I’ve been working for some time on replacing the iptables based Symbiosis/Sympl firewall with a version that drives nftables. The system is written in Python 3. It’s now in a late beta state and I’ve had it running for some months on a couple of machines. It’s doing its job.
It’s called nftfw, and you can find it on github:
along with some suggested changes to your mail system
that will make exim4 and dovecot report more information to the firewall to keep the bad guys out. This is based on the files on your sympl system, and so the complete fileset can be dropped in.
There’s a bunch of documentation and explanations of how nftfw works and how to use it. There are installation instructions, and hints in what you need to install, and latterly a test suite.
What’s the deal?
Nftfw uses the same admin interface as Symbiosis/Sympl (because that’s the point), you can drive it from the files installed on your system, but it’s probably a good idea to use a separate set of control files because you’ll get more out of the system.
Nftfw used nftables sets to lookup ip addresses that you want to block. Adding a new ip address to these sets doesn’t mean a complete reload of the firewall, only the sets are reloaded. Sets mean that the ruleset is fairly slim.
The system allows you to provide feedback from firewall rejections to ensure that frequent visitors remain locked out.
The patterns.d directory can contain settings that tell ntffw how to extract log entries made by the nftables system in the logs, and it uses those to update its database. When the bad guys knock at your door again, they stay knocking.
Nftfw allows you to see what is happening on the firewall, who you are locking out. why they are locked out and how long it’s been since they started attacking you. If you install geoip2, you can see what countries they come from.
The listing program can also be inserted into a web page so you can view what’s happening remotely. Do make sure that you password protect the page.
There are several improvements. You can put a file expansion glob statement into the pattern files so one rule set can be used for all your websites under /srv. You can create testing pattern files to check if your regular expressions are working.
If you are interested in installng nftfw, please read the Installation document at least once before you start - the link is at the bottom of the nftfw github Readme page.
What do I want?
Well, please look at the last few paras on the Readme on nftfw github front page. I’m looking for people who are interested in helping to get this tested and in use more widely. Paul Cammish is interested in the
project for Sympl, but I think if it can be used on people’s systems it will help in making it a robust and tested alternative to the current system.
Over to you…