
Re: Firewall Startup Configuration files



----- Original Message ----- 
From: "Magnus Sundberg" <Magnus.Sundberg@dican.se>
To: "Peter Robb" <deb@newproject.pl>
Sent: Tuesday, November 04, 2003 4:49 PM
Subject: Re: Firewall Startup Configuration files


> Peter Robb wrote:
> > Agreed, but what's the timing for loading the rules and bringing up the interfaces...
> > I prefer rules first and interfaces next. Then the routing is also after the rules...
> >
> > I think the whole question is whether to put some kind of filtering in place before
> > the firewall goes live.
> > Even bringing up local interfaces after the external is live and working...
> > Would that make more sense?
> >
> > Regards,
> > Peter.
> >
> >
>
> Hi again,
> Well this is my opinion on how to run a linux firewall, as well
> as most linux servers.
>
> 1. Make a plain simple, stupid, no frills installation.
> 2. Change a minimum of configuration files and document these
>
> This puts a lot of restrictions on how much you can change the
> startup script, that's the origin of my first question.
>
> I believe it is quite easy to configure your firewall in the
> first place, but you run into quite a lot of trouble when you
> need to upgrade it.
> I want to install and configure once and somewhat forget.
> It has been a royal pain to upgrade my current RedHat firewall
> with iptables and kernel security patches.

I don't believe anyone will ever get away from that problem..
If you do a kernel you need to reboot..
And maybe recompile kernel modules to match...

> About bringing up interfaces in the correct order, I ran into
> trouble with loading filter rules earlier with the interfaces
> shut down, I had some problem with the RedHat startup files.

I have had problems with iptables scripts that are reading variables that only exist after the interfaces/routing is up, so I don't use them any more. I like my rules up earlier than that..

> I believe that all your applications that reside on the firewall
> shall be secure, or at least updated within a day from a security
> alert. This will protect us from everybody except a few that are
> impossible to stop anyway.
> With secure applications your firewall will be quite secure
> anyway during the brief period from the start of the interfaces
> to the loading of the firewall rules.

Yes, but once it may happen that there is a problem with one interface or service starting which can make this delay a very long time...

> By the way NAT and DNAT does not protect you from evil neighbours
> at your ISP. One of my internal networks was earlier 192.168.1.0/24.
> An evil neighbour can send a source routed package to my gateway
> further on to one of my internal machines...
> No, the ISP does not filter out these addresses, because it is not
> possible in their DSL equipment.

That is what the reverse path filter is for, rp_filter, in your /etc/sysctl.conf file

> By the way, I don't have that big a contact area with people running
> firewalls etc. But I must admit, that if you keep your computers
> updated according to the latest patchlist, I have only heard
> anecdotal stories of cracked computers, more like the
> academical, "it is still possible"
> Is this opinion correct?

Not so correct... Most admins would like to believe they are up to date, but we can only be as good as the software. A buffer overflow is still a problem no matter how good we are at making firewall rules.
That's why Hogwash was started, to be an inline filter checking for "un-normal" activity.
But that's extra work too...  How often do you scan log files?

Regards,
Peter.
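An added example, not from either poster in this thread, of the approach Peter describes: a firewall ruleset that reads no values from the live interfaces or routing table, written in iptables-restore format so it can be loaded before networking starts, together with the rp_filter and source-route settings Magnus's "evil neighbour" case calls for. The interface names eth0/eth1 and the output paths are assumptions; 192.168.1.0/24 is the internal network mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Early-boot firewall: a static
# iptables-restore ruleset that depends only on values fixed in this file,
# so it can be loaded before the interfaces and routing are up.
# Assumptions: eth0 is the external interface, eth1 the internal one, and
# the internal network is 192.168.1.0/24 (the network named in the thread).

EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24

# Emit the ruleset text. No "ip addr" or "route" lookups here on purpose:
# those only work after networking is up, which is the ordering problem
# discussed in the thread.
build_early_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already established traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets arriving on the external side that claim an internal source
-A INPUT -i $EXT_IF -s $INT_NET -j DROP
-A FORWARD -i $EXT_IF -s $INT_NET -j DROP
-A FORWARD -i $INT_IF -s $INT_NET -o $EXT_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Kernel settings that back up the rules: reverse-path filtering and
# refusing source-routed packets, the case Magnus raised.
build_early_sysctl() {
    cat <<EOF
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

# Write both files (directory is an assumed path, default /etc). An init
# script ordered before networking would then run
# "iptables-restore < /etc/firewall.rules" and "sysctl -p /etc/firewall-sysctl.conf".
write_early_config() {
    dir=${1:-/etc}
    build_early_ruleset > "$dir/firewall.rules"
    build_early_sysctl > "$dir/firewall-sysctl.conf"
}
```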