What do you want in a firewall?

SplitIce Member, Host Rep
edited March 2020 in General

We have all seen the "Cloud Firewall" products offered by the bigger VPS providers (Vultr, DigitalOcean, AWS etc.); from my experience these are pretty useless for anything but the most basic applications.

For the past 2 years I've been working on a way to scale custom mitigation and firewall rules (at Layer 3-5) to the scales we operate at. It looks like this year we will finally achieve the scalability required to offer it.

What remains to be ascertained is the priority for implementing (at customer level) the various match parameters; I want this to be as useful as possible. What would you like to see available, either as match parameters or as target types, in a Layer 4 firewall?

Currently Available:
- Full BPF (cBPF) expression matching (anything you could select with tcpdump)
- IP ban lists
- DROP target
- Evaluate either for new connections, or on every packet

Planned:
- RateLimit (white & black) target
- BAN target
- API support for adding/removing IPs from ban lists (i.e. so people can take control on their own servers and have us do the heavy lifting)

Possible:
- IP whitelist
- Paired Ports (accept only where connected to another port)
- DNS match
- TLS match
- String match (performance :( )

What would you prioritize?
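As an added illustration (this is not SplitIce's code and does not describe any real product), the small Python evaluator below shows how several of the listed match parameters and targets fit together: an IP ban list feeding a DROP target, a RATELIMIT target with a per-source sliding window, and the difference between evaluating a rule on new connections only (TCP SYNs) versus on every packet. The `Packet`, `Rule` and `Firewall` classes, the rule names, the target names and the packet data are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One constructed Layer-3/4 packet; only the header fields the rules need."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    syn: bool       # True for a TCP SYN, i.e. the first packet of a new connection
    ts: float       # arrival time in seconds


@dataclass
class Rule:
    name: str
    match: Callable[["Firewall", Packet], bool]
    target: str                         # "DROP" or "RATELIMIT" (hypothetical target names)
    new_connections_only: bool = False  # True: evaluate only on SYNs; False: on every packet
    limit: int = 0                      # RATELIMIT: packets allowed per source per window
    window: float = 1.0                 # RATELIMIT: sliding window length in seconds


class Firewall:
    """Evaluates rules in order; the first rule that reaches a terminal target wins."""

    def __init__(self, rules: List[Rule], banlist: List[str]):
        self.rules = rules
        self.banlist = [ip_network(cidr) for cidr in banlist]
        # (rule name, source IP) -> timestamps seen inside the current window
        self._seen = defaultdict(list)

    def in_banlist(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        return any(src in net for net in self.banlist)

    def _over_limit(self, rule: Rule, pkt: Packet) -> bool:
        key = (rule.name, pkt.src)
        recent = [t for t in self._seen[key] if pkt.ts - t < rule.window]
        recent.append(pkt.ts)            # dropped attempts still count against the source
        self._seen[key] = recent
        return len(recent) > rule.limit

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.new_connections_only and not pkt.syn:
                continue                 # mid-connection packet: this rule is not consulted
            if not rule.match(self, pkt):
                continue
            if rule.target == "RATELIMIT":
                if self._over_limit(rule, pkt):
                    return "DROP", rule.name
                continue                 # under the limit: keep evaluating later rules
            return rule.target, rule.name
        return "ACCEPT", "default"


def build_firewall() -> Firewall:
    rules = [
        Rule("banlist-drop", match=lambda fw, p: fw.in_banlist(p), target="DROP"),
        # Limit new SSH connections per source: 3 SYNs per 10 s, checked only on SYNs.
        Rule("ssh-conn-rate", match=lambda fw, p: p.proto == "tcp" and p.dport == 22,
             target="RATELIMIT", new_connections_only=True, limit=3, window=10.0),
        # UDP has no handshake, so a DNS rate limit has to be evaluated on every packet.
        Rule("udp-dns-rate", match=lambda fw, p: p.proto == "udp" and p.dport == 53,
             target="RATELIMIT", limit=2, window=1.0),
    ]
    return Firewall(rules, banlist=["203.0.113.0/24"])   # constructed ban list


def run_demo() -> List[Tuple[str, str]]:
    """Feed a constructed packet sequence through the firewall and return the verdicts."""
    server = "198.51.100.10"
    packets = [
        Packet("203.0.113.5", server, 22, "tcp", True, 0.0),    # banned source
        Packet("192.0.2.1", server, 22, "tcp", True, 1.0),      # SSH SYN #1
        Packet("192.0.2.1", server, 22, "tcp", True, 2.0),      # SSH SYN #2
        Packet("192.0.2.1", server, 22, "tcp", True, 3.0),      # SSH SYN #3 (still allowed)
        Packet("192.0.2.1", server, 22, "tcp", True, 4.0),      # SSH SYN #4 (over the limit)
        Packet("192.0.2.1", server, 22, "tcp", False, 4.5),     # data on an established session
        Packet("192.0.2.1", server, 22, "tcp", True, 15.0),     # the 10 s window has expired
        Packet("192.0.2.7", server, 53, "udp", False, 20.0),    # DNS query #1
        Packet("192.0.2.7", server, 53, "udp", False, 20.1),    # DNS query #2
        Packet("192.0.2.7", server, 53, "udp", False, 20.2),    # DNS query #3 (over the limit)
    ]
    fw = build_firewall()
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict, rule in run_demo():
        print(f"{verdict:<6} ({rule})")
```

The sixth packet is the interesting one: it arrives on an established SSH session after that source has already been rate-limited, but because the SSH rule is evaluated only on new connections it is never consulted, so the packet is accepted. The DNS rule shows the opposite choice, which is the only one available for connectionless UDP. Evaluating per packet costs a rule walk on every packet, which is why a per-new-connection mode is worth having at all.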

Comments

  • raindog308 Administrator, Veteran

    Block by country like CSF does.

    I would think IP whitelisting is a pretty basic feature...but then, I've never used a "cloud" firewall.

  • somik Member
    edited March 2020

    I would like it to be able to run without refueling. Hate it when you have to go top up gasoline to keep the firewall up. But at least it keeps the zombies out.

  • SplitIce Member, Host Rep

    raindog308 said: Block by country like CSF does.

    So poorly? I'm not keen on perpetuating GeoIP db inaccuracy to be honest.

    This is coming from someone who according to Maxmind is located in PNG currently on my home ISP.
