Starting from release 2.0.357, we offer an experimental capability which allows you to filter traffic inline using FastNetMon. It leverages the XDP (eXpress Data Path) capability of the Linux kernel for very fast traffic filtering.
You can use this capability to defend a Linux server from attacks from the outside.
To enable the logic which automatically creates filtering rules for malicious traffic, please follow this guide. Skip the section about BGP configuration, as it is not needed for the XDP filter, but you may keep BGP Flow Spec and the XDP filter enabled at the same time for the most efficient filtering.
Please note that the licensing scheme for filter capability may be changed in future. Existing deployments will not be affected.
Currently not supported, but planned for future releases: transparent bridge/filter mode, where the machine running the filter sits in the path and processes all traffic towards your network.
We support only Ubuntu 22.04 LTS as a platform for the filter.
To use this capability, you need to install clang 17 and libbpf from the LLVM apt repository (the repository line below is for jammy, i.e. Ubuntu 22.04):
wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
echo -e "deb https://apt.llvm.org/jammy/ llvm-toolchain-jammy-17 main\n" | sudo tee -a /etc/apt/sources.list.d/clang.list
sudo apt-get update
sudo apt-get install -y clang-17 libbpf-dev
To enable this capability, you need to set this flag:
sudo fcli set main filter_xdp true
After that, you need to specify a list of network interfaces where FastNetMon will install XDP filtering rules:
sudo fcli set main interfaces_filter_xdp wlp82s0
In the current version of FastNetMon, you can also add filtering rules manually using the standard BGP Flow Spec format, for example:
sudo fcli set flowspec '{ "source_prefix": "4.0.0.0/32", "destination_prefix": "127.0.0.0/32", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "udp" ], "fragmentation_flags": [ "dont-fragment" ], "action_type": "discard" }'
The XDP filter has the following limitations when you use BGP Flow Spec rules for attack filtering:
- Only a single element is supported for the “fragmentation_flags” field
- Only a single element is supported for the “tcp_flags” field, and the protocol must be set to TCP
- The element “not-a-fragment” has no effect, as it is not defined by the RFC
- Only IPv4 is supported
- Only /32 prefixes are supported for source_prefix and destination_prefix
- If you specify a source or destination port in a rule, the protocol list must contain exactly one protocol, and it must be UDP or TCP
- The only supported action is “discard”
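A rule that the BGP Flow Spec side accepts can still be refused by the XDP filter because of the limitations above, so it is worth checking a rule before handing it to fcli. The following Python validator is an added example, not FastNetMon's own code: it checks a flowspec rule (the same JSON fields as the fcli example above) against the documented constraints and builds the shell-quoted fcli command. The second, deliberately broken rule is constructed for this example only.

```python
import ipaddress
import json
import shlex

# Constraints transcribed from the documented XDP limitations.
# This validator is an added example, not part of FastNetMon.
PORT_PROTOCOLS = {"tcp", "udp"}
ALLOWED_ACTIONS = {"discard"}


def check_xdp_rule(rule: dict) -> list:
    """Return a list of findings for a flowspec rule dict.

    An empty list means the rule only uses features the XDP filter supports.
    """
    findings = []

    # Only IPv4 /32 prefixes are supported for source and destination.
    for key in ("source_prefix", "destination_prefix"):
        value = rule.get(key)
        if value is None:
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"{key}: '{value}' is not a valid prefix")
            continue
        if net.version != 4:
            findings.append(f"{key}: only IPv4 is supported")
        elif net.prefixlen != 32:
            findings.append(f"{key}: only /32 prefixes are supported, got /{net.prefixlen}")

    protocols = [str(p).lower() for p in rule.get("protocols", [])]

    # Ports require exactly one protocol, and it must be tcp or udp.
    if rule.get("source_ports") or rule.get("destination_ports"):
        if len(protocols) != 1 or protocols[0] not in PORT_PROTOCOLS:
            findings.append("ports: exactly one protocol is required and it must be tcp or udp")

    # tcp_flags: a single element, and the protocol must be tcp.
    tcp_flags = rule.get("tcp_flags", [])
    if tcp_flags:
        if len(tcp_flags) != 1:
            findings.append("tcp_flags: only a single element is supported")
        if protocols != ["tcp"]:
            findings.append("tcp_flags: protocol must be set to tcp")

    # fragmentation_flags: a single element; not-a-fragment is silently ignored.
    frag = rule.get("fragmentation_flags", [])
    if len(frag) > 1:
        findings.append("fragmentation_flags: only a single element is supported")
    if "not-a-fragment" in frag:
        findings.append("fragmentation_flags: 'not-a-fragment' has no effect in the XDP filter")

    if rule.get("action_type") not in ALLOWED_ACTIONS:
        findings.append(f"action_type: only 'discard' is supported, got {rule.get('action_type')!r}")

    return findings


def fcli_flowspec_command(rule: dict) -> str:
    """Build the fcli command for a rule, shell-quoted so the JSON survives the shell."""
    return "sudo fcli set flowspec " + shlex.quote(json.dumps(rule))


# The rule from the documentation above.
PAGE_RULE = {
    "source_prefix": "4.0.0.0/32",
    "destination_prefix": "127.0.0.0/32",
    "destination_ports": [80],
    "source_ports": [53, 5353],
    "packet_lengths": [777, 1122],
    "protocols": ["udp"],
    "fragmentation_flags": ["dont-fragment"],
    "action_type": "discard",
}

# Constructed rule that violates every documented limitation at once.
BAD_RULE = {
    "source_prefix": "10.0.0.0/24",
    "destination_prefix": "2001:db8::1/128",
    "destination_ports": [80],
    "protocols": ["tcp", "udp"],
    "tcp_flags": ["syn", "ack"],
    "fragmentation_flags": ["is-fragment", "not-a-fragment"],
    "action_type": "rate-limit",
}

if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("bad rule", BAD_RULE)):
        problems = check_xdp_rule(rule)
        print(f"{name}: {'OK' if not problems else 'REJECTED'}")
        for p in problems:
            print("  -", p)
        if not problems:
            print("  ", fcli_flowspec_command(rule))
```

The command builder uses shlex.quote so a rule containing quotes or spaces still reaches fcli as one argument; run the check first and only emit the command for rules that produce no findings.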
XDP can work in three possible modes:
- skb – generic (SKB) mode, enabled by default; it works with any network driver because the packet has already been copied into an SKB before XDP sees it, which makes it the slowest of the three
- driver – native mode, where the filter runs inside the NIC driver before SKB allocation; much faster than skb, but requires a driver with XDP support
- hardware – offload mode, where the filter runs on the network card itself; fastest, but rarely supported
You can configure them in the following way:
sudo fcli set main filter_xdp_mode skb
sudo fcli commit
If the configured mode is not supported by your network card, FastNetMon will report an error when it tries to load the filter.
FastNetMon additionally validates that the source and destination prefixes of a rule belong to the networks you have configured. Keep this enabled unless you have a specific need, as it prevents a rule from discarding traffic for prefixes outside your network. To disable this validation, use the following commands:
sudo fcli set main flow_spec_execute_validation disable
sudo fcli commit

