Vincent Li 8b29912521 suricata-xdp: resolve memlock and stack smashing
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.

also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilege anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route will be bypassed. no IP address should
be assigned to red0 and green0 interface.

172.16.1.0/24          inline              172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network

we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stop working after reboot. green network client
can get DHCP IP from upstream dhcp server.

start suricata manually

suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and green0
interface

not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2024-10-18 19:47:59 +00:00
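
A pre-flight check for the usage scenario in the commit message above, as an added example that is not part of the BPFire repository: it confirms the caller is root and that red0 and green0 carry no IPv4 address before suricata is started in XDP capture mode. The function names, the blue0 interface and the sample `ip -o -4 addr show` text are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for the inline XDP bridge (red0 <-> green0) described above.
# Added example; function names and sample data are constructed.

# Constructed `ip -o -4 addr show` output: red0 still has an address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: red0    inet 172.16.1.1/24 brd 172.16.1.255 scope global red0\       valid_lft forever preferred_lft forever
4: blue0    inet 10.0.0.1/24 brd 10.0.0.255 scope global blue0\       valid_lft forever preferred_lft forever'

# Constructed output for a box where red0 and green0 have no IPv4 address:
# with -4, only interfaces that hold an IPv4 address are listed.
CLEAN_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: blue0    inet 10.0.0.1/24 brd 10.0.0.255 scope global blue0\       valid_lft forever preferred_lft forever'

# Read `ip -o -4 addr show` text on stdin; print the bridge ports
# (red0, green0) that still carry an IPv4 address, space separated.
addressed_bridge_ports() {
    awk '$3 == "inet" && ($2 == "red0" || $2 == "green0") && !seen[$2]++ {
             out = out (out ? " " : "") $2
         }
         END { if (out) print out }'
}

# $1 = numeric uid, $2 = text of `ip -o -4 addr show`.
# Prints one line per finding; returns 0 only when every check passes.
preflight() {
    rc=0
    if [ "$1" -ne 0 ]; then
        echo "FAIL: uid $1 is not root; loading/attaching the XDP program needs root"
        rc=1
    fi
    ports=$(printf '%s\n' "$2" | addressed_bridge_ports)
    if [ -n "$ports" ]; then
        echo "FAIL: IPv4 address still assigned to bridge port(s): $ports"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: ready to start suricata in XDP capture mode"
    fi
    return "$rc"
}

# Demonstration on the constructed sample (reports red0).
preflight 0 "$SAMPLE_ADDRS" || true
```

On a live system the same check would be called as `preflight "$(id -u)" "$(ip -o -4 addr show)"` before running the suricata command from the commit message.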

BPFire - eBPF Network Firewall and Load Balancer

What is BPFire?

BPFire is a fork of IPFire 2.x, a hardened, versatile, state-of-the-art Open Source firewall based on Linux. BPFire aims to bring revolutionary eBPF technology to non-tech-savvy users and make it consumable for home users and organizations of any size to secure their network environments. Currently supported eBPF network application features:

  1. XDP DDoS protection, see XDP SYNPROXY stops 10G DDoS SYN flood here
  2. XDP DNS domain blocklist and rate-limit protection
  3. XDP SSL/TLS Server Name Indication (SNI) blocklist
  4. XDP GeoIP/Country blocklist
  5. eBPF-based LoxiLB load balancer, firewall, proxy, see full features LoxiLB

Where can I get the BPFire installation ISO or flash image?

http://bpfire.net/download/

https://drive.google.com/drive/folders/1HPJTWP6wi5gPd5gyiiKvIhWipqguptzZ?usp=drive_link

What computer hardware does BPFire require?

BPFire supports commodity computer hardware, small or large, old or new, cheap or expensive.

For example, the mini PC I use at home.

How do I install BPFire?

Flash the ISO to a USB drive on a Linux machine; in this example /dev/sdc is your USB thumb drive.

dd if=bpfire-2.29-core184-x86_64.iso of=/dev/sdc status=progress

BPFire installation on mini industrial PC:

How do I use this software?

BPFire XDP DDoS feature demo:

Enable IPFire eBPF XDP DDoS from WebUI

IPFire has a long and detailed wiki located here, which should answer most of your questions about IPFire.

BPFire SYNPROXY throughput with and without XDP acceleration under 10Gbit DDoS SYN flood:

Throughput performance

BPFire WebUI screenshot:

English:

Chinese:

Does BPFire run in a hypervisor virtual environment?

Yes. We have tested it on the Linux KVM hypervisor, Proxmox and Microsoft Hyper-V; it should support VirtualBox and VMware as well.

Microsoft Hyper-v screen shot:

But I have some questions left. Where can I get support?

You can ask your question by opening a GitHub issue report or discussion. For IPFire-related questions, you can ask at the IPFire community located here.

How to build BPFire?

Build Environment Setup https://www.ipfire.org/docs/devel/ipfire-2-x/build-initial

git clone https://github.com/vincentmli/BPFire.git

cd BPFire

git checkout bpfire

Get the BPFire source tarball cache.tar from https://drive.google.com/drive/folders/15rEoiB9TU4DxYv1qdOFqyJ2DkL6J9lG1?usp=drive_link

tar xvf cache.tar

Get all BPFire addon source tarballs from https://drive.google.com/drive/folders/1cDZ0z26td2jVkxBX9cHhz43QxrZn3Aqq?usp=drive_link and move them to the cache directory

mv *.tar.gz ./cache/

./make.sh clean

./make.sh build

How do I support BPFire development?

Join or donate to BPFire via PayPal
