I see I left off OpenVPN.
Are you running it over UDP or TCP? I will add the appropriate rules after you answer.
Developing Shorewall rules
Adding support for tftp - Re: Developing Shorewall rules
I see that you have tftp running (noticed the service when I was restarting ntp per the ntp thread).
To support tftp, we need only change one rule:
Now wasn't that easy! Plus you tightly control who can get to your tftp server...
We COULD tighten it even further. We make a zone that only includes the range of addresses assigned via dhcp, nesting it within the Loc zone. Perhaps calling it the Dh zone? Anyway, only it would have access to tftp. But I don't think that restriction is needed.
This now brought to fore another thought. That of DNS over tcp. I do not have it allowed, do we need it, say for dyndns? If so, I would think only Loc needs it?
To support tftp, we need only change one rule:
Code: Select all
ACCEPT Loc fw udp domain,tftp
We COULD tighten it even further. We make a zone that only includes the range of addresses assigned via dhcp, nesting it within the Loc zone. Perhaps calling it the Dh zone? Anyway, only it would have access to tftp. But I don't think that restriction is needed.
This now brought to fore another thought. That of DNS over tcp. I do not have it allowed, do we need it, say for dyndns? If so, I would think only Loc needs it?
DNS over tcp - Re: Developing Shorewall rules
I only had DNS over udp, and the DNS macro proper allows both udp and tcp, so here is a new rules file:
I also switched daap over to the macro, even though I had it setup for both udp and tcp already.
Code: Select all
ACCEPT all all icmp
ACCEPT Loc fw udp tftp
DNS(ACCEPT) Loc fw
ACCEPT Int fw tcp rpcbind,ntp,http,ipp,rpasswd,nfs
ACCEPT Int fw tcp ssh - -3/min
ACCEPT Int fw tcp 10000 # webmin
Web(ACCEPT) Int fw
SMB(ACCEPT) Int fw
DAAP(ACCEPT) Int fw
VNC(ACCEPT) Int fw
#ACCEPT Pub fw
#ACCEPT fw Loc
#ACCEPT fw Int
SMB(ACCEPT) fw Int
ACCEPT fw Pub tcp ntp
DNS(ACCEPT) fw Pub
Web(ACCEPT) fw Pub
Re: Developing Shorewall rules
i apologize, but i am not following you in detail.
not being an expert, though, i can only remember how hard it was.
what i did was start a quick & dirty firewall user interface. later we can work on integrating this front end to your back end.
will take a while, but we'll get there.
not being an expert, though, i can only remember how hard it was.
what i did was start a quick & dirty firewall user interface. later we can work on integrating this front end to your back end.
will take a while, but we'll get there.
- firewall.png (19.14 KiB) Viewed 4095 times
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1
Re: Developing Shorewall rules
Ho boy.... I got some splan'g to do. 
First is grouping systems with similar policies. I went with 3 groupings, even though there COULD be 4, but that would be too complex..
Pub - The world at large, a scary place.
Int - My network that I trust.
Loc - Amahi's subnet, where systems can get special services (like dhcp).
Loc thus is built of the same network information as dhcpd uses.
Int is all your internal network that you want to give access Amahi. This can be more than one CIDR block, even though I showed you it as only one block. After all, when I worked on RFC 1918 (yes I am THAT Moskowitz), we were given 3 CIDR blocks. Plus some, like me, have a nice public CIDR block as well. Fortunately Hosts allows for disjoint CIDR blocks for one zone:
So you can pretty much build /etc/shorewall/hosts, you have to allow for those that have more complex internal networks.
I have avoided a zone for systems with dhcp-assigned addresses, I really don't think they are more 'allowed' than Loc. Plus Amahi supports hardcoded systems on the local network, and that would add to the complexity of Hosts file.
Both the zone and policy files are slam-dunks, as is the one change to shorewall.conf to allow for IPv6 (soon I will have shorewall6 example). All that is left is rules and any custom macros (none yet!).
There are a few groupings of rules. The simple one is allowing a port or range to access Amahi:
And of course you are going to allow icmp to/from Amahi:
Or maybe not! Then there are ports that need some control:
This limits ssh to 3 connects per minute, or no connections allowed for a min to cool things down. There is a less restrictive approach of:
No longer so simple to put together from a simple form entry!
Notice that I use port names, these come from /etc/services. Most users know what service they want by name not number, but they may not know what it is officially called (eg domain, not dns). You would want a pull-down list perhaps, but /etc/services is a LARGE file with obscure services included!
