<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="main.css" type="text/css" />
<link rel="stylesheet" href="blog.css" type="text/css" />
<link rel="alternate" type="application/rss+xml" title="Subscribe to this page..." href="feed.rss" />
<title>Firewalld kernel requirements</title>
</head><body>
<div id="divbodyholder">
<div class="headerholder"><div class="header">
<div id="title">
<h1 class="nomargin"><a class="ablack" href="http://zigford.org/index.html">zigford.org</a></h1>
<div id="description"><a href="about.html">About</a><a href="links.html"> | Links</a><a href="scripts.html"> | Scripts</a><br />Sharing linux/windows scripts and tips</div>
</div></div></div>
<div id="divbody"><div class="content">
<!-- entry begin -->
<h3><a class="ablack" href="firewalld-kernel-requirements.html">
Firewalld kernel requirements
</a></h3>
<!-- bashblog_timestamp: #202003062216.53# -->
<div class="subtitle">March 06, 2020 —
Jesse Harris
</div>
<!-- text begin -->
<p>I wanted to work out the minimum kernel requirements to run firewalld with the
nftables backend on Gentoo. Here I've documented my findings.</p>
<hr />
<h2 id="update">Update</h2>
<p>After running with this config for a couple of days I finally got around to
starting a VM under libvirtd, which failed miserably. libvirt at the time
programmed its default NAT network through iptables rather than nft, which is why
the additions below are xtables matches and <code>IP_NF_*</code>/<code>IP6_NF_*</code>
targets rather than more nft modules. Additional options required:</p>
<pre><code>CONFIG_NETFILTER_INGRESS=y
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
</code></pre>
<h2 id="original-post">Original post</h2>
<p>My laptop runs Gentoo with a LUKS/dm-crypt encrypted root and home, hourly btrfs
snapshots backed up to an encrypted external drive, systemd and Linux kernel 5.4.
The last piece of a properly locked-down desktop is the host firewall.</p>
<p>For a time I ran my own iptables script, but that quickly became hard to manage
once libvirtd (which manages my KVM VMs) started adding its own rules on top of
mine and left the rule set in a mess.</p>
<p>nftables is the modern replacement for iptables, and I had tried to move
firewalld onto my system before, with horrible results. The problem has always
been identifying the correct kernel configuration. The firewalld ebuild itself
checks for a few kernel options, but even <a href="https://bugs.gentoo.org/692944">those are not
correct</a>.</p>
<p>Some combinations of options left the system unable to boot or made nft hang.
After much trial and error I've found the right combination. If you don't want to
read about which options solve which problem, the full list of required options
is at the end.</p>
<h2 id="the-base">The base</h2>
<p>The following options got me a bootable kernel and firewalld attempting to start:</p>
<pre><code>CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
CONFIG_NFT_CT=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_NAT=m
CONFIG_NFT_NAT=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_NF_TABLES_IPV4=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
</code></pre>
<h2 id="the-errors">The errors</h2>
<p>After booting up and starting firewalld, I checked the status of the service and
was greeted with this:</p>
<pre><code>ERROR: '/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' \
failed: Error: Could not process rule: Operation not supported
</code></pre>
<p>This was solved with <code>CONFIG_NF_TABLES_INET=y</code>: firewalld builds all of
its chains in a table of the <code>inet</code> family, which handles IPv4 and IPv6
together, and that family is a separate kernel option.</p>
<p>After a kernel recompile and reboot, I checked the status of the firewalld
service and found that the nft command had hung. It was stuck on the following
command line:</p>
<pre><code>/sbin/nft --echo --handle add rule inet firewalld filter_INPUT reject with icmpx type admin-prohibited
</code></pre>
<p>This took a lot of trial and error but boiled down to the following
options:</p>
<pre><code>CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NF_REJECT_IPV6=m
</code></pre>
<p>As the previous fix only added modules, which can be loaded into the running
kernel after <code>make modules_install</code> as long as it is the same kernel build,
I was able to simply restart the service to see the next problem. Again, another
hung nft command line:</p>
<pre><code>/sbin/nft --echo --handle insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . \
iif oif missing drop
</code></pre>
<p>And again, hours of trial and error led to:</p>
<pre><code>CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
</code></pre>
<p>Restarting the service again surfaced another failing command:</p>
<pre><code>ERROR: '/sbin/nft insert rule inet firewalld raw_PREROUTING icmpv6 type \
{ nd-router-advert, nd-neighbor-solicit } accept
</code></pre>
<p>This time a single module was needed: <code>CONFIG_NF_TABLES_SET=m</code>. The
<code>{ nd-router-advert, nd-neighbor-solicit }</code> part of that rule is an
anonymous set, and sets need the nf_tables set infrastructure.</p>
<p>Finally, the last hang was the following command line:</p>
<pre><code>/sbin/nft --echo --handle add rule inet firewalld filter_IN_home_allow udp dport 137 ct helper set \
"helper-netbios-ns-udp"
</code></pre>
<p>This one took the longest to solve and contains the most options of any
fix:</p>
<pre><code>CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_XFRM=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NFT_SYNPROXY=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
</code></pre>
<p>Some of those may not have been strictly necessary, but I was getting tired and
just enabled the main nft modules.</p>
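<p>Rather than discovering each of these one firewalld restart at a time, the
expressions above can be tried directly against a throwaway table, with a timeout
so that a missing module shows up as a numbered failure instead of a hung service.
The script below is an added example and is not firewalld's or the post's own
code: the table name, chain priorities, timeout and the Kconfig names in the probe
labels (taken from the fixes above) are assumptions for illustration, and it needs
root and nft(8).</p>

```shell
#!/bin/sh
# probe_nft.sh: try each nft expression firewalld uses, one at a time, in a
# throwaway inet table. Added example; not part of firewalld or the post.
NFT=${NFT:-nft}          # nft binary (override with a stub for a dry run)
T=${T:-fwd_probe}        # throwaway table name (assumption), deleted at the end
TIMEOUT=${TIMEOUT:-5}    # seconds before a hung nft call is killed

# run_nft ARGS...: nft under timeout(1) where available. timeout exits 124 when
# nft hangs, which is what a missing kernel module looked like on this kernel.
run_nft() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT" "$NFT" "$@"
    else
        "$NFT" "$@"
    fi
}

# probe_nft: print ok/FAIL per expression, return the number of failures.
# Each heredoc line is "label|nft command"; labels name the options the post
# found for that expression. Quotes inside the commands are passed through
# literally, which is what nft expects for ct helper names and types.
probe_nft() {
    fails=0
    run_nft delete table inet "$T" 2>/dev/null
    if ! run_nft add table inet "$T" >/dev/null 2>&1; then
        echo "FAIL  inet table family (CONFIG_NF_TABLES_INET)"
        return 1
    fi
    while IFS='|' read -r label cmd; do
        [ -n "$cmd" ] || continue
        # word-splitting $cmd is deliberate: each entry is a whole nft command
        run_nft $cmd >/dev/null 2>&1
        rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "ok    $label"
        else
            echo "FAIL  $label (nft exit $rc)"
            fails=$((fails + 1))
        fi
    done <<EOF
raw chain at prerouting -290 (CONFIG_NF_TABLES_INET)|add chain inet $T raw_PREROUTING { type filter hook prerouting priority -290 ; }
filter chain at input (CONFIG_NF_TABLES_INET)|add chain inet $T filter_INPUT { type filter hook input priority 0 ; }
reject with icmpx (CONFIG_NFT_REJECT*, CONFIG_NF_REJECT_IPV*)|add rule inet $T filter_INPUT reject with icmpx type admin-prohibited
fib reverse path check (CONFIG_NFT_FIB*)|insert rule inet $T raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop
anonymous set (CONFIG_NF_TABLES_SET)|insert rule inet $T raw_PREROUTING icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
ct helper object (ct helper block, CONFIG_NF_CONNTRACK_NETBIOS)|add ct helper inet $T helper-netbios-ns-udp { type "netbios-ns" protocol udp ; }
ct helper set (ct helper block)|add rule inet $T filter_INPUT udp dport 137 ct helper set "helper-netbios-ns-udp"
EOF
    run_nft delete table inet "$T" >/dev/null 2>&1
    return "$fails"
}

# Usage: sudo sh probe_nft.sh run   (exit status = number of failed probes)
if [ "${1:-}" = run ]; then
    probe_nft
fi
```

<p>Run it as <code>sudo sh probe_nft.sh run</code> after installing new modules; the
label of each failure points at the block of options above that fixed that
expression on this kernel, and an exit code of 124 means the call hung until the
timeout rather than returning an error.</p>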
<h2 id="the-final-total-config">The final total config</h2>
<p>My complete kernel config can be found
<a href="https://github.com/zigford/kernel-configs/blob/master/Precision%205510/Precision%205510">here</a>,
but here are the nftables bits in their entirety. This list covers the base
options and the reject, fib and set fixes; the ct helper block above and the
libvirt additions in the update at the top of this post are needed on top of it.
It also adds <code>CONFIG_NF_CONNTRACK_BROADCAST</code> and
<code>CONFIG_NF_CONNTRACK_NETBIOS</code>, the conntrack helper that the
<code>helper-netbios-ns-udp</code> rule binds to.</p>
<pre><code>CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
CONFIG_NFT_CT=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_NAT=m
CONFIG_NFT_NAT=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_NF_TABLES_IPV4=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_TABLES_SET=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS=m
</code></pre>
<p><strong>Note</strong>: in my case I've configured most options as modules, but building
them into the kernel with <code>=y</code> works just as well. The options shown as
<code>=y</code> above are booleans in Kconfig and cannot be built as modules in any case.</p>
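<p>To check a config before rebooting into it, here is an added example (not code
from the post) that reports which of the options in the final list are missing
from a kernel config, accepting <code>=y</code> wherever the post used <code>=m</code>
and distinguishing an option that is switched off from one the kernel does not
even offer, which usually means a dependency is off. The sample config fragment it
writes is constructed for demonstration, and the function names are my own.</p>

```shell
#!/bin/sh
# check_fwd_config.sh: compare a kernel .config against the options the post
# settled on. Added example; not part of the post or of firewalld.

# The post's final list (tristate/bool options only; IP_SET_MAX is numeric).
REQUIRED='
CONFIG_NETFILTER_ADVANCED CONFIG_NETFILTER_NETLINK CONFIG_NF_CONNTRACK CONFIG_NF_TABLES
CONFIG_NFT_CT CONFIG_NF_DEFRAG_IPV4 CONFIG_NF_DEFRAG_IPV6 CONFIG_NF_CT_NETLINK CONFIG_NF_NAT
CONFIG_NFT_NAT CONFIG_NETFILTER_XTABLES CONFIG_IP_SET CONFIG_NF_TABLES_IPV4
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_RAW CONFIG_IP_NF_SECURITY CONFIG_NF_TABLES_IPV6
CONFIG_IP6_NF_IPTABLES CONFIG_IP6_NF_RAW CONFIG_IP6_NF_SECURITY CONFIG_NF_TABLES_INET
CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET CONFIG_NFT_REJECT_IPV4 CONFIG_NF_REJECT_IPV4
CONFIG_NFT_REJECT_IPV6 CONFIG_NF_REJECT_IPV6 CONFIG_NFT_FIB CONFIG_NFT_FIB_INET
CONFIG_NFT_FIB_IPV4 CONFIG_NFT_FIB_IPV6 CONFIG_NF_TABLES_SET
CONFIG_NF_CONNTRACK_BROADCAST CONFIG_NF_CONNTRACK_NETBIOS
'

# check_config FILE [OPTION...]: print one line per option that is not =y/=m,
# return the number of such options (0 means everything is present).
# With no OPTION arguments the post's REQUIRED list is used.
check_config() {
    cfg=$1; shift
    [ $# -gt 0 ] || set -- $REQUIRED
    missing=0
    for opt in "$@"; do
        if grep -Eq "^$opt=(y|m)\$" "$cfg"; then
            continue
        elif grep -q "^# $opt is not set" "$cfg"; then
            echo "disabled: $opt"          # offered by Kconfig but switched off
        else
            echo "absent:   $opt"          # not offered at all: a dependency is off
        fi
        missing=$((missing + 1))
    done
    # CONFIG_IP_SET_MAX is a number rather than y/m; the post used 256
    if ! grep -q '^CONFIG_IP_SET_MAX=' "$cfg"; then
        echo "absent:   CONFIG_IP_SET_MAX"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# config_source: the running kernel's config if it exposes one (needs
# CONFIG_IKCONFIG_PROC), else the copy installed next to the image in /boot.
config_source() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        cat "/boot/config-$(uname -r)"
    fi
}

# write_sample_config FILE: a constructed fragment standing in for a real
# .config, with one option disabled and others absent so both cases show up.
write_sample_config() {
    cat >"$1" <<'EOF'
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_REJECT=m
# CONFIG_NFT_FIB is not set
CONFIG_IP_SET_MAX=256
EOF
}

# Usage: sh check_fwd_config.sh run [FILE]   (exit status = number missing)
if [ "${1:-}" = run ]; then
    if [ -n "${2:-}" ]; then
        check_config "$2"
    else
        tmp=$(mktemp); config_source >"$tmp"; check_config "$tmp"; rc=$?
        rm -f "$tmp"; exit "$rc"
    fi
fi
```

<p>Run against a freshly generated <code>.config</code> in the kernel source tree
before building, or with no file argument to check the kernel that is currently
running; the "absent" lines are the ones worth chasing first, because enabling
the dependency they hint at usually makes several other options appear in
<code>make menuconfig</code> at once.</p>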
<p>Tags: <a href='tag_gentoo.html'>gentoo</a>, <a href='tag_linux.html'>linux</a>, <a href='tag_firewalld.html'>firewalld</a></p>
<!-- text end -->
<!-- entry end -->
</div>
<div id="footer">© <a href="http://twitter.com/zigford_org">Jesse Harris</a> — <a href="mailto:jesse@zigford.org">jesse@zigford.org</a><br/>
Generated with <a href="https://github.com/cfenollosa/bashblog">bashblog</a>, a single bash script to easily create blogs like this one</div>
</div></div>
</body></html>