Currently, my device has two LAN networks configured:
eth0 - connected to the interneteth2 - connected to the internal network
The current configuration in the ebpf_config.json file is as follows:
{"InternalInterfaces":[{"Name":"eth2", "OutboundPassThroughTrack": true, "PerInterfaceRules": false}],
"ExternalInterfaces":[]}
I need assistance with setting up eth0 so that all incoming requests are blocked, while outgoing connections are allowed only to the Ziti controller's DNS IP. Can you help me configure this using zfw command into user_rules.sh?
i tried this but something is missing
sudo zfw -L -z egress
EGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
accept 0000000000000000000000 udp 0.0.0.0/0 35.xx.xx.xx/32 dpts=53:53 PASSTHRU to 35.xx.xx.xx/32 [eth0]
deny 0000000000000000000000 tcp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [eth0]
deny 0000000000000000000000 udp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [eth0]
accept 0000000000000000000000 tcp 0.0.0.0/0 35.xx.xx.xx/32 dpts=443:443 PASSTHRU to 35.xx.xx.xx/32 [eth0]
sudo zfw -L -z ingress
INGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
deny 0000000000000000000000 udp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
deny 0000000000000000000000 tcp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
accept 0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
accept 4OcvMNhXglb0bDxTCUZ4f1 tcp 0.0.0.0/0 100.64.0.3/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 25PKCSIMbIHYqUbw6evT8K tcp 0.0.0.0/0 100.64.0.4/32 dpts=443:443 TUNMODE redirect:ziti0 []
Rule Count: 6 / 250000
prefix_tuple_count: 5 / 100000
ebf config file
{"InternalInterfaces":[{"Name":"eth2", "OutboundPassThroughTrack": true, "PerInterfaceRules": false}],
"ExternalInterfaces":[{"Name":"eth0", "OutboundPassThroughTrack": true, "PerInterfaceRules": true}]}
user_rules.sh
#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N eth0
# Reapply the egress rules
sudo zfw -I -c 35.xx.xx.xx -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N eth0
sudo zfw -I -c 35.xx.xx.xx -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N eth0
sudo systemctl restart ziti-fw-init.service
sudo systemctl restart ziti-wrapper.service
sudo systemctl restart ziti-edge-tunnel.service
I would expect normal dns should fail, and i want to resolve only my custom domainseth0 so that all incoming requests are blocked, while outgoing connections are allowed only to the Ziti controller's DNS IP. Can you help me configure this using zfw command into user_rules.sh?
telnet google.com 443
Trying 2404:6800:4004:801::200e...
Trying 172.217.26.238...
Connected to google.com.
Escape character is '^]'
Hi Vinoth:
You will want to add “eth0” as an external interface and in /opt/openziti/bin/user/ you will want to copy user_rules.sh.sample to user_rules.sh. Then add the following lines to user_rules.sh. Note you will also want to add rules for other outbound traffic i.e. dns servers so add as needed. Note ssh is enabled inbound by default “zfw --disable-ssh ” disables it. If you want to allow ssh into eth0 do not add this line.
/opt/openziti/bin/zfw -I -c -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N eth0
Assuming that you followed the install instructions at GitHub - netfoundry/zfw: An EBPF based IPv4/IPv6 firewall with integrations for OpenZiti Zero-Trust Framework edge-routers and tunnellers . You will then want to restart the firewall. Depending on which deployment type this is how:
You can either reboot the device i.e “sudo reboot” or if
Standalone fw:
sudo systemctl restart fw-init.service
If ziti-router deployment
sudo systemctl restart ziti-router.service
If ziti-edge-tunnel:
sudo systemctl restart ziti-edge-tunnel.service
Note at quick glance what you are likely missing is
Can you provide output of “sudo zfw -L -E”
rcsoleng:
sudo zfw -L -E
sudo zfw -L -E
lo: 1
--------------------------
icmp echo :1
pass non tuple :1
ipv6 enable :1
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
enp1s0: 2
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :1
tc ingress filter :1
tc egress filter :1
tun mode intercept :1
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
enp3s0: 3
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :1
tc egress filter :1
tun mode intercept :1
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
wlo1: 4
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
ziti0: 5
--------------------------
verbose :0
cidr :100.64.0.0
resolver :100.64.0.2
mask :10
--------------------------
Looks like that is what’s missing
sudo zfw —outbound-filter eth0
updated user.sh
#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0
# Reapply the egress rules
#sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
#sudo zfw -I -c 35.xxx.xx.x -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw —outbound-filter enp1s0
sudo zfw -L -E
Should now show outbound_filter: 1 for enp1s0
[quote="rcsoleng, post:9, topic:3295"]
sudo zfw -L -E
lo: 1
--------------------------
icmp echo :1
pass non tuple :1
ipv6 enable :1
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
enp1s0: 2
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :1
per interface :1
tc ingress filter :1
tc egress filter :1
tun mode intercept :1
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
enp3s0: 3
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :1
tc egress filter :1
tun mode intercept :1
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
wlo1: 4
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
--------------------------
ziti0: 6
--------------------------
verbose :0
cidr :100.64.0.0
resolver :100.64.0.2
mask :10
--------------------------
and
#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0
# Reapply the egress rules
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw --outbound-filter enp1s0
telnet google.com 443google.com .
im expecting only
telnet ziti-controller.xxx.ai 443
but its resolving everything how to restrict that?
sorry i think its not resolving any domains now
telnet ziti-controller.xxx.ai 443
telnet: could not resolve ziti-controller.xxx.ai/443: Temporary failure in name resolution
this is my users.sh file
#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0
# Reapply the egress rules
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
sudo zfw -I -c 35.xxx.xx.x-m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw --outbound-filter enp1s0
Is 35.243.77.2 the IP address of the Netfoundry controller or a public DNS server? If it’s not a public DNS server then you need to change the first rule to a reachable public dns server i.e 1.1.1.1 or 8.8.8.8 etc.
