[BlueOnyx:26288] Re: Saving APF Blacklist opens firewall
Michael Stauber
mstauber at blueonyx.it
Tue Jun 13 12:12:23 -05 2023
Hi John,
> (On 5209r)
> I have noticed that if I add an IP address to the APF Blacklist and press
> Save, the firewall is open during the save process.
> There are a lot of addresses in the firewall, and it takes several
> seconds to process the saving of the list.
> The firewall should be delaying traffic, not permitting traffic that
> should be blocked while the rules are activated.
>
> I believe that under the hood you are using iptables?
> Overly simplified, the operations should be:
>
> iptables -P INPUT DROP # disable until all block rules are in place
> iptables -P FORWARD DROP # disable until all block rules are in place
> iptables -P OUTPUT DROP # disable until all block rules are in place
> iptables -F # flush rules
> # add blocking rules for blacklist
> # add rule at end to permit www traffic not already blocked
Indeed, APF uses "iptables" and it's the oldest firewall solution we
offer for BlueOnyx. It has since been superseded by "Firewalld",
which is included in the purchase of APF, but only offered for download
if the target server is a BlueOnyx 5210R or BlueOnyx 5211R.
On BlueOnyx 5209R only the iptables based APF is a practical choice.
And you're right: When APF is restarted, it first flushes all rules and
then sets up the new rules one by one in a large loop. If you have many
rules active, then this might take a moment, and during that time the
server is unprotected or, as more rules kick in, gradually more and
more protected.
If IPs are added to or removed from the whitelist or blacklist, then a full
restart of APF isn't necessary. Instead just the relevant rules will be
added/removed and the rest remains undisturbed. But when saving in the
GUI we sort of have to hit the whole thing on the head and let APF do a
full flush of the rules. We can't really avoid that.
There are naturally two different general approaches possible and these
revolve around different philosophies. For some users a full-on and
complete inaccessibility of the server during a firewall restart might
be acceptable, but for most it isn't. In fact I'll always be sweating
blood and water if a server I'm working on just drops off the net and
stops responding. We're not really in the business of giving people
heart attacks. :o)
So yeah: The way it is? That's intentional to minimize disruptions and
to not "rock the boat" too much.
As for Firewalld on 5210R and 5211R? That uses "nftables", which is the
modern replacement for "iptables". One of the really *great* benefits of
it is that we can use ipsets to quickly load *massive* IP blacklists
into the firewall.
You can see this here for example:
https://shop.blueonyx.it/catalog/product/gallery/image/216/id/200/
When you blacklist a whole country from accessing your server
(especially if it's a large one such as China), then this would result
in a ridiculously impractical and massive amount of iptables rules. The
current ruleset we use for China has 8673 IP address ranges in it. But
if we load those 8673 blocked IP address ranges as an ipset? Then it's just
a single firewall-related transaction that gets performed. And that's
blazingly fast and efficient.
Our Firewalld implementation also flushes the rules during a restart and
therefore "opens up" briefly on a restart. But it's so much faster that
you almost don't notice it.
So yeah: We do it this way to not rock the boat. APF is great, but it's
really "old technology" and once you move to a newer version of
BlueOnyx, be sure to try "Firewalld" instead. Your APF purchase already
gives you access to it if you'd link it to a 5210R or 5211R.
--
With best regards
Michael Stauber
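The flush-then-rebuild window discussed in this thread can be closed without the "drop off the net" side effect by replacing the live ruleset in one transaction. The script below is an added example, not part of the mailing-list post and not BlueOnyx or APF code. It turns a blacklist file into an "ipset restore" script (filling a temporary set and swapping it for the live one) plus a complete filter table in iptables-save format, so that `iptables-restore` commits the whole table in a single kernel call; packets see either the old rules or the new rules, never an empty chain. The set name `apf_blacklist`, the IPv4-only blacklist format, the INPUT-only ruleset, the open ports and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post and not BlueOnyx/APF code.
# Builds a blacklist as an ipset plus a complete iptables ruleset, then loads
# both with "ipset restore" / "iptables-restore" so the live ruleset is
# replaced in one transaction instead of flush-then-add-rules-one-by-one.
# Assumptions (hypothetical): IPv4 only, a blacklist file with one address or
# CIDR per line ('#' comments and blank lines allowed), INPUT filtering only,
# and a set name such as "apf_blacklist" chosen by the caller.

set -eu

# Constructed sample blacklist (RFC 5737 documentation ranges), written to a
# temp file so the example runs offline. Returns the file name on stdout.
write_sample_blacklist() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not a real blacklist' \
        '203.0.113.0/24' '' '198.51.100.7' '192.0.2.0/25' > "$f"
    printf '%s\n' "$f"
}

# Emit an "ipset restore" script: fill a fresh _tmp set, then swap it for the
# live set. The swap is a single kernel operation, so the live set never
# empties in between. The "create" lines rely on "ipset -exist" on the
# caller side so that re-running against existing sets is not an error.
build_ipset_restore() {   # $1 = set name, $2 = blacklist file
    set_name=$1
    blacklist=$2
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s_tmp hash:net family inet\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$blacklist" | while read -r net _; do
        printf 'add %s_tmp %s\n' "$set_name" "$net"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Emit the whole filter table in iptables-save format. iptables-restore
# builds this in user space and commits it with one kernel call, so packets
# see either the old rules or the new rules, never an empty chain.
build_iptables_restore() {   # $1 = set name
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m set --match-set $1 src -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Load both atomically. Needs root and the ipset/iptables tools; not called
# below so the generators can be exercised without touching a live firewall.
apply_atomically() {   # $1 = set name, $2 = blacklist file
    tmp_ipset=$(mktemp)
    tmp_rules=$(mktemp)
    build_ipset_restore "$1" "$2" > "$tmp_ipset"
    build_iptables_restore "$1" > "$tmp_rules"
    iptables-restore --test < "$tmp_rules"   # reject a broken ruleset first
    ipset -exist restore < "$tmp_ipset"       # -exist: tolerate existing sets
    iptables-restore < "$tmp_rules"           # one commit replaces old rules
    rm -f "$tmp_ipset" "$tmp_rules"
}

# Stand-alone run: print the generated scripts for the sample blacklist.
if [ "${1:-}" = "--show" ]; then
    bl=$(write_sample_blacklist)
    build_ipset_restore apf_blacklist "$bl"
    build_iptables_restore apf_blacklist
    rm -f "$bl"
fi
```

Two practitioner notes on the design. First, the ordering in the quoted suggestion does work on its own terms, because `iptables -F` flushes rules but leaves chain policies untouched, so setting `-P INPUT DROP` before the flush keeps the box closed rather than open while rules are re-added; the cost is exactly the unreachable window the reply describes, which the restore approach avoids because the old rules stay in force until the new table commits. Second, the set match is placed before the `ESTABLISHED,RELATED` accept on purpose: a newly blacklisted address loses its existing connections immediately, whereas placing it after the conntrack rule would let those connections run on until they close. The same atomic-replacement property holds for the nftables path the reply recommends: `nft -f` applies a whole ruleset file as one transaction across all tables.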