Need help on ziti firewall

Currently, my device has two LAN networks configured:

  • eth0 - connected to the internet
  • eth2 - connected to the internal network

The current configuration in the ebpf_config.json file is as follows:

{"InternalInterfaces":[{"Name":"eth2", "OutboundPassThroughTrack": true, "PerInterfaceRules": false}],
 "ExternalInterfaces":[]}

I need assistance with setting up eth0 so that all incoming requests are blocked, while outgoing connections are allowed only to the Ziti controller's DNS IP. Can you help me configure this using zfw commands in user_rules.sh?

Here is the README file that can help you with what you are trying to do: GitHub - netfoundry/zfw: An EBPF based IPv4/IPv6 firewall with integrations for OpenZiti Zero-Trust Framework edge-routers and tunnellers

I tried this, but something is missing:

sudo zfw -L -z egress
EGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                				interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
accept 0000000000000000000000	udp	0.0.0.0/0           	35.xx.xx.xx/32                  dpts=53:53       	PASSTHRU to 35.xx.xx.xx/32      [eth0]
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [eth0]
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [eth0]
accept 0000000000000000000000	tcp	0.0.0.0/0           	35.xx.xx.xx/32                  dpts=443:443     	PASSTHRU to 35.xx.xx.xx/32      [eth0]
sudo zfw -L -z ingress
INGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                				interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 0000000000000000000000	udp	0.0.0.0/0           	100.64.0.2/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
accept 4OcvMNhXglb0bDxTCUZ4f1	tcp	0.0.0.0/0           	100.64.0.3/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 25PKCSIMbIHYqUbw6evT8K	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
Rule Count: 6 / 250000
prefix_tuple_count: 5 / 100000

ebpf config file
{"InternalInterfaces":[{"Name":"eth2", "OutboundPassThroughTrack": true, "PerInterfaceRules": false}],
 "ExternalInterfaces":[{"Name":"eth0", "OutboundPassThroughTrack": true, "PerInterfaceRules": true}]}

user_rules.sh

#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N eth0

# Reapply the egress rules
sudo zfw -I -c 35.xx.xx.xx -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N eth0
sudo zfw -I -c 35.xx.xx.xx -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N eth0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N eth0
sudo systemctl restart ziti-fw-init.service
sudo systemctl restart ziti-wrapper.service
sudo systemctl restart ziti-edge-tunnel.service

I would expect normal DNS to fail, and I want to resolve only my custom domains.
But still this is not using my firewall rule. Can you help me fix this?

telnet google.com 443
Trying 2404:6800:4004:801::200e...
Trying 172.217.26.238...
Connected to google.com.
Escape character is '^]'

Hi Vinoth:

You will want to add “eth0” as an external interface, and in /opt/openziti/bin/user/ you will want to copy user_rules.sh.sample to user_rules.sh. Then add the following lines to user_rules.sh. Note you will also want to add rules for other outbound traffic, i.e. DNS servers, so add as needed. Note SSH is enabled inbound by default; “zfw --disable-ssh” disables it. If you want to allow SSH into eth0, do not add this line.

/opt/openziti/bin/zfw -I -c -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N eth0
/opt/openziti/bin/zfw -I -c -m 32 -l -h -t 0 -p tcp -z egress -N eth0
/opt/openziti/bin/zfw --outbound-filter eth0
/opt/openziti/bin/zfw --disable-ssh

Assuming that you followed the install instructions at GitHub - netfoundry/zfw: An EBPF based IPv4/IPv6 firewall with integrations for OpenZiti Zero-Trust Framework edge-routers and tunnellers, you will then want to restart the firewall. Depending on the deployment type, this is how:

You can either reboot the device, i.e. “sudo reboot”, or, if

Standalone fw:

sudo systemctl restart fw-init.service

If ziti-router deployment:

sudo systemctl restart ziti-router.service

If ziti-edge-tunnel:

sudo systemctl restart ziti-edge-tunnel.service

Note, at a quick glance, what you are likely missing is
sudo zfw --outbound-filter eth0

Can you provide the output of “sudo zfw -L -E”?

sudo zfw -L -E
lo: 1
--------------------------
icmp echo               :1
pass non tuple          :1
ipv6 enable             :1
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :0
tc egress filter        :0
tun mode intercept      :0
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

enp1s0: 2
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :1
tc ingress filter       :1
tc egress filter        :1
tun mode intercept      :1
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

enp3s0: 3
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :1
tc egress filter        :1
tun mode intercept      :1
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

wlo1: 4
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :0
tc egress filter        :0
tun mode intercept      :0
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

ziti0: 5
--------------------------
verbose                 :0
cidr                    :100.64.0.0
resolver                :100.64.0.2
mask                    :10
--------------------------

Looks like that is what’s missing

sudo zfw --outbound-filter eth0

updated user_rules.sh

#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0

# Reapply the egress rules
#sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
#sudo zfw -I -c 35.xxx.xx.x -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw --outbound-filter enp1s0

sudo zfw -L -E

Should now show outbound_filter: 1 for enp1s0

Now I have this:

sudo zfw -L -E
lo: 1
--------------------------
icmp echo               :1
pass non tuple          :1
ipv6 enable             :1
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :0
tc egress filter        :0
tun mode intercept      :0
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

enp1s0: 2
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :1
per interface           :1
tc ingress filter       :1
tc egress filter        :1
tun mode intercept      :1
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

enp3s0: 3
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :1
tc egress filter        :1
tun mode intercept      :1
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

wlo1: 4
--------------------------
icmp echo               :0
pass non tuple          :0
ipv6 enable             :0
verbose                 :0
ssh disable             :0
outbound_filter         :0
per interface           :0
tc ingress filter       :0
tc egress filter        :0
tun mode intercept      :0
vrrp enable             :0
eapol enable            :0
ddos filtering          :0
masquerade              :0
--------------------------

ziti0: 6
--------------------------
verbose                 :0
cidr                    :100.64.0.0
resolver                :100.64.0.2
mask                    :10
--------------------------

and

#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0

# Reapply the egress rules
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw --outbound-filter enp1s0

telnet google.com 443
Trying 2404:6800:4004:801::200e...
Connected to google.com.
Escape character is '^]'

I'm expecting only

telnet ziti-controller.xxx.ai 443
Trying 35.xxx.xx.x...
Connected to ziti-controller.xxx.ai.
Escape character is '^]'.

But it's resolving everything; how do I restrict that?

Sorry, I think it's not resolving any domains now.

telnet ziti-controller.xxx.ai 443
telnet: could not resolve ziti-controller.xxx.ai/443: Temporary failure in name resolution

This is my user_rules.sh file:

#!/bin/bash
#sudo /usr/sbin/zfw -I -c 192.168.1.108 -m 32 -l 8000 -h 8000 -t 0 -p tcp
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z ingress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z ingress -d -N enp1s0

# Reapply the egress rules
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0
sudo zfw -I -c 35.xxx.xx.x -m 32 -l 443 -h 443 -t 0 -p tcp -z egress -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p tcp -z egress -d -N enp1s0
sudo zfw -I -c 0.0.0.0 -m 0 -l 0 -h 65535 -t 0 -p udp -z egress -d -N enp1s0
sudo zfw --outbound-filter enp1s0

Is 35.243.77.2 the IP address of the NetFoundry controller or a public DNS server? If it’s not a public DNS server, then you need to change the first rule to a reachable public DNS server, i.e. 1.1.1.1 or 8.8.8.8 etc.

That's not public DNS, that's the IP of the ziti-controller. How do I update that? And I need to make sure it resolves only my domain, not google or anything?

Tried adding this:
sudo zfw -I -c 1.1.1.1 -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0

But still the same result:

telnet ziti-controller.xxxx.ai 443
telnet: could not resolve ziti-controller.xxxx.ai/443: Temporary failure in name resolution

The controller is not a DNS server. You can configure your own DNS and sync with public DNS if you want custom domain filtering. The firewall does not filter application-layer-specific reply types, only at the TCP/UDP port level. You can issue the same command with -D instead of -I to remove an entry, i.e.

sudo zfw -D -c 35.xxx.xx.x -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0

Then add the new entry:

sudo zfw -I -c 8.8.8.8 -m 32 -l 53 -h 53 -t 0 -p udp -z egress -N enp1s0

sudo zfw -L
INGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                				interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 21wXRWsPgUCHUUEgnq2T62	tcp	0.0.0.0/0           	100.64.0.5/32                   dpts=1514:1514   	TUNMODE redirect:ziti0          []
accept 25PKCSIMbIHYqUbw6evT8K	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 4OcvMNhXglb0bDxTCUZ4f1	tcp	0.0.0.0/0           	100.64.0.3/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=55000:55000 	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=1515:1515   	TUNMODE redirect:ziti0          []
accept 0000000000000000000000	udp	0.0.0.0/0           	100.64.0.2/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
Rule Count: 8 / 250000
prefix_tuple_count: 7 / 100000
root@aly-gw:~# sudo zfw -L -z egress
EGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                				interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 0000000000000000000000	tcp	0.0.0.0/0           	35.xx.xx.xx/32                  dpts=443:443     	PASSTHRU to 35.xx.xx.xx/32      [enp1s0]
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enp1s0]
accept 0000000000000000000000	udp	0.0.0.0/0           	8.8.8.8/32                      dpts=53:53       	PASSTHRU to 8.8.8.8/32          [enp1s0]

Still it is not resolving:

telnet ziti-controller.xxxx.ai 443
telnet: could not resolve ziti-controller.xxxx.ai/443: Temporary failure in name resolution

What Linux distribution are you running? You need to create your DNS rule based on the resolver configured on your Linux system; if it’s not 1.1.1.1 or 8.8.8.8, it still will not work. If you don’t know, I suggest you issue sudo zfw --outbound-filter -d and then use tcpdump to filter a trace on port 53 to determine which DNS server you have configured on the system. The firewall does not redirect DNS; it only passes DNS to the DNS resolver you have configured, if the rule matches.

When you figure out which DNS server you are using and enter the correct rule, you can return to outbound filtering with sudo zfw --outbound-filter
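The check described in the two replies above (outbound_filter must be 1 on the external interface, and the udp/53 egress rule must point at the resolver the system actually uses), as an added example that is not from this thread or from the zfw project. It parses the "zfw -L -E" and "zfw -L -z egress" listing formats shown in the thread together with /etc/resolv.conf; the listings, the resolv.conf contents and the 198.51.100.7 controller address are constructed samples.

```python
# Added example (not from the thread or the zfw project): cross-check a zfw
# external-interface policy against the system resolver. Listings below are
# constructed samples in the thread's format; 198.51.100.7 stands in for the
# controller address, which is not a DNS server.
import ipaddress
import re

ZFW_E = """enp1s0: 2
--------------------------
outbound_filter         :1
per interface           :1
--------------------------
"""
# Egress listing in the thread's broken state: udp/53 is only allowed to the
# controller, so the outbound filter denies every real resolver.
ZFW_EGRESS = """EGRESS FILTERS:
type   service id             proto origin    destination     mapping:     interface list
accept 0000000000000000000000 udp   0.0.0.0/0 198.51.100.7/32 dpts=53:53   PASSTHRU to 198.51.100.7/32 [enp1s0]
deny   0000000000000000000000 udp   0.0.0.0/0 0.0.0.0/0       dpts=0:65535 PASSTHRU to 0.0.0.0/0       [enp1s0]
"""
# With systemd-resolved this file often holds only the 127.0.0.53 stub; feed
# the upstream servers from `resolvectl status` instead in that case.
RESOLV_CONF = "nameserver 1.1.1.1\nnameserver 8.8.8.8\n"
RULE = re.compile(r"^(accept|deny)\s+\S+\s+(tcp|udp)\s+\S+\s+(\S+)\s+"
                  r"dpts=(\d+):(\d+)\s+.*\[([^\]]*)\]")

def outbound_filter_enabled(zfw_e_text, iface):
    """True if `zfw -L -E` reports outbound_filter :1 for iface."""
    block = re.search(rf"^{re.escape(iface)}: \d+\n(.*?)(?:\n\n|\Z)",
                      zfw_e_text, re.S | re.M)
    return bool(block) and re.search(r"^outbound_filter\s*:1$",
                                     block.group(1), re.M) is not None

def dns_egress_networks(egress_text, iface):
    """Destinations with an accept udp rule covering port 53 on iface."""
    nets = []
    for line in egress_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        action, proto, dst, lo, hi, ifaces = m.groups()
        if (action == "accept" and proto == "udp"
                and int(lo) <= 53 <= int(hi) and iface in ifaces.split(",")):
            nets.append(ipaddress.ip_network(dst, strict=False))
    return nets

def unreachable_resolvers(egress_text, iface, resolv_conf_text):
    """Resolvers no udp/53 accept rule covers: the outbound filter drops these."""
    nets = dns_egress_networks(egress_text, iface)
    resolvers = [ipaddress.ip_address(l.split()[1])
                 for l in resolv_conf_text.splitlines() if l.startswith("nameserver")]
    return [str(r) for r in resolvers if not any(r in n for n in nets)]

def check(zfw_e_text, egress_text, resolv_conf_text, iface):
    """Findings to clear before trusting the external-interface policy."""
    findings = []
    if not outbound_filter_enabled(zfw_e_text, iface):
        findings.append(f"{iface}: outbound_filter is 0, egress rules not enforced")
    for r in unreachable_resolvers(egress_text, iface, resolv_conf_text):
        findings.append(f"{iface}: resolver {r} has no accept udp/53 egress rule")
    return findings
```

Run it against the real command outputs on the box (for example by substituting subprocess output for the constants) to see which resolver still needs a rule before re-enabling the outbound filter.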

It's on my Ubuntu OS. I think once I added the DNS address (1.1.1.1) in netplan for that network it fixed the issue, but the problem is Ziti DNS is not resolving now.

sudo zfw -L
INGRESS FILTERS:
type   service id            	proto	origin              	destination                     mapping:                				interface list
------ ----------------------	-----	-----------------	------------------		-------------------------------------------------------	-----------------
accept 4TNxRdBto8WarCRKehovn4	tcp	0.0.0.0/0           	100.64.0.7/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.13/32                  dpts=55000:55000 	TUNMODE redirect:ziti0          []
accept 1MWGDlo11hNhtKDhjPwfMl	tcp	0.0.0.0/0           	100.64.0.13/32                  dpts=1515:1515   	TUNMODE redirect:ziti0          []
deny   0000000000000000000000	tcp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enx04ab18fa49ad]
accept 26ZlMZPqTpxdFSOwcXBax6	tcp	0.0.0.0/0           	100.64.0.10/32                  dpts=5432:5432   	TUNMODE redirect:ziti0          []
accept 6t9odGe2YDe0wDR7I1XBEY	tcp	0.0.0.0/0           	100.64.0.5/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
deny   0000000000000000000000	udp	0.0.0.0/0           	0.0.0.0/0                       dpts=0:65535     	PASSTHRU to 0.0.0.0/0           [enx04ab18fa49ad]
accept PwNlFLbz8kRdSq9XSfyrU 	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept PwNlFLbz8kRdSq9XSfyrU 	tcp	0.0.0.0/0           	100.64.0.4/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
accept 4TNxRdBto8WarCRKehovn4	tcp	0.0.0.0/0           	100.64.0.6/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 4TNxRdBto8WarCRKehovn4	tcp	0.0.0.0/0           	100.64.0.8/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 25PKCSIMbIHYqUbw6evT8K	tcp	0.0.0.0/0           	100.64.0.11/32                  dpts=443:443     	TUNMODE redirect:ziti0          []
accept 4OcvMNhXglb0bDxTCUZ4f1	tcp	0.0.0.0/0           	100.64.0.9/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 0000000000000000000000	udp	0.0.0.0/0           	100.64.0.2/32                   dpts=53:53       	TUNMODE redirect:ziti0          []
accept udpU6AKYe9GuzBA7oWO0q 	tcp	0.0.0.0/0           	100.64.0.3/32                   dpts=443:443     	TUNMODE redirect:ziti0          []
accept 21wXRWsPgUCHUUEgnq2T62	tcp	0.0.0.0/0           	100.64.0.12/32                  dpts=1514:1514   	TUNMODE redirect:ziti0          []
accept 0000000000000000000000	tcp	0.0.0.0/0           	100.64.0.0/10                   dpts=443:443     	TUNMODE redirect:ziti0          []
telnet xxxx.xxxx.xxxx.ai 443
Trying 100.64.0.8...
telnet: Unable to connect to remote host: Connection refused

So technically the ziti-controller is the only public one, and all other URLs from Ziti DNS should also resolve, right? But currently the Ziti one is not resolving:

telnet keycloak.xxx.xxx 443
telnet: could not resolve keycloak.xxx.xxx/443: Temporary failure in name resolution