Branch to New Policy Chains | FWCloud Forum

Branch to New Policy Chains

There doesn't seem to be a way in fwbuilder to create additional policy chains or to branch to them as the action on a rule.

This is a function we use extensively in fwbuilder. We have complex firewalls with policies that control traffic based on egress interface. The initial policy branches to these based on the direction and interface.

There doesn't seem to be any way to replicate this configuration in fwcloud today.

Is that something that is planned for a future release?

Thanks.
 

Carles Munyoz

Administrator
Staff member
Hi,
At this moment it is not possible to create your own policy chains. The FWCloud IPTables/NFTables compiler generates the required custom chains for every rule you create using the FWCloud user interface, but you cannot create your own custom chains.

Is that something that is planned for a future release?

Yes, it is a feature included in our roadmap.

Can you give us some examples of these complex policies?
Maybe you can create them using the hook scripts feature.
 
Thank you for the reply. It's good to know that's on the roadmap.
I can't share specific examples of our policies but I'll try and explain the general setup we use.

Rather than having an "inside" and "outside" our firewalls have multiple interfaces facing different tenants & networks and all inter-VLAN traffic transits the firewalls.

The only time we use the INPUT & OUTPUT chains is to protect the firewall's own loopback interface. The FORWARD has a single rule with a branch to a chain we call "Firewall".

The "Firewall" chain has a couple of rules to control ICMP and established sessions, and then a rule for each interface that branches to a chain specific to that interface where we apply the actual policies for the network the interface connects to.

We usually apply policy by egress interface because it's the only way we've found to be able to easily reason about chain-based firewall configurations. If you know the IP you know the route, therefore the egress interface, therefore the chain that controls traffic to it.

Our firewalls typically have between 15 and 30 chains on them, not including NAT, and 3-5000 lines of policy.

Thanks.
 

Carles Munyoz

Administrator
Staff member
I understand, thank you for the detailed explanation.

Then, to do it with FWCloud you need:
  • A feature to create your own chains.
  • Allow the use of custom chains in the actions column.
Is it correct or do you need something more?
 
Thanks for your reply.

The ability to create chains and to fully utilise the "branch" action of iptables/nftables should be all that's needed.
 

Carles Munyoz

Administrator
Staff member
We have already added this feature to our roadmap and will be available soon, in one of the next releases.
Thank you very much for your feedback.
 

Hi Carlos,

Do you have a rough idea when this might become available, or alternatively, can you give us an overview of what changes would be required in the source to implement custom chains and branching?

Thanks.
 

Carles Munyoz

Administrator
Staff member
Hi Alasdair,
In our last release we added a new feature called Hook Script Rules; you can see a video tutorial about it here.

Thanks to this feature you can insert your code at any point in the policy load script generated during the firewall policy compilation process. You can even insert IPTables/NFTables code to create your own chains and policy rules.

Maybe this feature will fulfill your needs until we implement custom chains.
 
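As an added example (not configuration from the original posts and not FWCloud's own code), the script below generates an nftables ruleset with the layout the thread describes: INPUT/OUTPUT protect only the firewall host, FORWARD holds a single branch to a "Firewall" chain, and that chain handles ICMP and established sessions before branching by egress interface to one chain per network. The generated text is the kind of custom-chain code that could be handed to the hook script feature mentioned above. The interface names, subnets and per-network rules are constructed placeholders.

```shell
#!/bin/sh
# Added example: emits an nftables ruleset implementing per-egress-interface
# policy chains. Interface names and subnets below are constructed samples.

# Each entry is "interface:network-it-faces" (constructed values).
IFACES="eth1:10.1.0.0/24 eth2:10.2.0.0/24 eth3:10.3.0.0/24"

# Print the full ruleset. Check it with:  gen_ruleset | nft -c -f -
gen_ruleset() {
    cat <<'EOF'
table inet filter {
    # INPUT/OUTPUT only protect the firewall host itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ip protocol icmp accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    # FORWARD holds a single rule: branch to the custom "Firewall" chain.
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump Firewall
    }
    # "Firewall": ICMP and established sessions first, then one branch
    # per egress interface. The route decides the interface, so the
    # destination IP alone tells you which chain applies.
    chain Firewall {
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
EOF
    for entry in $IFACES; do
        ifc=${entry%%:*}
        printf '        oifname "%s" jump to_%s\n' "$ifc" "$ifc"
    done
    printf '    }\n'
    # One chain per egress interface holding the policy for that network.
    for entry in $IFACES; do
        ifc=${entry%%:*}
        net=${entry#*:}
        cat <<EOF
    chain to_$ifc {
        # Policy for traffic leaving via $ifc towards $net (placeholder rules).
        ip daddr $net tcp dport { 80, 443 } accept
        log prefix "drop-to-$ifc: " drop
    }
EOF
    done
    printf '}\n'
}

# Helpers to sanity-check the generated text without an nft binary.
count_chains() {
    gen_ruleset | grep -c '^    chain '
}
has_branch() {
    gen_ruleset | grep -q "oifname \"$1\" jump to_$1"
}

if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

Run it with `--print` to see the ruleset, or pipe the output into `nft -c -f -` for a syntax-only check before loading. Adding a network is a matter of appending one `interface:subnet` entry; both the branch in "Firewall" and the per-interface chain are generated from it, which keeps the branch list and the set of chains from drifting apart.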