Mason Firewall
Designing Mason [firewall] Rulesets for Multiple Machines
by: Robert S. Goldstein

Why make every lunch break be spent making a firewall?

Review

Earlier this month, Mason was introduced to you, giving you the ability to produce a packet filtering firewall. With the help of that article, you were able to begin securing your machine while still allowing everyone who uses it to do what they need to do. Now let's see whether we can cut down the time it takes to do the same job on another machine, whether its needs are identical or slightly different.

How do I start?

Examine what you have now. Take the baserules file (/var/lib/mason/baserules) that you have already generated and clean it up a little, but first copy that baserules file to another directory (say /root or /tmp). That gives you a backup of the working version before you start, in case something goes wrong while moving rules around (if it does, copy the backup back to /var/lib/mason). You may also find it useful to print the baserules file from time to time so that you can see all of the rules in hard copy and mark them up.

Now it is time to start cleaning up the rules. In the baserules file (/var/lib/mason/baserules), start by grouping rules with their counterparts; for example, group each icmp input rule with its matching icmp output rule. Then group the rules by service or function: for example, all of the rules used for web access (http, https), telnet (telnet, auth), and ftp (ftp, ftp-data, auth). Doing this prepares you for the next, more challenging task: making the baserules you have for one machine work on another machine.

Making rules more generic

When thinking about making the firewall rules more generic, remember that the baserules file is a bash shell script which invokes a lot of ipchains calls. This means that standard shell scripting techniques can be applied. So, you can use the rules you have already grouped into their services and make variables, loops, if-then-else statements, etc. around them to help remove rules that apply to multiple IP addresses.

Here are some variables you could use to eliminate hard-coded host names and IP addresses for your machine.

--------------

# Where the Red Hat-style interface configuration lives, and which interface
# is the main one whose addresses the rules are built around.
ETHCONFIGDIR="/etc/sysconfig/network-scripts"
ETHBASEPORT="eth0"
# Primary IP address and netmask of the main interface, from its ifcfg file.
ETHBASEIP=`cat ${ETHCONFIGDIR}/ifcfg-${ETHBASEPORT} | /bin/grep IPADDR | sed -e 's/IPADDR=//g' | tr -d '"'`
ETHNETMASK=`cat ${ETHCONFIGDIR}/ifcfg-${ETHBASEPORT} | /bin/grep NETMASK | sed -e 's/NETMASK=//g' | tr -d '"'`
# Every IP address on that interface, aliases such as eth0:0 included
# (the glob matches ifcfg-eth0, ifcfg-eth0:0, ifcfg-eth0:1, ...).
ETHALLIPS=`cat ${ETHCONFIGDIR}/ifcfg-${ETHBASEPORT}* | /bin/grep IPADDR | sed -e 's/IPADDR=//g' | tr -d '"'`
# Network and broadcast addresses as shown by the routing table.
ETHNETWORK=`/sbin/route -n | /bin/grep ${ETHNETMASK} | /bin/grep ${ETHBASEPORT} | awk '{print $1}'`
ETHBROADCAST=`/sbin/route -n | /bin/grep ${ETHBASEIP} | /bin/grep ${ETHBASEPORT} | awk '{print $3}'`
# The network in CIDR form (e.g. 192.168.1.0/24); convmasktobits is a helper,
# defined elsewhere in the script, that turns a dotted netmask into a prefix length.
ETHNETWORKCAST="${ETHNETWORK}/`convmasktobits ${ETHNETMASK}`"

--------------

Together these cover the basics: the main ethernet port, the IP addresses on that port, and its netmask, network, and broadcast addresses. With those in hand you can work out how many of the rules you actually need to keep, and then how to make the rules you keep generic.
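The variables above lean on the column layout of route(8) and on a convmasktobits helper the article does not show. The script below is an added example (not code from the article or from Mason) that computes the same values with plain shell arithmetic from ifcfg-style text: the prefix length, the network and broadcast addresses, and the KEY=value lookup. The helper name convmasktobits is borrowed from the article; its body here is mine, and the ifcfg-eth0 contents are a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the article or from Mason: fill the article's
# ETH* variables from ifcfg-style text using pure shell arithmetic, so nothing
# depends on the output format of route(8). The helper name convmasktobits is
# the one the article uses; its body here is ours.

# Convert a dotted-quad netmask to a prefix length (255.255.255.0 -> 24).
# Rejects masks that are not a contiguous run of one bits.
convmasktobits() {
    mask=$1; bits=0; seen_partial=0
    oldifs=$IFS; IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "convmasktobits: bad mask '$mask'" >&2; return 1; }
    for octet in "$@"; do
        if [ "$seen_partial" -eq 1 ] && [ "$octet" != 0 ]; then
            echo "convmasktobits: non-contiguous mask '$mask'" >&2; return 1
        fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); seen_partial=1 ;;
            252) bits=$((bits + 6)); seen_partial=1 ;;
            248) bits=$((bits + 5)); seen_partial=1 ;;
            240) bits=$((bits + 4)); seen_partial=1 ;;
            224) bits=$((bits + 3)); seen_partial=1 ;;
            192) bits=$((bits + 2)); seen_partial=1 ;;
            128) bits=$((bits + 1)); seen_partial=1 ;;
            0)   seen_partial=1 ;;
            *)   echo "convmasktobits: bad mask octet '$octet'" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Network address of IP $1 under netmask $2: per-octet IP AND mask.
netaddr() {
    oldifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Broadcast address of IP $1 under netmask $2: per-octet IP OR (NOT mask).
bcastaddr() {
    oldifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$oldifs
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# Value of KEY=... in ifcfg text read from stdin, quotes stripped; the last
# assignment wins, as it would when the init scripts source the file.
ifcfg_value() {
    sed -n "s/^[[:space:]]*$1=//p" | tr -d '"' | tail -n 1
}

# Constructed sample ifcfg-eth0 (not a real file from the article).
SAMPLE_IFCFG='DEVICE=eth0
IPADDR="192.168.1.37"
NETMASK="255.255.255.0"
ONBOOT=yes'

ETHBASEIP=$(printf '%s\n' "$SAMPLE_IFCFG" | ifcfg_value IPADDR)
ETHNETMASK=$(printf '%s\n' "$SAMPLE_IFCFG" | ifcfg_value NETMASK)
ETHNETWORK=$(netaddr "$ETHBASEIP" "$ETHNETMASK")
ETHBROADCAST=$(bcastaddr "$ETHBASEIP" "$ETHNETMASK")
ETHNETWORKCAST="${ETHNETWORK}/$(convmasktobits "$ETHNETMASK")"
echo "ETHBASEIP=$ETHBASEIP ETHNETWORKCAST=$ETHNETWORKCAST ETHBROADCAST=$ETHBROADCAST"
```

Computing the network and broadcast from the address and mask, rather than grepping them out of route -n, also catches a mistyped netmask (convmasktobits refuses non-contiguous masks) before a rule built on it reaches ipchains.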

For example, the loop below, used with the variables above, allows your machine to be seen, i.e. pinged and tracerouted, from every machine on the Internet.

-------------

# One pass per address on the main interface: the loopback rules let the
# machine reach itself, the ${ETHBASEPORT} rules let the outside world
# ping and traceroute it.
for ONEIP in `echo ${ETHALLIPS}`; do

        # Echo reply/icmp (I) *
        /sbin/ipchains -A input -i lo -p icmp -s ${ONEIP}/32 0 -d ${ONEIP}/32 0 -j ACCEPT

        # Echo reply/icmp (O) *
        /sbin/ipchains -A output -i lo -p icmp -s ${ONEIP}/32 0 -d ${ONEIP}/32 0 -j ACCEPT

        # Echo req/icmp (I) *
        /sbin/ipchains -A input -i lo -p icmp -s ${ONEIP}/32 8 -d ${ONEIP}/32 0 -j ACCEPT

        # Echo req/icmp (O) *
        /sbin/ipchains -A output -i lo -p icmp -s ${ONEIP}/32 8 -d ${ONEIP}/32 0 -j ACCEPT

        # Dest Unreach/icmp (I) *
        /sbin/ipchains -A input -i lo -p icmp -s ${ONEIP}/32 3 -d ${ONEIP}/32 1 -j ACCEPT

        # Dest Unreach/icmp (O) *
        /sbin/ipchains -A output -i lo -p icmp -s ${ONEIP}/32 3 -d ${ONEIP}/32 1 -j ACCEPT

        # Dest Unreach/icmp (I) *
        /sbin/ipchains -A input -i lo -p icmp -s ${ONEIP}/32 3 -d ${ETHBASEIP}/32 3 -j ACCEPT

        # Dest Unreach/icmp (O) *
        /sbin/ipchains -A output -i lo -p icmp -s ${ONEIP}/32 3 -d ${ETHBASEIP}/32 3 -j ACCEPT

        # TRACEROUTE/udp (I) *
        /sbin/ipchains -A input -i lo -p udp -s ${ETHBASEIP}/32 1024:65535 -d ${ONEIP}/32 33434:33524 -j ACCEPT

        # TRACEROUTE/udp (O) *
        /sbin/ipchains -A output -i lo -p udp -s ${ETHBASEIP}/32 32768:65535 -d ${ONEIP}/32 33434:33524 -j ACCEPT

        # Echo reply/icmp (O) *
        /sbin/ipchains -A output -i ${ETHBASEPORT} -p icmp -s ${ONEIP}/32 0 -d 0/0 0 -j ACCEPT

        # Echo req/icmp (I) *
        /sbin/ipchains -A input -i ${ETHBASEPORT} -p icmp -s 0/0 8 -d ${ONEIP}/32 0 -j ACCEPT

        # Dest Unreach/icmp (I) *
        /sbin/ipchains -A input -i ${ETHBASEPORT} -p icmp -s 0/0 3 -d ${ONEIP}/32 3 -j ACCEPT

        # Dest Unreach/icmp (O) *
        /sbin/ipchains -A output -i ${ETHBASEPORT} -p icmp -s ${ONEIP}/32 3 -d 0/0 3 -j ACCEPT

        # Echo reply/icmp (I) *
        /sbin/ipchains -A input -i ${ETHBASEPORT} -p icmp -s 0/0 0 -d ${ONEIP}/32 0 -j ACCEPT

        # Echo req/icmp (O) *
        /sbin/ipchains -A output -i ${ETHBASEPORT} -p icmp -s ${ONEIP}/32 8 -d 0/0 0 -j ACCEPT

        # Time exceeded/icmp (I) *
        /sbin/ipchains -A input -i ${ETHBASEPORT} -p icmp -s 0/0 11 -d ${ONEIP}/32 0 -j ACCEPT

        # Source Quench/icmp (I) *
        /sbin/ipchains -A input -i ${ETHBASEPORT} -p icmp -s 0/0 4 -d ${ONEIP}/32 0 -j ACCEPT

done

------------

Saved you a little time, eh? Well, let's now work through how to make these adjustments to the rules you have. Remember that all of the rules are just a series of commands, so you can use variables and other shell techniques to remove most of the host names for the machines on your local network. Since you have already grouped the rules by service, you can start by using the variables above to replace your local host names. Also look through the lines for patterns in the commands (this is why printouts were suggested). You will notice that some rules are repeated, and that if you have multiple IP addresses on the main ethernet port, some rules require the main IP address of the port (e.g. eth0:0 might need eth0) to let traffic pass through the main port. Once you have spotted these patterns, you can start creating rule blocks like the one shown above. Remember also that you can use external files to list a selected set of IP addresses that are allowed particular services.

------------

# ${ETHBASEPORT}-dns is a plain text file listing one IP address per line;
# lines containing '#' are treated as comments and skipped.
if [ `cat ${ETHBASEPORT}-dns | /bin/grep -v '#' | wc -l` -gt 0 ]; then
        for ONEIP in `cat ${ETHBASEPORT}-dns | /bin/grep -v '#'`; do
                <insert dns and support ACCEPT rules here>
                if [ "${ONEIP}" != "${ETHBASEIP}" ]; then
                        <insert telnet DENY rules here>
                fi
        done
fi

------------

A block like this lets you list, in one file, all of the IP addresses that you wish to allow dns access (domain, support) but not telnet access (hint: always remember to include the main IP address in these files). Using files to make the rules more generic lets you quickly add and remove IP addresses by editing a text file. After you have finished making these types of changes to the baserules file (/var/lib/mason/baserules), all you need to do is run these two commands:

        /etc/rc.d/init.d/firewall stop
        /etc/rc.d/init.d/firewall start

Making these types of changes to the baserules file you generated will let you make the small tweaks needed when copying the baserules file to a machine with similar needs, or even to one that, say, does not need the ssh or ftp access the first machine needed.
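The skeleton above feeds whatever is in the list file straight into ipchains, and it depends on the hint that the main IP address is always in the file. The script below is an added example (not code from the article or from Mason) that fills in the skeleton with the two checks a practitioner wants before such a file drives a firewall: every entry is validated as an IPv4 address, and the rules are refused outright if the interface's main address is missing from the list. The DNS port numbers (53) and the telnet port (23) are standard; the list file contents are a constructed sample, and IPCHAINS defaults to an echo so the generated commands can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the article or from Mason: turn an allow-list
# file into ipchains rules following the article's skeleton (DNS ACCEPT for
# every listed address, telnet DENY for the aliases only), with the entries
# validated and the "always include the main IP address" hint enforced.
# IPCHAINS defaults to an echo so the commands can be reviewed; set
# IPCHAINS=/sbin/ipchains to apply them for real.

IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"

# Exit status 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the usable entries of list file $1, one per line: comments (from '#'
# to end of line) and blank lines are dropped, and anything that is not an
# IPv4 address is reported on stderr and skipped instead of reaching ipchains.
read_iplist() {
    while read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            echo "read_iplist: skipping invalid entry '$entry' in $1" >&2
        fi
    done < "$1"
}

# Number of valid entries in list file $1.
count_iplist() {
    read_iplist "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Exit status 0 if address $2 is one of the valid entries of list file $1.
list_has_ip() {
    read_iplist "$1" 2>/dev/null | grep -qx "$2"
}

# Emit the rules for interface $1 from list file $2, where $3 is the main
# address of that interface (the article's ETHBASEIP). Refuses to emit
# anything if the main address is missing from the list, since the skeleton
# in the article would otherwise silently leave it without DNS access.
dns_rules() {
    iface=$1; list=$2; base=$3
    if ! list_has_ip "$list" "$base"; then
        echo "dns_rules: $list does not list the main address $base; refusing" >&2
        return 1
    fi
    read_iplist "$list" | while read -r ip; do
        # DNS (udp/53) queries in and answers out for this address
        $IPCHAINS -A input  -i "$iface" -p udp -s 0/0 1024:65535 -d "$ip/32" 53 -j ACCEPT
        $IPCHAINS -A output -i "$iface" -p udp -s "$ip/32" 53 -d 0/0 1024:65535 -j ACCEPT
        # Aliases get DNS but not telnet; the main address's telnet rules
        # live elsewhere in the ruleset, as in the article's skeleton.
        if [ "$ip" != "$base" ]; then
            $IPCHAINS -A input -i "$iface" -p tcp -s 0/0 -d "$ip/32" 23 -j DENY -l
        fi
    done
}

# Constructed sample list (not a file from the article): a comment line,
# the main address, one alias, and one typo that must be rejected.
SAMPLE_LIST=$(mktemp)
printf '# addresses allowed DNS access\n192.168.1.37   # main address\n192.168.1.38\n10.0.0.999\n\n' > "$SAMPLE_LIST"
dns_rules eth0 "$SAMPLE_LIST" 192.168.1.37
rm -f "$SAMPLE_LIST"
```

Run as-is, the script prints the four ACCEPT rules and one DENY rule it would add, plus a warning on stderr about the rejected entry; nothing touches the kernel until IPCHAINS is pointed at the real binary. Keeping the list file under the same change control as the baserules file matters just as much, since anyone who can edit it can open a service to a new address.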

Pre-Made RuleSets

You are probably thinking now, "There has got to be a quick fix to my security needs! I cannot be bothered waiting two hours or even two days doing this stuff! Why can I not just go to a site and download and install a set of rules that will work for my needs?" Well, there is a way. I have created a site for this purpose. If you go to it, you will find some generic baserules that have been made from different servers on the Internet (some may work better than others for your needs). Simply follow the directions on the site describing how to install the rules, have the people at your office test to make sure that they can still do what they need to do, and then you are all set. The URL to the site is: https://www.pobox.com/~rsg/projects/linux/mason/. I hope that you find it informative and useful.

Additional Resources


0.4.0 Copyright to all articles belong to their respective authors.
Everything else © 2024 LinuxMonth.com
Linux is a trademark of Linus Torvalds.
Powered by Apache, mod_perl and Embperl.