Feature #7701
openfirewall: configurable default policies
Description
For discussion. There are 2 ideas here:
1. allow different actions than plain drop: e.g. reject.
2. allow default accept:hook hooks so we can insert new hooks w/o breaking existing rulesets
Also, so far it seems like the request_started/response_started hooks would most likely fit a default accept:hook as well.
VJ Updated by Victor Julien 8 months ago
- Related to Story #7583: 9.0.0: usecase: improve firewall usecase added
VJ Updated by Victor Julien 3 months ago
- Has duplicate Feature #8203: firewall: add configuration option for a reject default action. added
VJ Updated by Victor Julien 2 months ago
- Has duplicate Feature #8281: Add reject as a default action for firewall mode added
JL Updated by Jamie Lavigne about 1 month ago
It kind of combines 1 and 2, but allowing a default action of accept:hook combined with visibility into what the default action matches would be very valuable for testing new rulesets in a non-destructive way before enabling enforcement.
Inserting a firewall into an existing environment is a potentially dangerous operation if it ends up blocking traffic unintentionally. The two ideas above would allow a user to first configure the firewall in a way that evaluates rules and tells you what it would block but does not take any blocking action, so the user can validate the ruleset before switching the default action to blocking.
VJ Updated by Victor Julien 18 days ago
How about a simple YAML structure like this?
firewall:
policies:
packet:
filter: "drop:packet"
pre_flow: "accept:hook"
pre_stream: "accept:hook"
app:
http1:
request_started: "accept:hook"
request_line: "accept:hook"
request_headers: "drop:flow"
tls:
client_in_progress: "accept:hook"
client_hello_done: "drop:flow"
YD Updated by Yash Datre 13 days ago
We also need configurable alerts on the default action for monitoring.
AP Updated by Aneesh Patel 1 day ago
For default actions we are thinking to have the following settings:
- Verdict scope:
- hook (existing)
- packet (existing)
- flow (existing)
- tx (existing)
In addition to the above, * we would like the equivalent of flow and packet scope that will still send packets to the IPS engine* (flow and packet bypass right now and tx is not a true flow-scoped verdict)
- Action:
- drop (existing)
- accept (existing)
- reject
- accept with alert (this one would accept, but log an alert log as well showing that the default action was hit at that hook)
JL Updated by Jamie Lavigne about 16 hours ago
Victor Julien wrote in #note-5:
How about a simple YAML structure like this?
[...]
I think this would be great to support configuring default actions per hook. I suppose doing that could also help (partially) solve the problem of introducing new hook points later, because Suricata effectively punts that problem to its users. It would be useful to have something like an explicit mode that forces you to fully specify them all in the yaml (no implicit defaults). That would take the surprises out of upgrading because you would be forced to notice the addition of new hook points and to provide a default action for them.
AP Updated by Aneesh Patel about 1 hour ago
I think that makes sense and would definitely fit our use-case - I was envisioning something similar as well