Revision 12 as of 2007-03-26 05:42:12
Size: 4114
Editor: GuillemJover
Comment: Remove spam
Revision 13 as of 2009-03-16 03:30:36
Size: 4114
Editor: anonymous
Comment: converted to 1.6 markup

Problem description

Debian includes many, many packages that provide firewalling tools for users; enough of them that it is difficult for a novice user to choose between them, which often means choosing none at all. And even though iptables is installed as part of the base system, that package ships no firewall rules (i.e., a default policy of "permit") and no startup scripts to manage a firewall.

Moreover, even though the various firewall packages all hook into iptables, there is little or no support for sharing configurations between the tools or for migrating from one to another, because they lack any common configuration format (many of them treat the actual iptables rules as an exported view only).

As a further consequence, support for package-specific firewall rules is lacking. With the exception of particular common services, users are left on their own to peruse HOWTOs to figure out how to let package-specific traffic through their firewall.

Proposed solution

So obviously, the right way to fix this is to introduce a completely new system.

Features

  • Top-level chains that will not be touched by individual packages, which provide hooks for distinguishing between trusted and untrusted interfaces/IPs
  • One or more managed "application" chains which incorporate per-package rules governing access from untrusted hosts
  • Per-package conffiles which specify the necessary iptables rules for a package's services
  • Tools similar to a2enmod/a2dismod which can be used to allow/disallow access to a specified service
  • Packages which provide services have rules that are disabled by default
  • Packages which act as clients and require additional firewall configuration *may* have rules that are enabled by default
  • Pretty front-end (debconf?) for enabling and disabling services
  • Ability to administer rules for a remote device
    • rationale: I'm aware of at least one DSL modem/router powered by linux-mips using an iptables firewall


Possible starting point

This is the output of iptables-save:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:debian_input_root - [0:0]
:debian_logging - [0:0]
:debian_services_input - [0:0]
:debian_trusted_hosts_input - [0:0]
:debian_untrusted_hosts_input - [0:0]

# Accept Loopback and then jump to the debian managed chain
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root

# This is pretty much just an accept all, but it does a little sanity checking
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j debian_logging

# The main Debian chain.
-A debian_input_root -m conntrack --ctstate INVALID -j debian_logging
-A debian_input_root -j debian_trusted_hosts_input
-A debian_input_root -j debian_untrusted_hosts_input
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j debian_logging
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j debian_logging

# Log 5 packets per minute.  Reject with icmp-port-unreachable.
-A debian_logging -m limit --limit 5/min -j LOG --log-prefix "debian-ruleset"
-A debian_logging -j REJECT --reject-with icmp-port-unreachable

# Managed chain for services.  Automatically allows pings at a rate of 5/sec.
# The example also allows ssh connections.
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A debian_services_input -p tcp -m tcp --dport 22 -j ACCEPT

-A debian_trusted_hosts_input -s always.trusted.net.block/255.255.255.0 -j ACCEPT
-A debian_untrusted_hosts_input -s evil.bad.guy.net/255.255.255.0 -j DROP
COMMIT
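The a2enmod-style tooling from the feature list, combined with the ruleset above, as an added sketch (not code from the proposal or from any Debian package). It assumes a hypothetical layout: one rule fragment per package under services-available/, enabled by a symlink in services-enabled/, each fragment line being the argument list of one rule appended to the managed chain debian_services_input.

```shell
#!/bin/sh
# Assumed layout (not from the proposal): per-package fragments live in
# $RULES_DIR/services-available/<pkg>; a service is enabled by symlinking it
# into services-enabled/, as a2enmod/a2dismod do for Apache modules. Each
# fragment line is the argument list of one debian_services_input rule.
RULES_DIR="${RULES_DIR:-/etc/debian-firewall}"
fw_enable() {
    [ -f "$RULES_DIR/services-available/$1" ] ||
        { echo "fw_enable: no rule fragment for '$1'" >&2; return 1; }
    ln -sf "../services-available/$1" "$RULES_DIR/services-enabled/$1"
}
fw_disable() { rm -f "$RULES_DIR/services-enabled/$1"; }
# Emit a complete iptables-restore ruleset: the fixed top-level chains from the
# proposal (which no package may touch), then each enabled fragment appended to
# the managed chain only. Check with "iptables-restore --test" before loading.
fw_build() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:debian_input_root - [0:0]
:debian_logging - [0:0]
:debian_services_input - [0:0]
:debian_trusted_hosts_input - [0:0]
:debian_untrusted_hosts_input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j debian_input_root
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j debian_logging
-A debian_input_root -m conntrack --ctstate INVALID -j debian_logging
-A debian_input_root -j debian_trusted_hosts_input
-A debian_input_root -j debian_untrusted_hosts_input
-A debian_input_root -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A debian_input_root -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j debian_logging
-A debian_input_root -m conntrack --ctstate NEW -j debian_services_input
-A debian_input_root -j debian_logging
-A debian_logging -m limit --limit 5/min -j LOG --log-prefix "debian-ruleset"
-A debian_logging -j REJECT --reject-with icmp-port-unreachable
-A debian_services_input -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
EOF
    for f in "$RULES_DIR"/services-enabled/*; do
        [ -e "$f" ] || continue   # glob left unexpanded: nothing enabled
        while read -r rule; do
            case "$rule" in ''|'#'*) continue ;; esac
            printf -- '-A debian_services_input %s\n' "$rule"
        done < "$f"
    done
    echo COMMIT
}
```

Because services are off until enabled, a freshly installed server package stays unreachable from untrusted hosts until the administrator runs fw_enable for it, which is the "disabled by default" behaviour the feature list asks for.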

Major issues:

  • RPC may become a problem
  • Need more ICMP handling
  • Logging would be better with dstlimit (srcip-dstip)
  • Need to filter out common logging clutter, such as port 445 and broadcast traffic.
  • We should set a standard for sysctl flags.
  • We should verify that packets have a destination of the local IP address.