ASL firewall

From Atomicorp Wiki
Revision as of 15:44, 28 November 2012 by Mshinn (Talk | contribs)

Jump to: navigation, search

Contents

Introduction

ASL has two different ways you can configure the firewall on your system:

1) Fast/Easy Mode

This configuration system should be the one most new users are familiar with. This system lets you quickly define a list of ports to allow or deny in a list. For most uses the Fast/Easy mode is what you will want to use.

2) Advanced Firewall Rule Manager

This is a full featured netfilter GUI. This will allow you to define arbitrary chains, actions, modules and other advanced iptables features. This is recommended for advanced users.

How the firewall works

The ASL stateful packet inspection firewall works much like other Linux firewalls. It inserts rules into the Linux kernel which govern how the kernel will handle network traffic. The firewall works in a "first come first served" matching model. That means rules are read in, in order, and the rule to match "wins". For example, if you have two firewall rules:

  1. Allow traffic on port 80
  2. Block all traffic

If a connection comes in on port 80, the firewall will run through the rules in the order you configure. As the first rule says to allow traffic on port 80, the rule will match, the traffic will be allowed and processing will stop.

However, if a packet comes in on port 23, the firewall will run through the rules again and this time rule 1 will not match. Processing will continue to rule 2, which will match and block the traffic.

Another example:

  1. Block all traffic
  2. Allow traffic on port 80

In this case, if a connection comes in on port 80 it will be blocked. This is because rule 1 is to block all traffic. Even though there is a later rule to allow traffic on port 80, this rule will never match because rule 1 matched and blocked the traffic.

This is normal behaviour for firewalls. Rules are processed in order. Therefore, the order of rules is very important to how a firewall will behave. Make sure you understand the order of your rules to ensure that they are performing as you expect.

Stateful packet inspection

When used, the ASL firewall keeps track of the state of network connections. The ASL firewall is designed to distinguish legitimate packets for different types of connections, and to only allow packets matching a known active connection.

This behaviour can be disabled through the rule manager.

Fast/Easy Mode

To access the Fast/Easy mode, just click on Configuration Tab in the ASL GUI, then select the "ASL Configuration" menu option. From there scroll down to the Firewall Configuration settings. These are the settings you can configure and what they do:

FW_INBOUND_TCP_SERVICES

List of allowed inbound TCP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default.

Example: 22,21,25,53,80,443,465,110,143,993,995,587,8443,30000

Setting this to "no" will remove all blocks, and will allow all TCP ports to be accessed.

FW_INBOUND_UDP_SERVICES

List of allowed inbound UDP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default.

Example: 53,123

Setting this to "no" will remove all blocks, and will allow all UDP ports to be accessed.

FW_OUTPUT_TCP_SERVICES

List of allowed outbound TCP connections, in a comma delimited format. Just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. You do not need to add any rules for services that are listening. For example, if you allow port 80 in, you do not need to allow port 80 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. For example, if a user wanted to ssh from the server to another server, you would need to allow port 22 out. You do not need to allow port 22 out to allow connections to the ssh service running on the server.

Example: 25,80,443,465,123

Note: Remember to allow port 443, so that ASL can update itself. ASL uses SSL to update. Please see this FAQ:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Firewalls_and_Upgrades.2FUpdates

Setting this to "no" will remove all blocks, and will allow all outbound TCP ports to be accessed.

FW_OUTPUT_UDP_SERVICES

List of allowed outbound UDP connections, in a comma delimited format. Just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. You do not need to add any rules for services that are listening. For example, if you allow port 53 in, you do not need to allow port 53 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. However, if you had a service that needed to open connections outbound on its own, for example a DNS server would open connections on its own to look up domain names, you would need to allow port 53 out. You do not need to allow port 53 out to allow connections to the dns service running on the server, only if the DNS server needed to make its own independent connections outbound.

Example: 53,123

Engine settings

The Fast/Easy Mode also allows you to configure the core functionality of the netfilter engine. The following is a list of options you can set and what they do.

FW_OUTPUT_MTA

Outbound MTA policy, enabling this rule class will only allow outbound tcp/25 connections for users in the access list /etc/asl/firewall/mta-output-acl. This allows you to restrict outbound SMTP connections to specific users, such as the Mail Servers (MTA) user, which would require your users to use your local mail server for outbound connections. This allows you to filter all outbound email for spam, and prevents your users from setting up spam bots to send email out directly.

