operating system with the latest security research in place.

Donate

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

Dark mode

At Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.

Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Kicksecure ENCRYPTED SUPPORT LP, 2023

Donate

Kicksecure is free from corporate interest by being user funded. Thank you so much!

Scan the QR code or use the wallet address below.