Starting from the 2.0.357 release we offer an experimental capability which allows you to filter traffic inline using FastNetMon. We leverage the XDP capability of the Linux kernel for lightning-fast traffic filtering.
You can use this capability to defend a Linux server from attacks from the outside.
To enable the logic which automatically creates filtering rules for malicious traffic, please follow this guide. You will need to skip the section about BGP configuration as it is not needed here, but you may prefer to keep BGP Flow Spec and the XDP filter enabled at the same time for the most efficient filtering.
Please note that the licensing scheme for the filter capability may change in the future. Existing deployments will not be affected.
Transparent bridge / filter mode, where the machine with the filter acts as an inline filter and processes all traffic towards your network, is not supported yet but will be added in future releases.
We support only Ubuntu 22.04 LTS as the platform for the filter.
To use this capability you need to install clang 17 this way:
wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
echo -e "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-17 main\n" | sudo tee -a /etc/apt/sources.list.d/clang.list
sudo apt-get update
sudo apt-get install -y clang-17 libbpf-dev
To enable this capability you need to set this flag:
sudo fcli set main filter_xdp true
After that you need to specify the list of network interfaces where FastNetMon will install XDP filtering rules:
sudo fcli set main interfaces_filter_xdp wlp82s0
In the current version of FastNetMon you can add filtering rules manually using the standard BGP Flow Spec format:
sudo fcli set flowspec '{ "source_prefix": "4.0.0.0/32", "destination_prefix": "127.0.0.0/32", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "udp" ], "fragmentation_flags": [ "dont-fragment" ], "action_type": "discard" }'
We have the following limitations when you use BGP Flow Spec rules for attack filtering:
- Only a single element is supported for the field fragmentation_flags
- Only a single element is supported for the field tcp_flags, and the protocol must be set to TCP
- The element not-a-fragment has no effect as it is not supported by the RFC
- Only the IPv4 protocol is supported
- Only /32 prefixes are supported for source_prefix and destination_prefix
- If you specify a source or destination port in a rule then you need to keep exactly one protocol in the list, and this protocol must be UDP or TCP
- The only supported action is “discard”
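The limitations above are easy to trip over when rules are generated by scripts rather than typed by hand. The following is an added example, not part of the FastNetMon documentation or the fcli tool, which checks a rule in the JSON format accepted by `fcli set flowspec` against every limitation listed above before it is committed. The function `validate_flowspec_rule` and the constant `EXAMPLE_RULE` are names chosen here; the sample rule is the one shown on this page.

```python
import ipaddress
import json

# Protocols that may accompany source_ports / destination_ports.
PORT_PROTOCOLS = {"tcp", "udp"}

# The rule shown on this page, reused here as sample input.
EXAMPLE_RULE = ('{ "source_prefix": "4.0.0.0/32", "destination_prefix": "127.0.0.0/32", '
                '"destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], '
                '"packet_lengths": [ 777, 1122 ], "protocols": [ "udp" ], '
                '"fragmentation_flags": [ "dont-fragment" ], "action_type": "discard" }')


def _check_prefix(field, value, problems):
    """Only IPv4 /32 host prefixes are accepted for source and destination."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        problems.append(f"{field}: '{value}' is not a valid prefix")
        return
    if net.version != 4:
        problems.append(f"{field}: only IPv4 is supported")
    elif net.prefixlen != 32:
        problems.append(f"{field}: only /32 prefixes are supported")


def validate_flowspec_rule(rule):
    """Return a list of problems; an empty list means the rule fits the documented limits.

    `rule` is either the JSON string passed to `fcli set flowspec` or an
    already decoded dict (hypothetical helper, not part of fcli).
    """
    if isinstance(rule, str):
        rule = json.loads(rule)
    problems = []
    protocols = rule.get("protocols", [])

    for field in ("source_prefix", "destination_prefix"):
        if field in rule:
            _check_prefix(field, rule[field], problems)

    # fragmentation_flags: single element only; not-a-fragment has no effect.
    frag = rule.get("fragmentation_flags", [])
    if len(frag) > 1:
        problems.append("fragmentation_flags: only a single element is supported")
    if "not-a-fragment" in frag:
        problems.append("fragmentation_flags: 'not-a-fragment' has no effect")

    # tcp_flags: single element, and the protocol list must be exactly TCP.
    tcp_flags = rule.get("tcp_flags", [])
    if tcp_flags:
        if len(tcp_flags) > 1:
            problems.append("tcp_flags: only a single element is supported")
        if protocols != ["tcp"]:
            problems.append('tcp_flags: protocols must be exactly ["tcp"]')

    # Ports: exactly one protocol, and it must be TCP or UDP.
    if rule.get("source_ports") or rule.get("destination_ports"):
        if len(protocols) != 1 or protocols[0] not in PORT_PROTOCOLS:
            problems.append("ports require exactly one protocol, tcp or udp")

    if rule.get("action_type") != "discard":
        problems.append("action_type: only 'discard' is supported")

    return problems


if __name__ == "__main__":
    issues = validate_flowspec_rule(EXAMPLE_RULE)
    print("rule OK" if not issues else "\n".join(issues))
```

Run the check on each generated rule and only pass rules with an empty problem list to `fcli set flowspec`; anything the filter would reject is then caught before the commit rather than at load time.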
XDP can work in three possible modes:
- skb – enabled by default; copy mode for network cards without official XDP support, the slowest of all modes
- driver – filtering at the driver level, much faster than skb
- hardware – filtering offloaded to the network card hardware, the fastest, rarely supported
You can configure them this way:
sudo fcli set main filter_xdp_mode skb
sudo fcli commit
If the configured mode is not supported by your network cards, an error will be returned when FastNetMon attempts to load the filters.
FastNetMon implements additional validation that the source and destination prefixes belong to networks you own. To disable this logic you can use the following command:
sudo fcli set main flow_spec_execute_validation disable
sudo fcli commit