I am going to introduce Shorewall macros at this point, as it will make a number of things easier to cover. Some services need a complex set of rules. For us, SMB is the most complex we will deal with. In fact other than a few of us that have really worked with SMB know all that needs In fact there are TWO SMB macros:
or
SMB is bidirectional. You either run the SMB macro both ways, or use the special bidirectional macro. It is a matter of rules file appearance, the same rules are written in the end.
And as I said SMB is complex:
Would your 'typical' user know all of these? I have been working with Netbios since DOS 2, and **I** have to look it up!
Macros also help out for when both protocols are used, and users are not that aware that they need to specify both!
Isn't that nice, the service is 'domain' but the Shorewall macro is 'DNS'!
Shorewall comes with a LOT of macros, more than we will need for Amahi, but here is a listing:
Looking at this, you might pick up on one that I did not include that Amahi 'needs'! Notice that practically every protocol we use, there is a macro for it. And if there is another we need, we can create our own and put them in /etc/shorewall. Note there is no SIP macro. Guess I should write one and submit it, as I have done a lot with SIP/RTP...
Macros don't 'cost' anything. At startup, Shorewall expands them to iptables rules. I guess the reason I do not use macros all the time is style. I LIKE to see actual service rules!
As I sit here typing this 'tutorial', I am thinking that an Amahi user will rarely introduce a rule that does not have a macro, so the basic screen should be for which from/to zone for which macro. Here is my rules file written completely with macros:
And for this, I will have to write macros for: RPCBIND, RPASSWD, NFS, and SSHl (rate limited SSH). None hard to do.
So I see 3 screens. The 'basic' one is:
from and to zone and macro.
The second is:
CIDR ranges for including in Int (default is 192.168.0.0/16).
The third is:
from and to zone, protocol, and port [range].
All of these need a portion which shows what exists already. with the ability to delete existing ones. Perhaps the first two come 'preloaded' Some services are just 'needed' like DNS, SMB, and Web, and we can assume the default Int CIDR block. Plus by having some prebuilt rules, we introduce the concept of what protocols for which grouping of systems (zones). Thus I would preload most of what I show.
I guess you have 3 more tables to add to your SQL database. (I started with SQL with MicroRIM, THE original SQL database).
Fortunately Amahi is a server and not a gateway! (as I work with it, I am coming up with ONE scenario where we might allow it), so firewall rules aren't SO bad... Also Amahi is behind a firewall of some sorts already so we don't have to 'worry' about things like smurfs and martians oh my!
And NO LOGGING!
Hope this helps explain our basic firewalling needs.
First is grouping systems with similar policies. I went with 3 groupings, even though there COULD be 4, but that would be too complex..
Pub - The world at large, a scary place.
Int - My network that I trust.
Loc - Amahi's subnet, where systems can get special services (like dhcp).
Loc thus is built of the same network information as dhcpd uses.
Int is all your internal network that you want to give access Amahi. This can be more than one CIDR block, even though I showed you it as only one block. After all, when I worked on RFC 1918 (yes I am THAT Moskowitz), we were given 3 CIDR blocks. Plus some, like me, have a nice public CIDR block as well. Fortunately Hosts allows for disjoint CIDR blocks for one zone:
Code: Select all
Int eth0:192.168.0.0/16
Int eth0:10.0.0.0/8
Int eth0:201.45.28.192/26
I have avoided a zone for systems with dhcp-assigned addresses, I really don't think they are more 'allowed' than Loc. Plus Amahi supports hardcoded systems on the local network, and that would add to the complexity of Hosts file.
Both the zone and policy files are slam-dunks, as is the one change to shorewall.conf to allow for IPv6 (soon I will have shorewall6 example). All that is left is rules and any custom macros (none yet!).
There are a few groupings of rules. The simple one is allowing a port or range to access Amahi:
Code: Select all
ACCEPT Loc fw udp tftp
Code: Select all
ACCEPT all all icmp
Code: Select all
ACCEPT Int fw tcp ssh - - 3/min
Code: Select all
Limit:none:SSHA,3,60 Int fw tcp 22
Notice that I use port names, these come from /etc/services. Most users know what service they want by name not number, but they may not know what it is officially called (eg domain, not dns). You would want a pull-down list perhaps, but /etc/services is a LARGE file with obscure services included!
I am going to introduce Shorewall macros at this point, as it will make a number of things easier to cover. Some services need a complex set of rules. For us, SMB is the most complex we will deal with. In fact other than a few of us that have really worked with SMB know all that needs In fact there are TWO SMB macros:
Code: Select all
SMB(ACCEPT) Int fw
SMB(ACCEPT) fw Int
Code: Select all
SMBBI(ACCEPT) Int fw
And as I said SMB is complex:
Code: Select all
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
Macros also help out for when both protocols are used, and users are not that aware that they need to specify both!
