Branch to New Policy Chains | FWCloud Forum

Branch to New Policy Chains

There doesn't seem to be a way in fwbuilder to create additional policy chains or to branch to them as the action on a rule.

This is a function we use extensively in fwbuilder. We have complex firewalls with policies that control traffic based on egress interface. The initial policy branches to these based on the direction and interface.

There doesn't seem to be any way to replicate this configuration in fwcloud today.

Is that something that is planned for a future release?

Thanks.
 

Carles Munyoz

Administrator
Staff member
Hi,
At this moment it is not possible to create your own policy chains. The FWCloud IPTables/NFTables compiler generates the required custom chains for every rule you create using the FWCloud user interface, but you can not create your own custom chains.

Is that something that is planned for a future release?

Yes, it is a feature included in our roadmap.

Can you give us some examples of these complex policies?
Maybe you can create them using the hook scripts feature.
 
Thank you for the reply. It's good to know that's on the roadmap.
I can't share specific examples of our policies but I'll try and explain the general setup we use.

Rather than having an "inside" and "outside" our firewalls have multiple interfaces facing different tenants & networks and all inter-VLAN traffic transits the firewalls.

The only time we use the INPUT & OUTPUT chains is to protect the firewall's own loopback interface. The FORWARD chain has a single rule with a branch to a chain we call "Firewall".

The "Firewall" chain has a couple of rules to control ICMP and established sessions, and then a rule for each interface that branches to a chain specific to that interface where we apply the actual policies for the network the interface connects to.

We usually apply policy by egress interface because it's the only way we've found to be able to easily reason about chain-based firewall configurations. If you know the IP you know the route, therefore the egress interface, therefore the chain that controls traffic to it.

Our firewalls typically have between 15 and 30 chains on them, not including NAT, and 3,000-5,000 lines of policy.

Thanks.
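The chain layout described in the post above, as an added example that is not part of the thread and is not FWCloud's or fwbuilder's generated output: a POSIX shell script that emits an iptables-restore filter table in which FORWARD has a single branch to a "Firewall" chain, that chain does the shared conntrack/ICMP housekeeping and then dispatches on egress interface, and each to_<iface> chain holds the policy for the network behind that interface. The interface names, tenant prefixes and the management network 10.0.0.0/24 are constructed sample values, and the per-tenant allow rules are placeholders for real policy.

```shell
#!/bin/sh
# Added example, not code from FWCloud or fwbuilder: generate an
# iptables-restore filter table with the layout discussed in the thread.
#   FORWARD  -> Firewall (exactly one rule)
#   Firewall -> shared housekeeping, then one branch per egress interface
#   to_<if>  -> the actual policy for the network behind that interface
# TENANTS and MGMT_NET are a constructed sample topology (assumptions).

TENANTS="eth1:10.1.0.0/24 eth2:10.2.0.0/24 eth3:10.3.0.0/24"
MGMT_NET="10.0.0.0/24"

emit() { printf '%s\n' "$1"; }

gen_ruleset() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'
    emit ':Firewall - [0:0]'
    for pair in $TENANTS; do
        emit ":to_${pair%%:*} - [0:0]"
    done

    # INPUT/OUTPUT only protect the firewall host itself.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit "-A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT"
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit '-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT'

    # FORWARD has a single rule: branch to the Firewall chain.
    emit '-A FORWARD -j Firewall'

    # Housekeeping shared by every tenant, then dispatch on egress interface.
    emit '-A Firewall -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A Firewall -m conntrack --ctstate INVALID -j DROP'
    emit '-A Firewall -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT'
    for pair in $TENANTS; do
        iface=${pair%%:*}
        emit "-A Firewall -o $iface -j to_$iface"
    done
    # An egress interface with no chain yet (e.g. a VLAN added before its
    # policy) is dropped here instead of being silently forwarded.
    emit '-A Firewall -j DROP'

    # Per-interface policy: what may reach the network behind this interface.
    for pair in $TENANTS; do
        iface=${pair%%:*}; net=${pair#*:}
        emit "-A to_$iface -s $MGMT_NET -d $net -p tcp --dport 22 -j ACCEPT"
        emit "-A to_$iface -d $net -p icmp --icmp-type echo-request -j ACCEPT"
        # Terminal verdict: without it the packet RETURNs to Firewall and is
        # dropped there, with no log line naming the tenant chain.
        emit "-A to_$iface -j LOG --log-prefix \"to_$iface drop: \""
        emit "-A to_$iface -j DROP"
    done
    emit 'COMMIT'
}

# Which user chain does Firewall branch to for a given egress interface?
branch_for() {
    gen_ruleset | sed -n "s/^-A Firewall -o $1 -j //p"
}

# Number of user-defined chains in the generated table.
count_user_chains() {
    gen_ruleset | grep -c '^:[^ ]* - \['
}

# Sanity check: every user chain must end in a terminal verdict, otherwise
# traffic falls back into the calling chain and the branch is not a policy.
chains_terminate() {
    rs=$(gen_ruleset)
    for chain in $(printf '%s\n' "$rs" | sed -n 's/^:\([^ ]*\) - .*/\1/p'); do
        last=$(printf '%s\n' "$rs" | grep "^-A $chain " | tail -n 1)
        case "$last" in
            *" -j ACCEPT"|*" -j DROP"|*" -j REJECT"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

Run it with `--print` and pipe the output through `iptables-restore --test` to have iptables parse the table without loading it. The `chains_terminate` check is the one that matters when chains are hand-maintained: a per-interface chain that ends without a verdict returns to Firewall, where the catch-all DROP hides the fact that the tenant policy never decided anything. The same layout carries over to nftables with `jump` verdicts (or `goto` if the caller should not be returned to), which is what the "branch" action in the request above maps onto.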
 

Carles Munyoz

Administrator
Staff member
I understand, thank you for the detailed explanation.

Then, to do it with FWCloud you need:
  • A feature to create your own chains.
  • To allow the use of custom chains in the actions column.
Is that correct, or do you need something more?
 
Thanks for your reply.

The ability to create chains and to fully utilise the "branch" action of iptables/nftables should be all that's needed.
 

Carles Munyoz

Administrator
Staff member
We have already added this feature to our roadmap, and it will be available soon, in one of the next releases.
Thank you very much for your feedback.
 