Quickstart

[mrbluecoat]

Similar to gamemann/XDP-Firewall#4 , I put together a quickstart but it isn't working as expected:

apt -t buster-backports install -y -qq dnsutils libsodium-dev llvm clang libelf-dev libconfig-dev cmake git build-essential
git clone --recursive https://github.com/Barricade-FW/Firewall.git
cd Firewall
make && make install
cd ..

/sbin/ldconfig -v

EXAMPLEIP=$(dig +short example.com)

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "updatetime": 15,
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "dstip": "${EXAMPLEIP}",
            "action": 0
        }
    ]
}
EOF

service bfw start && service bfw status

Service appears to be running okay. I then run curl example.com expecting it to be blocked but it loads fine.

I've also tried

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "updatetime": 15,
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "dstip": "${EXAMPLEIP}",
            "action": 0,
            "tcpopts": [
                {
                    "enabled": true
                }
            ]
        }
    ]
}
EOF

but it gives me the same result

[mrbluecoat]

Also tried this without luck:

{
    "interface": "eth0", 
    "stats": true, 
    
    "filters": [
        {
            "enabled": true, 
            "action": 0, 
            
            "tcp_enabled": true, 
            "tcp_dport": 80, 
            
            "blocktime": 15
        }
    ]
}

[gamemann]

Hm, I've tried both configurations on my VM with the latest changes from the repo and it is blocking packets fine for me. Can you try execute bfw -l as root and provide the outputs?

[mrbluecoat]

# bfw -l
Details:
Interface Name => eth0
Update Time => 15
Stats: 1
Backbone IP: 
Backbone Port: 0

Filter #1:
ID => 1
Enabled => 1
Action => 0 (0 = Block, 1 = Allow).
Source IP => 0.0.0.0
Destination IP => 93.184.216.34
Max Length => 65535
Min Length => 0
Max TTL => 255
Min TTL => 0
TOS => 0
PPS => 0
BPS => 0
Block Time => 1

TCP Enabled => 0
TCP Source Port => 0
TCP Destination Port => 0
TCP URG Flag => 0
TCP ACK Flag => 0
TCP RST Flag => 0
TCP PSH Flag => 0
TCP SYN Flag => 0
TCP FIN Flag => 0

UDP Enabled => 0
UDP Source Port => 0
UDP Destination Port => 0

ICMP Enabled => 0
ICMP Code => 0
ICMP Type => 0

Some other log notes:

Jul 25 11:59:12 bfw[718]: libbpf: Kernel error message: underlying driver does not support XDP in native mode
Jul 25 11:59:12 bfw[718]: XDP-Native may not be supported with this NIC. Using SKB instead.
Jul 25 11:59:12 bfw[718]: Error connecting to backbone :: Network is unreachable.

Perhaps my NIC is just not compatible...

[gamemann]

The NIC's driver doesn't support XDP-native, but it did attach successfully with XDP generic (SKB mode) from the looks of it. So it should still be blocking packets still. I'm guessing the blocked statistic stays at 0 when attempting to access the site?

[mrbluecoat]

Correct. Also, one CPU is pegged at 100% due to bfw according to htop

[gamemann]

I've pushed a commit that should resolve that. It was due to the unfinished TCP client code for communication to the backbone. I've disabled that code for now.

I'm going to do some testing with the firewall shortly.

[gamemann]

I've setup two public VMs. One running Ubuntu 20.04 and the other running CentOS 8. I installed NGINX on both VMs along with a simple HTML website. I then installed the Barricade Firewall via git and tried the following config:

{
    "interface": "ens3",
    "stats": true,

    "filters": [
        {
                "enabled": true,
                "action": 0,

                "tcp_enabled": true,
                "tcp_dport": 80
        },
        {
                "enabled": true,
                "action": 1,

                "tcp_enabled": true,
                "tcp_dport": 443
        }
    ]
}

I've confirmed my packets were being blocked when accessing the website via HTTP (port 80) and packets were being allowed through when accessing via HTTPS (port 443):

https://g.gflclan.com/3045-07-25-2020-RgNV0B5C.png

https://g.gflclan.com/3046-07-25-2020-AldCOiN8.png

The CentOS 8 VM is running on kernel 5.7.10-1.el8.elrepo.x86_64 and the Ubuntu 20.04 VM is running on kernel 5.4.0-37-generic (default).

