
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



Hi Michael and Gerald

Well, first of all, I have tried the rules from Michael, but including the
lines from Gerald:

# disable after $TTF seconds.
TTF=60
if test $TTF -gt 0
then
   echo "Firewall rules running for $TTF seconds"
   # stop the firewall in the background once the timer expires
   (sleep $TTF; /etc/rc.d/init.d/pmfirewall stop) &
else
   echo "Firewall rules running for ever"
fi
echo "             Done!"
echo ""
echo ""

This is a good thing since you can test whatever rules you wish, making sure
that they will be erased in 60 seconds (or whatever time you prefer), in case
you are locked out of your server.

However, in my case I have done something fatal.  I have set the following
rules:

# General policies
$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward DENY

# Allow locally originated connections to go to the outside world
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

# Allow some ICMP traffic
$IPCHAINS -A input -p icmp -s $REMOTENET destination-unreachable -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET time-exceeded -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET echo-reply -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -l -j DENY
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT

# Allow ident
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT

# Allow ssh connections
$IPCHAINS -A input -i $LOCALIF -p tcp -s 217.216.8.58/255.255.248.0 22 -d $LOCALNET 513:1022 '!' --syn -j ACCEPT

# Allow http, https, Cobalt admin interface and Webmin
$IPCHAINS -A input -p tcp -s $REMOTENET 1023: -d $LOCALNET 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET 1023: -d $LOCALNET 443 -j ACCEPT
$IPCHAINS -A input -p tcp -s 217.216.8.58/255.255.248.0 1023: -d $LOCALNET 81 -j ACCEPT
$IPCHAINS -A input -p tcp -s 217.216.8.58/255.255.248.0 1023: -d $LOCALNET 443 -j ACCEPT
$IPCHAINS -A input -p tcp -s 217.216.8.58/255.255.248.0 1023: -d $LOCALNET 10000 -j ACCEPT

# Allow smtp
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 25 -j ACCEPT

# Allow pop3
$IPCHAINS -A input -p tcp -s 217.216.8.58/255.255.248.0 -d $OUTERNET 110 -j ACCEPT

# Allow DNS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT

Some additional rules, like the ones allowing connections to or from the
loopback device are already included in the pmfirewall config scripts, so I
only put here those I have added.  Also note that for some services like
Cobalt admin, webmin and ssh, I have restricted access to a certain IP.

So, these seemed to work, to my joy.  However, and this is the point I
didn't realise, although it was there in Michael's post, general policies are
not erased when stopping the firewall.  Thus, 60 seconds after the firewall
was started, it shut down and erased all rules except:

$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward DENY

The result, obviously, a locked server.

This has been my first firewall lesson :-(

And this makes me believe that, for remote servers, perhaps it would be
better to implement a general DENY policy by something like:

$IPCHAINS -A input -j DENY -s $REMOTENET -d $LOCALNET

This rule should be deleted when shutting down the firewall, while
$IPCHAINS -P input DENY seems not to behave that way.  It appears that the
result would be the same... right?

The problem I see (and fear) with $IPCHAINS -P input DENY would be that the
server would be locked in case of a failure in the firewall, while with
$IPCHAINS -A input -j DENY -s $REMOTENET -d $LOCALNET and the same firewall
failure it would be accessible.  Am I wrong with this?

Anyway I am willing to apply the above rules plus some other that come with
pmfirewall, as:

# Allow loopback interface
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

# Allow packets with ack bit set, they are from an established connection.
$IPCHAINS -A input ! -y -p tcp -s $REMOTENET -d $OUTERNET -j ACCEPT

# Block Nonroutable IP's from entering on the External Interface
$IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF

# Back Orifice (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l

# NetBus (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l

# Trin00 (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l

# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
$IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY

Finally, is the ident service tcp, udp or both?  While in the rule set by
Michael it should be tcp only, pmfirewall includes a similar rule but for
tcp and udp?

Thanks very much for your valuable advice.

Francisco
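Editor's added example, not part of the thread above and not pmfirewall's own code: a fail-safe way to load a candidate ipchains rule set on a remote host. It keeps the timed-rollback idea from the post but closes the gap that caused the lock-out: `ipchains -F` removes rules only, the chain policies set with `-P` survive a flush, so a complete rollback has to reset all three policies to ACCEPT before flushing. It also goes one step further than the post by setting the DENY policies last, so a rule line that fails part way through leaves the host reachable. Assumptions: `IPCHAINS` can be pointed at a stand-in command for a dry run, `ADMIN_NET` is a placeholder documentation range (RFC 5737) standing in for the administrator's network, and `TTF` is the rollback delay in seconds.

```shell
#!/bin/sh
# Added example: load ipchains rules with an automatic, complete rollback.
# Not from the original thread or from pmfirewall.
# Assumptions: IPCHAINS may be a stand-in for dry runs; ADMIN_NET is a
# placeholder documentation range; TTF is the rollback delay in seconds.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
TTF="${TTF:-60}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # placeholder, not a real admin range
OUTERNET="${OUTERNET:-0/0}"
REMOTENET="${REMOTENET:-0/0}"

# Return the host to a fully open, reachable state. Both steps are needed:
# -F alone leaves "-P input DENY" in place, which is exactly the lock-out
# described in the post.
fw_open() {
    for chain in input output forward; do
        "$IPCHAINS" -P "$chain" ACCEPT || return 1
    done
    "$IPCHAINS" -F
}

# Load the candidate rules. The DENY policies are set *last*: if a rule line
# fails half way through, the host is still reachable instead of sitting
# behind a DENY policy with no ACCEPT rules.
fw_apply() {
    fw_open || return 1
    "$IPCHAINS" -A input -i lo -j ACCEPT || return 1
    # established TCP traffic (no SYN flag)
    "$IPCHAINS" -A input -p tcp ! -y -s "$REMOTENET" -d "$OUTERNET" -j ACCEPT || return 1
    # ssh only from the administrator's network
    "$IPCHAINS" -A input -p tcp -s "$ADMIN_NET" -d "$OUTERNET" 22 -j ACCEPT || return 1
    "$IPCHAINS" -A input -p tcp -s "$REMOTENET" -d "$OUTERNET" 80 -j ACCEPT || return 1
    "$IPCHAINS" -A input -p tcp -s "$REMOTENET" -d "$OUTERNET" 443 -j ACCEPT || return 1
    "$IPCHAINS" -P input DENY || return 1
    "$IPCHAINS" -P forward DENY || return 1
}

# Apply the rules and schedule a complete rollback after TTF seconds.
# Prints the PID of the rollback job; once a *new* ssh session has confirmed
# that the rules work, kill that job to keep them.
fw_apply_with_rollback() {
    if ! fw_apply; then
        echo "rule load failed, reverting now" >&2
        fw_open
        return 1
    fi
    if [ "$TTF" -gt 0 ]; then
        ( sleep "$TTF"; fw_open ) &
        echo "rollback in $TTF seconds; to keep the rules: kill $!"
    fi
}

# Count the policy resets in a dry-run transcript read from stdin; a complete
# rollback yields 3 (input, output, forward).
count_policy_resets() {
    grep -c -- '-P [a-z]* ACCEPT'
}

case "${1:-}" in
    apply) fw_apply_with_rollback ;;
    open)  fw_open ;;
    *)     : ;;   # no verb given: define the functions only
esac
```

Run it as `sh fw-test.sh apply` from an existing session, then open a second ssh session to confirm access; if the second session fails, the scheduled rollback restores ACCEPT policies and flushes the rules without any further action. A dry run with `IPCHAINS=echo sh fw-test.sh apply` prints the exact command sequence instead of loading it.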