[Firehol-support] Isolating HOST communications
Peter Farrell
peter.d.farrell at gmail.com
Mon Oct 17 11:41:07 BST 2005
Hello Costa,
My apologies for not being more clear.
Let me cut it down to the bare essentials, and start the question by
stating what I wish to achieve:
Overall, the goal is to limit the ability of an attacker to compromise
our internal systems, should a break-in occur.
In the case of our database servers, we want to set the firewall rules
up so that they only accept incoming mysql connections from a
particular src IP address (the mysql master)
and only send their mysql reply's back to the same address.
Background 1:
I want to specify which hosts can communicate w/ each other given a
particular service.
For example:
>5 mysql slaves should ONLY send/receive mysql data to MASTER
>MASTER should ONLY send/receive mysql data to SLAVES{1-5}
Question 1:
Do you simply use 'src' and 'dst' with your 'server' and 'client' to
specify which hosts are acceptable?
Can you define a server by it's IP address in 'network definitions'
then reference that with 'src' and 'dst' to control
traffic to and from it?
Would you set up the server / client in firehol.conf as follows:
==========================================================
# Network definitions
zone2_ips="192.168.2.2/24"
mysql_data="192.168.3.4" #IP address of mysql MASTER
# Custom service definitions
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"
# Local services this server should allow.
local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
# At what frequency to accept local requests?
local_requests="50/sec"
# Interface No 1.
interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.0/32
policy reject
server apcupsdnis accept
server ICMP accept
server mysql accept src "${mysql_data}"
server nrpe accept
server ntp accept
server ssh accept
client apcupsdnis accept
client nrpe accept
client mysql accept dst "${mysql_data}"
client ssh accept
============================================
Question 2:
On the line for the interface:
interface eth0 zone2 src "${zone2_ips}" dst 192.168.2.0/32
When you keep the 'dst <address>' on the line, does that mean that any
traffic bound for an address that isn't in that range gets dropped?
If you left it open, (i.e. did not include any 'dst' statement) would
it allow all traffic out, no matter the address?
If you wanted to allow 'dst' traffic on more than one network, would
you simply string them together on that line?
Such as: interface eth0 zone2 src "${zone2_ips}" dst {192.168.0.0/32
192.168.1.0/32 192.168.2.0/32 192.168.3.0/32}
If that is correct, could you just define it earlier in the config and
reference it like I've done with the 'src = zone2_ips' ?
============================================
Thank you for any direction / advice / clarification.
-Peter
On 10/15/05, Costa Tsaousis <costa at tsaousis.gr> wrote:
> Peter,
>
> I am very sorry, but I got really confused. Could you please make more
> precise questions?
>
> Keep in mind that FireHOL is just a packet filtering firewall, with a
> few helpers for NAT, etc. FireHOL does not change your routing (it
> doesn't even know it), does not set or get default gateways and does not
> care about routable or unroutable networks. If your network topology is
> right, FireHOL will just allow you to enforce a policy about the
> communication that is allowed or by utilizing NAT allow you to have
> networks talk to each other, that otherwise (by the topology design)
> they cannot.
>
> Costa
>
> Peter Farrell wrote:
>
> >*Sorry - perhaps I didn't format it properly for the list previously?
> >
> >
> >Hello:
> >We are in the process of implementing FireHOL across our network.
> >We have a tiered network / firewall structure.
> >DMZ [hosts] Zone1 [hosts] Zone2 [hosts] Zone3 [hosts] Intranet
> >Each host has interfaces that face opposite zones.
> >eg. eth0:DMZ and eth1:ZONE1
> >eg. eth0:ZONE1 and eth1:ZONE2
> >etc.
> >
> >We're attempting to get Zone3 sorted out currently.
> >We have nothing but a mysql master and several slaves in that zone.
> >We want the master to be able to communicate to anywhere in Zone2 and
> >anywhere in Zone3.
> >We want the slaves to be a bit more locked down, and only accept mysql
> >communications from the master, nagios communications from the nagios
> >server in Zone2, ntpd sync info from a time server in Zone2, etc.
