XDP-Firewall/README.md
Christian Deacon 9af761640b Updated README.
2020-05-06 03:19:30 +00:00

# XDP Firewall
## Description
An XDP firewall that reads its filtering rules from a config file. It currently supports IPv4 only, and the protocols TCP, UDP, and ICMP. The program also prints accepted and blocked packet statistics, which can be disabled if needed.
## Command Line Usage
The following command line arguments are supported:
* `--config -c` => Path to the config file. Default => **/etc/xdpfw/xdpfw.conf**.
* `--list -l` => List all filtering rules read from the config file.
* `--help -h` => Print help menu for command line options.
## Configuration File Options
### Main
* `interface` => The interface for the XDP program to attach to.
* `updatetime` => How often to re-read the config file and reload the filtering rules. Leaving this at 0 disables auto-updating.
* `nostats` => If true, no accepted/blocked packet statistics will show.
### Filters
Config option `filters` is an array. Each filter includes the following options:
**Main**
* `enabled` => If true, this rule is enabled.
* `action` => What action to perform against the packet if matched. 0 = Block. 1 = Allow.
* `srcip` => The source IP to match (e.g. 10.50.0.3).
* `dstip` => The destination IP to match (e.g. 10.50.0.4).
* `min_ttl` => The minimum TTL (time to live) the packet must have to match.
* `max_ttl` => The maximum TTL (time to live) the packet may have to match.
* `max_len` => The maximum packet length the packet may have to match. This is the length of the entire frame (Ethernet header, IP header, L4 header, and data).
* `min_len` => The minimum packet length the packet must have to match. This is the length of the entire frame (Ethernet header, IP header, L4 header, and data).
* `tos` => The TOS (type of service) the packet has to match.
* `payloadmatch` => The payload (L4 data) the packet has to match, given as hexadecimal bytes separated by spaces, for example `FF FF FF FF 59`.
**TCP Options**
The config option `tcpopts` within a filter is an array of TCP options; it should contain only one entry per filter. Options include:
* `enabled` => If true, check for TCP-specific matches.
* `sport` => The source port the packet must match.
* `dport` => The destination port the packet must match.
* `urg` => If true, the packet must have the `URG` flag set to match.
* `ack` => If true, the packet must have the `ACK` flag set to match.
* `rst` => If true, the packet must have the `RST` flag set to match.
* `psh` => If true, the packet must have the `PSH` flag set to match.
* `syn` => If true, the packet must have the `SYN` flag set to match.
* `fin` => If true, the packet must have the `FIN` flag set to match.
**UDP Options**
The config option `udpopts` within a filter is an array of UDP options; it should contain only one entry per filter. Options include:
* `enabled` => If true, check for UDP-specific matches.
* `sport` => The source port the packet must match.
* `dport` => The destination port the packet must match.
**ICMP Options**
The config option `icmpopts` within a filter is an array of ICMP options; it should contain only one entry per filter. Options include:
* `enabled` => If true, check for ICMP-specific matches.
* `code` => The ICMP code the packet must match.
* `type` => The ICMP type the packet must match.
**Note** - Within a filter, every option other than the main `enabled` and `action` is **not** required. This means you do not have to define unused options in your config.
## Configuration Example
Here's an example of a config:
```
interface = "ens18";
updatetime = 15;
filters = (
    {
        enabled = true,
        action = 0,
        udpopts = (
            {
                enabled = true,
                dport = 27015
            }
        )
    },
    {
        enabled = true,
        action = 1,
        tcpopts = (
            {
                enabled = true,
                syn = true,
                dport = 27015
            }
        )
    },
    {
        enabled = true,
        action = 0,
        icmpopts = (
            {
                enabled = true,
                code = 0
            }
        )
    },
    {
        enabled = true,
        action = 0,
        srcip = "10.50.0.4"
    }
);
```
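To make the filter options and the example above concrete, here is a pure-Python reference model of the rule matching as the README describes it. It is an added example written for this page, not the project's code (which runs as an XDP program in the kernel). It encodes the configuration example as Python structures, builds a few constructed test frames, and reports the verdict the rules give. Where the README leaves something unstated (evaluation order, the verdict for a packet that matches no filter, whether `payloadmatch` is a prefix or an exact match, how ICMP "L4 data" is delimited), the model assumes first-match-wins, pass-through, prefix matching and data after the 8-byte ICMP header, and labels those as assumptions.

```python
"""Reference model of the XDP Firewall filter semantics described in the README.

Added example, not the project's code. Assumptions (not stated by the README):
filters are checked in config order and the first match decides; a packet that
matches no filter is passed; payloadmatch is compared against the start of the
L4 payload; each *opts array is modelled as one dict.
"""
import ipaddress
import struct

BLOCK, ALLOW = 0, 1                                   # README: action 0 = Block, 1 = Allow
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_payloadmatch(text):
    """Parse the README's payloadmatch format ("FF FF FF FF 59") into bytes."""
    toks = text.split()
    if any(len(t) > 2 for t in toks):
        raise ValueError("each payloadmatch token must be one byte (two hex digits)")
    return bytes(int(t, 16) for t in toks)


def parse_frame(frame):
    """Decode the Ethernet/IPv4/L4 fields a rule can match on; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    pkt = {"len": len(frame), "tos": ip[1], "ttl": ip[8], "proto": ip[9],
           "srcip": str(ipaddress.IPv4Address(ip[12:16])),
           "dstip": str(ipaddress.IPv4Address(ip[16:20]))}
    l4 = ip[(ip[0] & 0x0F) * 4:]                      # skip IHL*4 bytes of IPv4 header
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if pkt["proto"] == PROTO_TCP:
        pkt["flags"], pkt["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == PROTO_UDP:
        pkt["payload"] = l4[8:]
    elif pkt["proto"] == PROTO_ICMP:                  # data after the 8-byte ICMP header (assumption)
        pkt["type"], pkt["code"], pkt["payload"] = l4[0], l4[1], l4[8:]
    return pkt


def filter_matches(f, pkt):
    """Apply one filter's main options and its tcpopts/udpopts/icmpopts to a decoded packet."""
    if not f.get("enabled"):
        return False
    main = {
        "srcip": lambda v: pkt["srcip"] == v,         "dstip": lambda v: pkt["dstip"] == v,
        "min_ttl": lambda v: pkt["ttl"] >= v,         "max_ttl": lambda v: pkt["ttl"] <= v,
        "min_len": lambda v: pkt["len"] >= v,         "max_len": lambda v: pkt["len"] <= v,
        "tos": lambda v: pkt["tos"] == v,
        "payloadmatch": lambda v: pkt.get("payload", b"").startswith(parse_payloadmatch(v)),
    }
    if any(k in f and not ok(f[k]) for k, ok in main.items()):
        return False
    for opts_key, proto in (("tcpopts", PROTO_TCP), ("udpopts", PROTO_UDP), ("icmpopts", PROTO_ICMP)):
        opts = f.get(opts_key)
        if not opts or not opts.get("enabled"):
            continue
        if pkt["proto"] != proto:                     # enabled L4 options imply that protocol
            return False
        if any(k in opts and pkt.get(k) != opts[k] for k in ("sport", "dport", "type", "code")):
            return False
        # README: a flag set to true must be present; false/absent flags impose nothing,
        # so `syn = true` also matches a SYN+ACK segment.
        if any(opts.get(flag) and not pkt.get("flags", 0) & bit for flag, bit in TCP_FLAG_BITS.items()):
            return False
    return True


def verdict(filters, frame):
    """Return "BLOCK", "ALLOW" or "PASS" (no filter matched; pass-through is an assumption)."""
    pkt = parse_frame(frame)
    if pkt is not None:
        for f in filters:                             # config order, first match wins (assumption)
            if filter_matches(f, pkt):
                return "BLOCK" if f["action"] == BLOCK else "ALLOW"
    return "PASS"


def build_frame(proto, src, dst, sport=0, dport=0, flags=0, itype=8, icode=0, payload=b"", ttl=64, tos=0):
    """Build a constructed Ethernet/IPv4 test frame (checksums left zero; the matcher ignores them)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!BBHHH", itype, icode, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4) + len(payload), 0, 0, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + l4 + payload


# The README's configuration example, expressed as Python structures.
EXAMPLE_FILTERS = [
    {"enabled": True, "action": BLOCK, "udpopts": {"enabled": True, "dport": 27015}},
    {"enabled": True, "action": ALLOW, "tcpopts": {"enabled": True, "syn": True, "dport": 27015}},
    {"enabled": True, "action": BLOCK, "icmpopts": {"enabled": True, "code": 0}},
    {"enabled": True, "action": BLOCK, "srcip": "10.50.0.4"},
]
```

Running `verdict(EXAMPLE_FILTERS, build_frame(PROTO_TCP, "10.50.0.3", "10.50.0.4", dport=27015, flags=0x12))` returns `"ALLOW"` for a SYN+ACK segment: because a TCP flag option only requires that flag to be set, the `syn = true` filter in the example also matches SYN+ACK, and the option set documented here has no way to require a flag to be clear. A plain ACK to the same port matches no filter and falls through to the assumed default.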
## Status
Not Finished.
## Credits
* [Christian Deacon](https://www.linkedin.com/in/christian-deacon-902042186/) - Creator.