Firewall

The Firewall filter's job is to allow or block traffic depending on whether the incoming traffic's source IP and port match the rules set on the Firewall filter.

Filter name

quilkin.filters.firewall.v1alpha1.Firewall

Configuration Examples


#![allow(unused)]
fn main() {
let yaml = "
version: v1alpha1
static:
  filters:
    - name: quilkin.filters.firewall.v1alpha1.Firewall
      config:
        on_read:
          - action: ALLOW
            source: 192.168.51.0/24
            ports:
               - 10
               - 1000-7000
        on_write: 
          - action: DENY
            source: 192.168.51.0/24
            ports:
               - 7000
  endpoints:
    - address: 127.0.0.1:7001
";
let config = quilkin::config::Config::from_reader(yaml.as_bytes()).unwrap();
assert_eq!(config.source.get_static_filters().unwrap().len(), 1);
quilkin::Builder::from(std::sync::Arc::new(config)).validate().unwrap();
}

Configuration Options (Rust Doc)

---
$schema: "http://json-schema.org/draft-07/schema#"
title: Config
description: Represents how a Firewall filter is configured for read and write operations.
type: object
required:
  - on_read
  - on_write
properties:
  on_read:
    type: array
    items:
      $ref: "#/definitions/Rule"
  on_write:
    type: array
    items:
      $ref: "#/definitions/Rule"
definitions:
  Action:
    description: "Whether or not a matching [Rule] should Allow or Deny access"
    type: string
    enum:
      - ALLOW
      - DENY
  PortRange:
    description: "Range of matching ports that are configured against a [Rule]."
    allOf:
      - $ref: "#/definitions/Range_of_uint16"
  Range_of_uint16:
    type: object
    required:
      - end
      - start
    properties:
      end:
        type: integer
        format: uint16
        minimum: 0.0
      start:
        type: integer
        format: uint16
        minimum: 0.0
  Rule:
    description: "Combination of CIDR range, port range and action to take."
    type: object
    required:
      - action
      - ports
      - source
    properties:
      action:
        $ref: "#/definitions/Action"
      ports:
        type: array
        items:
          $ref: "#/definitions/PortRange"
      source:
        description: ipv4 or ipv6 CIDR address.
        type: string

Rule Evaluation

The Firewall filter supports DENY and ALLOW actions for access control. When several DENY and ALLOW rules are configured for a workload at the same time, they are evaluated in the order they are configured, and the first matching rule decides whether the request is allowed or denied:

  1. If a rule action is ALLOW, and it matches the request, then the entire request is allowed.
  2. If a rule action is DENY and it matches the request, then the entire request is denied.
  3. If none of the configured rules match, then the request is denied.
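The first-match evaluation above, as an added Rust example that is not Quilkin's own implementation: it assumes IPv4-only CIDR matching and hypothetical names (parse_cidr, evaluate, on_read_rules), and its rules mirror the on_read block from the configuration example on this page.

```rust
use std::net::Ipv4Addr;
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Action { Allow, Deny }

/// One rule: IPv4 CIDR source (network, prefix length), inclusive port ranges, and the action.
pub struct Rule {
    pub action: Action,
    pub source: (Ipv4Addr, u8),
    pub ports: Vec<(u16, u16)>,
}

/// Parse "a.b.c.d/n" into (network, prefix). Hypothetical helper, not Quilkin's own parser.
pub fn parse_cidr(s: &str) -> Option<(Ipv4Addr, u8)> {
    let (addr, len) = s.split_once('/')?;
    let len: u8 = len.parse().ok()?;
    if len > 32 { return None; }
    Some((addr.parse().ok()?, len))
}

/// True when `ip` falls inside the CIDR block; a /0 prefix matches everything.
fn in_cidr(ip: Ipv4Addr, (net, len): (Ipv4Addr, u8)) -> bool {
    let mask: u32 = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

impl Rule {
    /// A rule matches when both the source CIDR and one of the port ranges match.
    fn matches(&self, ip: Ipv4Addr, port: u16) -> bool {
        in_cidr(ip, self.source) && self.ports.iter().any(|&(s, e)| (s..=e).contains(&port))
    }
}

/// Rules are checked in configured order; the first match decides, and no match means Deny.
pub fn evaluate(rules: &[Rule], ip: Ipv4Addr, port: u16) -> Action {
    rules.iter().find(|r| r.matches(ip, port)).map(|r| r.action).unwrap_or(Action::Deny)
}

/// The on_read rules from this page's configuration example: ALLOW 192.168.51.0/24 on port 10 and 1000-7000.
pub fn on_read_rules() -> Vec<Rule> {
    let source = parse_cidr("192.168.51.0/24").unwrap();
    vec![Rule { action: Action::Allow, source, ports: vec![(10, 10), (1000, 7000)] }]
}
fn main() {
    let rules = on_read_rules();
    let src: Ipv4Addr = "192.168.51.42".parse().unwrap(); // constructed sample client
    println!("{:?}", evaluate(&rules, src, 1234)); // Allow: inside the 1000-7000 range
    println!("{:?}", evaluate(&rules, src, 8000)); // Deny: port matches no rule
    println!("{:?}", evaluate(&rules, "10.0.0.1".parse().unwrap(), 1234)); // Deny: source outside the CIDR
}
```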

Metrics

  • quilkin_filter_Firewall_packets_denied_total Total number of packets denied.
  • quilkin_filter_Firewall_packets_allowed_total Total number of packets allowed.

Both metrics carry the label event, whose value is read or write, corresponding to the on_read or on_write event within the filter.