Setting up a basic firewall with nftables

[ermor]

Hey everyone!

For the last few days, I've been trying to set up a firewall with nftables. Ultimately, it will be for a desktop machine, but right now I'm setting it up so that it only allows the kind of traffic required by Portage to update my system, as an exercise since I'm new to this.

So far, so good, I've been looking into it and it seems to me like I needed to open OUTPUT UDP 53 (for DNS, presumably to get the current IP of the Gentoo server rotation) and, for some reason, 123 (for the Network Time Protocol, I'm not quite sure why it's used, maybe to update my clock, but it's in my syslog). I also opened TCP 80 (HTTP, though I'm not exactly sure it's necessary and I want to try updating without), 443 (HTTPS, same as 80, opening these seems a bit... much, but at the same time I suppose I can't really go around it for basic desktop usage), 873 (rsync is used by Portage for the sync) and 11371 (for OpenPGP HTTP key server, I have a feeling it's used by sync to refresh keys but I'd like to try without to see what happens). I've also allowed established/related connections in my INPUT, and I drop everything else by default. In any case, my current configuration allows Portage to do its job.

That said, I was a bit curious and checked my syslog upon booting, and noticed a few connections being dropped:

OUTPUT protocol ICMPv6, type 133, 135, 143

INPUT protocol ICMPv6, type 134
UDP, sport 67, dport 68

I've done some research and it seems they're involved in the Neighbor Discovery Protocol. The UDP log is also used to obtain an IP address, I think. This suggests that they're all normal and I should allow the necessary OUTPUT. That said, I'm not 100% sure, and I have some trouble finding resources explaining the bare minimum you need to allow for a Linux system, Portage, or a desktop machine. I'm also a bit wary of allowing things based on pure guesswork. I found an interesting forum thread regarding Portage, and I've tried to implement some of the suggestions there when I found them relevant. In addition, I've seen some interesting articles on the ArchLinux wiki regarding what to block to prevent some forms of attack, but they're a bit too technical for me and I'm afraid of implementing anything I don't understand a decent amount. Does anyone have resources for that sort of things? What are the traffic needs of a basic Gentoo machine?

[BurningMemory]

Hello there, I suggest taking a look into "opensnitch" which can be found on github and in the
pentoo overlay. It's a server+gui application that allows you to monitor connections and enforce
rules upon them in real time. You can analyze what you need with that and once you have enough
data, just create the rules you need. Or you can make generic firewall rules and let opensnitch handle
the rest.

Long story short: allow outward, deny inward, drop routed will be enough for most desktop users.

If you want to learn more about what you should allow or shouldn't allow, start with services you
need to run. See what they need.
Having that said, it's pretty safe to allow basic net protocols that handle most functionality
because for the majority of cases anything beyond common firewall rules will be overkill for
a small LAN.

If you are in a "hostile" network environment however, you really need to understand what you
are going to have to deal with before you do anything.

[ermor]

Thank you for your answer, BurningMemory!

No, I'm not in a particularly hostile network, it's just that I don't really know what the usual "fire and forget" desktop firewall blocks. I'll definitely look into opensnitch, seems interesting for my use case!

Yeah, I figured I'd have to allow outward, I couldn't really think of a way around it for my future desktop use. I probably don't need much more than what I already have. The only other thing, potentially, would be SSH, but I'm not even sure I use it right now.

[NeddySeagoon]

ermor,

You can DROP all incoming, there are no messages to senders that way.
Then REJECT all outgoing, so you get messages. Nothing goes anywhere now, which in is a good start.
Then allow only what's needed in both directions.

That's a paranoid firewall. It stops the bad guys phoning home on random ports if they do get it.

I run a boundary firewall, rather than one per system.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[ermor]

Hello NeddySeagoon,

That's what I did, actually. DROP policy on INPUT, OUTPUT and FORWARD, I only allowed the loopback interface and established/related connections in the INPUT chain, and looked at what was happening in my log and terminal when I started a sync/update. That's also why I want to test without 11371 and 80/443: I think I guessed I needed them open on OUTPUT by looking at what was happening in the terminal, but I didn't doublecheck with the syslog and it bothers me a bit. Then again, like BurningMemory said, I'll probably need to allow outward in the end anyway.

But that's reassuring, thanks. Now I know I'm doing something right.

[NeddySeagoon]

ermor,

You may get a few hints from Pi4 Router.

You will need https.
Most sites redirect http requests to https. http should not be required for portage.
Look at your GENTOO_MIRRORS list in make.conf
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[pietinger]

ermor,

first of all, you should know that a firewall can sometimes only warn you (via the log entries; so, yes, logging is very important) and cannot always protect you. And even a FW can't always do that ... at least not when it is alone. What I mean by that is ->

(I just copied the following from: https://forums.gentoo.org/viewtopic-p-8465650.html#8465650 )

[ermor]