Re: How to manage a firewall script with minor tweaks for different machines?

To: debian-user@lists.debian.org
Subject: Re: How to manage a firewall script with minor tweaks for different machines?
From: john doe <johndoe65534@mail.com>
Date: Sat, 12 Jun 2021 19:20:32 +0200
Message-id: <[🔎] 2c00ad31-1fbf-a07f-a3ee-25070745d0a6@mail.com>
In-reply-to: <[🔎] sm0a6nvkr4l.fsf@lakka.kapsi.fi>
References: <[🔎] sm0a6nvkr4l.fsf@lakka.kapsi.fi>

On 6/12/2021 6:02 PM, Anssi Saari wrote:


I've recently setup nftables firewalls on the machines of my little home
network. I was a little optimistic and thought I could get by with a
simple one that only allows ssh and nfs in i.e. two TCP ports and mDNS
with its slightly more complex rules.

But then... One machine has a radius server that needs UDP port 1812
open. And another is a print server with CUPS and SMB which apparently
need at least TCP ports 631 and 137 open.

How could I neatly incorporate these minor tweaks in a single nft
script? I was thinking of git branches where I can make changes to the
"main" firewall and merge those changes to the slightly tweaked
branches. Or possibly also some preprocessor type of thing that
generates three versions of the firewall script. Or just generate the
whole nft scripts with the small variants. Just wondering what other
people are doing with this sort of thing?

I also need some way of pushing these firewall scripts and other config
stuff over to the machines too. It's not a huge network but manually
logging into each machine, overwriting /etc/nftables.conf and restarting
nftables.service is a pain. cdist looks interesting and simple, does
anyone have experience with it?


You could have one common file that includes a custum file (1).
You would have one custum file per host (custum-cups, custum-smb ...).

This approach would require to always push two files(common and
custum-*) using SSH for example.

To automate that pushing step and reloading of the rules, you would have
to create a litle script that would do that based on argument:

$ push.sh cups

$ cat push.sh
#!/bin/sh

case $1 in
    cups)
        remote_ip = '<REMOTE-IP-OF-CUPS-SERVER>'
        scp common-cups custum $remote_ip:<REMOTEPATH>
        ;;
    smb)
        remote_ip = '<REMOTE-IP-OF-SMB-SERVER>'
        scp common custum-smb $remote_ip:<REMOTEPATH>
        ;;
esac

ssh $server_ip "<REMOTE-COMMAND-TO-EXECUTE>"



Note 1: I'm not using nftables, so I don't know the actual command to
reload your newly pushed config nor the location for the rules files! :)

Note 2: The script is an example only and should not be used as such.

HTH.

1)  https://wiki.nftables.org/wiki-nftables/index.php/Scripting

--
John Doe

Reply to:

Follow-Ups:
- Re: How to manage a firewall script with minor tweaks for different machines?
  - From: Anssi Saari <as@sci.fi>

References:
- How to manage a firewall script with minor tweaks for different machines?
  - From: Anssi Saari <as@sci.fi>

Prev by Date: Re: cannot mount smartphone anymore
Next by Date: Re: cannot mount smartphone anymore
Previous by thread: Re: How to manage a firewall script with minor tweaks for different machines?
Next by thread: Re: How to manage a firewall script with minor tweaks for different machines?
Index(es):
- Date
- Thread