Simply put a list of the user names you wish to allow outbound SMTP connections from in the /etc/asl/firewall/mta-output-acl file. The format is one username per line.

In general, you will only want to use the username of the MTA, not your actually users. For example, if qmail-send ran as the user "qmail", you would add that. If postfix ran as the user "postfix", add that. If you had a user "jdoe" that sent mail through your mail server, you would not add jdoe to the /etc/asl/firewall/mta-output-acl file.

So the most important step is to determine what user(s) your mail server uses to send mail. The table below contains a list of the users typically used by the most popular mail servers. Please confirm that this is correct for your mail server configuration, as some vendors change these names:

Mail Server Typical Usernames
Postfix postfix
QMail qmails
Exim mailnull
Sendmail smmsp

Please check with your mail server vendor to confirm the username that the mail server will use to send mail.

FW_LASSO

Enable/Disable the Spamhaus Lasso blacklist. Enabling this option will block all hosts on the current Spamhaus Lasso blacklist.

FW_DSHIELD

Enable/Disable the DShield blacklist. Enabling this option will block all hosts on the current DShield blacklist.

FW_TOR

Enable/Disable the TOR exit node list. Enabling this option will block all current TOR exit nodes.

FW_ACCEPT_REDIRECTS

This option controls how the system will respond to redirects. The default setting of "no" is recommended and is also the default setting in Linux. You should not enable this setting unless you know what you are doing. Enabling this can make it possible for an attacker to bypass your firewall rules.

FW_ACCEPT_SOURCE_ROUTE

This option controls how the system will respond to a Source Route packet. It is highly recommend you not enable this, and leave the default setting of "no". Source Routed packets can bypass all your firewall rules, are not necessary for proper network functioning and are a relic of IPv4 that should never be used for secure networking.

FW_ICMP_IGNORE_ALL

This option controls how the system will respond to any ICMP broadcast request, such as a ping. It is recommended you not enable this option if you want your system to respond to pings and other ICMP queries.

FW_ICMP_IGNORE_BROADCASTS

This option controls how the system will respond to bogus ICMP broadcast request (so called smurf attacks). It is recommended you enable this option.

FW_IGNORE_ICMP_BOGUS

This option controls how the system will respond to bogus ICMP requests. It is recommended you enable this option.

FW_IPV4_FORWARD

This option enables and disable IPv4 forwarding. If your system is not forwarding traffic to another host, then it is highly recommended you disable forwarding. The default is to disable forwarding.

FW_IPV6_FORWARD

This option enables and disable IPv6 forwarding. If your system is not forwarding traffic to another host, then it is highly recommended you disable forwarding. The default is to disable forwarding.

FW_PROXY_ARP

Enable/Disable proxy arp. It is recommend you not enable this, and leave the default setting of "no". Unless your system is acting as a layer two bridge, you will not need to proxy ARP packets. Enabling this if you are not bridging may result in unexpected networking side effects.

FW_RP_FILTER

Enable/Disable rp_filter. This option controls the Reverse Path Filtering capability in netfilter. This controls whether a response packet is allowed to go out an interface that the request did not originate from. For example, if a system has two interfaces eth0 and eth1, and a packet comes in on eth0. If the system responded, and tried to send the request out eth1 if RP_FILTER was enabled this would be denied. This is to help prevent specific types of routing attacks as well as to restrict egress packets from the system. On systems with complex routing tables, and virtual interfaces this may cause problems as packets will not always exit the same interface they came in on. Therefore, the default is not to enable this. If you do enable this, you should test to make sure your systems configuration will work correctly with this type of restriction.

FW_SYN_COOKIES

Enable/Disable SYN cookies. This option controls the use of SYN cookies. This is a Denial of Service protection feature of netfilter, and we recommend you enable this option.

FW_TCP_ECN

Enable/Disable Excplicit Congestion Notification (ECN). This will allow you to enable/disable ECN.

There are three options:

Yes: Enable ECN

No: Disable ECN

Requested: Only use ECN if the client requests it. (Available in ASL 3.0.26)

For most systems, you should set this to Yes or Requested. We recommend you not disable this unless you know how this will effect your system.

FW_TCP_TIMESTAMPS

Enable/Disable TCP timestamps. This will allow you to enable TCP timestamps which may help with the network performance and quality of some protocols.

For most systems, you should set this to Yes. We recommend you not disable this unless you know how this will effect your system.