Are you able to perform a TCP dump (e.g. running the command tcpdump -i any port 80 -nne) and confirm the packets are coming through the interface you attached the XDP program to without being blocked by the XDP program? I'd make sure to compare the destination MAC address from the TCP dump with the interface you're attaching the XDP program to and ensure it's coming in on the right interface.

[mrbluecoat]

The CPU bug has been fixed - thanks! Here's the test you requested:

EXAMPLEIP=$(dig +short example.com)

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "updatetime": 15,
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "dstip": "${EXAMPLEIP}",
            "action": 0
        }
    ]
}
EOF

# curl -s example.com | grep illustrative
    <p>This domain is for use in illustrative examples in documents. You may use this

# tcpdump -i any port 80 -nne
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
07:57:13.879568 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 76: 192.168.31.134.57484 > 93.184.216.34.80: Flags [S], seq 818443804, win 64240, options [mss 1460,sackOK,TS val 3263957362 ecr 0,nop,wscale 7], length 0
07:57:13.900906  In ec:41:18:0b:81:8b ethertype IPv4 (0x0800), length 68: 93.184.216.34.80 > 192.168.31.134.57484: Flags [S.], seq 4273464640, ack 818443805, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
07:57:13.901038 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 56: 192.168.31.134.57484 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
07:57:13.901200 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 131: 192.168.31.134.57484 > 93.184.216.34.80: Flags [P.], seq 1:76, ack 1, win 502, length 75: HTTP: GET / HTTP/1.1
07:57:13.927245  In ec:41:18:0b:81:8b ethertype IPv4 (0x0800), length 62: 93.184.216.34.80 > 192.168.31.134.57484: Flags [.], ack 76, win 128, length 0
07:57:13.927841  In ec:41:18:0b:81:8b ethertype IPv4 (0x0800), length 1516: 93.184.216.34.80 > 192.168.31.134.57484: Flags [.], seq 1:1461, ack 76, win 128, length 1460: HTTP: HTTP/1.1 200 OK
07:57:13.927934 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 56: 192.168.31.134.57484 > 93.184.216.34.80: Flags [.], ack 1461, win 495, length 0
07:57:13.927842  In ec:41:18:0b:81:8b ethertype IPv4 (0x0800), length 187: 93.184.216.34.80 > 192.168.31.134.57484: Flags [P.], seq 1461:1592, ack 76, win 128, length 131: HTTP
07:57:13.928001 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 56: 192.168.31.134.57484 > 93.184.216.34.80: Flags [.], ack 1592, win 501, length 0
07:57:13.928392 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 56: 192.168.31.134.57484 > 93.184.216.34.80: Flags [F.], seq 76, ack 1592, win 501, length 0
07:57:13.954681  In ec:41:18:0b:81:8b ethertype IPv4 (0x0800), length 62: 93.184.216.34.80 > 192.168.31.134.57484: Flags [F.], seq 1592, ack 77, win 128, length 0
07:57:13.954782 Out 02:07:d5:79:64:45 ethertype IPv4 (0x0800), length 56: 192.168.31.134.57484 > 93.184.216.34.80: Flags [.], ack 1593, win 501, length 0

