
Wednesday, April 10, 2013

firewall-wizards Digest, Vol 64, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. [iptables] Zone based rules (Jimmy Thrasibule)
2. Re: [iptables] Zone based rules (Magosányi, Árpád)
3. IPv6 (Paul D. Robertson)
4. Re: IPv6 (Harry Hoffman)
5. Re: IPv6 (Paul Robertson)
6. Re: [iptables] Zone based rules (Jimmy Thrasibule)


----------------------------------------------------------------------

Message: 1
Date: Tue, 09 Apr 2013 17:41:39 +0200
From: Jimmy Thrasibule <thrasibule.jimmy@gmail.com>
Subject: [fw-wiz] [iptables] Zone based rules
To: "debian-firewall@lists.debian.org"
<debian-firewall@lists.debian.org>
Message-ID: <1365522099.25705.29.camel@BEWS005.euractiv.com>
Content-Type: text/plain; charset="UTF-8"

Hi,

I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network, so I thought about a zone
based firewall.

Each zone is responsible for its incoming and outgoing traffic. However,
this role is played by the same box, and if a packet is accepted by a
zone, it cannot be denied by another zone.

Let me give you an example:

 -----------
| Marketing |---------
 -----------         | eth0
                 ------------
                 | Firewall |
                 ------------
                     | eth1
 ---------           |
| Servers |-----------
 ---------

Marketing wants to reach a server. However, marketing is very open on
its outgoing traffic (allows everything); on the server side, however, we
would reject any SSH connection coming from marketing.

Here are the iptables rules I would go for:

# Zones creation.
-N ZONE_MRKT
-N MRKT_OUT

-N ZONE_SRV
-N SRV_IN

# Traffic coming from the zones.
-A FORWARD -i eth0 -j ZONE_MRKT
-A FORWARD -i eth1 -j ZONE_SRV

# Traffic to the zones.
-A FORWARD -o eth0 -j ZONE_MRKT
-A FORWARD -o eth1 -j ZONE_SRV


# Let's look at marketing.
-A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -d 0.0.0.0/0 -j MRKT_OUT
# Marketing allows any outgoing traffic.
-A MRKT_OUT -j ACCEPT

# Servers
-A ZONE_SRV -o eth1 -s 0.0.0.0/0 -d ser.ver.s.net/mask -j SRV_IN
-A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP


In this example traffic leaving a zone is checked first so any traffic
from marketing is allowed while the servers zone denies traffic from
marketing.

I can change the rule order, but this will not solve the problem.
Another solution would be to mark the packet and then check the mark at
the end to decide whether to accept or reject. But how about
performance on a large set of rules, as the firewall will have to go
through all of them before taking a decision?

How would you manage such a case?

--
Jimmy




------------------------------

Message: 2
Date: Tue, 09 Apr 2013 19:37:58 +0200
From: "Magosányi, Árpád" <m4gw4s@gmail.com>
Subject: Re: [fw-wiz] [iptables] Zone based rules
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <516451F6.5000708@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 04/09/2013 05:41 PM, Jimmy Thrasibule wrote:
> # Zones creation.
> -N ZONE_MRKT
> -N MRKT_OUT
>
> -N ZONE_SRV
> -N SRV_IN
>
> # Traffic coming from the zones.
> -A FORWARD -i eth0 -j ZONE_MRKT
> -A FORWARD -i eth1 -j ZONE_SRV
>
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT
> -A FORWARD -o eth1 -j ZONE_SRV
>
>
> # Let's look at marketing.
> -A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -d 0.0.0.0/0 -j MRKT_OUT
> # Marketing allows any outgoing traffic.
> -A MRKT_OUT -j ACCEPT
>
> # Servers
> -A ZONE_SRV -o eth1 -s 0.0.0.0/0 -d ser.ver.s.net/mask -j SRV_IN
> -A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
>
>
> In this example traffic leaving a zone is checked first so any traffic
> from marketing is allowed while the servers zone denies traffic from
> marketing.
>
> In can change the rules order but this will not solve the problem.
What about using the RETURN target instead of ACCEPT, and denying
everything in the zone-specific chain?
I believe it would solve the problem.
Having an IN and an OUT chain for each zone would mean more efficient
processing also.

KZORP ( https://github.com/balabit/kzorp ) has a notion of zone
hierarchy. You might want to take a look at it.




------------------------------

Message: 3
Date: Tue, 9 Apr 2013 16:01:21 -0400
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: [fw-wiz] IPv6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <BF729A1F-4E0F-4B4F-BC41-99B7B94C91CA@compuwar.net>
Content-Type: text/plain; charset=us-ascii

Has anyone had to deal with allowing v6 yet? Any insight into DNS issues, non-HTTP protocols, or anything else?

Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
Art: http://www.pauldrobertson.net

------------------------------

Message: 4
Date: Tue, 09 Apr 2013 16:05:23 -0400
From: Harry Hoffman <hhoffman@ip-solutions.net>
Subject: Re: [fw-wiz] IPv6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <51647483.4090904@ip-solutions.net>
Content-Type: text/plain; charset=ISO-8859-1

Yep, I haven't run into any issues yet.

What sort of DNS issues are you thinking about? Are the resolvers on a
different network?

Cheers,
Harry



On 04/09/2013 04:01 PM, Paul D. Robertson wrote:
> Has anyone had to deal with allowing v6 yet? Any insight into DNS issues, non-HTTP protocols, or anything else?
>
> Paul
> --
> President and Chairman, FluidIT Group
> Moderator, Firewall-Wizards
> Art: http://www.pauldrobertson.net


------------------------------

Message: 5
Date: Tue, 9 Apr 2013 16:22:15 -0400
From: Paul Robertson <probertson@fluiditgroup.com>
Subject: Re: [fw-wiz] IPv6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <0534C155-8A7B-432C-8929-A263F9D8481E@fluiditgroup.com>
Content-Type: text/plain; charset=us-ascii

DNS-wise, RFC 4472 concerns around misbehavior, and 4 vs 6 services are the biggest ones, like v4 resolution of v6 resolvers. I've also heard tales of woe regarding dealing with reverse delegation locally.

Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
@compuwar

On Apr 9, 2013, at 16:05, Harry Hoffman <hhoffman@ip-solutions.net> wrote:

> Yep, I haven't run into any issues yet.
>
> What sort of DNS issues are you thinking about? Are the resolvers on a
> different network?
>
> Cheers,
> Harry
>
>
>
> On 04/09/2013 04:01 PM, Paul D. Robertson wrote:
>> Has anyone had to deal with allowing v6 yet? Any insight into DNS issues, non-HTTP protocols, or anything else?
>>
>> Paul
>> --
>> President and Chairman, FluidIT Group
>> Moderator, Firewall-Wizards
>> Art: http://www.pauldrobertson.net


------------------------------

Message: 6
Date: Wed, 10 Apr 2013 00:08:25 +0200
From: Jimmy Thrasibule <thrasibule.jimmy@gmail.com>
Subject: Re: [fw-wiz] [iptables] Zone based rules
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1365545305.14410.20.camel@draco>
Content-Type: text/plain; charset="utf-8"

> > In can change the rules order but this will not solve the problem.
> What about using the RETURN target instead of ACCEPT, and denying
> everything in the zone-specific chain?
> I believe it would solve the problem.

Yes indeed, RETURN can do the trick.

> Having an IN and an OUT chain for each zone would mean more efficient
> processing also.

I'm aware of that but I wanted to have only one entry point for each
zone.

--
Jimmy

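The thread settles on the RETURN target: a zone chain should only ever DROP what it denies and RETURN what it allows, so that a packet must survive the source zone's outgoing chain and the destination zone's incoming chain before the FORWARD chain finally ACCEPTs it. The script below is an added example that puts the ruleset from the first message together with that suggestion, in iptables-restore syntax; it is not code from the thread or from any of the posters. It keeps Jimmy's single ZONE_ entry point per zone and adds the per-direction IN and OUT chains Árpád suggested. The subnets (10.1.0.0/16 for marketing, 10.2.0.0/16 for servers), the conntrack shortcut, the anti-spoofing rules and the server allow list of TCP 80 and 443 are assumptions for illustration.

```shell
#!/bin/sh
# Zone-based FORWARD policy for a two-zone Linux router, emitted in
# iptables-restore syntax. Added example, not from the original thread.
# Subnets, the allowed server ports and the conntrack/anti-spoof rules are
# assumptions.
#
# Design: a zone chain never ACCEPTs. It DROPs what the zone denies and
# RETURNs everything else, so a packet is accepted only after the source
# zone's OUT chain and the destination zone's IN chain have both let it
# through; the final "-A FORWARD -j ACCEPT" is the only accept.

MKT_IF=eth0
MKT_NET=10.1.0.0/16   # assumed marketing subnet
SRV_IF=eth1
SRV_NET=10.2.0.0/16   # assumed servers subnet

# Print the complete *filter table as iptables-restore reads it.
zone_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ZONE_MRKT - [0:0]
:MRKT_IN - [0:0]
:MRKT_OUT - [0:0]
:ZONE_SRV - [0:0]
:SRV_IN - [0:0]
:SRV_OUT - [0:0]
# Replies to flows that were already accepted skip the zone logic.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# One entry point per zone; the zone chain dispatches on direction.
-A FORWARD -i $MKT_IF -j ZONE_MRKT
-A FORWARD -i $SRV_IF -j ZONE_SRV
-A FORWARD -o $MKT_IF -j ZONE_MRKT
-A FORWARD -o $SRV_IF -j ZONE_SRV
# Only packets that RETURNed from every zone chain reach this rule.
-A FORWARD -j ACCEPT
# Marketing zone: drop spoofed sources on ingress, then dispatch.
-A ZONE_MRKT -i $MKT_IF ! -s $MKT_NET -j DROP
-A ZONE_MRKT -i $MKT_IF -j MRKT_OUT
-A ZONE_MRKT -o $MKT_IF -j MRKT_IN
# Marketing lets everything out: RETURN rather than ACCEPT, so the
# destination zone still gets its say.
-A MRKT_OUT -j RETURN
# Nothing initiates connections into marketing.
-A MRKT_IN -j DROP
# Servers zone.
-A ZONE_SRV -i $SRV_IF ! -s $SRV_NET -j DROP
-A ZONE_SRV -i $SRV_IF -j SRV_OUT
-A ZONE_SRV -o $SRV_IF -j SRV_IN
-A SRV_OUT -j RETURN
# Explicit denies first, then the allow list, then default deny.
-A SRV_IN -s $MKT_NET -p tcp --dport 22 -j DROP
-A SRV_IN -p tcp -m multiport --dports 80,443 -j RETURN
-A SRV_IN -j DROP
COMMIT
EOF
}

# Sanity check for the design invariant: count ACCEPT rules inside zone
# chains. It must be 0, otherwise one zone can override another.
zone_chain_accepts() {
    zone_ruleset | grep -E -- '^-A (ZONE_|MRKT_|SRV_)[A-Z]* .*-j ACCEPT$' | wc -l | tr -d ' '
}

if [ "${1:-}" = "--print" ]; then
    zone_ruleset
fi
```

Dry-run the output with `sh zones.sh --print | iptables-restore --test` before loading it for real; the conntrack rule at the top is what keeps the zone chains from seeing every reply packet, which answers the performance worry from the first message.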

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 64, Issue 2
***********************************************