thats not public dns, thats the ip of ziti-controller. how to update that? and i need to make sure it resolves only my domain? not google or anything?
tried adding this
but still the same result
telnet ziti-controller.xxxx.ai 443
The controller is not a dns server. You can configure your own dns and sync with public if you want custom domain filtering. The firewall does not filter application layer specific reply types only tcp/udp port level. You can issue the same command with -D instead of -I to remove an entry i.e.
sudo zfw -D -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
The add new entry
sudo zfw -I -c 8.8.8.8 -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
sudo zfw -L
INGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
deny 0000000000000000000000 tcp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
accept 21wXRWsPgUCHUUEgnq2T62 tcp 0.0.0.0/0 100.64.0.5/32 dpts=1514:1514 TUNMODE redirect:ziti0 []
accept 25PKCSIMbIHYqUbw6evT8K tcp 0.0.0.0/0 100.64.0.4/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 4OcvMNhXglb0bDxTCUZ4f1 tcp 0.0.0.0/0 100.64.0.3/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 1MWGDlo11hNhtKDhjPwfMl tcp 0.0.0.0/0 100.64.0.6/32 dpts=55000:55000 TUNMODE redirect:ziti0 []
accept 1MWGDlo11hNhtKDhjPwfMl tcp 0.0.0.0/0 100.64.0.6/32 dpts=1515:1515 TUNMODE redirect:ziti0 []
accept 0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
deny 0000000000000000000000 udp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
Rule Count: 8 / 250000
prefix_tuple_count: 7 / 100000
root@aly-gw:~# sudo zfw -L -z egress
EGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
deny 0000000000000000000000 udp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
accept 0000000000000000000000 tcp 0.0.0.0/0 35.xx.xx.xx/32 dpts=443:443 PASSTHRU to 35.xx.xx.xx/32 [enp1s0]
deny 0000000000000000000000 tcp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enp1s0]
accept 0000000000000000000000 udp 0.0.0.0/0 8.8.8.8/32 dpts=53:53 PASSTHRU to 8.8.8.8/32 [enp1s0]
Still it is not resolving
telnet ziti-controller.xxxx.ai 443
telnet: could not resolve ziti-controller.xxxx.ai/443: Temporary failure in name resolution
What Linux distribution are you running are you running under you need to create your dns rule based on the resolver configured on your Linux system if it’s not not 1.1.1.1,8.8.8.8 because it still will not work. If you don’t know I suggest you issue sudo zfw —outbound-filter -d and then use tcpdump to filter a trace on port 53
When you figure out which dns server you are using and enter the correct rule you can return to outbound filtering with sudo zfw —outbound-filtering
Its on my ubuntu OS, I think once i add dns address(1.1.1.1) in netplan for that network it fixed the issue, but problem is ziti DNS is not resolving now
sudo zfw -L
INGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
accept 4TNxRdBto8WarCRKehovn4 tcp 0.0.0.0/0 100.64.0.7/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 1MWGDlo11hNhtKDhjPwfMl tcp 0.0.0.0/0 100.64.0.13/32 dpts=55000:55000 TUNMODE redirect:ziti0 []
accept 1MWGDlo11hNhtKDhjPwfMl tcp 0.0.0.0/0 100.64.0.13/32 dpts=1515:1515 TUNMODE redirect:ziti0 []
deny 0000000000000000000000 tcp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enx04ab18fa49ad]
accept 26ZlMZPqTpxdFSOwcXBax6 tcp 0.0.0.0/0 100.64.0.10/32 dpts=5432:5432 TUNMODE redirect:ziti0 []
accept 6t9odGe2YDe0wDR7I1XBEY tcp 0.0.0.0/0 100.64.0.5/32 dpts=443:443 TUNMODE redirect:ziti0 []
deny 0000000000000000000000 udp 0.0.0.0/0 0.0.0.0/0 dpts=0:65535 PASSTHRU to 0.0.0.0/0 [enx04ab18fa49ad]
accept PwNlFLbz8kRdSq9XSfyrU tcp 0.0.0.0/0 100.64.0.4/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept PwNlFLbz8kRdSq9XSfyrU tcp 0.0.0.0/0 100.64.0.4/32 dpts=53:53 TUNMODE redirect:ziti0 []
accept 4TNxRdBto8WarCRKehovn4 tcp 0.0.0.0/0 100.64.0.6/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 4TNxRdBto8WarCRKehovn4 tcp 0.0.0.0/0 100.64.0.8/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 25PKCSIMbIHYqUbw6evT8K tcp 0.0.0.0/0 100.64.0.11/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 4OcvMNhXglb0bDxTCUZ4f1 tcp 0.0.0.0/0 100.64.0.9/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
accept udpU6AKYe9GuzBA7oWO0q tcp 0.0.0.0/0 100.64.0.3/32 dpts=443:443 TUNMODE redirect:ziti0 []
accept 21wXRWsPgUCHUUEgnq2T62 tcp 0.0.0.0/0 100.64.0.12/32 dpts=1514:1514 TUNMODE redirect:ziti0 []
accept 0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=443:443 TUNMODE redirect:ziti0 []
telnet xxxx.xxxx.xxxx.ai 443
Trying 100.64.0.8...
telnet: Unable to connect to remote host: Connection refused
So technically ziti-controller is only public one and all other urls from ziti DNS should also resolves right? but current ziti one is not resolving,
telnet keycloak.xxx.xxx 443
telnet: could not resolve keycloak.xxx.xxx/443: Temporary failure in name resolution