# tshark -i eth0 -f tcp -Y 'http.request' -V
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 12: 129 bytes on wire (1032 bits), 129 bytes captured (1032 bits) on interface 0
    Interface id: 0 (eth0)
        Interface name: eth0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 27, 2020 08:02:38.316279143 MST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1595862158.316279143 seconds
    [Time delta from previous captured frame: 0.000161165 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.321469865 seconds]
    Frame Number: 12
    Frame Length: 129 bytes (1032 bits)
    Capture Length: 129 bytes (1032 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http]
Ethernet II, Src: MS-NLB-PhysServer-07_d5:79:64:45 (02:07:d5:79:64:45), Dst: XiaomiEl_0b:81:8b (ec:41:18:0b:81:8b)
    Destination: XiaomiEl_0b:81:8b (ec:41:18:0b:81:8b)
        Address: XiaomiEl_0b:81:8b (ec:41:18:0b:81:8b)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: MS-NLB-PhysServer-07_d5:79:64:45 (02:07:d5:79:64:45)
        Address: MS-NLB-PhysServer-07_d5:79:64:45 (02:07:d5:79:64:45)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.31.134, Dst: 93.184.216.34
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 115
    Identification: 0x55b7 (21943)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xcec4 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.31.134
    Destination: 93.184.216.34
Transmission Control Protocol, Src Port: 57572, Dst Port: 80, Seq: 1, Ack: 1, Len: 75
    Source Port: 57572
    Destination Port: 80
    [Stream index: 1]
    [TCP Segment Len: 75]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 76    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0x166f [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.023119555 seconds]
        [Bytes in flight: 75]
        [Bytes sent since last PSH flag: 75]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.023280720 seconds]
        [Time since previous frame in this TCP stream: 0.000161165 seconds]
    TCP payload (75 bytes)
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: example.com\r\n
    User-Agent: curl/7.64.0\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://example.com/]
    [HTTP request 1/1]

[mrbluecoat]

# service bfw status
● bfw.service - Barricade Firewall.
   Loaded: loaded (/etc/systemd/system/bfw.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-07-27 07:53:48 MST; 11min ago
 Main PID: 5205 (bfw)
    Tasks: 1 (limit: 1018)
   Memory: 460.0K
   CGroup: /system.slice/bfw.service
           └─5205 /usr/bin/bfw

Jul 27 07:53:48 orangepioneplus systemd[1]: Started Barricade Firewall..
Jul 27 07:53:52 orangepioneplus bfw[5205]: libbpf: Kernel error message: underlying driver does not support XDP in na
Jul 27 07:53:52 orangepioneplus bfw[5205]: XDP-Native may not be supported with this NIC. Using SKB instead.

[mrbluecoat]

Testing overview:

curl https://example.com:443  <-- loads fine (right)
curl http://example.com:80  <-- loads fine (right)

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "dstip": "$(dig +short example.com)",
            "action": 0
        }
    ]
}
EOF

service bfw start

curl https://example.com:443  <-- loads fine (right)
curl http://example.com:80  <-- loads fine (wrong)

reboot

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "stats": true,

    "filters": [
        {
            "enabled": true,
            "action": 0,
            "tcp_enabled": true,
            "tcp_dport": 80
        }
    ]
}
EOF

service bfw start

curl https://example.com:443  <-- curl: (6) Could not resolve host: example.com (wrong)
curl http://example.com:80  <-- curl: (6) Could not resolve host: example.com (right)

service bfw stop

curl https://example.com:443  <-- curl: (6) Could not resolve host: example.com (wrong)
curl http://example.com:80  <-- curl: (6) Could not resolve host: example.com (wrong)

cat > /etc/bfw/bfw.conf <<EOF
{
    "interface": "eth0",
    "stats": true,

    "filters": [
        {
            "enabled": false,
            "action": 0,
            "tcp_enabled": true,
            "tcp_dport": 80
        }
    ]
}
EOF

service bfw start

bfw -l  <-- confirmed filter is listed as disabled

curl https://example.com:443  <-- curl: (6) Could not resolve host: example.com (wrong)
curl http://example.com:80  <-- curl: (6) Could not resolve host: example.com (wrong)

service bfw stop

curl https://example.com:443  <-- curl: (6) Could not resolve host: example.com (wrong)
curl http://example.com:80  <-- curl: (6) Could not resolve host: example.com (wrong)

reboot

curl https://example.com:443  <-- loads fine (right)
curl http://example.com:80  <-- loads fine (right)