userspace firewall that matches traffic based on endpoint application identity

RaduMantu/DAF

app-fw

A userspace network firewall capable of filtering traffic based on objects mapped in the address space of the processes that generate them.

Usage

First, create iptables rules to divert packets to our firewall through Netfilter Queue. Note that the queue numbers do not need to be 0-2, but these are the defaults used by app-fw in the absence of CLI overrides.

# iptables -I OUTPUT  -j NFQUEUE --queue-num 0 --queue-bypass
# iptables -I INPUT   -j NFQUEUE --queue-num 1 --queue-bypass
# iptables -I FORWARD -j NFQUEUE --queue-num 2 --queue-bypass

Optionally, add rules to redirect traffic to/from the docker bridge to our firewall.

# iptables -I FORWARD -i docker0 -j NFQUEUE --queue-num 0 --queue-bypass
# iptables -I FORWARD -o docker0 -j NFQUEUE --queue-num 1 --queue-bypass

Next, start the firewall. The only argument that needs to be passed is -e <ebpf_obj>. This eBPF object contains trace programs for certain system calls that cannot be monitored by other means (such as Netlink). For fine-tuning options, run with --help.

# ./bin/app-fw -e bin/syscall_probe.o

The firewall rules are managed via the ctl-fw companion app. In this example, we want to DROP traffic generated by /usr/bin/curl. To this end, we need to find its SHA256 sum. We recommend using ctl-fw for this, since it also outputs an aggregate hash if you specify more than one -H parameter. This is useful when you want to filter traffic based not only on one object but on all libraries loaded at runtime. Under normal circumstances, however, sha256sum does the job just as well.

$ sha256sum /usr/bin/curl
6a3cf1c479f446eb0ef266a2607cd4f6751a655937a7103f7657db6cb6b3f49a  /usr/bin/curl

Now knowing the SHA256 sum of curl, adding a new rule to DROP outgoing traffic with the destination of lwn.net (for example) is straightforward:

# ./bin/ctl-fw \
    -A         \
    -c OUTPUT  \
    -v DROP    \
    -d $(dig +short lwn.net) \
    --sng-hash $(sha256sum /usr/bin/curl | awk '{print $1}')

If we send an HTTP request via curl, the traffic will be blocked. You can check the app-fw output for confirmation that this was the result of our firewall rule. However, if you try accessing the same IP from a browser, the request will pass through.
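The steps above, gathered into one script, as an added example that is not part of the DAF project. It computes the object hash, resolves the hostname, and emits (or, with "apply", runs) one ctl-fw invocation per IPv4 address using the same flags as the README. Two practical details it handles that the one-liner above does not: `dig +short` may print CNAME targets or several A records, which the README's `-d $(dig +short lwn.net)` would pass as several words to a single -d, and a ctl-fw rule is inert unless the chain already diverts packets to the queue app-fw listens on, so apply mode checks that with `iptables -C` first. Assumed, not taken from the project: the script name add-drop-rule.sh, the CTL_FW location ./bin/ctl-fw, the README's default queue number 0 for OUTPUT, and the availability of dig and sha256sum (or shasum).

```shell
#!/bin/sh
# add-drop-rule.sh (hypothetical helper, not part of DAF): build and optionally
# apply app-fw DROP rules for one binary and one hostname, the way the README
# does by hand. Assumes ctl-fw at ./bin/ctl-fw (override with CTL_FW), the
# README's default queue numbers, and dig plus sha256sum/shasum on the PATH.

CTL_FW="${CTL_FW:-./bin/ctl-fw}"

# True if the argument is a lowercase 64-digit hex string (a SHA256 sum).
is_sha256() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# True if the argument is a single dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the SHA256 sum of a file, the value ctl-fw expects after --sng-hash.
# Fails if the file is unreadable or the hashing tool printed something odd.
object_hash() {
    path="$1"
    [ -r "$path" ] || { echo "object_hash: cannot read $path" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$path" | awk '{print $1}')
    else
        h=$(shasum -a 256 "$path" | awk '{print $1}')
    fi
    is_sha256 "$h" || { echo "object_hash: bad digest for $path" >&2; return 1; }
    printf '%s\n' "$h"
}

# Resolve a hostname to its IPv4 addresses, one per line. Only lines that are
# plain IPv4 addresses are kept, so CNAME targets from dig are dropped.
resolve_ipv4() {
    command -v dig >/dev/null 2>&1 || { echo "resolve_ipv4: dig not found" >&2; return 1; }
    dig +short "$1" A | while read -r addr; do
        is_ipv4 "$addr" && printf '%s\n' "$addr"
    done
}

# Print one ctl-fw invocation (the README's flags) without running it.
build_rule() {
    chain="$1"; verdict="$2"; hash="$3"; ip="$4"
    is_sha256 "$hash" || { echo "build_rule: not a SHA256 sum: $hash" >&2; return 1; }
    is_ipv4 "$ip" || { echo "build_rule: not an IPv4 address: $ip" >&2; return 1; }
    printf '%s -A -c %s -v %s -d %s --sng-hash %s\n' \
        "$CTL_FW" "$chain" "$verdict" "$ip" "$hash"
}

# Check that the chain already diverts packets to the queue app-fw listens on;
# without that rule the firewall never sees the traffic and the rule is inert.
queue_rule_present() {
    iptables -C "$1" -j NFQUEUE --queue-num "$2" --queue-bypass >/dev/null 2>&1
}

# Usage: add-drop-rule.sh <binary> <hostname> [apply]
# Prints the rules by default; "apply" runs them after checking the queue.
main() {
    binary="$1"; host="$2"; mode="${3:-print}"
    hash=$(object_hash "$binary") || exit 1
    addrs=$(resolve_ipv4 "$host")
    [ -n "$addrs" ] || { echo "no IPv4 address for $host" >&2; exit 1; }
    if [ "$mode" = apply ] && ! queue_rule_present OUTPUT 0; then
        echo "OUTPUT has no NFQUEUE rule for queue 0; see the iptables step" >&2
        exit 1
    fi
    for ip in $addrs; do
        cmd=$(build_rule OUTPUT DROP "$hash" "$ip") || exit 1
        # $cmd is deliberately unquoted so the shell splits it into arguments.
        if [ "$mode" = apply ]; then $cmd; else printf '%s\n' "$cmd"; fi
    done
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run `sh add-drop-rule.sh /usr/bin/curl lwn.net` to see the rules it would add, and append `apply` (as root, with app-fw running) to install them. Printing first is the point: the hash and the resolved addresses are what actually get enforced, so they are worth a look before they go in.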