> >Additionally, after this is sorted, to only accept incoming SSH
> >connections from a valid 'jump-host' somewhere on the network as yet
> >undetermined.
> >
> >*Final question:
> >What is the line:
> >interface eth1 interface2 src not "${UNROUTABLE_IPS} 192.168.3.0/24"
> >dst 192.168.3.5/32
> >Used for? Are you meant to put in double entries for all interfaces
> >that act as the default gateway for each machine? If I leave the line
> >out, is the net effect saying "allow traffic to this interface
> >regardless if it is routable or not"?
> >
> >I think we're close in regards to the config, but could someone just
> >have a look and chip in their advice as well?
> >When we run the config w/ the commented out bits 'un-commented' the
> >firewall fails to start.
> >*Perhaps when I define 'mysql' as 'acceptable traffic' early on, it
> >needs to be a different variable name, as there is already a client
> >and server of that same name?
> >The config file is from a SLAVE mysql server in Zone3
> >
> >Thanks in advance for your time.
> >-Peter Farrell
> >RedHat SysAdmin
> >Scarce Skills Ltd.
> >Newport, S. Wales - UK
> >
> >-------------------------------------------------------------------------------------------------------------------------
> >#
> >#!/etc/init.d/firehol
> >#
> >version 5
> >#
> >
> ># Network definitions
> >zone2_ips="192.168.2.0/24"
> >zone3_ips="192.168.3.0/24"
> >
> ># Acceptable HOST traffic addresses
> >#apcupsd="192.168.2.1 192.168.1.3"
> >#nagios="192.168.2.3 192.168.1.5"
> >#mysql="192.168.3.4"
> >#ssh="192.168.2.0/32 192.168.3.0/32"
> >#
> ># These aren't working at all.
> ># We want to specify the hosts that can communicate w/ this machine.
> ># i.e. ONLY send/receive mysql from the mysql master, nagios info
> ># from the nagios host, etc.
> >#
> ># Custom service definitions
> >server_nrpe_ports="tcp/5666"
> >client_nrpe_ports="default"
> >
> ># Local services this server should allow.
> >local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
> >
> ># At what frequency to accept local requests?
> >local_requests="50/sec"
> >
> ># Interface No 1.
> >interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.2/32
> >
> > # The default policy is DROP. You can be more polite with REJECT.
> > policy reject
> >
> > # Here are the services listening on eth0.
> > server apcupsdnis accept # src "${apcupsd}"
> > server ICMP accept
> > server mysql accept # src "${mysql}"
> > server nrpe accept # src "${nagios}"
> > server ntp accept
> > server ssh accept # src "${ssh}"
> >
> > client apcupsdnis accept
> > client nrpe accept
> > client mysql accept
> > client ssh accept
> >
> ># Interface No 2.
> >interface eth1 zone3 src "${zone3_ips}" #dst 192.168.3.0/32
> >
> > # The default policy is DROP. You can be more polite with REJECT.
> > policy reject
> >
> > # Here are the services listening on eth1.
> > server apcupsdnis accept # src "${apcupsd}"
> > server ICMP accept
> > server mysql accept # src "${mysql}"
> > server nrpe accept # src "${nagios}"
> > server ntp accept
> > server ssh accept # src "${ssh}"
> >
> > client apcupsdnis accept
> > client nrpe accept
> > client mysql accept
> > client ssh accept
> >--------------------------------------------------------------------------------------------------------------------
> >
> >
> >--
> >To contact me, please follow this link:
> >http://public.xdi.org/=Peter.D.Farrell
> >
> >Thank you.
> >Peter Farrell
> >
> >
> >-------------------------------------------------------
> >This SF.Net email is sponsored by:
> >Power Architecture Resource Center: Free content, downloads, discussions,
> >and more. http://solutions.newsforge.com/ibmarch.tmpl
> >_______________________________________________
> >Firehol-support mailing list
> >Firehol-support at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/firehol-support
> >
> >
>
>
>
--
To contact me, please follow this link:
http://public.xdi.org/=Peter.D.Farrell
Thank you.
Peter Farrell
More information about the Firehol-support
mailing list