Firezone, first impressions

Hello!

I apologize for my bad English; I use computer translation.

The product is just great, greatly simplifies the administration process.
But there are a few comments and questions.

  1. Firezone works with the nftables firewall. Previously, we had firewall rules configured to prevent unauthorized access. After installation, Firezone behaved a little differently than expected - the settings of the “Rules” tab did not affect the work of clients in any way. We simply took the source code of the nftables config script and added the name of the physical interface to the rules wherever necessary, so that they only affect that interface and not every interface that is discovered (including wg-firezone). This allowed the system to operate within the established Firezone rules for nftables. As such, I would recommend doing the same for the “wg-firezone” interface in Firezone’s auto-enforced rules.
  2. I did not find a description of the version upgrade process in the documentation. Maybe I didn’t search well. If it isn’t difficult, could you tell me how to update the Firezone version?
  3. There is still a lot of work to be done on the statistics pages for users and their devices. If possible, I will talk with our programmers, maybe they will join the discussion of this issue. But it all depends on the desire and employment of our programmers. I have not discussed this issue with them yet.

Good luck! Firezone deserves a lot of popularity.

Hi Igor,

Thanks for your feedback.

  1. We’re exploring ways to make firewall rules more granular. Would this help? Enforce per-user|device rules · Issue #423 · firezone/firezone · GitHub
  2. See here: Upgrade | Docs Firezone

Thanks for the quick response and tip!

And regarding nftables: I meant something else.

For example, before installing Firezone, we had the following rule:
ip saddr 172.28.0.0/16 tcp dport { 80, 443 } counter accept comment "accept HTTP and HTTPS from trusted IPv4 clients"
And VPN clients were allocated IP addresses from the 172.28.10.0/24 range.
So the nftables rules defined in the Rules tab had no effect on the limits.

We fixed this situation by making the following changes to the nftables configuration script:
iifname ens192 ip saddr 172.28.0.0/16 tcp dport { 80, 443 } counter accept comment "accept HTTP and HTTPS from trusted IPv4 clients"
After that everything worked as it should.

Firezone at startup makes its own changes to the nftables rules:
table inet firezone {
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip daddr 172.XX.XX.XX/XX accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ens192" masquerade random,persistent
    }
}

Could the rule
ip daddr 172.XX.XX.XX/XX accept
be given the following form:
iifname "wg-firezone" ip daddr 172.XX.XX.XX/XX accept
?

I didn’t check it myself.
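The overlap described in the post above, as an added illustration that is not part of the thread or of Firezone's own code: a tiny first-match evaluator over two simplified rules (the unscoped one and the `iifname ens192` one), with the trusted LAN, the VPN client range, interface names and the sample client addresses taken or constructed from the values quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed sample values from the thread: the VPN clients (172.28.10.0/24)
# sit inside the trusted LAN prefix (172.28.0.0/16), so a rule that matches
# only on saddr also matches traffic arriving from the WireGuard interface.
TRUSTED_LAN = ip_network("172.28.0.0/16")
VPN_CLIENTS = ip_network("172.28.10.0/24")


@dataclass(frozen=True)
class Rule:
    """Simplified nftables rule: optional input interface, source prefix, TCP dports."""
    saddr: str
    dports: FrozenSet[int]
    iifname: Optional[str] = None  # None models the original, unscoped rule
    verdict: str = "accept"

    def matches(self, iif: str, saddr: str, dport: int) -> bool:
        if self.iifname is not None and self.iifname != iif:
            return False
        return ip_address(saddr) in ip_network(self.saddr) and dport in self.dports


# The two rules quoted in the thread, before and after the interface scoping.
UNSCOPED = Rule("172.28.0.0/16", frozenset({80, 443}))
SCOPED = Rule("172.28.0.0/16", frozenset({80, 443}), iifname="ens192")


def evaluate(rules: List[Rule], iif: str, saddr: str, dport: int, policy: str = "drop") -> str:
    """First matching rule wins, like a chain whose policy is drop."""
    for rule in rules:
        if rule.matches(iif, saddr, dport):
            return rule.verdict
    return policy


def vpn_client_reaches_https(rule: Rule) -> bool:
    # Constructed VPN client address, arriving on the WireGuard interface.
    return evaluate([rule], "wg-firezone", "172.28.10.17", 443) == "accept"


def lan_client_reaches_https(rule: Rule) -> bool:
    # Constructed LAN client address, arriving on the physical interface.
    return evaluate([rule], "ens192", "172.28.1.5", 443) == "accept"
```

With the unscoped rule the VPN client is accepted by the host's own rule before any Firezone rule is consulted; scoping it to `ens192` leaves LAN clients accepted and lets the VPN path be governed separately.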

Hey @parmon – thanks for the followup. I’ve opened Scope rules to networks / interfaces · Issue #647 · firezone/firezone · GitHub to track this request.