[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Multiple firewall profiles with shorewall

On 10/26/06, Douglas Tutty <dtutty@porchlight.ca> wrote:


For security on a public network (including the internet) sshd should
not be listening on the public interface.  As an added layer, it should
also be firewalled.  Both layers need to be tailored to fit.  sshd can
be told what interface to listen to with ListenAddress.  Since you don't
want to listen on the internet, it can stay with just the IP address
when you're connected to your own network.  If you left port 22 open on
the firewall but ignored by sshd would a brute force ssh attack be

But it's still preferable to firewall the port (security in depth).

Any service you offer for the benefit of your local systems should be
hardened anyway to only listen to your own network.

It's still better to be able to firewall the ports to block access
from the outside in addition to hardening the services. Security in
depth. After all, in an ideal world where all services were perfectly
hardened and bug free, there wouldn't be much need for firewalls in
the first place!

> >take into consideration.  If a firewall is just the last step of
> >securing the box, how do you, for example, tell ssh to allow connections
> >from one and not the other if they are both ath0.
> That's exactly why I want the firewall to block ssh connections when
> I'm on a public network
> >Personally, I like your kludge with ath0/ath1.  I don't know to what you
> >refer as not portable to other drivers.  If it changed to eth0/1 you
> >would have to change the shorewall config file anyway.
> I believe that many (most?) drivers don't offer you a choice of names
> for the interfaces they find.

For example, if you have two NICs, you can use either kernel (if the
driver is built-in) or module paramaters to specify if a particular card
gets called eth0 or eth1.

I believe you are mistaken; device names are usually assigned by the
kernel before the driver even loads, often based on fixed hardware
considerations. However, with udev it is apparently possible to assign
more or less arbitrary names; see this article [0].

Some services select what to listen to by interface name (e.g. eth0 or
eth1), others by IP address.  You need to look at the services you want
to offer and ensure they only listen where they should.  Shorewall, I
think, defines zones by interface name so these should be different
between your private network and the public (e.g. airport hot spot).

That's correct, which is why we're discussing whether it is possible
to name an arbitrary device differently based on the network config.

Its not a case of either-or.  You should have both types of security.

Again, this is exactly why I want to have multiple profiles, to have
this additional measure of security.

Perhaps someone with a security background can jump in?


Thanks again for the help.


Reply to: