Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Vallum application firewall
20wn
Posts: 5
Joined: Fri Dec 30, 2016 3:16 pm

Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby 20wn » Fri Dec 30, 2016 4:09 pm

Hi Hany,

you said the following in another post ("Vallum vs similar tools"):

"Vallum offers interactivity with the PF packet filter allowing to put rules at both application- and network-level, and this is a plus. Then, notification popup alerts are more informative and interactive."

I've purchased the Murus Pro app with Vallum included today (email address ge....@gmx.de). I'm now wondering how to do this - transfer the Vallum rule that I created to Murus, so that I can put it into a vial and then deploy it on other hosts.

I've also noticed that the packet filter in Vallum lets ICMP requests through, although TCP (and possibly UDP, didn't test) are blocked. You can try this by installing VMWare Fusion (or similar), then putting a rule in Vallum that blocks access to e.g. your local subnet (192.168.0.0/16 or similar) for VMWare but allows all other traffic. You cannot browse web pages in your local subnet from the NAT'ed VM, but you can still ping all hosts. Is this intended?

I was hoping to be able to use Vallum / Murus to fully restrict VM access, so that VMs can only communicate with the Internet but not with my local subnet. That would allow me to put untrusted applications in the VM and not worry if they try to attack my local network. I think Vallum is almost there but not quite (e.g. ICMP traffic still gets through).

Thanks, happy new year!

hany
Posts: 380
Joined: Wed Dec 10, 2014 5:20 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby hany » Thu Jan 05, 2017 10:41 pm

I've purchased the Murus Pro app with Vallum included today (email address ge....@gmx.de). I'm now wondering how to do this - transfer the Vallum rule that I created to Murus, so that I can put it into a vial and then deploy it on other hosts.

Wow, I've never thought about such a level of interaction :) Nice idea. For sure we will introduce this thing in a future Murus/Vallum release. However, Murus deployment is meant to be a way to configure PF in a massive way, thus a vial currently stores only PF rules. You are deploying only PF configuration; Vallum has nothing to do with PF and thus is completely ignored.
Interaction between Murus and Vallum is limited to exchanging addresses or issuing PF rules directly from Vallum notifications.
Another possible feature will be the possibility to exchange groups between Murus and Vallum. This will be possible when we introduce groups in Vallum.

I've also noticed that the packet filter in Vallum lets ICMP requests through, although TCP (and possibly UDP, didn't test) are blocked. You can try this by installing VMWare Fusion (or similar), then putting a rule in Vallum that blocks access to e.g. your local subnet (192.168.0.0/16 or similar) for VMWare but allows all other traffic. You cannot browse web pages in your local subnet from the NAT'ed VM, but you can still ping all hosts. Is this intended?

Yes, it is. As stated in the Vallum manual (somewhere, I don't remember where :D) Vallum filters only the TCP and UDP protocols.
This is on purpose. We believe that ICMP filtering at the application layer makes almost no sense, as we think that this kind of filtering is useful only at system level, thus at network level. So, in our vision, ICMP filtering is done using PF (Murus), not Vallum.
But we are absolutely open to comments or different points of view :)

I was hoping to be able to use Vallum / Murus to fully restrict VM access, so that VMs can only communicate with the Internet but not with my local subnet. That would allow me to put untrusted applications in the VM and not worry if they try to attack my local network. I think Vallum is almost there but not quite (e.g. ICMP traffic still gets through).

If you run your VM with bridged networking and you assign to each VM a dedicated IP belonging to your real LAN then you can safely use Murus and Vallum (installed on VM) to block all connections to your LAN (except the router...). I would use Vallum for TCP/UDP at app-layer and Murus for ICMP or other network-layer rules.

Happy new year too! :D

20wn
Posts: 5
Joined: Fri Dec 30, 2016 3:16 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby 20wn » Thu Jan 05, 2017 11:42 pm

Thanks for the long reply, Hany!

Let me explain a bit more what I'm trying to do. I've got a managed environment for Macs, where we control which applications are installed and what rights users have. But not all applications run natively on a Mac, e.g. Microsoft Project, Microsoft Visio, some development environments like Visual Studio. I'd like to be able to deploy these applications in VMs, so that users can easily manipulate documents or run programs that they require for their daily work. I'm however conscious that giving users the ability to run VMs essentially introduces a risk of running arbitrary code in our network. This is due to the fact that I cannot control which VM images are run by users. They could essentially download malware VMs from the internet and run them in our local subnet. As you can see, I can't use Murus or other firewall products on these VMs because they are not controlled by me. I need to filter on the application side.

Basically our network setup restricts users from using bridged mode in VMs because we have 802.1x deployed on the network and the switches won't accept connections from bridged devices. This forces users to use NAT mode if they want network access, which in turn means that filtering with Vallum on the VM host will enable us to control the network traffic of all client VMs.

So I want to restrict access of these VMs to the local subnet as much as possible, but let them out to the Internet if required so that they can do their daily work (possibly also allow access to other selected hosts in the local subnet that are required - all easily configured in Vallum). If there was a switch in Vallum where you could select which protocol types are blocked, that would be very helpful (e.g. ICMP, IGMP, TCP, UDP).

Is it possible to have a user-configurable option in Vallum for which protocols are blocked (ideally also per application, but a general switch would suffice in the first instance)?

Cheers!

20wn
Posts: 5
Joined: Fri Dec 30, 2016 3:16 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby 20wn » Thu Jan 05, 2017 11:49 pm

Further to the above, I've tried to limit traffic in Murus coming from vmnet8 (the VMWare Fusion NAT adapter), but that wasn't really successful. If you've got any good rules in Murus for how to achieve this, they'd be very welcome. Essentially I'd want to drop all packets coming from vmnet8 that target the local IP range, similar to this rule (taken from https://www.freebsd.org/doc/handbook/firewalls-pf.html):

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"

block drop in quick on vmnet8 from $martians to any
block drop out quick on vmnet8 from any to $martians

I tried the rule, but for whatever reason it didn't limit traffic from VMs. Once I've got such a rule working in Murus, I could then use the vials to deploy it.

Cheers!

20wn
Posts: 5
Joined: Fri Dec 30, 2016 3:16 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby 20wn » Tue Feb 07, 2017 3:17 am

Hi Hany,

Just wondering if you've got any idea how to accomplish this with Murus / Vallum?

Cheers!

hany
Posts: 380
Joined: Wed Dec 10, 2014 5:20 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby hany » Fri Feb 10, 2017 5:57 pm

Sorry for the late answer :) We are busy with the next project :D
With the current Vallum version there's nothing you can do. Vallum 2 blocks only the TCP and UDP protocols. Using VMWare VMs with shared networking you can manage VMWare.app in Vallum to block access to specific addresses or networks. It should work; it's the only thing you can do. ICMP will always pass.
About PF: I always use VMs with bridged networking. But as far as I understand you can't use it, so I'm trying to use shared networking, with weird results. PF rules for vmnet* interfaces are simply ignored, while blocking the whole system blocks VMWare too. For example you can block ICMP system-wide with a custom PF rule (block out proto icmp all). Pretty weird, I will make some more tests.
However...
Our "next project" will allow you to do what you need, but we are in a very early development phase, so it's even too early to talk about it ;)
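The following is an added illustration, not code from Vallum, Murus or anyone in this thread. It models the two filtering layers discussed above so a policy can be checked on paper: an application-layer filter that, as hany describes for Vallum 2, evaluates only TCP and UDP and lets every other protocol through, and a PF-style evaluator with pf.conf's matching semantics (rules evaluated top to bottom, last match wins, a matching `quick` rule ends evaluation). Run against the two handbook rules 20wn posted, the model shows two things: ICMP to the LAN passes the application-layer filter no matter what addresses it blocks, and the `in` rule keyed on `from $martians` matches every packet from a NAT'd VM, Internet-bound ones included, because the VM's own source address is an RFC 1918 address. A destination-keyed rule (`INTENT_RULES`, hypothetical, not from the thread) expresses the stated intent instead. The VM address, the LAN host and the Internet host are constructed sample values, and the model assumes pf actually evaluates rules on vmnet8, which hany reports it does not.

```python
"""Model of an app-layer (TCP/UDP only) filter next to a PF-style ruleset.
Added example; assumptions are marked in comments."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    iface: str       # host interface the packet crosses
    direction: str   # "in" or "out", from the host's point of view
    proto: str       # "tcp", "udp", "icmp", "igmp", ...
    src: str
    dst: str


# Address list from the FreeBSD handbook rule quoted in the thread.
MARTIANS = tuple(ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"))


def in_any(addr: str, nets: Sequence) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


@dataclass(frozen=True)
class PfRule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # None = both directions
    iface: Optional[str]         # None = any interface
    proto: Optional[str]         # None = any protocol
    src: Optional[Sequence]      # networks; None = any
    dst: Optional[Sequence]      # networks; None = any
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or in_any(p.src, self.src))
                and (self.dst is None or in_any(p.dst, self.dst)))


def pf_decide(rules: Sequence[PfRule], p: Packet, default: str = "pass") -> str:
    """pf.conf semantics: last matching rule wins unless a match is 'quick'."""
    decision = default
    for r in rules:
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision


def app_filter_decide(p: Packet, blocked_dsts: Sequence) -> str:
    """Application-layer filter as hany describes Vallum 2 (assumption):
    only TCP and UDP are evaluated; any other protocol passes untouched."""
    if p.proto not in ("tcp", "udp"):
        return "pass"
    return "block" if in_any(p.dst, blocked_dsts) else "pass"


# The two rules 20wn posted, transcribed into the model.
HANDBOOK_RULES = (
    PfRule("block", "in", "vmnet8", None, MARTIANS, None, quick=True),
    PfRule("block", "out", "vmnet8", None, None, MARTIANS, quick=True),
)

# Hypothetical destination-keyed rule for the stated intent: VM may reach the
# Internet but not the LAN. Anything the VM needs from the vmnet8 subnet itself
# (DHCP, for example) would need a pass rule placed above it.
LAN = (ip_network("192.168.0.0/16"),)
INTENT_RULES = (
    PfRule("block", "in", "vmnet8", None, None, LAN, quick=True),
)

# Constructed sample traffic: VM NAT address and hosts are made-up values.
SAMPLES = {
    "ping LAN host": Packet("vmnet8", "in", "icmp", "192.168.57.130", "192.168.1.10"),
    "http LAN host": Packet("vmnet8", "in", "tcp", "192.168.57.130", "192.168.1.10"),
    "http Internet": Packet("vmnet8", "in", "tcp", "192.168.57.130", "198.51.100.10"),
}


def evaluate(name: str) -> dict:
    """Decision of each layer for one sample packet."""
    p = SAMPLES[name]
    return {
        "app_layer": app_filter_decide(p, LAN),
        "handbook_pf": pf_decide(HANDBOOK_RULES, p),
        "intent_pf": pf_decide(INTENT_RULES, p),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:15s} {evaluate(name)}")
```

The "http Internet" row is the one to look at: the application-layer filter and the destination-keyed rule both let it through, while the handbook rules as posted block it, so even if pf did evaluate vmnet8 rules that ruleset would cut the VMs off from the Internet rather than just from the LAN.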

20wn
Posts: 5
Joined: Fri Dec 30, 2016 3:16 pm

Re: Vallum pf rules integration, Vallum filter deficiencies (ICMP)

Postby 20wn » Thu Mar 09, 2017 10:01 pm

The "next big project" sounds very exciting. I'd be more than happy to beta test it :D