Code: Select all
DNS(ACCEPT) Loc fw
Code: Select all
ACCEPT Loc fw udp domain
ACCEPT Loc fw tcp domain
Code: Select all
macro.AllowICMPs macro.GNUnet macro.JabberSecure macro.PostgreSQL macro.SPAMD
macro.Amanda macro.Gnutella macro.JAP macro.PPtP macro.SSH
macro.Auth macro.GRE macro.Jetdirect macro.Printer macro.Submission
macro.BitTorrent macro.HTTP macro.L2TP macro.Rdate macro.SVN
macro.BitTorrent32 macro.HTTPS macro.LDAP macro.RDP macro.Syslog
macro.CVS macro.ICQ macro.LDAPS macro.Reject macro.Telnet
macro.DAAP macro.IMAP macro.Mail macro.Rfc1918 macro.Telnets
macro.DCC macro.IMAPS macro.MySQL macro.RNDC macro.template
macro.Distcc macro.IPIP macro.NNTP macro.Rsync macro.TFTP
macro.DNS macro.IPP macro.NNTPS macro.SANE macro.Time
macro.Drop macro.IPPserver macro.NTP macro.SixXS macro.Trcrt
macro.DropDNSrep macro.IPsec macro.NTPbrd macro.SMB macro.VNC
macro.DropUPnP macro.IPsecah macro.OpenVPN macro.SMBBI macro.VNCL
macro.Edonkey macro.IPsecnat macro.PCA macro.SMBswat macro.Web
macro.Finger macro.IRC macro.Ping macro.SMTP macro.Webmin
macro.FTP macro.Jabberd macro.POP3 macro.SMTPS macro.Whois
macro.Git macro.JabberPlain macro.POP3S macro.SNMP
Macros don't 'cost' anything. At startup, Shorewall expands them to iptables rules. I guess the reason I do not use macros all the time is style. I LIKE to see actual service rules!
As I sit here typing this 'tutorial', I am thinking that an Amahi user will rarely introduce a rule that does not have a macro, so the basic screen should be for which from/to zone for which macro. Here is my rules file written completely with macros:
Code: Select all
AllowICMPs(ACCEPT) all all
TFTP(ACCEPT) Loc fw
DNS(ACCEPT) Loc fw
RCPBIND(ACCEPT) Loc fw
NTP(ACCEPT) Loc fw
IPP(ACCEPT) Loc fw
RPASSWD(ACCEPT) Loc fw
NFS(ACCEPT) Loc fw
SSHl(ACCEPT) Int fw
Webmin(ACCEPT) Int fw
Web(ACCEPT) Int fw
SMB(ACCEPT) Int fw
DAAP(ACCEPT) Int fw
VNC(ACCEPT) Int fw
SMB(ACCEPT) fw Int
NTP(ACCEPT) fw Pub
DNS(ACCEPT) fw Pub
Web(ACCEPT) fw Pub
So I see 3 screens. The 'basic' one is:
from and to zone and macro.
The second is:
CIDR ranges for including in Int (default is 192.168.0.0/16).
The third is:
from and to zone, protocol, and port [range].
All of these need a portion which shows what exists already. with the ability to delete existing ones. Perhaps the first two come 'preloaded' Some services are just 'needed' like DNS, SMB, and Web, and we can assume the default Int CIDR block. Plus by having some prebuilt rules, we introduce the concept of what protocols for which grouping of systems (zones). Thus I would preload most of what I show.
I guess you have 3 more tables to add to your SQL database. (I started with SQL with MicroRIM, THE original SQL database).
Fortunately Amahi is a server and not a gateway! (as I work with it, I am coming up with ONE scenario where we might allow it), so firewall rules aren't SO bad... Also Amahi is behind a firewall of some sorts already so we don't have to 'worry' about things like smurfs and martians oh my!
And NO LOGGING!
Hope this helps explain our basic firewalling needs.
Re: Developing Shorewall rules
Oh you will want a method to run 'shorewall check' and 'shorewall restart'.
And report results.
And report results.
We are going about this all wrong Re: Developing Shorewall r
I just remembered....
I installed Webmin on my Amahi system and went to THEIR Shorewall control! (https://localhost:10000/shorewall/)
I would show you some nice screen captures, but I don't know how to upload them.
So I guess it is your choice: Build your own or use Webmin... 
I installed Webmin on my Amahi system and went to THEIR Shorewall control! (https://localhost:10000/shorewall/)
I would show you some nice screen captures, but I don't know how to upload them.
So I guess it is your choice: Build your own or use Webmin...
Who is online
Users browsing this forum: Google [Bot] and 58 guests