SimpleFirewall Example inbound flow control

Hi. I have a question about SimpleFirewall inbound flow control.

let inboundNetworkRule = NENetworkRule(remoteNetwork: nil,
                                       remotePrefix: 0,
                                       localNetwork: localNetwork,
                                       localPrefix: 0,
                                       protocol: .TCP,
                                       direction: .inbound)

In this example, I noticed that if I add a specific remoteNetwork instead of nil, the flow doesn't hit the handleNewFlow function at all.

In the case of remoteNetwork: "0.0.0.0" and remotePrefix: 0, all the inbound flows hit handleNewFlow, but in the case of

remoteNetwork: "192.168.41.161" and remotePrefix: 32 it won't work.

Am I missing something or is it a limitation of the content filter provider?

Besides, is there any way we can catch flow by port ranges?

In this example, I noticed that if I add a specific remoteNetwork instead of nil, the flow doesn't hit the handleNewFlow function at all.

Having nil set for the remoteNetwork will catch everything, so it sounds like when you are adding an address to the remoteNetwork that it's not the correct inbound address.

Regarding:

but in case of remoteNetwork: "192.168.41.161" and remotePrefix: 32 won't work Am I missing something or is it a limitation of the content filter provider?

Try removing the localNetwork and setting it to nil. Then try using the address for 192.168.41.161 without a remotePrefix. I would expect this to work with just the remoteNetwork.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@meaton

If I set localNetwork to nil, I will lose the capability of setting port, and that is not what I want.

let localNetwork = NWHostEndpoint(hostname: "0.0.0.0", port: "8888")
let remoteNetwork = NWHostEndpoint(hostname: "192.168.41.161", port: "0")
let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                       remotePrefix: 32,
                                       localNetwork: nil,
                                       localPrefix: 0,
                                       protocol: .TCP,
                                       direction: .inbound)

I would like to make the above filter work, but it does not.

Okay, going back just to the example in the SimpleFirewall. If you set up your rules such as:

static let localPort = "8888"
...
let filterRules = ["0.0.0.0", "::"].map { address -> NEFilterRule in
    let localNetwork = NWHostEndpoint(hostname: address, port: FilterDataProvider.localPort)
    let inboundNetworkRule = NENetworkRule(remoteNetwork: nil,
                                           remotePrefix: 0,
                                           localNetwork: localNetwork,
                                           localPrefix: 0,
                                           protocol: .TCP,
                                           direction: .inbound)
    return NEFilterRule(networkRule: inboundNetworkRule, action: .filterData)
}

Are you able to pick up all inbound connections on port 8888, regardless of whether they match the remote network or not? If so, then this would be a place to start.

You could also set both local and remote networks to nil and then use .any for the direction to see if you are able to gather both incoming and outgoing connections on one rule.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Meaton, sure. To simplify things a bit, traffic from 192.168.4.2 does not hit the rule in this case:

        let remoteNetwork = NWHostEndpoint(hostname: "192.168.4.2", port: "0")
        let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                               remotePrefix: 32,
                                               localNetwork: nil,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .inbound)

If I change the port to "", which according to the docs sounds like it should be the same as port "0", I now match the rule, but other remote IPs also match the rule. This seems like another issue.

The below case does not seem to do what I want either. With the configuration below I see multiple remote IPs hit the rule. To me that makes sense because the prefix is 0, not 32. However, I also saw loopback traffic hit in this case as well, which did not make any sense given that the documentation I've read seems to indicate loopback traffic will only hit an explicit rule for 127.0.0.1.

        let remoteNetwork = NWHostEndpoint(hostname: "192.168.4.2", port: "0")
        let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                               remotePrefix: 0,
                                               localNetwork: nil,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .inbound)

I also tried the below and the behavior is the same as the localNetwork nil case above.

        let localNetwork = NWHostEndpoint(hostname: "0.0.0.0", port: "0")
        let remoteNetwork = NWHostEndpoint(hostname: "192.168.4.2", port: "0")
        let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                               remotePrefix: 0,
                                               localNetwork: localNetwork,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .inbound)

In the case below the behavior is the same as the above (multiple remote IPs hit the rule) except I no longer see loopback traffic (likely because the local port filter is working).

        let localNetwork = NWHostEndpoint(hostname: "0.0.0.0", port: "8888")
        let remoteNetwork = NWHostEndpoint(hostname: "192.168.4.2", port: "0")
        let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                               remotePrefix: 0,
                                               localNetwork: localNetwork,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .inbound)

And finally the case I really want is below. A connection from remote IP 192.168.4.2 to local port 8888 does not get caught by the rule below. It appears this doesn't have anything to do with the localNetwork based on the examples above which used a nil or 0.0.0.0/0 local network and still didn't work.

        let localNetwork = NWHostEndpoint(hostname: "0.0.0.0", port: "8888")
        let remoteNetwork = NWHostEndpoint(hostname: "192.168.4.2", port: "0")
        let inboundNetworkRule = NENetworkRule(remoteNetwork: remoteNetwork,
                                               remotePrefix: 32,
                                               localNetwork: localNetwork,
                                               localPrefix: 0,
                                               protocol: .TCP,
                                               direction: .inbound)
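Added example (Swift), not code from the SimpleFirewall sample or from any post above: it keeps the NENetworkRule in the coarse shape the thread confirms does reach handleNewFlow (remoteNetwork nil, local 0.0.0.0 and :: on a port, .inbound) and makes the specific-remote-host decision and the port-range check from the first post inside handleNewFlow instead. The port range, the allowed remote host and the per-port rule expansion are hypothetical choices, not documented behaviour.

```swift
import NetworkExtension

// Added example; assumes the coarse rule shape from the thread and does
// fine-grained matching in handleNewFlow. Policy values are hypothetical.
class FilterDataProvider: NEFilterDataProvider {

    static let protectedLocalPorts: ClosedRange<Int> = 8888...8890   // hypothetical
    static let allowedRemoteHosts: Set<String> = ["192.168.4.2"]      // hypothetical

    // NWHostEndpoint carries one port, so a range is expanded to one rule per
    // port per address family (an assumption, not a documented range API).
    // remoteNetwork stays nil because a specific remote host did not match.
    static func inboundRules(ports: ClosedRange<Int>) -> [NEFilterRule] {
        var rules: [NEFilterRule] = []
        for port in ports {
            for address in ["0.0.0.0", "::"] {
                let local = NWHostEndpoint(hostname: address, port: String(port))
                let rule = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                         localNetwork: local, localPrefix: 0,
                                         protocol: .TCP, direction: .inbound)
                rules.append(NEFilterRule(networkRule: rule, action: .filterData))
            }
        }
        return rules
    }

    // Decision kept separate from the flow object so it can be unit tested.
    static func shouldAllow(remoteHost: String, localPort: Int) -> Bool {
        guard protectedLocalPorts.contains(localPort) else { return true }
        return allowedRemoteHosts.contains(remoteHost)
    }

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        let settings = NEFilterSettings(rules: Self.inboundRules(ports: Self.protectedLocalPorts),
                                        defaultAction: .allow)
        apply(settings) { error in completionHandler(error) }
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only socket flows carry endpoints; anything else passes through.
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint,
              let local = socketFlow.localEndpoint as? NWHostEndpoint,
              let localPort = Int(local.port) else {
            return .allow()
        }
        return Self.shouldAllow(remoteHost: remote.hostname, localPort: localPort)
            ? .allow() : .drop()
    }
}
```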