0
The Next Generation Firewall for
Red Hat Enterprise Linux 7 RC
Thomas Graf
Red Hat
Agenda
● FirewallD – Firewall Management as a Service
● Kernel – New Filtering Capabilities
● Nftables – A Look Ahead
FirewallD
Firewall Management as a Service
Existing Packet Filtering Architecture
iptables
Netfilter
ip6tables ebtablesUser
Land
Kernel
IPv4 IPv6 Bridge
Protocol dep...
IPv4 IPv6 Bridge
FirewallD
Application
D-Bus
User Interface
Graphical
CLI
Firewall Management as a Service
Reports
D-Bus
FirewallD – Policy Abstraction
ZonePolicy
• Default policy
• Enabled services
• Masquerading
• Port forwarding
• ICMP filter
• Rich rules
FirewallD – Zone Definition
• Name
• Description
• Port range
• Destination network/address
• List of required kernel modules
FirewallD – Service Defi...
FirewallD – Graphical User Interface
• Add interface “eth0” to zone “public” permanently:
• List enabled services:
# firewall-cmd --permanent --zone=internal -...
RHEL7 Netfilter Kernel Changes
Scaling of Legacy Applications (xt_cpu)
# iptables -t nat -A PREROUTING -p tcp --dport 80 
-m cpu --cpu 0 -j REDIRECT --to...
Connection Tracking target (xt_CT)
• Disable connection tracking for DNS traffic
(Replacement for NOTRACK target in RHEL6)...
Connection Tracking target (xt_CT)
• Modify connection tracking timeout for TCP traffic
# iptables -t raw -A PREROUTING -p...
IPv6 Connection Tracking & NAT
• Available targets:
• SNAT, DNAT, MASQUERADE, NETMAP, REDIRECT
• Available Connection Trac...
CT Helpers in User Space
• No need for kernel module to support (proprietary) protocols
• Rapid development
• Avoid comple...
SYNPROXY (xt_SYNPROXY)
• Protection against SYN flood attacks
• Lightweight proxy for TCP three-way handshake
# iptables -...
Extended Accounting (xt_nfacct)
• Kernel based meter providing packet and byte statistics
• Avoids need to perform expensi...
Connection Labeling (xt_connlabel)
• Label connection tracking entries with rule:
• ... then match on labels:
# iptables -...
•Matches if a reply to a packet would be sent via the incoming
interface
•Drop packets that failed reverse path filtering:...
Berkley Packet Filter (xt_bpf)
• Match packets based Berkley Packet Filter (BPF) filters
• Use tcpdump to generate the byt...
New ipset Features
• Automatic range to subnets translations (IPv4 only)
• Exceptions in sets:
# ipset new test hash:net
#...
IDLETIMER target (xt_IDLETIMER)
• Define timers and restart them via rules
• Example Usage:
•Detect idle interfaces and pu...
TEE target (xt_TEE)
• Clone & send packet to local machine for logging
# iptables -t mangle -A PREROUTING -i eth0 
-j TEE ...
NFQUEUE performance optimizations
• Zero copy Netlink to user space
• CPU Fanout: CPU # selects queue #:
# iptables -A INP...
Generic Address Type Filter (xt_addrtype)
• Match type of source and/or destination address:
# ip6tables -A INPUT -m addrt...
nftables (Tech Preview)
A Look Ahead
nftables – State Machine Based Packet Filtering
• New packet filtering subsystem to replace {ip,ip6,arp,eb}tables
• Byte c...
nftables – Features Summary
• Heavy code reduction in kernel, minimal protocol awareness
• No kernel change required to su...
nftables – Want to try it out?
• Included in RHEL7.0 RC2 kernel (Tech Preview)
• Userspace packages likely included in fut...
Q&A
Slides: http://slidesha.re/1maiHxL
Contact: tgraf@redhat.com
Backup
Explicit Congestion Notification (xt_ecn)
• Match ECN bits on IPv4/IPv6 and TCP header (RFC3168):
# iptables -A INPUT -i e...
Compat Support
• Run 32bit iptables on 64bit kernel
Match on IPVS properties
• Combine full NAT functionality with IPVS properties:
# iptables -t nat -A POSTROUTING 
-m ipvs ...
Upcoming SlideShare
Loading in...5
×

The Next Generation Firewall for Red Hat Enterprise Linux 7 RC

5,639

Published on

The Linux packet filtering technology, iptables, has its roots in times when networking was relatively simple and network bandwidth was measured in mere megabits. Emerging technologies, such as distributed NAT, overlay networks and containers require enhanced functionality and additional flexibility. In parallel, the next generation of network cards with speeds of 40Gb and 100Gb will put additional pressure on performance.

