
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



----- Original Message -----
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Sunday, 20 January, 2002 16:15
Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall


> That's right. However, this entails one capital danger: If you have a
> mistake in your ruleset which locks you out, then even rebooting the server
> will not help you to remove the problem, as the firewall will kick in
> automatically after reboot. So make sure to program in a delay like
> "sleep 5m" so that you can go in after server reboot and can kill the
> process.
>

Yes, this is a very important safety measure for a remote server.  I will
set this delay.  Thanks for the idea.

> The easiest way is to not allow by IP-address, but by netblock with
> corresponding subnet mask. That's about the only option you have with
> gShield, as it's not designed to handle multiple (own) IP addresses another
> way. While this looks like a security issue at first glimpse, on second
> glimpse - it isn't. All your closed ports are still closed and all blocked
> source addresses are still blocked. The additional target IP addresses you
> opened up ... now that's no issue at all. On those IPs your machine isn't
> listening anyway, so this does no damage at all.
>
> You can automatically fetch the important network settings from the RaQ's
> configuration files. To do so just add/replace the following in
> gShield.conf:
>
> # ------ [ Network settings ] ------ #
>
>         # Automatically fetch them from the RaQ configuration files
>         source /etc/sysconfig/network-scripts/ifcfg-eth0
>
>         LOCALIP=$IPADDR
>         LOCALMASK=$NETMASK
>         LOCALNET=$NETWORK/$NETMASK
>         REMOTENET="0/0"
>
> As you can see, I read /etc/sysconfig/network-scripts/ifcfg-eth0 (where the
> RaQ stores the network settings for eth0) and then I just pass the
> information to the proper strings in gShield. That way you can even use the
> frontpanel to reconfigure your basic network settings and the firewall will
> then use the new settings right away after the reboot which then takes
> place.
>
> Just make darn well sure that your gateway is within the same network class
> as $LOCALNET, otherwise you blow off your own boot.
>
> The only thing you still have to enter manually are the DNS servers. I use a
> three line shell script and a short PERL-script to read those settings and
> to transform them into the format that gShield expects. I leave 'em out of
> here as I already got too talkative. :o)
>

Yeah... but gave great lessons.  Here I see two different approaches.  One
with your suggested method and the same rules for all IP addresses, and
another which would be to add a user configuration for the other IP addresses
in case you want different behaviour for each one.  Also a combination of
methods would fit.  Imagine you have a DNS server with one address but not
with the others.  We could use your method and add custom rules to block tcp
and udp for port 53 on all other addresses.

Well, this is a matter of trial and error.  Once being locked out of the
server has been resolved (and the 5 minute delay in starting the firewall
should be the right answer) you can test with more peace of mind.

Thanks again for your very good advice.

Best regards,

Francisco
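The pieces discussed in this thread (sourcing the RaQ's ifcfg-eth0 into the gShield variables, checking that the gateway lies inside $LOCALNET before the ruleset goes live, reading the DNS servers out of resolv.conf, and delaying the firewall start after a reboot) put together as one stand-alone POSIX sh script. This is an added example, not code from the thread, from gShield or from the RaQ; the ifcfg-eth0, resolv.conf and firewall-script contents are constructed sample files written to temporary paths, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from gShield itself: load the network
# settings gShield expects from a RaQ-style ifcfg-eth0 file, pull the DNS
# servers out of resolv.conf, refuse to start if the gateway is outside
# LOCALNET, and apply the ruleset only after a delay. The sample files below
# are constructed so the script runs stand-alone; function names are mine.

# Constructed sample of /etc/sysconfig/network-scripts/ifcfg-eth0
SAMPLE_IFCFG=$(mktemp)
cat > "$SAMPLE_IFCFG" <<'EOF'
DEVICE=eth0
IPADDR=192.0.2.10
NETMASK=255.255.255.0
NETWORK=192.0.2.0
GATEWAY=192.0.2.1
ONBOOT=yes
EOF

# Constructed sample of /etc/resolv.conf
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
EOF

# Constructed stand-in for the real firewall script (gShield's rc file)
SAMPLE_RULES=$(mktemp)
echo 'echo "firewall ruleset loaded"' > "$SAMPLE_RULES"
trap 'rm -f "$SAMPLE_IFCFG" "$SAMPLE_RESOLV" "$SAMPLE_RULES"' EXIT

# Source the ifcfg file and map its variables onto the gShield names.
# The file is executed as shell, so it must be root-owned and not writable
# by anyone else; otherwise it becomes a way to run commands as root at boot.
load_network_settings() {
    # shellcheck disable=SC1090
    . "$1"
    LOCALIP=$IPADDR
    LOCALMASK=$NETMASK
    LOCALNET=$NETWORK/$NETMASK
    REMOTENET="0/0"
}

# Print the nameserver addresses from a resolv.conf as one space-separated
# line, the kind of transformation the poster did with a short script.
dns_servers() {
    awk '/^nameserver[[:space:]]+/ { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# Dotted quad -> 32-bit integer, POSIX sh only (no bashisms).
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_in_localnet GATEWAY NETWORK NETMASK
# Succeeds when GATEWAY and NETWORK agree on every bit the mask covers.
# This is the "gateway within the same network as $LOCALNET" check from the
# thread; a ruleset that cuts off the default route locks a remote admin out.
gateway_in_localnet() {
    mask=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Delay before applying the rules so an admin can log in after a reboot and
# kill this process if the new ruleset turns out to be wrong.
start_firewall_delayed() {
    sleep "$1"
    sh "$2"
}

# --- stand-alone run against the constructed files ---
load_network_settings "$SAMPLE_IFCFG"
echo "LOCALIP=$LOCALIP LOCALNET=$LOCALNET REMOTENET=$REMOTENET"
echo "DNS=$(dns_servers "$SAMPLE_RESOLV")"
if gateway_in_localnet "$GATEWAY" "$NETWORK" "$NETMASK"; then
    # real use would be: start_firewall_delayed 5m /path/to/gShield/rc.firewall
    start_firewall_delayed 1 "$SAMPLE_RULES"
else
    echo "gateway $GATEWAY is not inside $LOCALNET; not starting firewall" >&2
fi
```

On a real RaQ the three constructed paths would be replaced by /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/resolv.conf and the firewall's own start script, and the delay passed as "5m" as suggested in the thread. The gateway check runs before the delay so a broken configuration is reported at boot rather than discovered after the ruleset has already locked the box.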