Mignis

Mignis is a tool developed by our security group that simplifies firewall specification and makes it easy maintaining configurations. There are only four possible rules in Mignis:

  • n1 / n2 | φ
    forbids packets that satisfy φ to flow from n1 to n2, even through NATs, and has priority over any other rule

  • n1 > n2 | φ
    enables new connections from n1 to n2, as long as φ holds

  • n1 > [nt] n2 | φ
    n2 is behind a DNAT and n1 may start new connections with it by sending a packet satisfying φ to addresses in nt

  • n1 [nt] > n2 | φ
    n1 may start new SNAT connections with n2 sending packets satisfying φ and with source address nt

  • Packets on established connections that are not forbidden (first rule) always go through

Formula φ stands for any constraint expressible in iptable syntax that does not conflict with the rule specification (for example φ cannot specify a destination IP as this is also given in n2)

This is the configuration file for the example we have seen with iptables, where we only admit ssh incoming connections with no restriction on outgoing connections:

There are various sections in Mignis configuration. Here we only specify the INTERFACES (lan eth0 with mask 16) and two FIREWALL rules. The first permits connections from the lan to the local host (local is a special keyword) on port 22 protocol tcp and the second permits any outgoing connection from local to lan.
Notice that in Mignis ESTABLISHED packets always go through. Any other packet is dropped.

Exercise 1 in iptables can be done by simply adding a DNAT-SNAT rule:

that translates destination into dest and source into firewall.

Mignis is available here. To run it you need to download the program sources. NOTE: You will need ipaddr installed. Depending on the Linux distribution this can be achieved with emerge ipaddr or apt install python-ipaddr.

NOTE: before you execute rules generated by Mignis it is a good idea to test that you are not cutting off your connection. Do the following.

Test that your configuration compiles well. The -n option performs a dry-run so no rule will be executed

If you don’t get errors you can test your firewall as follows:

The above command will execute your configuration for 10 seconds and will automatically reset the firewall so that you can regain access to the host in case you got cut off from your firewall.

If in these ten seconds everything goes well you can make the firewall permanent with: