
Bug#990291: ITP: nftfw -- an nftables firewall builder for Debian



Package: wnpp
Severity: wishlist
Owner: Peter Collinson <support@nftfw.uk>

* Package name    : nftfw
  Version         : 0.9.0
  Upstream Author : Peter Collinson <support@nftfw.uk>
* URL             : https://github.com/pcollinson/nftfw
* License         : MIT/X
  Programming Lang: Python
  Description     : an nftables firewall builder for Debian

Introduction
------------
Here is the current text in the debian/control file:

 The nftfw package builds firewalls for nftables. Configuration is
 based on files stored in directories in /etc/nftfw. For example,
 adding a new IP address to the whitelist is done by creating a file
 named for the IP address in the whitelist.d directory. Adding a new
 rule permitting access to a port just takes the addition of a
 suitably named file in incoming.d. Blacklisting address ranges is
 done by adding a CIDR address to a file in blacknets.d.
 .
 nftfw can automatically maintain the blacklist by efficiently scanning
 log files using regular expressions and adding miscreant IP addresses
 into blacklist.d. It maintains a database of activity and will
 timeout the entries after a user-defined period. When an IP is
 blocked, nftfw allows for feedback from nftables to notice and
 maintain blocking for frequent attempts from unwanted visitors.
 .
 nftfw makes extensive use of nftables sets to maintain exclusion and
 inclusion lists. It tries to minimise changes to the live firewall by
 only updating sets that have changed. It adds its created statements
 to an nftables template that can be modified to extend the firewall
 setup if needed.
 .
 After installation, some configuration is needed to make the system active;
 see /usr/share/doc/nftfw/README.Debian
 .
 The package is written and developed in Python 3.7.

More information can be found on Github; there are several documents
in the 'docs' directory that I've written, first for manual
installation and recently for Debian packaging. These are in .md, HTML and
PDF formats.

Once I have this bug number I will be uploading the binary package to github.

What's the history of this project?
-----------------------------------

nftfw is based on work done by Patrick Cherry for his hosting company
in the UK, Bytemark. His system was written in Ruby and was part of a
complete management system called Symbiosis for Debian servers. The
firewall part drove iptables. The company was sold and the buyer
wasn't really interested. Mythic Beasts forked Symbiosis into Sympl and I
moved to this new company as a customer.

At pretty much the same time, Debian Buster was released with the
switch to nftables. I wanted to fix some of the problems that I saw in
the original system and decided to start from scratch writing a new
firewall system in Python and aiming it at nftables.

What I liked about Patrick's approach was the use of what is perhaps
the original UNIX philosophy - everything is done in files. This
firewall is controlled by an nft template file, which is editable so
it can be extended - and then a bunch of specifically named files
controlling the firewall in known locations.

nftfw makes extensive use of sets, and tries never to reload the complete
firewall when a set is changed. There are problems in nftables with
some types of set (I've reported that upstream and they will
eventually be fixed, I understand) that mean that under some
circumstances partial loading doesn't work - and the whole table needs
reloading.

The system includes a module to scrape log files for attacks, and
injects the IP address into the blacklist. It can also scan kernel
logs for nftables logging so that sites that keep repeatedly returning
can be kept out until they stop. Feedback from the scanner is a big
win: bots keep bashing at the door and they are kept out.

Log scanning and blocking is also done by fail2ban of course. The
nftfw system is implemented because it was part of the original system
and I was looking for a drop-in alternative for the Symbiosis system.
Also, starting with nftables as a target has meant a re-appraisal of
how the system should work.

Where is the project?
--------------------

I started nftfw because I was sick of my systems being under attack
from all and sundry. It's been running on two different machines that
I run for a little over 18 months, and has also been used by some
other sys admins who are Mythic Beasts customers. There are a few
stars on Github, but I have no idea if these people are using it.

nftfw was originally installed on these machines from github source.
It didn't seem to fit the Python packaging model because it's part of
a system and not an application or library. It was loaded into Github
in April of 2020 and has been largely stable since then. There has
been the odd coding error, or misunderstanding of how to do things,
but I would say that the code is well exercised now.

Once it was in Github, it provoked significant attacks from all over
the world, and mostly from CN. At one point on my public machine,
where its website lives (https://nftfw.uk) it was blocking over 3K IP
addresses and several hundred were in the firewall. This frenzy has
reduced in recent times. I do have some repeat visitors that have
been trying for over a year.

I started to investigate and implement Debian packaging in April of
this year, and now have a preliminary packaged system - which will
be online on github soon.

What do you get?
---------------

The Python code provides:

   nftfw - the main script which manages the firewall; it loads, provides
           scanning of files and manages the sqlite3 database.
   nftfwls - lists the sqlite database that nftfw maintains.
             I run this from websites; it will output HTML too.
   nftfwedit - allows inspection, addition and deletion of
               IP addresses.
   nftfwadm - really intended as an installation aid when
              you want to retain a working firewall on installation.

There are manual pages for all these, and also some section 5 manual pages
describing the config file and the file formats and naming rules.

What do I need?
---------------

I am happy to maintain this package, but obviously need a sponsor. I
would welcome input on the Python, which very probably breaks the 'way
of doing things' in many ways. Also, I have undoubtedly unwittingly
broken some packaging rules and/or there are better ways to do things.

I have intentionally not distributed a live system. Some activation by
hand is needed to get things working.

What would I like?
------------------

I'd like to see this as a Debian package in the near future.
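
The file-driven model the package description outlines, as an added illustration that is not nftfw's own code: files in whitelist.d are named for an address, files in blacknets.d contain CIDR ranges (assumed here to be one per line with '#' comments), both are compiled into nftables set elements, and only a set whose membership changed is rewritten. The directory layout under a temporary base and the `inet filter` table name are assumptions for the example.

```python
import ipaddress
import tempfile
from pathlib import Path

def read_addr_dir(d):
    """File names are addresses (v4 and v6 collected together here; a real
    build would keep them in separate typed sets)."""
    found = set()
    for f in (p for p in d.iterdir() if p.is_file()):
        try:
            found.add(str(ipaddress.ip_address(f.name)))
        except ValueError:
            pass            # README, editor backup, etc.: leave it out, don't break nft
    return found

def read_nets_dir(d):
    """File contents are CIDRs, one per line (assumed); '#' starts a comment."""
    found = set()
    for f in d.iterdir():
        if not f.is_file():
            continue
        for line in f.read_text().splitlines():
            line = line.split("#")[0].strip()
            if line:    # strict=False normalises 203.0.113.5/24 to 203.0.113.0/24
                found.add(str(ipaddress.ip_network(line, strict=False)))
    return found

def build_sets(base):
    return {"whitelist": read_addr_dir(base / "whitelist.d"),
            "blacknets": read_nets_dir(base / "blacknets.d")}

def set_update_cmds(table, old, new):
    """nft commands for changed sets only; unchanged sets are left alone."""
    cmds = []
    for name in sorted(n for n in new if old.get(n) != new[n]):
        cmds.append(f"flush set inet {table} {name}")
        if new[name]:
            cmds.append(f"add element inet {table} {name} {{ {', '.join(sorted(new[name]))} }}")
    return cmds

def demo():
    """Constructed sample tree (RFC 5737 addresses); the second run adds one whitelist entry."""
    base = Path(tempfile.mkdtemp())
    for sub in ("whitelist.d", "blacknets.d"):
        (base / sub).mkdir()
    (base / "whitelist.d" / "192.0.2.10").touch()
    (base / "whitelist.d" / "README").touch()     # ignored: not an address
    (base / "blacknets.d" / "example.nets").write_text("203.0.113.5/24  # host bits set\n")
    first = build_sets(base)
    (base / "whitelist.d" / "198.51.100.7").touch()
    return first, set_update_cmds("filter", first, build_sets(base))
```

Because blacknets.d did not change between the two runs, the returned command list touches only the whitelist set.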

