
Custom firewall integration

I'm using a custom firewall solution, which uses a network-manager dispatcher script. It is based on ferm and gets executed after a network connection is established.

When I start bitmask, it will successfully add its iptables rules on top of those managed by ferm. But when I re-connect to a network or connect to another one (or even suspend/resume, see #9262 (closed)), the VPN will continue to work but the firewall status is "off" because bitmask's iptables rules got overridden:

⏻  ~  » bitmaskctl vpn status
status      off
firewall    off
vpn         on
domain      demo.bitmask.net
remote      46.165.242.169:443
↑↑↑         51.0 B
↓↓↓         112.0 B

⏻  ~  » sudo iptables -nL
[sudo] password for varac: 
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  10.1.1.0/24          0.0.0.0/0            udp dpt:5353

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0       

This leads to inconsistent behaviour where bitmaskctl detects successfully that the VPN is running, but the firewall rules are gone, resulting in the UI/trayicon showing that the VPN is off (see also #9262 (closed)).

How can custom firewall solutions integrate with bitmask?
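An added check, not part of this report or of bitmask itself, that parses the two outputs quoted above and flags the inconsistent state (VPN up, firewall gone, OUTPUT chain wide open). The samples are constructed, abridged copies of the report's output; the chain and rule parsing assumes the standard `iptables -nL` layout.

```python
"""Detect 'VPN on but firewall off' after a dispatcher script re-applied ferm."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `bitmaskctl vpn status` output, as in the report.
STATUS_SAMPLE = """status      off
firewall    off
vpn         on
domain      demo.bitmask.net
remote      46.165.242.169:443
"""

# Constructed, abridged sample of `iptables -nL` output, as in the report.
IPTABLES_SAMPLE = """Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn the two-column `bitmaskctl vpn status` output into a dict."""
    pairs = (line.split(None, 1) for line in text.splitlines())
    return {k: v.strip() for k, v in (p for p in pairs if len(p) == 2)}


def parse_iptables(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map built-in chain name -> (policy, list of rule targets in order)."""
    chains: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.startswith("Chain "):   # user-defined chain: no policy
            current = None
        elif current and line and not line.startswith("target"):
            chains[current][1].append(line.split()[0])
    return chains


def find_problems(status: Dict[str, str], chains: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """States in which traffic is no longer forced through the tunnel."""
    problems = []
    if status.get("vpn") == "on" and status.get("firewall") != "on":
        problems.append("vpn up but bitmask firewall reported off")
    if chains.get("OUTPUT", ("ACCEPT", []))[0] == "ACCEPT":
        problems.append("OUTPUT policy ACCEPT: nothing blocks traffic if the tunnel drops")
    return problems
```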