In the upcoming Red Hat Enterprise Linux 7, a new dynamic firewall service, FirewallD, is planned to provide greater flexibility over iptables by eliminating service disruptions during rule updates, abstraction, and support for different network trust zones. Additionally, a new virtual machine-based packet filtering technology, nftables, addresses the functionality and flexibility requirements of modern network workloads.

In this session you’ll:

Deep dive into the newly introduced packet filtering capabilities of Red Hat Enterprise Linux 7 beta.
Learn best practices.
See the new set of configuration utilities that allow new optimization possibilities.

Published in: Software, Technology

Transcript of "The Next Generation Firewall for Red Hat Enterprise Linux 7 RC"

  1. 1. The Next Generation Firewall for Red Hat Enterprise Linux 7 RC Thomas Graf Red Hat
  2. 2. Agenda ● FirewallD – Firewall Management as a Service ● Kernel – New Filtering Capabilities ● Nftables – A Look Ahead
  3. 3. FirewallD Firewall Management as a Service
  4. 4. Existing Packet Filtering Architecture iptables Netfilter ip6tables ebtablesUser Land Kernel IPv4 IPv6 Bridge Protocol dependent packet filter and utilities
  5. 5. IPv4 IPv6 Bridge FirewallD Application D-Bus User Interface Graphical CLI Firewall Management as a Service Reports D-Bus
  6. 6. FirewallD – Policy Abstraction ZonePolicy
  7. 7. • Default policy • Enabled services • Masquerading • Port forwarding • ICMP filter • Rich rules FirewallD – Zone Definition
  8. 8. • Name • Description • Port range • Destination network/address • List of required kernel modules FirewallD – Service Definition <?xml version="1.0" encoding="utf-8"?> <service> <short>WWW (HTTP)</short> <description>[...]</description> <port protocol="tcp" port="80"/> </service>
  9. 9. FirewallD – Graphical User Interface
  10. 10. • Add interface “eth0” to zone “public” permanently: • List enabled services: # firewall-cmd --permanent --zone=internal --add-interface=eth0 # firewall-cmd --zone=public –list-services dhcpv6-client ipp ipp-client mdns ssh # FirewallD – Command Line Interface
  11. 11. RHEL7 Netfilter Kernel Changes
  12. 12. Scaling of Legacy Applications (xt_cpu) # iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --to-port 8080 # iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --to-port 8081 App instance #1 on 8080 RSS CPU 1 80 8080 REDIRECT App instance #2 on 8081CPU 2 80 8081 REDIRECT App instance #n on 808nCPU n 80 808n REDIRECT
  13. 13. Connection Tracking target (xt_CT) • Disable connection tracking for DNS traffic (Replacement for NOTRACK target in RHEL6) • Define multiple zones to allow for conflicting flow identities # iptables -t raw -A PREROUTING -i eth0 -j CT --zone 10 # iptables -t raw -A PREROUTING -p udp --dport 53 -j CT --notrack # iptables -t raw -A OUTPUT -p udp --sport 53 -j CT --notrack
  14. 14. Connection Tracking target (xt_CT) • Modify connection tracking timeout for TCP traffic # iptables -t raw -A PREROUTING -p tcp -j CT --timeout my-tcp-policy# nfct timeout add my-tcp-policy inet tcp established 100 close 10 close_wait 10 # iptables -t raw -A PREROUTING -p tcp -j CT --timeout my-tcp-policy
  15. 15. IPv6 Connection Tracking & NAT • Available targets: • SNAT, DNAT, MASQUERADE, NETMAP, REDIRECT • Available Connection Tracking Helpers: • SIP, FTP, Amanda # ip6tables -t nat -A POSTROUTING -o eth0 -j SNAT --to 2001:aa::1
  16. 16. CT Helpers in User Space • No need for kernel module to support (proprietary) protocols • Rapid development • Avoid complex string matching and mangling in kernel
  17. 17. SYNPROXY (xt_SYNPROXY) • Protection against SYN flood attacks • Lightweight proxy for TCP three-way handshake # iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -j CT --notrack # iptables -A INPUT -p tcp --dport 80 -m state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 –ecn
