Re: Multiple firewall profiles with shorewall
On Thu, Oct 26, 2006 at 01:03:32PM -0400, celejar wrote:
> On 10/26/06, Douglas Tutty <firstname.lastname@example.org> wrote:
> >On Thu, Oct 26, 2006 at 12:13:53PM -0400, celejar wrote:
> >> Hi,
> >> I use shorewall to create a local (personal) firewall on my sid
> >> machine. I have a wireless nic which is sometimes connected to my
> >> private wireless network which I control and can secure (with WPA or
> >> WPA2), and sometimes to other networks which are insecure (eg. airport
> >> hotspot). I use ifscheme to manage the different network
> >> configurations, and I obviously have different security assumptions
> >> about the two situations. What is the standard way to have shorewall
> >> treat the two situations differently? I'm using the Madwifi driver, so
> >> a simple trick is to simply bring up the card as ath0 on the private
> >> network and ath1 on the public network and to write shorewall config
> >> files accordingly, but this is a bit of a kludge and not portable to
> >> other drivers.
> >> The most straightforward technique I can think of is to call pre-up
> >> scripts in /etc/network/interfaces that will manipulate the shorewall
> >> config files (eg. modify /etc/shorewall/zones , policy, and/or rules)
> >> but I'm wondering if there's a more standard way to do this - it seems
> >> like a fairly common requirement.
> >How would you treat the two networks differently? What ports would you
> >have open on one and not the other? There may be more than shorewall to
> I doubt I'd want to open port 22 and allow brute force ssh attacks,
> for example. There also other services that I run for the benefit of
> my local systems that I would either have to stop or take much more
> care to harden.
For security on a public network (including the internet) sshd should
not be listening on the public interface. As an added layer, it should
also be firewalled. Both layers need to be tailored to fit. sshd can
be told what interface to listen to with ListenAddress. Since you don't
want to listen on the internet, it can stay with just the IP address
when you're connected to your own network. If you left port 22 open on
the firewall but ignored by sshd would a brute force ssh attack be
Any service you offer for the benefit of your local systems should be
hardened anyway to only listen to your own network.
> >take into consideration. If a firewall is just the last step of
> >securing the box, how do you, for example, tell ssh to allow connections
> >from one and not the other if they are both ath0.
> That's exactly why I want the firewall to block ssh connections when
> I'm on a public network.
> >Personally, I like your kludge with ath0/ath1. I don't know to what you
> >refer as not portable to other drivers. If it changed to eth0/1 you
> >would have to change the shorewall config file anyway.
> I believe that many (most?) drivers don't offer you a choice of names
> for the interfaces they find.
For example, if you have two NICs, you can use either kernel (if the
driver is built-in) or module parameters to specify if a particular card
gets called eth0 or eth1.
Some services select what to listen to by interface name (e.g. eth0 or
eth1), others by IP address. You need to look at the services you want
to offer and ensure they only listen where they should. Shorewall, I
think, defines zones by interface name so these should be different
between your private network and the public (e.g. airport hot spot).
It's not a case of either-or. You should have both types of security.
Perhaps someone with a security background can jump in?
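Added example (not code from either poster): one concrete way to do the "pre-up/post-up script that adjusts the shorewall config" approach raised earlier in the thread, tied to the point that Shorewall zones are keyed by interface name. It is an ifupdown hook that reads the ifscheme scheme from the logical interface name (the `ath0-home` / `ath0-airport` suffix convention is assumed), writes a small Shorewall overlay directory for that profile, validates it with `shorewall check` and only then restarts. Assumptions: ifupdown exports IFACE, LOGICAL and PHASE to hook scripts; Shorewall 3.x-style file formats; `shorewall check <dir>` and `shorewall restart <dir>` search `<dir>` before /etc/shorewall (check your Shorewall version's documentation); the subnet in HOME_LAN is a constructed sample value. Unknown or missing scheme names deliberately fall back to the public (locked-down) profile.

```shell
#!/bin/sh
# Added example, not from the thread. ifupdown post-up hook: pick a firewall
# profile from the ifscheme logical name (ath0-home -> home, anything else ->
# public), write a Shorewall overlay directory and restart Shorewall with it.
# Assumed: ifupdown exports IFACE, LOGICAL, PHASE; Shorewall 3.x file formats;
# "shorewall check|restart <dir>" overlay <dir> on /etc/shorewall.
# HOME_LAN is a constructed sample subnet.
set -u

SHOREWALL_BASE="${SHOREWALL_BASE:-/etc/shorewall}"
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"

# Only the "home" scheme is trusted; a typo or a bare interface name with
# no scheme suffix yields the restrictive public profile, never the open one.
profile_for_logical() {
    case "${1##*-}" in
        home) echo home ;;
        *)    echo public ;;
    esac
}

# Write the files that differ between profiles; everything else is taken
# from the base directory by Shorewall's directory search.
write_profile() {
    profile=$1; iface=$2; dir=$3
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
EOF
    # the same physical interface is the "net" zone in both profiles
    printf '#ZONE   INTERFACE   BROADCAST   OPTIONS\nnet     %s   detect      dhcp\n' \
        "$iface" >"$dir/interfaces"
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Default-deny policy above, so rules only ever add ACCEPT lines.
    {
        echo '#ACTION SOURCE          DEST    PROTO   DEST PORT(S)'
        if [ "$profile" = home ]; then
            # ssh reachable from the private LAN only, not from the whole net zone
            echo "ACCEPT  net:$HOME_LAN  \$FW     tcp     22"
        fi
    } >"$dir/rules"
}

# Validate the overlay before replacing the running firewall; a failed
# check leaves the previous (working) rule set in place.
apply_profile() {
    dir=$1
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir" && shorewall restart "$dir"
    else
        echo "shorewall not installed; overlay written to $dir" >&2
    fi
}

# Act only when invoked by ifupdown as a post-up hook.
if [ -n "${IFACE:-}" ] && [ "${PHASE:-}" = post-up ]; then
    profile=$(profile_for_logical "${LOGICAL:-$IFACE}")
    dir="$SHOREWALL_BASE/profile-$profile"
    write_profile "$profile" "$IFACE" "$dir"
    apply_profile "$dir"
fi
```

Install it as /etc/network/if-up.d/shorewall-profile (executable) and it runs for every interface brought up; the firewall is the outer layer only, so sshd itself should still carry a `ListenAddress` for the private LAN address so it is not reachable on a public network even if a rule is wrong.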