Simple config language firewall

Kernels & Hardware, configuring network, installing services

Simple config language firewall

Postby dryden » 2018-02-06 18:52

I will try to keep this succinct.

Problem: minimalistic firewall with persistent config
Constraint: not using Ansible
Environment: injecting config into a container
Current style: bind mounting configuration into the container and then running symlinking scripts inside the container.

So I have e.g. Apache config sitting in a tree like etc/apache2/config-available/file. For Apache it is very easy to symlink this tree into the actual system because Apache allows directory-style overrides.

There are also tools that do not allow this. I am trying to avoid having to change persistent config files.

So I change some config, either manually or with scripts, when I install the container, or I plan to repeat it using scripts.

Ultimately my goal is to have better Ansible-like automatic setup but I don't want to go there now because I like to edit files in place, instead of just playbooks.

That is to say: if I am inside the container, and I edit /etc/apache2/file, what actually happens is that I edit a real file on the host that is bind mounted into the container and then symlinked into place.

This is a pleasant way of doing things instead of constantly having to edit some playbook and then rerunning it.

At least for now, in any case, the current problem:

  • iptables-persistent does work based on pluggable config files but by default generates them on the host, can only be prevented with debconf ahead of time, and is not a pleasant configuration format but more a "save what you've done" style of operation
  • ferm is an extremely powerful configuration language but modification of the default settings does require changing the config file and the default config, although the program supports directory plugs, does not feature the include for it.
    Also for my use case the format is so similar to iptables that I might just as well write iptables directly.
  • if-pre-up.d allows you to easily code something but is not a pleasant solution
  • rc.local doesn't actually work in a Stretch container
  • uruk is pluggable but uses an ugly environment variables language
  • ufw is meant for scripting and as such would require executing commands on the container to then save the actual config on the host, which is also going to be in iptables-save format and would also require deleting some config files

Honestly I would have gone for rc.local if only it worked.

Stuff I haven't tested yet:

  • apf-firewall
  • firehol
  • uif
  • ipkungfu
  • fiaif

I know it sound silly to have the constraint of not executing some additional scripts to check things, ie. for safety I do not allow the symlinking script to unlink normal files and directories, only symlinks, but I could enhance that.

I could also just run container-specific scripts from the config tree.

But removing existing config files is going to bite me on package updates in the sense of upgrade questions.

I have been reading https://wiki.debian.org/ConfigPackages and realize that the typical way of going about this would probably be to just dpkg-divert the conf-files that I want to be out of the way.

This would have to be part in a rudimentary sense of the container setup scripts (package installation scripts) or find some standard way of checking the diversion using the re-symlinking scripts.

I realize that I am somewhat in between playbook and persistent config.

Ferm is actually pretty nice, but I haven't checked the other ones yet.
dryden
 
Posts: 80
Joined: 2015-02-04 08:54

Re: Simple config language firewall

Postby dryden » 2018-02-07 20:29

Thus far

  • ipkungfu also uses BASH variable syntax
  • apf-firewall is so complicated and the help document so difficult to read that you might just as well use shorewall or something like that instead
  • uif uses such a macabre configuration language that you're better off with anything else

So that only leaves firehol and fiaif on my list, I have seen firehol before and it is reasonably good although a bit hard to get started with maybe but mainly useful if you use the statistics gathering package that goes with it.

  • fiaif also uses a BASH variable configuration which renders it basically unusable
  • firehol is an excellently simple program but the language is more designed for dummies.

So for everything I have seen here, only ferm and firehol pass the grade for being good config-file based firewalls, uwf, I guess, is good for scripting, and other than that you are probably looking at more advanced firewalls such as shorewall.
dryden
 
Posts: 80
Joined: 2015-02-04 08:54


Return to System configuration

Who is online

Users browsing this forum: No registered users and 9 guests

fashionable