Developing Shorewall rules

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Developing Shorewall rules

Postby rgmhtt » Thu Mar 12, 2009 7:17 pm

I am now developing Shorewall rules for Amahi. I am starting with IPv4 and will later add Shorewall6.

So I was given the following a while ago from Carlos on the email list:

the internal services should be:

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
774/tcp open rpasswd
2049/tcp open nfs
3689/tcp open rendezvous
5901/tcp open vnc-1

First is 53 really tcp? Not udp? or both?
Also what about 139 and 2049?

How about 123 for ntp?

only 5901? Not 5901:5903?

Webmin is 10000.

What else should I know about?

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: Developing Shorewall rules

Postby cpg » Thu Mar 12, 2009 9:36 pm

oooo, excellent! :ugeek:

if you can create the rule in a file or whatever in a form that is regular, we may be able to create a nice front end without much effort!

that would rock!

personally i would start small and grow from there.

you are correct! dns needs both udp & tcp. yea, for vnc you need at least one and one per each simultaneous session i guess, so that depends on the user.

for the rest, i am not sure (not an expert). best may be to start restrictive and add things after a bit of research on each service.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

moredruid
Expert
Posts: 791
Joined: Tue Jan 20, 2009 1:33 am
Location: Netherlands

Re: Developing Shorewall rules

Postby moredruid » Fri Mar 13, 2009 4:24 am

is shorewall better than iptables?
iptables can be modified very easily, however you can make it very complicated by defining rules more strict.

what I've read from cpg's list open means completely open, which is what you don't want.
iptables has options regarding this with the likes of accept, established, related, drop etc. and portforwarding/bridging/routing built in as well
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D2173656C7572206968616D41snlbxq' | dc
Galileo - HP Proliant ML110 G6 quad core Xeon 2.4GHz, 4GB RAM, 2x750GB RAID1 + 2x1TB RAID1 HDD

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Fri Mar 13, 2009 2:11 pm

You are aware that an Amahi install has iptables disabled?

Shorewall makes iptables easier.

Particularly as I delve into what we need; things I have not done with Shorewall in the past, but many others have.

Simple things like port knocking for SSH.

Then more complex like what range of addresses can access SMB and IPP.

This is going to be interesting....

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Sun Mar 15, 2009 5:43 pm

I have shorewall configured. Took a bit of learning, as I am doing things with it I have not done before. Tom (shorewall developer) was a great help.

Assumption: One interface: eth0
I am running shorewall 4.2.4-5, 4.2.6-3 is available from http://www.invoca.ch/pub/packages/shorewall/4.2/

You want shorewall and shorewall-perl. I have not worked on shorewall6 yet. I would recommend that the current shorewall be maintained in the Amahi repo and not make the user figure out how to get the current stable version...

After installing, there is potential need to edit /etc/shorewall/shorewall.conf (all but macros are in /etc/shorewall). For IPv6 support, you need to change DISABLE_IPV6 to No. Otherwise, you can leave this unchanged.

Next you need your interfaces file (I tried to align things up for nice visuals, but it is not working):

Code:

#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      dhcp

Then the zones file:

Code:

#ZONE     TYPE       OPTIONS   IN        OUT
#                              OPTIONS   OPTIONS
fw        firewall
Pub       IPv4
Int:Pub   IPv4
Loc:Int   IPv4

These zones will make more sense once you see the hosts file:

Code:

#ZONE   HOST(S)                 OPTIONS
Loc     eth0:192.168.1.0/24     routeback
Int     eth0:192.168.0.0/16
Pub     eth0:0.0.0.0/0

Loc, Int, and Pub are 'nested zones'. I include Int to allow for those that have other networks. Note that the Loc line is the ONLY line in all of this that is specific to an install.

Now you need the policy file:

Code:

#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
all       fw     DROP     info
fw        all    DROP     info
all       all    DROP

This last policy is a catch-all, as your Amahi box should not be doing routing.

We are almost ready for rules. First I will show you the 3 macros I use. Macros are in /usr/share/shorewall:

macro.SMB:

Code:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      udp     135,445
PARAM     -        -      udp     137:139
PARAM     -        -      udp     1024:         137
PARAM     -        -      tcp     135,139,445

macro.VNC

Code:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      tcp     5900:5909

macro.Web

Code:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      tcp     80            # HTTP (plaintext)
PARAM     -        -      tcp     443           # HTTPS (over SSL)

Now for the actual rules:

Code:

#ACTION       SOURCE   DEST   PROTO   DEST                                     SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                     PORT                                     PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT        all      all    icmp
ACCEPT        Loc      fw     udp     domain
ACCEPT        Int      fw     tcp     rpcbind,ntp,http,ipp,rpasswd,nfs,daap
ACCEPT        Int      fw     tcp     ssh                                      -         -          3/min
ACCEPT        Int      fw     tcp     10000   # webmin
Web(ACCEPT)   Int      fw
SMB(ACCEPT)   Int      fw
VNC(ACCEPT)   Int      fw
#ACCEPT       Pub      fw
#ACCEPT       fw       Loc
#ACCEPT       fw       Int
SMB(ACCEPT)   fw       Int
ACCEPT        fw       Pub    udp     domain
ACCEPT        fw       Pub    tcp     ntp
Web(ACCEPT)   fw       Pub

I have some commented rule groupings as placeholders while we figure out what else is needed. I have not tested everything, but SMB seems to work! I am accessing shares from my CentOS laptop from a subnet in zone Int by putting SMB://192.168.1.myamahi into Nautilus. Well, you get the idea!

PLEASE look these rules over; have I missed any protocol?

Having Amahi as a gateway with two interfaces will take a lot more....
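An added check of the rules above (my own script, not from the thread or from Shorewall): it expands the three macros and the Loc/Int/Pub zone nesting from the posted files and reports which services in the nmap list from the first post have no ACCEPT into fw from each zone. It is a simplified model: policies and the RATE LIMIT column are ignored, and the /etc/services subset, the parsed rules text and the nmap lines are constructed inline.

```python
SERVICES = {"ssh": 22, "domain": 53, "http": 80, "rpcbind": 111, "ntp": 123, "https": 443,
            "ipp": 631, "rpasswd": 774, "nfs": 2049, "daap": 3689}  # constructed /etc/services subset
# PARAM lines of macro.SMB, macro.VNC and macro.Web as posted: (proto, DEST PORT(S)).
MACROS = {"SMB": [("udp", "135,445"), ("udp", "137:139"), ("udp", "1024:"), ("tcp", "135,139,445")],
          "VNC": [("tcp", "5900:5909")], "Web": [("tcp", "80"), ("tcp", "443")]}
PARENT = {"Loc": "Int", "Int": "Pub"}  # nested zones (child -> parent) from the posted zones file
RULES = """
ACCEPT      Loc  fw   udp  domain
ACCEPT      Int  fw   tcp  rpcbind,ntp,http,ipp,rpasswd,nfs,daap
ACCEPT      Int  fw   tcp  ssh  -  -  3/min
ACCEPT      Int  fw   tcp  10000   # webmin
Web(ACCEPT) Int  fw
SMB(ACCEPT) Int  fw
VNC(ACCEPT) Int  fw
"""
NMAP = ["22/tcp open ssh", "53/tcp open domain", "80/tcp open http", "111/tcp open rpcbind",
        "139/tcp open netbios-ssn", "443/tcp open https", "445/tcp open microsoft-ds", "631/tcp open ipp",
        "774/tcp open rpasswd", "2049/tcp open nfs", "3689/tcp open rendezvous", "5901/tcp open vnc-1"]

def zone_chain(z):  # z plus its enclosing zones; Shorewall also applies parent-zone rules to child hosts
    return [z] + (zone_chain(PARENT[z]) if z in PARENT else [])

def port_set(spec):
    """Expand a DEST PORT(S) spec ('ssh,http', '137:139', '1024:') into a set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo = int(lo) if lo.isdigit() else SERVICES[lo]
        out.update(range(lo, (int(hi) if hi else 65535 if sep else lo) + 1))  # 'N:' means N..65535
    return out

def accepted(rules, src, dst):
    """(proto, port) pairs ACCEPTed from zone src to zone dst, with macro calls expanded."""
    zones, allowed = set(zone_chain(src)) | {"all"}, set()
    for f in (ln.split("#")[0].split() for ln in rules.splitlines()):
        if len(f) < 3 or f[1] not in zones or f[2] != dst:
            continue
        name = f[0][:-8] if f[0].endswith("(ACCEPT)") else None  # macro call such as SMB(ACCEPT)
        entries = MACROS[name] if name else [(f[3], f[4])] if f[0] == "ACCEPT" and len(f) > 4 else []
        allowed |= {(proto, n) for proto, ports in entries for n in port_set(ports)}
    return allowed

def uncovered(nmap_lines, rules, src, dst="fw"):
    """Service names from nmap 'PORT STATE SERVICE' lines with no ACCEPT from src to dst."""
    allowed = accepted(rules, src, dst)
    return [svc for port, _, svc in map(str.split, nmap_lines)
            if (port.split("/")[1], int(port.split("/")[0])) not in allowed]

if __name__ == "__main__":
    print({z: uncovered(NMAP, RULES, z) for z in ("Loc", "Int", "Pub")})
```

Run against the posted rules it flags only 53/tcp (the rules open DNS to fw as udp from Loc alone), and everything from Pub, which is the intended restrictive starting point.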

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Sun Mar 15, 2009 6:26 pm

I forgot to mention the shorewall commands.

shorewall clear will clear out everything you defined in shorewall.

shorewall check will do a compile and report. Good for testing new rules.

shorewall start or restart to compile and put rules in force.

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Sun Mar 15, 2009 8:02 pm

:oops:

I just had a system hang on an smb access across a router. Got testing to do....

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: Developing Shorewall rules

Postby cpg » Sun Mar 15, 2009 8:50 pm

thanks for the rules!

what kind of a hang??

actual os hang?
or just the firewall going in between the client and the hda?
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Sun Mar 15, 2009 9:15 pm

Nautilus was not responding. It responded to smb://<amahi IP addr> and listed the shares, but when I tried to open Public, it hung. I had to kill Nautilus; this killed every running copy of it. When I tried to restart it, it would not. I then went to reboot the system, and then the system became unresponsive. Had to pull the AC and the battery to get a hard boot going.

There are a couple of different SMB macros with Shorewall. I have to find out what the difference between them is.

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: Developing Shorewall rules

Postby rgmhtt » Mon Mar 16, 2009 4:44 am

Stupid mistake.

I had started iptables, which is another front end to IPTABLES, and that messed everything up.

As explained in the Shorewall documentation (that I was reminded to read again ;) ), Shorewall replaces the iptables configuration service.

One change I could make is replace the 2 SMB macros with one SMBBI macro. But on review, I like the way the rules file 'looks' with the SMB macro. A reviewer can see what is happening without delving into the macro so much.

So I have a public web server I could put all the files up on if you want, otherwise, let's test away with the various apps and see if there are any other ports needed to be added to the rules file.

**I** feel better now having protection for my Amahi server.

Oh, one point about rate limiting for SSH. I implemented it to limit if ALL connections exceeded 3/min. There is an alternative which shuts down per source IP address, using the action macro:

Code:

#ACTION                SOURCE   DEST   PROTO   DEST
#                                              PORT
Limit:none:SSHA,3,60   Pub      fw     tcp     ssh

This approach does not help if you are being attacked by a zombie net, where the connections are coming in from different IP addresses. And given that SSH is not a mainline function for Amahi, I went with the first approach. Actually on MY system, I move SSH to a different port AND rate limit!

So I will now leave working on Shorewall alone for a bit, let others try it out. It may be a while for Shorewall6, depending on a few things. Next is the ntp server stuff I promised.
