HORATIO-FIREWALL


NAME

horatio-firewall − Network access authentication firewall script

SYNOPSIS

horatio-firewall

DESCRIPTION

horatio-firewall is a bash script which initializes the firewall for Horatio.

In general, you should probably only be using horatio-firewall as an example of how to set up a firewall for use with Horatio.

The primary purpose of the base firewall for Horatio is to defend the firewall machine and the hosts behind it from the activities on the untrusted network. As a result, most of the rules apply to incoming packets from the untrusted network.

The secondary purpose of the base firewall is to allow enough communication for the hosts on the untrusted network to be configured and to log into the firewall access control.

The tertiary purpose of the firewall is to allow almost unrestricted access to hosts which have been added to the firewall access. Only specific ports (described below) are blocked. This makes the horatio-firewall script much more permissive than might be needed in other environments.

The final purpose of the base firewall script is to finish configuring the firewall host to act as the Horatio gateway, including setting up proxy ARP and IP forwarding.

The horatio-firewall script distributed with horatio should not be used as distributed—please review it for your local security policies. Since it mostly consists of configurable rules, the activities of the script as distributed will be discussed in the CONFIGURATION section below.

CONFIGURATION

The first steps of horatio-firewall are to define some parameters.

Commands, IP addresses, and interfaces

ipc

An abbreviation for the ipchains command.

tn

The hostname (or IP address) of the firewall’s network interface on the trusted network.

un

The hostname of the interface on the untrusted network.

ti

The name (i.e. eth0) of the interface on the trusted network.

ui

The name of the interface on the untrusted network.

Port Numbers

These port variables can be either names from /etc/services or port numbers.

dhcpp

The DHCP UDP port. In theory it should be necessary to explicitly allow DHCP service on the untrusted interface, but the ISC DHCP server apparently listens promiscuously, which makes an explicit rule unnecessary.

dnsp

The DNS port. DNS is the one exception to the forwarding chain’s default policy of not forwarding packets for hosts that are not logged in. UDP access to the DNS servers listed in /etc/resolv.conf is allowed in order to allow the untrusted hosts to resolve the firewall’s name.

httpp, httpsp

The HTTP and HTTPS ports. TCP access to these ports from the untrusted interface to the untrusted IP address is allowed by the input chain. To prevent confusion, access to these ports from the trusted interface is denied.

netbiosnsp, netbiosdgmp, netbiossnp

NETBIOS ports to be blocked. Both TCP and UDP packets are blocked by the input chain.

nfsdp, sunrpcp

NFS service ports. Packets to these ports for either TCP or UDP from the ui are denied by the input chain.

printerp

LPD port. This is currently allowed, once the host has logged in.

snmpp, snmptrapp

SNMP and SNMP trap ports. These are denied by the input chain, particularly after recent security problems.

ciscop

Cisco SNMP port mentioned in a SANS alert. UDP packets from the ui to this port and to the SNMP ports above are denied by the input chain.

syslogp

Syslog port. TCP and UDP packets are denied by the input chain.

uucpp

UUCP port. TCP packets are denied by the input chain.

ICMP

ICMP packets from the untrusted interface are accepted (but will not be forwarded unless the host has logged in).

IP Chains

The order of the rules in the firewall is important. When looking at the script, be aware that some rules are appended to their appropriate rule chain with -A and others are inserted at the beginning of the chain with -I 1.

The firewall uses the input chain for most of the filtering, in order to protect the firewall machine. The default policy is set to accept all packets; rules are then added to deny packets arriving from the untrusted interface whose destination is the IP address of either the trusted interface or the untrusted interface. It also denies packets that arrive from the trusted network interface destined for the untrusted interface’s address. Finally, it filters the incoming packets that may be destined to pass through the firewall, based on the port rules described above.

The default policy of the forwarding chain is to forward nothing, with the initially configured exception of UDP DNS packets to the known DNS servers from /etc/resolv.conf. When a host is added to the firewall access after logging in, two rules are added to the forwarding chain, allowing traffic to and from that host to be forwarded.

The output chain has no rules and is unfiltered.

Proxy ARP and IP Forwarding

The final actions of the firewall script are to enable IP forwarding in the Linux kernel and to enable Proxy ARP (which is needed by UTCS’ routing configuration—it may be unnecessary and is not particularly desirable in other setups).
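The following script is an added illustration of the ruleset described in this section, written in the ipchains syntax the page names; it is not the horatio-firewall script distributed with Horatio. The addresses, interface names and port numbers are constructed sample values, the DRY_RUN switch (which prints each rule instead of applying it) is an assumption added so the script can be read and tested without root or an ipchains kernel, and the choice of enabling proxy ARP on the untrusted interface is likewise an assumption, since the page does not say which interface UTCS used.

```shell
#!/bin/sh
# Added example, not the distributed horatio-firewall script.
# DRY_RUN=1 (default here) prints the ipchains commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
if [ "$DRY_RUN" = 1 ]; then ipc="echo ipchains"; else ipc=ipchains; fi

# Commands, IP addresses, and interfaces (constructed sample values).
tn=${tn:-10.0.0.1}        # firewall address on the trusted network
un=${un:-192.168.1.1}     # firewall address on the untrusted network
ti=${ti:-eth0}            # trusted interface
ui=${ui:-eth1}            # untrusted interface

# Port numbers; names from /etc/services would work as well with ipchains.
dhcpp=67 dnsp=53 httpp=80 httpsp=443      # dhcpp unused: ISC dhcpd listens promiscuously
netbiosnsp=137 netbiosdgmp=138 netbiossnp=139
nfsdp=2049 sunrpcp=111 printerp=515       # printerp is allowed once logged in, so no rule
snmpp=161 snmptrapp=162 ciscop=1993
syslogp=514 uucpp=540

# Name servers from /etc/resolv.conf; an alternate file may be passed for testing.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Base ruleset. Note the mix of -A (append) and -I 1 (insert at the front):
# the accepts inserted at position 1 take precedence over the appended denies.
base_rules() {
    $ipc -F input; $ipc -F forward; $ipc -F output

    # input chain: accept by default, then deny what must not reach the firewall.
    $ipc -P input ACCEPT
    $ipc -A input -i "$ui" -d "$tn" -j DENY        # untrusted side -> trusted address
    $ipc -A input -i "$ui" -d "$un" -j DENY        # untrusted side -> untrusted address
    $ipc -A input -i "$ti" -d "$un" -j DENY        # trusted side -> untrusted address
    # Login page: HTTP/HTTPS to the untrusted address from the untrusted side only.
    $ipc -I input 1 -i "$ui" -p tcp -d "$un" "$httpp" -j ACCEPT
    $ipc -I input 1 -i "$ui" -p tcp -d "$un" "$httpsp" -j ACCEPT
    $ipc -A input -i "$ti" -p tcp -d "$tn" "$httpp" -j DENY
    $ipc -A input -i "$ti" -p tcp -d "$tn" "$httpsp" -j DENY
    # ICMP from the untrusted side is accepted here (forwarding is decided below).
    $ipc -I input 1 -i "$ui" -p icmp -j ACCEPT
    # Services blocked for packets from the untrusted interface, whatever their destination.
    for p in $netbiosnsp $netbiosdgmp $netbiossnp $nfsdp $sunrpcp $syslogp; do
        $ipc -A input -i "$ui" -p tcp -d 0.0.0.0/0 "$p" -j DENY
        $ipc -A input -i "$ui" -p udp -d 0.0.0.0/0 "$p" -j DENY
    done
    for p in $snmpp $snmptrapp $ciscop; do
        $ipc -A input -i "$ui" -p udp -d 0.0.0.0/0 "$p" -j DENY
    done
    $ipc -A input -i "$ui" -p tcp -d 0.0.0.0/0 "$uucpp" -j DENY

    # forward chain: nothing passes except UDP DNS to the configured resolvers.
    $ipc -P forward DENY
    for ns in $(resolvers "$1"); do
        $ipc -A forward -p udp -d "$ns" "$dnsp" -j ACCEPT
    done

    # output chain: unfiltered.
    $ipc -P output ACCEPT
}

# Called once a host has logged in: two rules, traffic to and from the host.
allow_host() {
    $ipc -I forward 1 -s "$1" -j ACCEPT
    $ipc -I forward 1 -d "$1" -j ACCEPT
}
revoke_host() {
    $ipc -D forward -s "$1" -j ACCEPT
    $ipc -D forward -d "$1" -j ACCEPT
}

# Final step: IP forwarding and proxy ARP (interface choice is an assumption).
enable_gateway() {
    for f in /proc/sys/net/ipv4/ip_forward "/proc/sys/net/ipv4/conf/$ui/proxy_arp"; do
        if [ "$DRY_RUN" = 1 ]; then echo "echo 1 > $f"; else echo 1 > "$f"; fi
    done
}

if [ "$DRY_RUN" = 1 ] && [ -r /etc/resolv.conf ]; then
    base_rules; allow_host 192.168.1.42; enable_gateway
fi
```

Run it as-is to see the rule list the page describes; set DRY_RUN=0 on an ipchains kernel to apply it, after adjusting the variables and the port lists to the local policy.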

SEE ALSO

horatio(8), horatio-hostlist(8), bash(1), ipchains(8)

BUGS

horatio-firewall is mostly one giant security bug.

AUTHOR

Tommy M. McGuire (mcguire@cs.utexas.edu) wrote this.