
Firewall blacklisting mechanism & testing#1312

Merged
brianmcgillion merged 1 commit into tiiuae:main from enesoztrk:feat/firewall
Aug 25, 2025

Conversation


@enesoztrk enesoztrk commented Aug 11, 2025

Description of Changes

  • SSH tarpit to slow or trap unauthorized SSH attempts
  • Packet marking and redirection for blacklisted traffic
  • Blacklist management via ipset and iptables
  • Ensures required firewall kernel modules are included for all the targets.
  • Includes tests for tarpit, marking, redirection, and blacklist enforcement

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Network-related services should work
  2. Launch an attack using the command hping3 -S -p 22 -i u10000 -c 20 ${netVmIp}
  3. Check the blacklist on net-vm with ipset list BLACKLIST. You should see attacker's IP in the members section.
  4. Attempt to connect from the attacker's device to the Ghaf laptop via SSH. The connection should hang.

@enesoztrk enesoztrk marked this pull request as ready for review August 18, 2025 06:43
@enesoztrk enesoztrk changed the title from "Ban firewall rules & testing" to "Firewall blacklisting mechanism & testing" on Aug 18, 2025
@milva-unikie

ghaf-pre-merge-pipeline failure can be ignored, jenkins-pre-merge is the correct pre-merge pipeline. It passed with no issues.

@enesoztrk enesoztrk requested a review from vunnyso August 18, 2025 13:37

vunnyso commented Aug 21, 2025

Overall, it looks good. Although I'm not a networking expert, I think we can do one round of testing.

@milva-unikie

Issues

  • Automated Orin tests are failing. They try to make too many SSH connections in a minute. The pre-merge tests were fine since those only include some of the cases. When running the whole BAT suite we reach the limit of 10 connections/minute.
  • There are two options:
    • [Might take a while] Wait while we look into the Orin tests and try to reduce the number of required connections. Currently the connection is often closed and reopened between cases.
    • [Faster solution] Increase the limit to 20 connections/minute, at least temporarily. With the limit set to 20 all Orin tests passed (15 was not enough).

Tested on Lenovo-X1 and Orin-NX

  • Networking seems to work fine
  • Attacker gets blacklisted for one hour, after that connecting works again
  • Connections from other IP addresses work while one IP address is blacklisted
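The mechanism the PR description lists (ipset-backed blacklist, packet marking, redirection to an SSH tarpit) and the connections-per-minute threshold discussed in the test report above, written out as an added example. This is not code from the Ghaf repository or from this PR. Values taken from the thread: the set name BLACKLIST, the one-hour ban, and the 10 (later 20) new SSH connections per minute limit. Everything else is an assumption: the tarpit port (2222), the fwmark (0x1), the hashlimit bucket name (ssh_rate), the hash:ip set type and the exact rule layout. The script prints the commands by default and only applies them when APPLY=1 is set; the second helper checks test step 3 by parsing `ipset list BLACKLIST` output.

```shell
#!/bin/sh
# Added example, not code from the Ghaf repository or from this PR.
# Builds an ipset/iptables blacklist of the kind the PR describes: a source
# opening new SSH connections above a per-minute rate is added to the
# BLACKLIST set for one hour; packets from listed sources are marked and
# their SSH traffic is redirected to a tarpit instead of sshd.
# From the PR thread: set name BLACKLIST, 1-hour ban, 10 (later 20) conn/min.
# Assumptions (not in the PR): tarpit on TCP 2222, fwmark 0x1, hashlimit
# bucket name ssh_rate, hash:ip set type.

SET_NAME="${SET_NAME:-BLACKLIST}"
BAN_SECONDS="${BAN_SECONDS:-3600}"
TARPIT_PORT="${TARPIT_PORT:-2222}"
BLACKLIST_MARK="${BLACKLIST_MARK:-0x1}"

# Dry-run by default: print each command. APPLY=1 executes it (needs root).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit the firewall commands for a given limit of new SSH connections/minute.
blacklist_rules() {
  limit="$1"
  # Entries carry a timeout, so a ban expires on its own after BAN_SECONDS.
  run ipset -exist create "$SET_NAME" hash:ip timeout "$BAN_SECONDS"
  # Mark every packet whose source address is already in the set.
  run iptables -t mangle -A PREROUTING -m set --match-set "$SET_NAME" src \
      -j MARK --set-mark "$BLACKLIST_MARK"
  # Marked SSH traffic is redirected to the tarpit port instead of sshd.
  run iptables -t nat -A PREROUTING -p tcp --dport 22 -m mark --mark "$BLACKLIST_MARK" \
      -j REDIRECT --to-ports "$TARPIT_PORT"
  # Let the redirected (marked) packets reach the tarpit listener.
  run iptables -A INPUT -p tcp --dport "$TARPIT_PORT" -m mark --mark "$BLACKLIST_MARK" -j ACCEPT
  # A source exceeding $limit new SSH connections per minute is added to the set.
  run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m hashlimit --hashlimit-mode srcip --hashlimit-above "${limit}/minute" \
      --hashlimit-name ssh_rate -j SET --add-set "$SET_NAME" src
  # Sources below the limit still reach sshd.
  run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Verification helper for test step 3: reads `ipset list BLACKLIST` output on
# stdin and succeeds only if the address in $1 appears in the Members section.
is_blacklisted() {
  awk -v ip="$1" '
    in_members && $1 == ip { found = 1 }
    /^Members:/            { in_members = 1 }
    END                    { exit !found }'
}

# Dry-run: print the rule set for the limit settled on in review (20/minute).
blacklist_rules "${SSH_LIMIT_PER_MIN:-20}"
```

The threshold is the only thing that changes between the 10/minute and 20/minute variants, so the same function produces both. The ban itself lives entirely in the ipset entry timeout, which is why connecting from the blacklisted address works again after one hour, and the "connection hangs" outcome of test step 4 is the tarpit, not a drop, since marked SSH packets are redirected rather than rejected.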

@milva-unikie milva-unikie added the labels "bug" (Something isn't working) and "Tested on Lenovo X1 Carbon" (This PR has been tested on Lenovo X1 Carbon) and removed the label "Needs Testing" (CI Team to pre-verify) on Aug 25, 2025

* SSH tarpit to slow or trap unauthorized SSH attempts
* Packet marking and redirection for blacklisted traffic
* Blacklist management via ipset and iptables
* Ensures required firewall kernel modules are included for all the targets.
* Includes tests for tarpit, marking, redirection, and blacklist enforcement

Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
@milva-unikie

Should be good now!

@milva-unikie milva-unikie added the label "Tested on Orin NX" (This PR has been tested on NVIDIA Jetson NX Orin) and removed the label "bug" (Something isn't working) on Aug 25, 2025
@brianmcgillion brianmcgillion merged commit 3d197f9 into tiiuae:main Aug 25, 2025
28 checks passed