https://home.regit.org/tags/nftables/ Recent content in Nftables on To Linux and beyond ! Hugo fr Wed, 24 Sep 2014 12:12:25 +0000 https://home.regit.org/2014/09/using-dom-with-nftables/ Wed, 24 Sep 2014 12:12:25 +0000 https://home.regit.org/2014/09/using-dom-with-nftables/ <h4 id="dom-and-ssh-honeypot">DOM and SSH honeypot</h4> <p><a href="https://github.com/regit/DOM">DOM</a> is a solution comparable to <a href="http://www.fail2ban.org/wiki/index.php/Main_Page">fail2ban</a> but it uses <a href="http://suricata-ids.org/">Suricata</a> SSH log instead of SSH server logs. The goal of DOM is to redirect the attacker based on its SSH client version. This allows to send attacker to a honeypot like <a href="https://home.regit.org/2014/06/pshitt-collect-passwords-used-in-ssh-bruteforce/">pshitt</a> directly after the first attempt. And this can be done for a whole network as Suricata does not need to be on the targeted box.</p> <h4 id="using-dom-with-nftables">Using DOM with nftables</h4> <p>I’ve pushed a <a href="https://github.com/regit/DOM/commit/d3fb3946b2b9c63cc638bad55b954e30706900d8">basic nftables support</a> to <a href="https://github.com/regit/DOM">DOM</a>. Instead of adding element via ipset it uses a <a href="http://wiki.nftables.org/wiki-nftables/index.php/Sets">nftables set</a>.</p> https://home.regit.org/2014/02/suricata-and-nftables/ Wed, 05 Feb 2014 09:03:28 +0000 https://home.regit.org/2014/02/suricata-and-nftables/ <h4 id="iptables-and-suricata-as-ips">Iptables and suricata as IPS</h4> <p><a href="https://home.regit.org/2011/01/building-a-suricata-compliant-ruleset/">Building a Suricata ruleset</a> with iptables has always been a complicated task when trying to combined the rules that are necessary for the IPS with the firewall rules. Suricata has always used <a href="https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/">Netfilter advanced features</a> allowing some more or less tricky methods to be used.</p></p> <p>For the one not familiar with IPS using Netfilter, here’s a few starting points:</p> <ol> <li>IPS receives the packet coming from kernel via rules using the NFQUEUE target</li> <li>The IPS must received all packets of a given flow to be able to handle detection cleanly</li> <li>The NFQUEUE target is a terminal target: when the IPS verdicts a packet, it is or accepted (and leave current chain) </ol> </p> https://home.regit.org/2014/01/why-you-will-love-nftables/ Mon, 20 Jan 2014 11:57:35 +0000 https://home.regit.org/2014/01/why-you-will-love-nftables/ <h4 id="linux-313-is-out">Linux 3.13 is out</h4> <p>Linux 3.13 is out bringing among other thing the first official release of <a href="http://netfilter.org/projects/nftables/">nftables</a>. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables.<br> nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions.<br> It is already usable in most cases but a complete support (read nftables at a better level than iptables) should be available in Linux 3.15.</p> https://home.regit.org/2013/03/pablo-neira-ayuso-nftables-strikes-back/ Tue, 12 Mar 2013 10:13:42 +0000 https://home.regit.org/2013/03/pablo-neira-ayuso-nftables-strikes-back/ <h4 id="introduction">Introduction</h4> <p>This is a new kernel packet filtering framework. The only change is on iptables. Netfilter hooks, connection tracking system, NAT are unchanged.<br> It provides a backward compatibility. nftables was released in March 2009 by Patrick Mchardy. It has been revived in the precedent months by Pablo Neira Ayuso and other hackers.</p> <h4 id="architecture">Architecture</h4> <p>It uses a pseudo-state machine in kernel-space which is similar to BPF:</p> <ul> <li>4 registers: 4 general purpose (128 bits long each) + 1 verdict</li> <li>provides instruction set (which can be extended)</li> </ul> <p>Here’s a example of existing instructions:</p>