Koozali.org: home of the SME Server

Linux - Firewall development project.

Offline arne

Linux - Firewall development project.
« on: October 11, 2007, 10:09:57 PM »
People are different, and I think there are rather few persons who do Linux firewall development just for the joy of making firewalls. But I do.

Trying to start some threads about firewall development on this forum has not been very successful, as there is always someone who says something like "please do not discuss anything about modifying the smeserver firewall".

I think it is a good idea to respect that the contribs forum is to be used for the intended purpose, so that projects that will not fit in should be moved somewhere else.

At the moment I am running a 3 port SME server with wan, lan and dmz/wlan that I think performs just fantastic, and I think it is just too bad not to work further on such a project.

By the way, the firewall is actually not a SME Server firewall; it is a general Linux firewall implementation that should be able to run wherever there is a Linux kernel.

But aren't there a lot of such firewalls already? - Yes and no - I think there are not many well structured and easy to handle firewalls of that kind. When I say "firewall" I actually mean the configuration script for a Netfilter firewall. (That will set up the firewalling functions of the Linux firewall.)

To run "the firewall application" on a complex gateway server like the SME Server will be a project in one end. To run it on a minimalistic operating system like the floppyfw would be a project in the other end: http://www.zelow.no/floppyfw/ On the other hand, the firewall application should be able to run on both systems (and other Linux distros like Ubuntu, etc.)

What could the advantages be? - Well, a lot more detailed control of the data stream and a more flexible use of the server functions, and not least the fun of doing it. Increased security as well? - Well, I think so. Then it could also be an interesting thing to develop some automated system for generating the firewall configuration from an easy to overview user panel. (php and web based?)

I think that the firewall should be made as 2 Nic (WAN/LAN), 3 Nic (WAN/LAN/WLAN) and possibly also 4 Nic (WAN/LAN/WLAN/DMZ) (?) alternatives, and with full fine grained traffic control between all network segments. (Yes, it could also work on the SME Server or any standard Linux distro with or without server functions.)

If there is any interest in such a project, a web page or some wiki could be made for the project. If such a web page is made, everything will be open source so SME Server developers and anyone can use the stuff. If there is no-one who wants to participate or do anything in such a project, I will still do it, but I will not take on the additional work of doing a web page for the project.

If anyone should be interested they can leave a few words here on this thread or send a mail.

By the way, no knowledge of firewalls is required, but knowledge of firewalls is on the other hand not a problem. What it is all about, as I see it, is user experiences and testing. A good firewall, as I would see it, is nothing less and nothing more than the sum of all user testing, user requirements, discussions and feedback. (If there is any.)

If there is anything negative about using the SME Server as platform, it could also be a Ubuntu, a Centos or anything with a Linux kernel.

To run the firewall on a SME Server will require absolutely no modifications, except possibly for a 3rd network adapter for dmz/wlan.

Posted via a 3 card SME server/gateway that seems to be working rather well :)

Some good reading stuff to start out with (Chapter 14): http://www.linuxhomenetworking.com/wiki/index.php/Main_Page


 
« Last Edit: October 11, 2007, 10:15:24 PM by arne »
......

Offline pfloor

Re: Linux - Firewall development project.
« Reply #1 on: October 11, 2007, 10:53:43 PM »
Moved to contribs section as it is more appropriate here.
In life, you must either "Push, Pull or Get out of the way!"

Offline arne

Re: Linux - Firewall development project.
« Reply #2 on: October 11, 2007, 11:07:25 PM »
Thanks ! You are right.
......

Offline dmay

Re: Linux - Firewall development project.
« Reply #3 on: October 11, 2007, 11:18:38 PM »
You raise a lot of points, however 'we' of course only care about SME, so please focus your discussion on enhancing the SME firewall services. If you feel you can build a better firewall, please do so. If you integrate your work into the SME template, db and server-manager, it has a greater chance of being accepted by the core dev team. If you wish to communicate with the core dev team (I recommend you do so), open a firewall NFR bug.

Darrell

Offline arne

Re: Linux - Firewall development project.
« Reply #4 on: October 12, 2007, 01:53:32 AM »
I will do!

The only problem with creating something is that you will have to go through the process of creating it. It is difficult to come up with the end result of such a creative process without doing the process.

If I could create a better firewall? - How can I know? The idea was to try to do some co-development if anyone were interested.

The question in the question is "what is a better firewall"? The one who knows the answer has actually almost created it.

The idea was to take the creative process of creating a firewall away from this forum to somewhere else, and then return with a more worked out suggestion at a later stage.

I made one 3 port firewall today, as a revision zero, that I thought I also should simplify down to be a 2 port firewall tomorrow, as a start of a process. It contains a few functions that I think the standard sme server firewall does not have: rate and burst control to protect against dos attacks, and filtering of outgoing traffic. But rate and burst control means "trouble", and filtering of outgoing traffic certainly means "trouble", - and an increased level of security. How can I know if it is a better firewall? It is better for me, but to know if it is better for other people, they will have to try it and give some feedback and possibly come up with some suggestions.

I will try to come up with a suggestion as soon as I can. I think that the revision zero of the 3 port firewall works very well until now, after some hours of testing during the day, but I don't know how such a design could fit into the template system. I would believe that a simplified version with only 2 network adaptors would fit in more easily - but would things like rate and burst control and filtering of outgoing traffic fit into the existing sme server configuration environment? That's another question.

To find out what is the good and not so good solution, there will be needed some activities "out in the open air" to do "the game and the play of firewalling", to come up with some creative solutions, where some of them might fit into the template system, and some of them might not.

By the way, thanks a lot for an excellent contrib, the sme version of phpmyadmin. I installed it yesterday.



« Last Edit: October 12, 2007, 01:57:43 AM by arne »
......

Offline TrevorB

Re: Linux - Firewall development project.
« Reply #5 on: October 12, 2007, 02:36:45 AM »
I think that the revision zero of the 3 port firewall works very well until now, after some hours of testing during the day, but I don't know how such a design could fit into the template system.
Post what you did, and someone may be able to help define how to do it with the templating system.

But, as others have suggested, I would do this via a New Feature Request (NFR) in Bugzilla, stating what you are doing (just focus on one area per NFR). Then add what you have done; others can then guide you on the templating etc., or add the code themselves.

You'll find that you will get a lot more support from the developers via this approach.

Trevor B

Offline arne

Re: Linux - Firewall development project.
« Reply #6 on: October 12, 2007, 04:19:53 AM »
Quote
Post what you did, and someone may be able to help define how to do it with the templating system.

Have really not got started yet, and a lot more will need to be done before the template system (I believe).

#!/bin/sh


# Enabling and configuring the third NIC (dmz/wlan)
ifconfig eth2 up
ifconfig eth2 10.0.1.1 netmask 255.255.255.0

LAN="eth0"
WAN="eth1"
DMZ="eth2"

EXTIP="80.90.100.110"
INTIP="10.0.0.1"
DMZIP="10.0.1.1"

# Modules (connection tracking and the ftp/irc helpers)
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc




# Flush and reset old rules.
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# Flush and delete the optional rate-burst chains (a chain must be emptied with -F before -X).
#iptables -F rate-burst-input
#iptables -F rate-burst-forward
#iptables -X rate-burst-input
#iptables -X rate-burst-forward

# Setting policies, default rules.
# All ports to closed.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Limit on burst and rate for syn-flood dos attacks on the gateway processes.
# (Disabled; the chain names are kept consistent so the block works when uncommented.)
#iptables -N rate-burst-input
#iptables -A INPUT -p tcp --syn -j rate-burst-input
#iptables -A rate-burst-input -m limit --limit 50/s --limit-burst 80 -j RETURN
#iptables -A rate-burst-input -j DROP


# Limit on burst and rate for syn-flood dos attacks on internal servers (forwarded traffic).
#iptables -N rate-burst-forward
#iptables -A FORWARD -p tcp --syn -j rate-burst-forward
#iptables -A rate-burst-forward -m limit --limit 50/s --limit-burst 80 -j RETURN
#iptables -A rate-burst-forward -j DROP

# Filter out non valid tcp-flags
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Filter out non valid tcp-flags
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


# Outgoing nat (masquerading) via the WAN adapter
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


# Open up for the local processes on the firewall/gateway pc (loopback)
iptables -A INPUT -i lo -j ACCEPT

# Drop packets from certain bad source ip's (example address)
iptables -A INPUT -i $WAN -s 123.123.123.123 -j DROP
iptables -A FORWARD -i $WAN -s 123.123.123.123 -j DROP


#From internet WAN to the gateway processes:
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -i $WAN -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 4569 -j ACCEPT



#From LAN to the gateway processes
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT #ssh
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT #http
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT #https
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 3128 -s 10.0.0.0/24 -j ACCEPT #Squid
iptables -A INPUT -i $LAN -d $INTIP -p udp --dport 53 -s 10.0.0.0/24 -j ACCEPT #Dns
iptables -A INPUT -i $LAN -p icmp --icmp-type echo-request -s 10.0.0.0/24 -j ACCEPT #Ping

iptables -A INPUT -i $LAN -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 4569 -j ACCEPT


#From DMZ to the gateway processes
iptables -A INPUT -i $DMZ -p tcp --dport 22 -s 10.0.1.0/24 -j ACCEPT #ssh
iptables -A INPUT -i $DMZ -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT #http
iptables -A INPUT -i $DMZ -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT #https
iptables -A INPUT -i $DMZ -p tcp --dport 3128 -s 10.0.1.0/24 -j ACCEPT #Squid
iptables -A INPUT -i $DMZ -p udp --dport 53 -s 10.0.1.0/24 -j ACCEPT #Dns
iptables -A INPUT -i $DMZ -p icmp --icmp-type echo-request -s 10.0.1.0/24 -j ACCEPT #Ping from the dmz subnet

#iptables -A INPUT -i $LAN -j ACCEPT #OPEN FOR ALL TRAFFIC#######
#iptables -A INPUT -i $DMZ -j ACCEPT #OPEN FOR ALL TRAFFIC#######




# Stateful inspection for the input to the local processes on the gateway.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#Control the datatraffic out from the gateway local processes
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -A OUTPUT -j ACCEPT #ALL OPEN#####

# Stateful inspection out from the gateway local processes
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



# Outgoing traffic from LAN to internet:

# filtering from lan to internet
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 21 -j ACCEPT #ftp
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 23 -j ACCEPT #telnet
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 53 -j ACCEPT #dns lookup
iptables -A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT #dns lookup
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 80 -j ACCEPT #http web
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 119 -j ACCEPT #news
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 443 -j ACCEPT #https web

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT #OPEN FOR ALL TRAFFIC########

# Incoming traffic from internet to lan server functions (DNAT to 10.0.0.202).

iptables -A FORWARD -i $WAN -p tcp --dport 4662 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 4662 -j DNAT --to-destination 10.0.0.202

iptables -A FORWARD -i $WAN -p udp --dport 4672 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 4672 -j DNAT --to-destination 10.0.0.202



# Traffic from lan to dmz server functions
iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 25 -j ACCEPT #smtp mail

iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 110 -j ACCEPT #pop3

iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 143 -j ACCEPT #imap


# Stateful inspection for all traffic through the FORWARD chain.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



# Traffic from internet to DMZ:
iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 25 -j ACCEPT #smtp mail server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 110 -j ACCEPT #pop3 server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 110 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 143 -j ACCEPT #imap server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 143 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 465 -j ACCEPT #ssl-smtp server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 465 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 993 -j ACCEPT #ssl-imap server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 993 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 995 -j ACCEPT #ssl pop3 server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 995 -j DNAT --to-destination 10.0.1.2



# Traffic from dmz to internet:
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 21 -j ACCEPT #ftp client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT #smtp mail
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 53 -j ACCEPT #dns client
iptables -A FORWARD -i $DMZ -o $WAN -p udp --dport 53 -j ACCEPT #dns client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 80 -j ACCEPT #http client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 110 -j ACCEPT #pop client


# enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
« Last Edit: October 12, 2007, 04:24:47 AM by arne »
......

Offline arne

Re: Linux - Firewall development project.
« Reply #7 on: October 12, 2007, 06:49:04 AM »
Forgot one thing ..

Procedure:

1. Install a standard sme gateway installation with 2 network adapters. eth0 and eth1 will then be configured.

2. Add the third network card. (That will automatically be eth2 and should be used for dmz/wlan.)

3. Run the script and you are up and running with a 3 port SME server gateway with detailed and fine grained control of traffic in all of the traffic directions, plus dos protection if you want to use it. (If you do some editing of the script and rerun it.)

There are some issues with the dhcp and the dns clients on the dmz segment. I am just configuring manually for the testing. (But if a wireless router were used, connected to the dmz card, this could be easily overcome.)

************

And one other thing:

And all the ports and protocol definitions are not set right for a "universal use" at the sme server, as this (above) was the result of one day's work in an "inspired moment". But the structure should be there, so it should only be a matter of filling the proper data in.

To fill in the right ports and protocols, it will be a major thing to understand how the ip packets traverse the Linux kernel:
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-5.html
http://www.linuxguruz.com/iptables/howto/


************

And a third thing as well:

The way I control traffic directions is by specifying the traffic directions between network adapters. (eth0, eth1, eth2)

I wonder if this method could have some hidden disadvantages. (During the years I have not found them.)

For reasons that I do not completely understand, this method does not work if you run the Linux firewall in bridge mode (but I wonder if what really happens is that the Linux kernel translates adapter addresses like eth0 to a network ip address. Actually I believe that this is the case (??).)

One alternative way is to specify the traffic directions by using ip based subnet addresses, which will produce some more volume of configuration script and make it slightly more difficult to read.

If anyone should know about advantages of the one over the other (except in bridge mode), I would be curious to know.



« Last Edit: October 12, 2007, 01:02:38 PM by arne »
......
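As an added example (not arne's script and not code from the SME Server project), here is a table-driven generator for the LAN/DMZ/WAN FORWARD policy of the posted script: the policy rows are the "data to fill in", and each direction can be matched by adapter as the script does, by ip subnet as the alternative in the third point, or by both. It prints the iptables commands rather than running them, so the result can be reviewed before use; the adapter names, subnets and DMZ host are assumptions taken from the posted script, and the policy rows are constructed.

```sh
#!/bin/sh
# Added example, not arne's posted script: table-driven generator for the
# LAN/DMZ/WAN FORWARD policy. It prints iptables commands instead of running
# them, so the result can be reviewed or diffed, then piped to sh on the box.
# Adapter names, subnets and the DMZ host are assumptions from the posted script.
LAN=eth0; LAN_NET=10.0.0.0/24
DMZ=eth2; DMZ_NET=10.0.1.0/24
WAN=eth1                       # no fixed subnet on the internet side
# Constructed policy table: "from to proto port comment", one row per line.
POLICY='
LAN WAN tcp 22 ssh
LAN WAN tcp 80 http
LAN WAN udp 53 dns
LAN DMZ tcp 25 smtp
DMZ WAN tcp 25 smtp
'
# Constructed table of published DMZ services: "proto port dmz_host comment".
PUBLISH='
tcp 25 10.0.1.2 smtp
tcp 993 10.0.1.2 imaps
'

iface() { case $1 in LAN) echo "$LAN";; DMZ) echo "$DMZ";; WAN) echo "$WAN";; esac; }
net()   { case $1 in LAN) echo "$LAN_NET";; DMZ) echo "$DMZ_NET";; esac; }

# MODE=iface matches by adapter as the posted script does; MODE=subnet matches
# by ip subnet (the alternative asked about above); MODE=both requires both,
# so a host cannot use an address that belongs to another segment. WAN has no
# subnet and is always matched by adapter.
match_from() {
  m=""
  if [ "$MODE" != iface ] && [ "$1" != WAN ]; then m="-s $(net "$1")"; fi
  if [ "$MODE" != subnet ] || [ "$1" = WAN ]; then m="$m -i $(iface "$1")"; fi
  printf '%s\n' "${m# }"
}
match_to() {
  m=""
  if [ "$MODE" != iface ] && [ "$1" != WAN ]; then m="-d $(net "$1")"; fi
  if [ "$MODE" != subnet ] || [ "$1" = WAN ]; then m="$m -o $(iface "$1")"; fi
  printf '%s\n' "${m# }"
}

# Reject a bad row before anything is generated: a typo in the table must
# fail loudly, not silently turn into a rule that opens the wrong thing.
check_policy() {
  while read -r from to proto port comment; do
    [ -n "$from" ] || continue
    for seg in "$from" "$to"; do
      case $seg in LAN|DMZ|WAN) ;; *) echo "bad segment: $seg" >&2; return 1;; esac
    done
    [ "$from" != "$to" ] || { echo "same segment: $from" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1;; esac
    case $port in ""|*[!0-9:]*) echo "bad port: $port" >&2; return 1;; esac
  done <<EOF
$POLICY
EOF
  return 0
}
# Usage: gen_forward_rules [iface|subnet|both]   (default: iface)
gen_forward_rules() {
  MODE=${1:-iface}
  check_policy || return 1
  while read -r from to proto port comment; do
    [ -n "$from" ] || continue
    printf 'iptables -A FORWARD %s %s -p %s --dport %s -j ACCEPT # %s\n' \
      "$(match_from "$from")" "$(match_to "$to")" "$proto" "$port" "$comment"
  done <<EOF
$POLICY
EOF
  # Published services: DNAT in PREROUTING, and FORWARD accepts only traffic
  # for the DNAT target host, tighter than a plain "-o DMZ" rule.
  while read -r proto port host comment; do
    [ -n "$proto" ] || continue
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
      "$WAN" "$proto" "$port" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -j ACCEPT # %s\n' \
      "$WAN" "$DMZ" "$host" "$proto" "$port" "$comment"
  done <<EOF
$PUBLISH
EOF
  # Replies ride on connection state; everything else hits the DROP policy.
  echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
}
gen_forward_rules "${1:-iface}"
```

Running it with `subnet` or `both` as the first argument shows how much longer the subnet form gets, which is the readability cost mentioned above.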

Offline raem

Re: Linux - Firewall development project.
« Reply #8 on: October 12, 2007, 03:39:06 PM »
arne

As has been suggested by me and others, you really need to submit this code to bugzilla, as a NFR. That way the core developers & other coders will get to read it.
All development is being done in bugzilla, rather than in the forums.
The developers are unlikely to respond to code presented in the forums as the forums have poor tracking & control mechanisms.
Create the bug and post a link to the bug back into this thread so future forum readers can easily link to the bug and read the progress.
...

Offline arne

Re: Linux - Firewall development project.
« Reply #9 on: October 12, 2007, 04:52:12 PM »
I will do, and I will not discuss or mention firewalls anymore on this forum. (Before 12 October 2008)

I have really not got started yet, but I will try to come up with a 2 card and a 3 card suggestion.

(If I can find somewhere where some testing and some discussion about the Netfilter firewall can be done.)


To turn things around a litle bit:

"Is there anybody out there that would like to do some nice work and testing of a firewall contrib ?"

"Discussion board will be supplied for a free and openhearted discussion about the Netfilter firewall :-) "
« Last Edit: October 12, 2007, 05:07:42 PM by arne »
......

Offline pfloor

Re: Linux - Firewall development project.
« Reply #10 on: October 12, 2007, 05:30:04 PM »
I have really not got started yet, but I will try to come up with a 2 card and a 3 card suggestion.

(If I can find somewhere where some testing and some discussion about the Netfilter firewall can be done.)
You have been told MANY MANY times where to discuss and test code enhancements/changes to SME.  USE BUGZILLA, it's that plain and simple.

Bugzilla has been in place for code development since 7.X (and another bug system before that) and that is where ALL code should be discussed/tested.  Trying to develop code in the forums does not work well: your discussion can get lost and forgotten, you can't attach code, you can't track problems or progress, etc.

http://bugs.contribs.org/

Create a new bug and ask for your own contrib section and you will have your own area to work in.  If your work is acceptable and enhances the core, it can easily be incorporated and moved into the base.

Bugzilla is the only way to do it correctly.
In life, you must either "Push, Pull or Get out of the way!"

Offline shawnbishop

Re: Linux - Firewall development project.
« Reply #11 on: October 12, 2007, 05:38:53 PM »
I'm in....

Don't know how I will contribute, but will try..

Let's register it in the bugzilla department...

Offline arne

Re: Linux - Firewall development project.
« Reply #12 on: October 12, 2007, 06:58:08 PM »
That's a nice thing. I have made Bug 3468. I will give it a try, even though I think such a firewall project is more a contrib than a "bug".

It is not difficult to help with the firewall contrib/bug.

It is not necessary to know much about firewalls to make some firewall improvements.

If one has some ideas about how the server and the network and workstation really should work, this would be the most important information. Also, to discover that things do not work like expected is quite important. I believe that a firewall design based on Netfilter is to have some basic ideas about how it should work and then to check if it does what it should.

There are a lot of contribs going on, and I do not really understand why a firewall contrib should be different from other contribs, except that a firewall project will by its nature need more discussion and more testing around it, as a firewall will affect the whole functionality and properties of the gateway server, and possibly it could have some influence over the workstations as well.

By the way, I don't know how this bug system works, but I'll give it a try.
......

Offline pfloor

Re: Linux - Firewall development project.
« Reply #13 on: October 12, 2007, 08:31:07 PM »
That's a nice thing. I have made Bug 3468. I will give it a try, even though I think such a firewall project is more a contrib than a "bug".
I guess this is where your misunderstanding begins.

Bugzilla is not just to report bugs (as the name implies).  It does track bugs AND IS ALSO a complete development tracking system for software development, testing and release of the core OS and contributions associated with SME.  Everything can be broken up into sections and sub-sections.  It is very flexible and does a good job tracking progress.  It allows you to create a bug (like you did) and then attach sub-bugs (as dependencies) so you can track multiple pieces of your work all at once.  You would use it as such:

1-Create main bug (like you did) and then break up each change/addition into smaller, more manageable bugs like so:
2-Create a new bug (like add abc) and make it a dependency of the main bug.
3-Create another bug (like fix xyz) and make it a dependency of the main bug.
You can even create dependencies on other dependencies, etc, etc.

Then after you solve and close all the dependency bugs, you can close the main bug.

Other advantages to Bugzilla:

Unlike the forums, you can't edit, change, erase or delete anything in Bugzilla.  Everything is done in a time-line fashion and nothing gets lost or edited.  Everything done in the past can always be re-looked at and corrected if needed.  It tracks every change as they occur.

Bugzilla also allows you to upload log files, patches, pictures, RPM's, etc.  The forum doesn't allow any of this.
In life, you must either "Push, Pull or Get out of the way!"

Offline pfloor

Re: Linux - Firewall development project.
« Reply #14 on: October 12, 2007, 09:26:39 PM »
Arne,

Another thing you need to do is Study, Learn and Embrace the Configuration Database and Template Design philosophy of the SME Server.  Have you read the Developer's Manual?
http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/devguide.html

Your script above may work for you but maybe I don't want 3 (or even 2) NICS.  Also, your script probably won't work if the server is set up to use pppoe on the external interface.  The template system takes those variables (and many, many more) into consideration and (in very simple terms) does the following:

If I want 1 NIC in server-only mode the template system prepares and writes the correct masq file to accomplish and accommodate my needs.

If I want 2 NICS in Private Server-Gateway mode, the templates give me what I need.

If I want Server-Gateway mode, the templates open up the correct ports.

And if I want 3 NICS then the templates should do the right thing in that instance.

You need to build on the templates to "do the right thing" when someone chooses a 3 NIC setup.

However, you need to do this in steps.  First you need to set up the templates and/or config DB to properly configure the server to use 3 NICs.  Then you need to modify the masq templates so they write the correct masq file when someone chooses to use 3 NICs. If you have multiple options for the 3rd NIC then you need to make sure the templates write out the correct masq file depending on what option is chosen for the 3rd NIC.

The structure is already there for you to add to it.  It's actually very easy once you understand how it works. 

Once you have the underlying code working then you need to decide if something belongs in the admin panel or even possibly in the Server-Manager GUI.

By design, hardware related changes belong in the admin panel as they are usually only needed upon the server's initial setup.  The 3rd NIC setup probably doesn't need to be there as it can be configured with some simple config db commands after initial installation.

If you want to control the masq settings in the Server-Manager GUI, you can then begin to write a manager panel to control the different settings if that's where you want the control to be.  You can make the manager panel as simple or as complicated as you like.

You can't just blow away the current masq script and templates and start over with a "one size fits all" script for the firewall, there are just too many configuration variables to consider and it's much, much more complicated than that.

Is this making any sense to you?
In life, you must either "Push, Pull or Get out of the way!"