Firewall
The Configuration reference provides the full configuration reference and the sections following after describe the most relevant firewall configuration sections with more elaborated examples.
Configuration reference
Anapaya appliance configuration (firewall only)
firewall object
The firewall section applies ONLY to non-IP-in-SCION tunneling traffic! The section contains the configuration for the Anapaya appliance firewall to filter non-IP-in-SCION tunneling traffic. The Anapaya appliance firewall makes use of the Linux kernel packet classification framework nftables, thus it is highly recommended that you familiarize yourself with nftables by reading the following short overview: nftables in 10 minutes.
The Anapaya appliance's firewall configuration contains tables of chains, which in turn contain the actual rules for enforcing the desired filtering.
The firewall mode declares how the Anapaya appliance handles firewall rules. Depending on the mode, the Anapaya appliance either generates a default set of rules, prepends some custom rules, or uses only the specified custom rules.
| Enum Value | Description |
|---|---|
| AUTO | 'AUTO' is the default mode, it generates set of rules based on the rest of the Anapaya appliance configuration. The Anapaya appliance uses the default table called 'appliance' of type INET with the generated rules. The mode locks down the Anapaya appliance to only allow traffic required for the Anapaya appliance to function properly. If you do not have any special requirements, this is the recommended mode. No customizations are possible in this mode. If you want to specify the mode explicitly the tables section must be empty. |
| CUSTOM | 'CUSTOM' mode does not generate any rules and allows the user to configure the Anapaya appliance firewall from scratch. This mode is useful if you want to have full control over the Anapaya appliance firewall. Be cautious when using this mode. |
| PREPEND | 'PREPEND' mode uses the rules generated by the 'AUTO' mode and allows prepending additional rules to the generated ones. The configuration only allows a single table named 'appliance' of type 'INET'. This mode is useful if you want to add custom rules to the Anapaya appliance firewall without having to reconfigure the whole firewall. To prepend rules, add them in the table 'appliance' and in chains named 'default_input', or 'default_forward'. For other hooks, no specific naming of chains is required, but there can only be one chain per hook. |
| UNMANAGED | 'UNMANAGED' mode disables the Anapaya appliance firewall and does not interfere with existing firewall configurations. This mode should only be used when transitioning from iptables to the Anapaya appliance-managed firewall. |
Possible values: [AUTO, PREPEND, CUSTOM, UNMANAGED]
tables object[]
Define the nftables tables that should be configured on the system. A table is a top-level container within an nftables ruleset, they hold chains and counters. A table belongs to exactly one family.
chains object[]
Chains defined within the nftables table.
The type and usage of the chain. This must be set for base chains and unset for regular chains.
| Enum Value | Description |
|---|---|
| FILTER | The chain type is Filter. |
| NAT | The chain type is NAT. |
| ROUTE | The chain type is Route. |
Possible values: [FILTER, ROUTE, NAT]
The packet processing step during which the chain should be executed. This must be set for base chains and unset for regular chains. For more information on the chain hooks, please refer to Base chain hooks.
| Enum Value | Description |
|---|---|
| FORWARD | The chain should be executed on all incoming packets that are not addressed to the local system. |
| INPUT | The chain should be executed when an incoming packet is adddressed to and has been routed to the local system and processes running there. |
| OUTPUT | The chain should be executed on packets that have originated from processes in the local machine system. |
| POSTROUTING | The chain should be executed after routing, just before the packet leaves the local system. |
| PREROUTING | The chain should be executed when receiving any incoming packet, before any routing decision has been made. |
Possible values: [PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING]
The name of the chain.
The default policy that will be applied to packets that reach the end of the chain. For more information on chain policies, please refer to Base chain policy.
| Enum Value | Description |
|---|---|
| ACCEPT | The chain policy is Accept, which means that the packet will keep traversing the network stack. |
| DROP | The chain policy is Drop, which means that the packet will be discarded if it reaches the end of hte base chain. |
Possible values: [ACCEPT, DROP]
The priority of the chain. This must be set for base chains and unset for regular chains.
rules object[]
Rules defined as part of a chain within a firewall table.
Description, or comment, for the firewall rule.
The rule definition consists of expressions and statements in string format. The expressions are evaluated from left to right and if the packet matches the expressions the statement is executed. For information on the supported syntax for expressions and statements, please refer to Expressions: Matching packets and Statements: Acting on packet matches.
The sequence ID determines the order in which sequence the firewall rules are applied. The sequence ID must be unique for each entry. Target devices apply the rules in order of ascending sequence ID (low to high).
1counters object[]
Optional named counters defined within the nftables table.
The name of the counter.
The family type of the nftables. For more information on table families, please refer to Nftables families.
| Enum Value | Description |
|---|---|
| INET | The table is applied to IPv4 and IPv6 packets |
| IP | The table is applied to IPv4 packets |
| IP6 | The table is applied to IPv6 packets |
Possible values: [IP, IP6, INET]
Name of the nftables table.
Automatic firewall rule generation
In AUTO and PREPEND mode, the appliance generates a set of firewall
rules based on the other sections of the appliance configuration. The following
traffic is allowed by default:
- All established and related connections, i.e., connections that are initiated from the appliance itself.
- Traffic on the default loopback interface
lo. - Traffic on wireguard interfaces.
- Traffic for port 22 (SSH) and the port of the management API (443 by default) on the management addresses.
- Traffic for the configured telemetry endpoints.
- SCION control plane and appliance cluster synchronization traffic.
- BGP traffic for the configured BGP peers.
- ICMP echo and neighbor discovery traffic.
- Traffic to the management API over the shuttle interface, if a shuttle interface is specified in the interfaces section.
- Traffic is forwarded to/from the shuttle interface for allowed_destinations when a shuttle server is configured.
Any other traffic that is not explicitly allowed by the rules above is dropped.
Limitations
As the appliance firewall is tightly coupled to nftables, the following limitations apply:
- Similar to the counters,
nftablessupports sets. However, the appliance firewall does not support named sets but only anonymous sets. So if you want to use sets (e.g.tcp dport { 22, 23 }), you have to define them within the rule.
Examples of firewall configuration in different modes
PREPEND
The example below shows how to configure the Anapaya appliance firewall in PREPEND mode by
defining a custom rule that gets executed before the generated rules for the default_input and
default_forward chains. Furthermore, it defines a base chain for the POSTROUTING hook and a
regular chain that can be reached via a jump statement.
CUSTOM
The example below shows how to configure the appliance firewall in CUSTOM mode.
Named counters
Each rule can include a non-verdict counter statement. Nftables distinguishes between anonymous and
named counters. Named counters are defined on the table level and can be referenced in rules by
their name (e.g. counter name "my_counter"). Anonymous counters are defined within the rule and
can only be used in this rule.