
Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files



On Sat, 2014-11-22 at 11:42 +0100, Wouter Verhelst wrote: 
> Except that if a firewall "protects" a user from using their printer
> (random example, not sure how likely)
Well, most security guys are probably sceptical about any automagical
configuration of things like a printer... so "protects" can actually
really mean protect here.

But apart from that, other distros seem to manage that problem (simply
allowing the CUPS ports?)

>  and they have no way of fixing
> that (or even understanding what's wrong), that's not very helpful. This
> is why I said "with the current state of affairs".
> 
> Before we enable a firewall by default, we should, IMO, have the
> following:


> - A way for a user to configure it without understanding iptables.
IMHO, this is a bad idea. If a user doesn't know what he's doing, he
usually does more harm than good.
People probably have to accept the fact that they cannot blindly act
without any knowledge and have this still work.


> - A way for a user to debug (without understanding iptables) if things
>   don't work.
Mhh, that I agree with,... OTOH, having some basic knowledge of iptables
and debugging is rather easy, at least speaking about simple cases like "I
block my CUPS port"... other cases like IPv6 needing ICMPv6 to work, or
things that require protocol-level knowledge, are nothing that one can
really automagically debug for a user without the willingness to learn
about these things.


> - A way for a package maintainer to assert that this particular package
>   needs a hole in the firewall to be useful, and that this hole needs to
>   be available to a particular group of remote machines. E.g., cups
>   would not expect connections from the other end of the world, while
>   webservers would.
This is really a bad idea. Most sysadmins probably wouldn't want their
firewall rules to be automagically changed by some pseudo-smart
mechanism.

In fact, no one can really know how firewall rules are set up, and even
the placement of a rule may completely change the semantics.


> I'm sure the first of those exists, someone with more of an opinion
> about it than me should have a look at the available options and decide
> what should be made the default.
If Debian should really get a default set of rules, then one should
probably avoid any software bloat by making a fancy system the default,
which many users may not even need.

I think netfilter-persistent is the best thing here (even though it had
some security issues last time I looked at it), since it's basically
just a loading facility and nothing more.
I.e. what other distros ship with their standard iptables package.



> I know for sure that the latter does not exist; a spec should probably
> be written and proposed. In order for this to not result in yet another
> systemd-style "discussion", said spec should preferably be written
> without a particular implementation in mind (so that all implementations
> can use it).
As I've said,... basically impossible to implement something like that
generically, especially when you look at more complex netfilter setups,
which do more than just default-DROP and selectively allow certain
ports... just think that people could do it vice versa (default-ALLOW,
selectively DROP), or that policy matching mechanisms are in place, or
anything else where ordering matters.


I've just proposed a small default set of rules which blocks most
incoming stuff that is not from ESTABLISHED/RELATED...
I've added the default rules which I'm using at the faculty... think
away the IPsec handling stuff, the way I specially handle fail2ban, and
add your printer rules,... and I think it should already work for 99% of
cases.
These are actually the rules I'm using on my desktop as well, and so far
(except for CUPS or zeroconf stuff) I haven't seen any software having
network troubles with that.



Cheers,
Chris.

*filter




#*******************************************************************************
#*** Policies                                                                ***
#*******************************************************************************
#deny incoming packets per default
:INPUT		DROP	[0:0]

#deny forwarding packets per default
:FORWARD	DROP	[0:0]

#allow outgoing packets per default
:OUTPUT		ACCEPT	[0:0]




#*******************************************************************************
#*** Basic Rules                                                             ***
#*******************************************************************************
#allow incoming and outgoing packets on the loopback network interface
-A INPUT	--in-interface lo			-j ACCEPT
-A OUTPUT	--out-interface lo			-j ACCEPT


#handle IPsec-only sources/destinations
#Warning: This MUST come before any accepting rules (except the ones for the loopback network interface), especially (but not limited to) the “ESTABLISHED,RELATED-rule” below.
-N ipsec-only-in
-N ipsec-only-out
#Note: One SHOULD NOT additionally match against any of the host’s (local) addresses or interfaces here, since that could lead to accidentally accepting packets from/to IPsec-only sources/destinations.
#TODO: Optionally, add special-use IPv6 addresses:
#-A INPUT		--source invalid.ip6-localhost,…				-j ipsec-only-in
#-A OUTPUT		--destination invalid.ip6-localhost,…				-j ipsec-only-out
#TODO: Optionally, add peers here:
#-A INPUT		--source 0.eth0.iface.example.invalid.addr.ip6-localhost,…	-j ipsec-only-in
#-A OUTPUT		--destination 0.eth0.iface.example.invalid.addr.ip6-localhost,…	-j ipsec-only-out


#allow incoming packets from established and related connections
-A INPUT	-m state  --state ESTABLISHED,RELATED	-j ACCEPT


#allow incoming and outgoing ICMP packets
-A INPUT	--protocol icmpv6			-j ACCEPT
-A OUTPUT	--protocol icmpv6			-j ACCEPT


#deny packets which are either explicitly untracked or not associated with a known connection
-A INPUT	-m state  --state UNTRACKED,INVALID	-j DROP
-A FORWARD	-m state  --state UNTRACKED,INVALID	-j DROP
-A OUTPUT	-m state  --state UNTRACKED,INVALID	-j DROP




#*******************************************************************************
#*** Handle IPsec-Only Sources/Destinations                                  ***
#*******************************************************************************
#do not handle packets that were or are going to be IPsec processed
-A ipsec-only-in	-m policy  --strict --dir in --pol ipsec --mode tunnel --proto esp	-j RETURN
-A ipsec-only-out	-m policy  --strict --dir out --pol ipsec --mode tunnel --proto esp	-j RETURN

#allow incoming packets for ISAKMP / IKE
#Note: Without this, IPsec connections could not be established with IPsec-only sources/destinations.
#Note: Usually, it would not make much sense to additionally match against any addresses or interfaces here. The only exception is, if one wants to have IPsec-only sources/destinations and additionally only allow ISAKMP / IKE exchange with only some of their addresses/interfaces; all others would be effectively blocked.
-A ipsec-only-in	--protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT
-A ipsec-only-out	--protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT


#deny all non-ESP packets (packets that are not subject to IPsec)
-A ipsec-only-in	! --protocol esp							-j REJECT  --reject-with icmp6-adm-prohibited
-A ipsec-only-out	! --protocol esp							-j REJECT  --reject-with icmp6-adm-prohibited




#*******************************************************************************
#*** Secure Shell                                                            ***
#*******************************************************************************
#Note: This rule serves as a hook for fail2ban. It never matches, since all incoming packets on the loopback network interface are already accepted above.
-A INPUT	--in-interface lo  -m comment  --comment "f2b-hook-sshd"

#allow incoming packets for SSH
#-A INPUT	--destination 0.ssh.srv.ip6-localhost  --protocol tcp  -m tcp  --destination-port ssh --syn	-j ACCEPT


#*******************************************************************************
#*** Internet Security Association and Key Management Protocol /             ***
#*** Internet Key Exchange                                                   ***
#*******************************************************************************
#allow incoming packets for ISAKMP / IKE
#Note: IPsec-only sources/destinations are already handled above.
#-A INPUT	--source invalid --destination 0.isakmp-ike.srv.ip6-localhost  --protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT




#*******************************************************************************
#*** Everything Else                                                         ***
#*******************************************************************************
#deny incoming packets with “Destination Unreachable (Port Unreachable)” ICMP messages
-A INPUT	-j REJECT  --reject-with icmp6-port-unreachable




COMMIT
*filter




#*******************************************************************************
#*** Policies                                                                ***
#*******************************************************************************
#deny incoming packets per default
:INPUT		DROP	[0:0]

#deny forwarding packets per default
:FORWARD	DROP	[0:0]

#allow outgoing packets per default
:OUTPUT		ACCEPT	[0:0]




#*******************************************************************************
#*** Basic Rules                                                             ***
#*******************************************************************************
#allow incoming and outgoing packets on the loopback network interface
-A INPUT	--in-interface lo			-j ACCEPT
-A OUTPUT	--out-interface lo			-j ACCEPT


#handle IPsec-only sources/destinations
#Warning: This MUST come before any accepting rules (except the ones for the loopback network interface), especially (but not limited to) the “ESTABLISHED,RELATED-rule” below.
-N ipsec-only-in
-N ipsec-only-out
#Note: One SHOULD NOT additionally match against any of the host’s (local) addresses or interfaces here, since that could lead to accidentally accepting packets from/to IPsec-only sources/destinations.
#TODO: Optionally, add special-use IPv4 addresses:
#-A INPUT		--source invalid.localhost,…					-j ipsec-only-in
#-A OUTPUT		--destination invalid.localhost,…				-j ipsec-only-out
#TODO: Optionally, add peers here:
#-A INPUT		--source 0.eth0.iface.example.invalid.addr.localhost,…		-j ipsec-only-in
#-A OUTPUT		--destination 0.eth0.iface.example.invalid.addr.localhost,…	-j ipsec-only-out


#allow incoming packets from established and related connections
-A INPUT	-m state  --state ESTABLISHED,RELATED	-j ACCEPT


#allow incoming and outgoing ICMP packets
-A INPUT	--protocol icmp				-j ACCEPT
-A OUTPUT	--protocol icmp				-j ACCEPT


#deny packets which are either explicitly untracked or not associated with a known connection
-A INPUT	-m state  --state UNTRACKED,INVALID	-j DROP
-A FORWARD	-m state  --state UNTRACKED,INVALID	-j DROP
-A OUTPUT	-m state  --state UNTRACKED,INVALID	-j DROP




#*******************************************************************************
#*** Handle IPsec-Only Sources/Destinations                                  ***
#*******************************************************************************
#do not handle packets that were or are going to be IPsec processed
-A ipsec-only-in	-m policy  --strict --dir in --pol ipsec --mode tunnel --proto esp	-j RETURN
-A ipsec-only-out	-m policy  --strict --dir out --pol ipsec --mode tunnel --proto esp	-j RETURN

#allow incoming packets for ISAKMP / IKE
#Note: Without this, IPsec connections could not be established with IPsec-only sources/destinations.
#Note: Usually, it would not make much sense to additionally match against any addresses or interfaces here. The only exception is, if one wants to have IPsec-only sources/destinations and additionally only allow ISAKMP / IKE exchange with only some of their addresses/interfaces; all others would be effectively blocked.
-A ipsec-only-in	--protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT
-A ipsec-only-out	--protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT


#deny all non-ESP packets (packets that are not subject to IPsec)
-A ipsec-only-in	! --protocol esp							-j REJECT  --reject-with icmp-admin-prohibited
-A ipsec-only-out	! --protocol esp							-j REJECT  --reject-with icmp-admin-prohibited




#*******************************************************************************
#*** Secure Shell                                                            ***
#*******************************************************************************
#Note: This rule serves as a hook for fail2ban. It never matches, since all incoming packets on the loopback network interface are already accepted above.
-A INPUT	--in-interface lo  -m comment  --comment "f2b-hook-sshd"

#allow incoming packets for SSH
#-A INPUT	--destination 0.ssh.srv.localhost  --protocol tcp  -m tcp  --destination-port ssh --syn	-j ACCEPT


#*******************************************************************************
#*** Internet Security Association and Key Management Protocol /             ***
#*** Internet Key Exchange                                                   ***
#*******************************************************************************
#allow incoming packets for ISAKMP / IKE
#Note: IPsec-only sources/destinations are already handled above.
#-A INPUT	--source invalid --destination 0.isakmp-ike.srv.localhost  --protocol udp  -m multiport  --destination-ports isakmp,ipsec-nat-t	-j ACCEPT




#*******************************************************************************
#*** Everything Else                                                         ***
#*******************************************************************************
#deny incoming packets with “Destination Unreachable (Port Unreachable)” ICMP messages
-A INPUT	-j REJECT  --reject-with icmp-port-unreachable




COMMIT

Attachment: smime.p7s
Description: S/MIME cryptographic signature
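The ordering argument in the mail above (the placement of a rule changes the semantics, and a default-ALLOW ruleset needs a different edit than a default-DROP one to "open a hole") as an added example, not part of the original mail and not Debian or netfilter code: a small Python first-match evaluator for the subset of the iptables-restore syntax used in the posted rules. The two rulesets, the CUPS "hole" rule and the packets are constructed for the example; the evaluator only models `-i`, `-p`, `-m state --state`, `--dport` and `--syn`, and does not model `-m policy`, multiport or service names.

```python
"""Added example, not from the mail or from Debian: a minimal first-match
evaluator for the subset of iptables-restore syntax used in the posted
ruleset, to show why the position of a rule changes the verdict."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed ruleset: the posted INPUT chain, trimmed to the modelled matches.
DEFAULT_DROP = """\
*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT --protocol icmp -j ACCEPT
-A INPUT -m state --state UNTRACKED,INVALID -j DROP
-A INPUT --protocol tcp -m tcp --destination-port 22 --syn -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Constructed "vice versa" style ruleset: default-ACCEPT with a selective DROP.
DEFAULT_ACCEPT = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT --protocol tcp -m tcp --destination-port 631 -j DROP
COMMIT
"""
# The "hole" a hypothetical per-package mechanism would add for CUPS (tcp/631).
CUPS_HOLE = "-A INPUT --protocol tcp -m tcp --destination-port 631 --syn -j ACCEPT"

@dataclass
class Rule:
    chain: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    states: set = field(default_factory=set)
    dport: Optional[int] = None
    syn: bool = False
    target: Optional[str] = None    # None: counting-only rule, like the f2b hook

@dataclass
class Packet:
    iface: str
    proto: str
    state: str                      # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: int = 0
    syn: bool = False

def parse(text):
    """Parse '*filter ... COMMIT' into ({chain: policy}, {chain: [Rule]})."""
    policies, chains = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#" or line in ("*filter", "COMMIT"):
            continue
        if line[0] == ":":                           # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("only -A rules are modelled: " + line)
        rule, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if t in ("-i", "--in-interface"): rule.in_iface = arg
            elif t in ("-p", "--protocol"): rule.proto = arg
            elif t == "--state": rule.states = set(arg.split(","))
            elif t in ("--dport", "--destination-port"): rule.dport = int(arg)
            elif t == "-j": rule.target = arg
            elif t == "--syn": rule.syn = True; i -= 1  # a flag: consumes no argument
            elif t not in ("-m", "--comment", "--reject-with"):  # take an argument, no effect here
                raise ValueError("unsupported token %r in: %s" % (t, line))
            i += 2
        chains.setdefault(rule.chain, []).append(rule)
    return policies, chains

def matches(rule, pkt):
    return ((rule.in_iface is None or rule.in_iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.states or pkt.state in rule.states)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.syn or pkt.syn))

def verdict(ruleset, pkt, chain="INPUT"):
    """First matching rule with a target decides; otherwise the chain policy."""
    policies, chains = parse(ruleset)
    for rule in chains[chain]:
        if rule.target is not None and matches(rule, pkt):
            return rule.target
    return policies[chain]

def hole_demo():
    """The same 'open tcp/631 for CUPS' request, placed three different ways."""
    cups_syn = Packet("eth0", "tcp", "NEW", dport=631, syn=True)
    appended = DEFAULT_DROP.replace("COMMIT", CUPS_HOLE + "\nCOMMIT")
    inserted = DEFAULT_DROP.replace("-A INPUT -j REJECT", CUPS_HOLE + "\n-A INPUT -j REJECT")
    other_style = DEFAULT_ACCEPT.replace("COMMIT", CUPS_HOLE + "\nCOMMIT")
    return {
        "no hole": verdict(DEFAULT_DROP, cups_syn),                            # REJECT
        "appended after the catch-all REJECT": verdict(appended, cups_syn),    # REJECT: never reached
        "inserted before the catch-all": verdict(inserted, cups_syn),          # ACCEPT
        "appended to default-ACCEPT ruleset": verdict(other_style, cups_syn),  # DROP: earlier DROP wins
    }
```

The point the evaluator makes is the one from the mail: blindly appending an ACCEPT for a package's port lands behind the final REJECT and never matches, and against a default-ACCEPT ruleset the right edit is to remove the DROP, not to add an ACCEPT at all. On a real host the same check is reading the chain with `iptables -S INPUT` (or `ip6tables -S INPUT`), where the first matching rule with a target wins, exactly as here.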

