Page MenuHomeVyOS Platform
Create Task
Maniphest T6040

Implement a firewall blacklisting solution
Open, LowPublicFEATURE REQUEST
Actions

Description

Before VyOS 1.4 and the move to NFTables we (ADESTIS) had a blacklisting solution for VyOS which was based on script files and the task scheduler.
During that time it was easy to manipulate ipsets.

With VyOS 1.4 and NFTables it's different and my plan was to implement a blacklisting solution within VyOS itself
which can be configured through the VyOS config.
The plan is to create a python module for the implementation itself so that if needed it could be reused from other parts of VyOS.

In order to discuss the features I think it's a good starting point to outline the configuration structure because it makes it easier to understand the different parts:

firewall
    blacklisting
        settings
            abuseipdb
                key
        group <group-name>
            scheduling
                task <task-name>
            sources
                generic-source <url>
                abuseipdb
                    - confidence-level <level>
            filter
                network <prefix>
                firewall-group <group-name>
            destination
                file <location>
                firewall-group <group-name>
            events
                - after-update
                    - script <location>
                    - [arguments]
                - before-update
                    - script <location>
                    - [arguments]

(common entries like description and disable are not named here but planned for all nodes/tagnodes)

The plan is to have one or multiple blacklisting groups which itself can query either generic urls or specific (at the moment we only have AbuseIP DB).
The collection and aggregation of the data is done according to the schedules.
Here it would be nice to reuse the existing system task-scheduler but for the moment it could get hard because it is not implemented as module.
(So there might be a separate task to first make it modular)

The aggregated data could then be filtered to remove whitelisting entries.
The filtered data could then be pushed out to either a file or to an firewall group.
For the last option another type of firewall group is required (if https://vyos.dev/T5493 will then exists already, maybe this could be used).

I am currently planing with events so that before and after updates custom actions could be triggered.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

adestis created this task.Feb 13 2024, 3:21 PM
adestis created this object in space S1 VyOS Public.
adestis updated the task description. (Show Details)Feb 13 2024, 3:34 PM
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Feb 13 2024, 3:42 PM
pasik added a subscriber: pasik.Feb 13 2024, 3:43 PM
adestis mentioned this in T5493: Add capability to use local and external dynamic-lists for firewall rules but also for various policies such as access-list, route-maps etc..Feb 13 2024, 4:20 PM
adestis added a subscriber: c-po.Feb 13 2024, 4:25 PM

@c-po in task T4797 (https://github.com/vyos/vyos-1x/pull/1648) you mentioned that the author should use the system task-scheduler feature.
I would understand this the same way as the author did:
The implementation of scheduling should be a module which could be reused by other features/extensions but the "cron" data should be stored separate from
what the user can schedule via the config.
But maybe you see it differently?

Giggum added a subscriber: Giggum.Mar 10 2024, 2:07 PM
hsw0 added a subscriber: hsw0.Mar 11 2024, 11:05 PM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 12:47 PM
adestis added a comment.Mon, Apr 15, 6:26 AM

I probably can continue here in summer at first.

Giggum added a comment.EditedFri, Apr 26, 2:06 AM

@adestis did your previous solution account for non-IP address characters in a given blocklist? For example the https://www.spamhaus.org/drop/dropv6.txt list has a bunch of stuff that would need to be ignored.

If not, to save you some trouble, I found some reference code in ipgrep that works well in processing files like above. One small edit is needed to include the โ€˜/โ€˜ character in the exclusion along with swapping ip_address for ip_network. Those two changes let it handle CIDR notation.

https://github.com/n-st/ipgrep.py

adestis added a comment.Fri, Apr 26, 7:28 AM

Hi Giggum,
our previous solution was IPv4 only and not so nice integrated in VyOS,
therefore there are several reasons why a rework is a good idea.

I like your hint about text (comments) in the output.
I will take into account that there is not only an IP address but also comments.
We probably work with a regex, so this should not be the problem as long as there are not more than one IP per line.

IPv4 and IPv6 must also be treated differently because they need to end up in different firewall groups.

Fortunately, the script you found has an MIT license which means that we can use it and add additional code on top.

Regards
Markus