  18. 18. Extended Accounting (xt_nfacct) • Kernel based meter providing packet and byte statistics • Avoids need to perform expensive rule set statistics polling # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic # nfacct-add http-traffic # nfacct-get http-traffic = { pkts = 000000008231, bytes = 000044932916 };
  19. 19. Connection Labeling (xt_connlabel) • Label connection tracking entries with rule: • ... then match on labels: # iptables -A INPUT -m connlabel --label customer-bulk-traffic -m connlimit --connlimit-above 2 -j REJECT # iptables -A INPUT -i eth0 -m helper --helper ftp -m connlabel --label customer-bulk-traffic --set # iptables -A INPUT -i eth0 -p tcp --dport 22 -m connlabel --label customer-interactive --set
  20. 20. •Matches if a reply to a packet would be sent via the incoming interface •Drop packets that failed reverse path filtering: • Identical in functionality as net.ipv4.conf.all.rp_filter = 1 Reverse Path Filtering (xt_rpfilter) # iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP
  21. 21. Berkley Packet Filter (xt_bpf) • Match packets based Berkley Packet Filter (BPF) filters • Use tcpdump to generate the bytecode: # iptables -A OUTPUT -m bpf --bytecode "8,40 0 0 12,21 1 0 [...]" -j ACCEPT # tcpdump -ddd vlan 20 and dst port 22 | tr 'n' ',' 26,40 0 0 12,21 1 0 33024,21 0 22 37120 [...]
  22. 22. New ipset Features • Automatic range to subnets translations (IPv4 only) • Exceptions in sets: # ipset new test hash:net # [...] # ipset add test 10.2.0.10/32 nomatch # ipset new test hash:net # ipset add test 10.1.0.0-10.3.49.2
  23. 23. IDLETIMER target (xt_IDLETIMER) • Define timers and restart them via rules • Example Usage: •Detect idle interfaces and put them in power safe mode # iptables -A OUTPUT -o eth0 -j IDLETIMER --timeout 5 --label foo # cat /sys/class/xt_idletimer/timers/foo 4 [...] # cat /sys/class/xt_idletimer/timers/foo 0
  24. 24. TEE target (xt_TEE) • Clone & send packet to local machine for logging # iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1
  25. 25. NFQUEUE performance optimizations • Zero copy Netlink to user space • CPU Fanout: CPU # selects queue #: # iptables -A INPUT -i eth0 -j NFQUEUE --queue-balance 0:31 --queue-cpu-fanout # iptables -A INPUT -j NFQUEUE --queue-num 3
  26. 26. Generic Address Type Filter (xt_addrtype) • Match type of source and/or destination address: # ip6tables -A INPUT -m addrtype --dst-type MULTICAST -j DROP # ip6tables -A OUTPUT -m addrtype ! --src-type LOCAL -j REJECT
  27. 27. nftables (Tech Preview) A Look Ahead
  28. 28. nftables – State Machine Based Packet Filtering • New packet filtering subsystem to replace {ip,ip6,arp,eb}tables • Byte code execution in kernel pseudo state machine • Unified interface nft to replace protocol aware utilities User space ACL Kernel Byte Code Byte Code Byte Code nft
  29. 29. nftables – Features Summary • Heavy code reduction in kernel, minimal protocol awareness • No kernel change required to support new protocols • Incremental updates • Byte code can be optimized and offloaded • Efficient rule execution and storage • Fast lookups through data structures (e.g. hash tables) • Improved error handling
  30. 30. nftables – Want to try it out? • Included in RHEL7.0 RC2 kernel (Tech Preview) • Userspace packages likely included in future minor release • Fetch them from upstream to get testing •libmnl, libnfnl, nftables
  31. 31. Q&A Slides: http://slidesha.re/1maiHxL Contact: tgraf@redhat.com
  32. 32. Backup
  33. 33. Explicit Congestion Notification (xt_ecn) • Match ECN bits on IPv4/IPv6 and TCP header (RFC3168): # iptables -A INPUT -i eth1 -m ecn ! --ecn-tcp-cwr -j REJECT
  34. 34. Compat Support • Run 32bit iptables on 64bit kernel
  35. 35. Match on IPVS properties • Combine full NAT functionality with IPVS properties: # iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 --vport http -j SNAT [...]
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×