Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

How to refactor the firewall script while being sure there are no iptables or nftables changes

Instructions[edit]

1) Store current iptables rules to file a.

sudo iptables-save-deterministic > a

2) Refactor the Kicksecure firewall code.

3) Reload Kicksecure Firewall.

4) Store current iptables rules to file b.

sudo iptables-save-deterministic > b

5) Compare files a and b.

Use console diff viewer or...

diff a b

Use a graphical diff viewer.

meld a b

6) There should be no diff.

nftables[edit]

sudo nft --stateless list ruleset > nftables-old

sudo nft --stateless list ruleset > nftables-new

systemcheck iptables test[edit]

Does not exist yet.

• "systemcheck (which is somewhat a replacement for the lack of test suite) could indeed be useful to check if the loaded iptables rules match a hardcoded iptables dump. Yes, with additional firewalll add-ons that would be hard. Then these firewall add-ons could ship a dump that also gets verified. (iptables-dumps.d folder checked by systemcheck or so.) But then multiple firewall add-ons gets hard. Mutliple firewall add-ons and dumping, that kind of flexibility might be stretching what the Kicksecure project may be able to implement." (From (Forum) Bolt on for whonix_firewall - best place to put files? )
  • systemcheck could use this iptables diff facility to warn the user of non-standard / unexpected rules present. And, just like unwanted packages, could ask the user to run e.g. iptables-save-whonix to establish a new baseline. systemcheck would then pass, unless something else had changed things user unexpectedly, at which point systemcheck would again warn.

Split Kicksecure Firewall Script for better readability[edit]

From Patrick:
" I have been wondering for some time now if the firewall script should be split. A lot sections are being used by multiple packages, the firewall and vpn-firewall. Eventually further in future (corridor-gateway to be created one day)...

• error_handler
• source config folder
• IPv4 DEFAULTS
• IPv4 PREPARATIONS
• IPv4 DROP INVALID INCOMING PACKAGES
• IPv4 FORWARD
• IPv6
• more minor stuff (iptables_cmd, ip6tables_cmd)

Converted to shell functions. And added to helper-scripts.

The risk of changing firewall rules while refactoring is minimal because it can be verified:

However, the goal is to make the firewall scripts easier to read. Not more difficult to audit. I am not sure which style (all in one file vs split) makes it simpler at this point. "

• Early files in firewall config foleder could contain bash scripting of the form:

function ScriptFuncPreloadElement1() { script lines, e.g. $iptables_cmd ''blah''}

• • Optionally followed, for inline / immediate execution rather than hooking in later within firewall script, with:

ScriptFuncPreloadElement1
# (Within the same file == calling main().)

• • This separates code definition from code execution.
• "The other question with firewall code injection, pre/post hooks is when to dispatch them? When you want to dispatch them depends on what you actually want to implement."
• e.g.

if [ "$(type -t firewall_input_hook_end)" = "function" ]; then
   firewall_input_hook_end
fi

• • However, such would only allow a single call per hook. (User would have to chain all calls within whonix_firewall.d) Perhaps array variables instead. Code would then be something like ScriptFuncPreloadElement1() as above, then

firewall_input_hook_end[${#firewall_input_hook_end[@]}]=ScriptFuncPreloadElement1

• • • It would be up to the user to appropriately manage the array ordering.
  • Hooks within the firewall would then walk the appropriate array at the appropriate time.

Reference: (Forum) torrents, and being a good tor citizen
Solution, part b demonstrates an example sample set of iptables rules that could be injected, within the firewall. (Proof of concept, only.)

Reference: (Forum) Favourite (whonix?) bash script boilerplate template?

• (begins) a corralling of a standard scripting framework.

See Also[edit]

• Firewall Unloading

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!