- Install bpf-linker:
cargo install bpf-linker
- Blazingly fast
- Filter TCP and UDP with specified PORT
- Specified DNS reslover
- TCP state recognizer
- Aggressive TCP reset on first syn
[Client] [Firewall] [Server]
| | |
| -----> syn -----> | if NEW connection |
| | Firewall will act |
| <--- syn ack ---- | like it's serving |
| | our service |
| ------- ack ----> | |
| |it's actually dummy|
| <----- rst <----- | respone by XDP_TX |
| | |
| ------ syn -------------------------> |
| | |
| <--- syn ack ------------------------ |
| | |
| ------- ack ------------------------> |
| | |
| <-------- ESTABLISHED --------------> |
cargo sfw build-ebpfcargo buildcargo sfw buildRUST_LOG=info cargo sfw run -i <NIC> -c <path-to-config.toml>To perform a release build you can use the --release flag.
You may also change the target architecture with the --target flag.
simple-firewall use simple toml config pattern
tcp_inIncomming-Port a port from outside comming to us.(etc. web-browsing)tcp_outOutgoing-Port a port from our server to outside.(etc. serving website/service)udp_inIncomming-Port a port from outside comming to us.(etc. web-browsing)udp_outOutgoing-Port a port from our server to outside.(etc. serving website/service)
sfwconfig.toml
dns = ["208.67.222.222", "9.9.9.9"]
[tcp_in]
sport = []
dport = [4869,8000,8008]
[tcp_out]
sport = [22000,4869,8000, 8008]
dport = [22,80,443,8181,10022, 20086]
[udp_in]
sport = [22000,21027]
dport = [22000,21027]
[udp_out]
sport = [22000,21027]
dport = [22000,21027, 123, 67, 8443]
# 123 = NTP network time
# 67 = router
# 22 = ssh
# 80,443 = regular http
# 22000 and 21027 = syncthing
git clone https://github.com/vazw/simple-firewall.git && cd simple-firewall
cargo install bpf-linker
cargo sfw install --path <install-path> # Default is /usr/bin/then make a auto-startup script for it with sfw -i <NIC> -c <path-to-config.toml>
in my case I was using pkexec to auto-startup with my SwayWM started
.config/sway/config
exec pkexec sfw -i wlp1s0 -c /etc/sfw/sfwconfig.toml &