Differences between revisions 11 and 12
Revision 11 as of 2007-03-25 12:51:42
Size: 6849
Editor: ?MarnieForcum
Comment:
Revision 12 as of 2007-03-26 05:42:12
Size: 4114
Editor: GuillemJover
Comment: Remove spam

Problem description

Debian includes many packages that provide firewalling tools, so many that a novice user finds it difficult to choose between them and often ends up choosing none at all. And even though iptables is installed as part of the base system, that package ships no firewall rules (i.e., the default policy is to permit everything) and no startup scripts to manage a firewall.

Moreover, even though the various firewall packages all hook into iptables, there is little or no support for sharing configurations between the tools or for migrating from one to another, because they lack any common configuration format (many of them treat the actual iptables rules as an exported view only).

As a further consequence, support for package-specific firewall rules is lacking. With the exception of particular common services, users are left on their own to peruse HOWTOs to figure out how to let package-specific traffic through their firewall.

Proposed solution

So obviously, the right way to fix this is to introduce a completely new system.

Features

  • Top-level chains that will not be touched by individual packages, which provide hooks for distinguishing between trusted and untrusted interfaces/IPs
  • One or more managed "application" chains which incorporate per-package rules governing access from untrusted hosts
  • Per-package conffiles which specify the necessary iptables rules for a package's services
  • Tools similar to a2enmod/a2dismod which can be used to allow/disallow access to a specified service
  • Packages which provide services have rules that are disabled by default
  • Packages which act as clients and require additional firewall configuration *may* have rules that are enabled by default
  • Pretty front-end (debconf?) for enabling and disabling services
  • Ability to administer rules for a remote device
    • rationale: I'm aware of at least one DSL modem/router powered by linux-mips using an iptables firewall


Possible starting point

This is the output of iptables-save:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:debian_input_root - [0:0]
:debian_logging - [0:0]
:debian_services_input - [0:0]
:debian_trusted_hosts_input - [0:0]
:debian_untrusted_hosts_input - [0:0]

# Accept Loopback and then jump to the debian managed chain
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root

# This is pretty much just an accept all, but it does a little sanity checking
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j debian_logging

# The main Debian chain.
-A debian_input_root -m conntrack --ctstate INVALID -j debian_logging
-A debian_input_root -j debian_trusted_hosts_input
-A debian_input_root -j debian_untrusted_hosts_input
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j debian_logging
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j debian_logging

#Log 5 packets per minute.  Reject with icmp-port-unreachable.
-A debian_logging -m limit --limit 5/min -j LOG --log-prefix "debian-ruleset"
-A debian_logging -j REJECT --reject-with icmp-port-unreachable

#Managed chain for services.  Automatically allows pings at a rate of 5/sec.
#The Example also allows ssh connections.
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A debian_services_input -p tcp -m tcp --dport 22 -j ACCEPT

-A debian_trusted_hosts_input -s always.trusted.net.block/255.255.255.0 -j ACCEPT
-A debian_untrusted_hosts_input -s evil.bad.guy.net/255.255.255.0 -j DROP
COMMIT
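The features list above asks for per-package conffiles, an a2enmod-style enable/disable tool and a managed chain that packages append to without touching the top-level chains. The following sketch, written for this page and not part of the original proposal, shows one way those pieces fit together: each service ships a fragment file of iptables rule arguments, enabling it is a symlink, and the tool renders an iptables-restore stream consisting of an abridged version of the skeleton above plus the enabled fragments appended to debian_services_input. The directory layout, file names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: an a2enmod-style tool for the
# proposed layout. Per-package conffiles live in
#   $FW_ROOT/services-available/<service>   (one iptables rule fragment per line)
# and a service is enabled by symlinking its file into $FW_ROOT/services-enabled/.
# Paths, file names and function names are assumptions made for this example.
set -eu
FW_ROOT="${FW_ROOT:-$(mktemp -d)}"
fw_init() {
    mkdir -p "$FW_ROOT/services-available" "$FW_ROOT/services-enabled"
    # Constructed sample conffiles, as an ssh or web server package might ship them.
    printf '%s\n' '-p tcp -m tcp --dport 22 -j ACCEPT' \
        > "$FW_ROOT/services-available/ssh"
    printf '%s\n' '-p tcp -m tcp --dport 80 -j ACCEPT' \
        '-p tcp -m tcp --dport 443 -j ACCEPT' > "$FW_ROOT/services-available/www"
}
# Services ship disabled; fw_enable is the a2enmod step, fw_disable the a2dismod step.
fw_enable() {
    [ -f "$FW_ROOT/services-available/$1" ] || { echo "no such service: $1" >&2; return 1; }
    ln -sf "$FW_ROOT/services-available/$1" "$FW_ROOT/services-enabled/$1"
}
fw_disable() { rm -f "$FW_ROOT/services-enabled/$1"; }
# Print an iptables-restore stream: fixed top-level chains, then the managed chain.
render_ruleset() {
    # Top-level chains (abridged from the page's skeleton): packages never touch these.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:debian_input_root - [0:0]
:debian_services_input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root
-A debian_input_root -m conntrack --ctstate INVALID -j DROP
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j DROP
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
EOF
    # Managed chain: only the enabled per-package fragments land here.
    for f in "$FW_ROOT"/services-enabled/*; do
        [ -e "$f" ] || continue
        grep -v -e '^#' -e '^[[:space:]]*$' "$f" | sed 's/^/-A debian_services_input /'
    done
    echo COMMIT
}
if [ "${1:-}" = demo ]; then fw_init; fw_enable ssh; render_ruleset; fi
```

Running the script with the argument `demo` creates the sample conffiles in a temporary directory, enables ssh and prints the resulting ruleset; in practice the output would be piped into iptables-restore.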

Major issues:

  • RPC may become a problem
  • Need more ICMP handling
  • Logging would be better with dstlimit (srcip-dstip)
  • Need to zone out common logging clutter: port 445 and broadcast traffic.
  • We should set a standard for sysctl flags.
  • We should verify that packets have a destination of the local IP address.