In the latest iteration of my home networking stack I am factoring out my firewall from my router into discrete unit. I decided to try a transparent firewall as this has the advantage of a reduced attack surface. Plus i used it as a chance to try out nftables. <\/p>\n\n\n\n
Hardware: I chose the raspberry pi compute module 4 with the DFRobot dual-nic carrier. This board is able to push about 1Gbit of traffic while consuming less than 2 watts of power! All this in about 2 inches square. To enable the 2nd NIC on this board I had to recompile the kernel – see my Recompiling the Kernel on the Pi Compute Module 4<\/a> post on this.<\/p>\n\n\n\n Once this is done, we enable the serial port so we can manage the firewall out of band. I specifically do not want a listening port on the firewall (remember, its transparent!). To do this I hooked up a FT232 USB->Serial converter to pins to the DFRobot headers. I then connect to the firewall using minicom, using 115200 8N1 for the serial params. Inside the pi ensure you run “raspi-config” and enable the serial port under the interfaces section. <\/p>\n\n\n\n I also turned off dhcpd to ensure the pi is only passing through – not actually on the network. “systemctl disable dhcpcd; systemctl stop dhcpd”<\/p>\n\n\n\n To get nftables, on the pi, I did have to install it: “apt-get install nftables.” Then we write some basic rules. Subjectively speaking, nftables is a lot nicer to write rules for than iptables, ebatables, etc. Here’s a brief sample:<\/p>\n\n\n A brief description of this example is apropos:<\/p>\n\n\n\n Note that for connection tracking inside a bridge<\/strong> i actually had to build my kernel yet again. If you don’t do this youll get “Protocol unsupported” errors if you try to do connection tracking inside a bridge. To enable this module, follow the same steps as in the procedure for adding realtek driver, however the menu item to enable in the kernel is under: “Networking support” -> “Networking options” -> “Network packet filtering framework” -> “IPV4\/IPV6 bridge connection tracking support”. Or just add “CONFIG_NF_CONNTRACK_BRIDGE=m” to your “.config” file inside the linux tree. Once this is done you need to ensure “nf_conntrack_bridge” is loaded: “modprobe nf_conntrack_bridge” should do you. <\/p>\n\n\n\n At this point we can do things like connection tracking INSIDE the bridge. Which is great. I won’t post my actual tableset, but here’s a beginning one that works well, allowing for ssh\/http\/https from the LAN (assuming LAN is on eth1), and only established connections and arp otherwise.<\/p>\n\n\n Unfortunately, all this fun on the pi doesn’t seem as readily available on centos. Cent 7.6 is still on a 3.x version of the kernel, and 8.4 is still on a 4.x version. You can upgrade to kernel using elrepo-kernel (http:\/\/elrepo.org\/tiki\/kernel-ml).<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" In the latest iteration of my home networking stack I am factoring out my firewall from my router into discrete unit. I decided to try a transparent firewall as this has the advantage of a reduced attack surface. Plus i used it as a chance to try out nftables. Hardware: I chose the raspberry pi … Continue reading Making a Transparent Firewall<\/span> \ntable inet firewallip {\n chain c1 {\n type filter hook input priority 0;\n meta nftrace set 1\n policy drop\n ip saddr 10.55.0.10 icmp type echo-request accept\n reject with icmp type host-unreachable\n }\n}\n<\/pre>\n\n\n\ntable bridge firewall {\n chain input {\n type filter hook input priority 0; policy drop;\n }\n chain output {\n type filter hook output priority 0; policy drop;\n }\n chain forward {\n type filter hook forward priority 0; policy drop;\n meta protocol {arp} accept\n ct state established,related accept\n iifname eth1 tcp dport {ssh,http,https} accept\n }\n}\n<\/pre>\n\n\n