Mignis

Mignis is a tool developed by our security group that simplifies firewall specification and makes configurations easy to maintain. There are only four forms of rule in Mignis, plus one fixed property of established connections:

  • n1 / n2 | φ
    forbids packets satisfying φ from flowing from n1 to n2, even through NATs; this rule has priority over every other rule

  • n1 > n2 | φ
    allows new connections from n1 to n2, as long as φ holds

  • n1 > [nt] n2 | φ
    n2 is behind a DNAT: n1 may start new connections to it by sending a packet satisfying φ to an address in nt, which is translated to n2

  • n1 [nt] > n2 | φ
    n1 may start new connections to n2 through an SNAT: packets satisfying φ leave with source address nt

  • Packets belonging to established connections always go through, unless a forbid rule (the first form) matches them

The formula φ stands for any constraint expressible in iptables syntax that does not conflict with the rule itself: for example, φ cannot specify a destination IP, because the destination is already given by n2.

This is the configuration file for the example we saw with iptables, where we only admit incoming ssh connections and put no restriction on outgoing connections:

A Mignis configuration has various sections. Here we only specify the INTERFACES (lan on eth0, with a /16 mask) and two FIREWALL rules. The first permits connections from the lan to the local host (local is a special keyword) on port 22, protocol tcp; the second permits any outgoing connection from local to the lan.
Notice that in Mignis ESTABLISHED packets always go through. Any other packet is dropped: the default policy is drop, so whatever you do not allow explicitly (for instance traffic from local to hosts outside the lan, in this example) will not pass, and a missing rule for your own SSH session locks you out of the host.
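To see how the four rule forms combine, here is a small evaluator, written in Python for this page and not part of Mignis itself, that applies the semantics stated above (forbid wins, established traffic passes, the NAT forms rewrite one address and the forbid rule is re-checked on the rewritten packet, everything else is dropped) to constructed packets. The rule text uses the page's notation; the two rules of the example are included, and the DNAT, SNAT and forbid rules, the name table (the 10.0.0.0/16 lan, the host addresses, the "web", "pub" and "ext" names) and the tiny subset of iptables matches accepted in φ are all assumptions made for the example. Real Mignis matches on interfaces and compiles to iptables rather than evaluating packets itself.

```python
# Toy evaluator for the four Mignis rule forms. Added example, not Mignis code:
# it models the semantics the page states (forbid wins, established passes, NAT
# forms rewrite one address, default drop). Real Mignis matches on interfaces
# and compiles to iptables; here names map to constructed address ranges.
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed name table (assumption): 'local' is the firewall host, 'lan' the
# /16 behind eth0 from the page; 'web', 'pub' and 'ext' are made up for NAT.
NETS = {
    "lan":   ip_network("10.0.0.0/16"),
    "local": ip_network("10.0.1.1/32"),
    "web":   ip_network("10.0.0.80/32"),     # host reachable through DNAT
    "pub":   ip_network("198.51.100.7/32"),  # public address used by both NATs
    "ext":   ip_network("203.0.113.0/24"),   # the outside (TEST-NET-3)
}

# The page's two FIREWALL rules, plus constructed DNAT, SNAT and forbid rules.
RULES = """
lan > local | tcp dport 22
local > lan
ext > [pub] web | tcp
lan [pub] > ext
ext / web | tcp dport 22
"""

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False

@dataclass(frozen=True)
class Rule:
    kind: str            # "deny", "allow", "dnat" or "snat"
    n1: str
    n2: str
    nt: Optional[str]    # address the dnat/snat rewrites to
    phi: str

RULE_RE = re.compile(r"^(?P<n1>\w+)\s*(?:\[(?P<snat>\w+)\]\s*)?(?P<op>[/>])\s*"
                     r"(?:\[(?P<dnat>\w+)\]\s*)?(?P<n2>\w+)\s*(?:\|\s*(?P<phi>.*))?$")

def parse_rules(text: str) -> list:
    """Parse rules written in the page's notation (one per line, '#' comments)."""
    rules = []
    for line in filter(None, (raw.split("#")[0].strip() for raw in text.splitlines())):
        m = RULE_RE.match(line)
        if not m or (m["op"] == "/" and (m["snat"] or m["dnat"])):
            raise ValueError(f"unparsable rule: {line!r}")
        kind = ("deny" if m["op"] == "/" else "dnat" if m["dnat"]
                else "snat" if m["snat"] else "allow")
        rules.append(Rule(kind, m["n1"], m["n2"], m["dnat"] or m["snat"],
                          (m["phi"] or "").strip()))
    return rules

def phi_holds(phi: str, pkt: Packet) -> bool:
    """Toy subset of iptables matches: an optional protocol and/or 'dport N'."""
    toks = phi.split()
    for i, t in enumerate(toks):
        if t in ("tcp", "udp"):
            if pkt.proto != t:
                return False
        elif t == "dport":
            if pkt.dport != int(toks[i + 1]):
                return False
        elif not (i > 0 and toks[i - 1] == "dport"):   # anything else is unsupported
            raise ValueError(f"unsupported constraint: {t!r}")
    return True

def in_net(addr: str, name: str) -> bool:
    return ip_address(addr) in NETS[name]

def evaluate(rules: list, pkt: Packet):
    """Return (verdict, packet as it leaves the firewall, i.e. after NAT)."""
    def denied(p):
        return any(r.kind == "deny" and in_net(p.src, r.n1) and in_net(p.dst, r.n2)
                   and phi_holds(r.phi, p) for r in rules)
    if denied(pkt):        # a forbid rule has priority over everything
        return "DROP", pkt
    if pkt.established:    # established traffic goes through without a rule
        return "ACCEPT", pkt
    for r in rules:
        if r.kind == "deny" or not in_net(pkt.src, r.n1) or not phi_holds(r.phi, pkt):
            continue
        if r.kind == "allow" and in_net(pkt.dst, r.n2):
            return "ACCEPT", pkt
        if r.kind == "dnat" and in_net(pkt.dst, r.nt):
            out = replace(pkt, dst=str(NETS[r.n2].network_address))
        elif r.kind == "snat" and in_net(pkt.dst, r.n2):
            out = replace(pkt, src=str(NETS[r.nt].network_address))
        else:
            continue
        # "even through NATs": the forbid rules are re-checked on the rewritten packet
        return ("DROP" if denied(out) else "ACCEPT"), out
    return "DROP", pkt     # nothing matched: default drop
```

Calling `evaluate(parse_rules(RULES), Packet("10.0.5.5", "10.0.1.1", "tcp", 22))` gives ACCEPT, while the same packet to port 23 is dropped because no rule matches. A packet from the outside to 198.51.100.7:22 is first translated by the DNAT rule and then dropped by the forbid rule, which is the "even through NATs" clause, and an established packet from the outside to the web host on port 22 is dropped for the same reason even though established traffic otherwise needs no rule.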

Mignis is available here. To run it on your CTF hosts, download the program sources locally and move the zip file to the VMs with scp. NOTE: you will need the Python ipaddr module installed. On the team hosts you can obtain it with emerge ipaddr.

NOTE: before you execute the rules generated by Mignis, it is a good idea to check that you are not cutting off your own connection (typically the SSH session you are working from): since everything not explicitly allowed is dropped, a single missing rule locks you out of the host. Do the following.

Test that your configuration compiles correctly. The -n option performs a dry run, so no rule is executed. Note that a dry run only catches errors in the configuration; it cannot tell you whether the resulting rules will cut you off, which is what the next step is for.

If you get no errors, test your firewall as follows:

The above command executes your configuration for 10 seconds and then automatically resets the firewall, so that you regain access to the host if the new rules cut you off.

If everything still works during these ten seconds (in particular, your SSH session stays alive), you can make the firewall permanent with: