Feature #7701
openfirewall: configurable default policies
Description
For discussion. There are 2 ideas here:
1. allow different actions than plain drop: e.g. reject.
2. allow default accept:hook hooks so we can insert new hooks w/o breaking existing rulesets
Also, so far it seems like the request_started/response_started hooks would most likely fit a default accept:hook as well.
VJ Updated by Victor Julien 9 months ago
- Related to Story #7583: 9.0.0: usecase: improve firewall usecase added
VJ Updated by Victor Julien 4 months ago
- Has duplicate Feature #8203: firewall: add configuration option for a reject default action. added
VJ Updated by Victor Julien 3 months ago
- Has duplicate Feature #8281: Add reject as a default action for firewall mode added
JL Updated by Jamie Lavigne about 2 months ago
It kind of combines 1 and 2, but allowing a default action of accept:hook combined with visibility into what the default action matches would be very valuable for testing new rulesets in a non-destructive way before enabling enforcement.
Inserting a firewall into an existing environment is a potentially dangerous operation if it ends up blocking traffic unintentionally. The two ideas above would allow a user to first configure the firewall in a way that evaluates rules and tells you what it would block but does not take any blocking action, so the user can validate the ruleset before switching the default action to blocking.
VJ Updated by Victor Julien about 1 month ago
How about a simple YAML structure like this?
firewall:
policies:
packet:
filter: "drop:packet"
pre_flow: "accept:hook"
pre_stream: "accept:hook"
app:
http1:
request_started: "accept:hook"
request_line: "accept:hook"
request_headers: "drop:flow"
tls:
client_in_progress: "accept:hook"
client_hello_done: "drop:flow"
YD Updated by Yash Datre about 1 month ago
We also need configurable alerts on the default action for monitoring.
AP Updated by Aneesh Patel 21 days ago
For default actions we are thinking to have the following settings:
- Verdict scope:
- hook (existing)
- packet (existing)
- flow (existing)
- tx (existing)
In addition to the above, * we would like the equivalent of flow and packet scope that will still send packets to the IPS engine* (flow and packet bypass right now and tx is not a true flow-scoped verdict)
- Action:
- drop (existing)
- accept (existing)
- reject
- accept with alert (this one would accept, but log an alert log as well showing that the default action was hit at that hook)
JL Updated by Jamie Lavigne 21 days ago
Victor Julien wrote in #note-5:
How about a simple YAML structure like this?
[...]
I think this would be great to support configuring default actions per hook. I suppose doing that could also help (partially) solve the problem of introducing new hook points later, because Suricata effectively punts that problem to its users. It would be useful to have something like an explicit mode that forces you to fully specify them all in the yaml (no implicit defaults). That would take the surprises out of upgrading because you would be forced to notice the addition of new hook points and to provide a default action for them.
AP Updated by Aneesh Patel 20 days ago
I think that makes sense and would definitely fit our use-case - I was envisioning something similar as well
VJ Updated by Victor Julien 20 days ago
- Related to Feature #8480: firewall: allow specifying multiple actions added
VJ Updated by Victor Julien about 4 hours ago
- Status changed from Feedback to In Progress
- Target version changed from TBD to 9.0.0-beta1
VJ Updated by Victor Julien about 1 hour ago
One annoying issue popped up: our yaml parser doesn't like underscores in the keys. So to make it work a snipped would look like this
firewall:
policies:
dns:
request-started:
- "accept:hook"
request-complete:
- "drop:flow"
response-started:
- "accept:hook"
response-complete:
- "drop:flow"
Wonder if that should mean we also update the rule syntax to match it. So
accept:hook dns:request-started any any -> any any (...).VJ Updated by Victor Julien about 1 hour ago
Another thing I didn't realize before: when we invoke the default policy we have no signature, so we can't raise an alert either. I was thinking about adding alert the example above:
firewall:
policies:
dns:
request-started:
- "accept:hook"
request-complete:
- "drop:flow"
- "alert"
response-started:
- "accept:hook"
response-complete:
- "drop:flow"
However that would not make sense currently. Alerts needs signatures. Need to think about that or if that alert is simply the wrong tool here and we need a dedicated log type (#8479).