Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

How to refactor the firewall script while ensuring no unintended nftables changes occur.

Ensuring nftables Rules Remain Unchanged[edit]

1. Store the current nftables rules in the file nftables-old.

sudo nft --stateless list ruleset > nftables-old

2. Do activities, wait, etc.

3. Store the current nftables rules in the file nftables-new.

sudo nft --stateless list ruleset > nftables-new

4. Compare nftables-old and nftables-new.

Use a console diff viewer:

diff nftables-old nftables-new

Or use a graphical diff viewer:

meld nftables-old nftables-new

Ensuring nftables Rules Remain Unchanged During Firewall Refactoring[edit]

1. Store the current nftables rules in the file nftables-old.

sudo nft --stateless list ruleset > nftables-old

2. Refactor the Kicksecure firewall code.

3. Reload Kicksecure Firewall.

4. Store the current nftables rules in the file nftables-new.

sudo nft --stateless list ruleset > nftables-new

5. Compare nftables-old and nftables-new.

Use a console diff viewer:

diff nftables-old nftables-new

Or use a graphical diff viewer:

meld nftables-old nftables-new

systemcheck nftables Test[edit]

This feature does not exist yet.

• "systemcheck (which is somewhat a replacement for the lack of a test suite) could indeed be useful to check if the loaded nftables rules match a hardcoded nftables dump. Yes, with additional firewall add-ons, that would be challenging. These firewall add-ons could ship a dump that also gets verified (e.g., an nftables-dumps.d folder checked by systemcheck). However, managing multiple firewall add-ons with dumping might stretch what the Kicksecure project can realistically implement." (From (Forum) Bolt on for whonix_firewall - best place to put files?)
  • systemcheck could use this nftables diff functionality to warn users about non-standard or unexpected rules. Similar to unwanted package detection, it could prompt users to run a command such as nftables-save-whonix to establish a new baseline. systemcheck would then pass unless further unexpected changes occurred, at which point it would issue another warning.

Splitting the Kicksecure Firewall Script for Better Readability[edit]

From Patrick:
"I have been considering whether the firewall script should be split. Many sections are used by multiple packages, including the firewall and vpn-firewall. In the future, a corridor-gateway might also be introduced.

Sections that could be refactored into helper scripts:

• error_handler
• Source config folder
• IPv4 DEFAULTS
• IPv4 PREPARATIONS
• IPv4 DROP INVALID INCOMING PACKETS
• IPv4 FORWARD
• IPv6
• Additional minor components (nftables_cmd)

These sections could be converted into shell functions and moved to helper scripts.

The risk of altering firewall rules during refactoring is minimal because changes can be verified.

However, the primary goal is to make the firewall scripts easier to read, not harder to audit. I am unsure whether keeping everything in one file or splitting it up would be simpler at this stage."

• Early files in the firewall configuration folder could contain Bash scripting in the form:

function ScriptFuncPreloadElement1() { script lines, e.g. $nftables_cmd ''blah'' }

• • Optionally followed by inline execution within the same file:

ScriptFuncPreloadElement1
# (Within the same file == calling main().)

• • This approach separates code definition from execution.
• "Another question with firewall code injection and pre/post hooks is when they should be dispatched. This depends on what functionality you want to implement."
• Example:

if [ "$(type -t firewall_input_hook_end)" = "function" ]; then
   firewall_input_hook_end
fi

• • However, this would only allow a single call per hook. Users would need to chain all calls within whonix_firewall.d. Perhaps using array variables instead, with code such as:

firewall_input_hook_end[${#firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1

• • • Users would need to manage the array order appropriately.
  • Hooks within the firewall would then iterate through the array at the appropriate execution point.

Reference: (Forum) torrents, and being a good Tor citizen
Solution, part b demonstrates an example set of nftables rules that could be injected within the firewall. (Proof of concept only.)

Reference: (Forum) Favorite (Whonix?) Bash script boilerplate template?

• (Begins) a consolidation of a standard scripting framework.

See Also[edit]

• Firewall Unloading

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!