FW_TCP_WINDOW_SCALING

Enable/Disable TCP Window Scaling. This will allow you to enable TCP Window scaling which may help with the network performance and quality of some protocols.

For most systems, you should set this to Yes. We recommend you not disable this unless you know how this will effect your system.

Advanced Firewall Rule Manager

The Advanced Rule Manager is designed to let you directly control the netfilter engine in Linux through an advanced GUI system. If you are not familiar with how advanced Linux firewalling works please use the Fast/Easy Mode for simple firewall changes.

Access the firewall rule manager

Step 1: Log into the ASL GUI

Step 2: Click on the Firewall Tab.

Step 3: Click on the firewall rules menu item.

This will open the firewall rules window.

Rule Types

Linux supports three types of firewall rules:

NAT

Network Address Translation Rules: These rules are used to change the source and/or destination of packets.

Mangle

This types of rules are used to modify or "mangle" packets before they are processed

Filter

These types of rules are used to filter or "block" packets. These are the most common rules and are probably the type of rule you want if you want to allow or block traffic to specific port.

Filter subtypes
INPUT

These are rules for traffic going to the server itself. These are the most common subtype, and are what you want if you are looking to allow traffic to a port, or to block traffic to a port.

OUTPUT

There are rule for traffic coming out of the server, and being generated by the server.

FORWARD

This subtype is for all all other traffic that is not INPUT or OUTPUT. Specifically, this would be traffic that is passing through the server if the server were acting as a classic firewall for another system. FORWARD rules have nothing to do with the server itself.

Jump Targets

In Linux these tell the rule to jump to an action. This is a way of telling Linux what to do, such as to allow, deny or do something else if the rule is triggered.

ACCEPT

Accept the traffic. This will allow the traffic.

DROP

Silently drop the packet. The client will get no response from the server.

REJECT

Reject the packet. The client will get a reject at the TCP or UDP layer from the server.

Rule options

Using the firewall manager

Adding a firewall rule

Step 1: Select the type of rule you want to add from the list above

Step 2: Select the subtype of the rule you want to add from the list above

Step 3: From the firewall rule manager, select the subtype. For example, to add a filter -> INPUT rule select "INPUT" under the filter tree branch.

this will pull up any INPUT rules you have on the system. To add a new rule select "Add Rule".

Step 4: Select the subtype by selecting it under "Chain". For example, if you want to add an INPUT rule select Table "filter", this should autoselect "INPUT". If it does not just select INPUT as the "Chain".

Step 5: Select the command, Append or Insert. In the Linux, Append means to add the rule after all other rules. Linux firewalling is linear, that means it processes the rules in order "first come first served". Appending places it last. Insert places the rule first, and with insert you can also set the rule number in case you prefer that the rule run second, third, etc.

Step 6: Select the protocol by clicking on the "n/a" drop down. The drop down before this allows you to add a "negative", for example if you want to add a rule to say "not tcp". If you want this rule to be for TCP, just select tcp in the drop down, and leave the first drop down as "-".

Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

Step 8: Type in the destination for this rule. If you are creating a rule for the server itself, for example to allow connections to a specific port, just leave this blank.

Step 9: Type in the source port. If you are a creating a rule to allow connections to the server from another server, leave this blank.

Step 10: Type in the Destination port. For example, if you want to allow connections to port 22, type in 22.

Step 11: Set the interface. If you want to set this rule for all interfaces, leave the default of "n/a".

Step 12: Set the "Jump Target". In the link this is sort of like the "action". You will see a number of options described above, such as ACCEPT, REJECT. Please see above for more information about these. In general, if you want to allow a connection, select "ACCEPT".

Step 13: Select Add Rule.

Your new rule is now implemented.

Examples

Using the Fast/Easy mode

How to block all incoming TCP connections except to certain ports

Step 1: Log into the ASL GUI

Step 2: Click the Configuration Tab

Step 3: Select the ASL Configuration menu option.

Step 4: Scroll down to Firewall configuration

Step 5: Enter the list of TCP ports you want to allow into the FW_INBOUND_TCP_SERVICES list.

Example:

21,22,25,80,110,143,443,993,995,8443,30000

Step 6: Click Update

Your new rule is now implemented.

Using the Advanced Firewall Manager

How to block all incoming connections to a TCP port

Step 1: Log into the ASL GUI

Step 2: Click the Firewall Tab

Step 3: Select the Firewall Rules menu option.

Step 4: Click the "Add Rule" button.

Step 5: For table, select filter.

Step 6: For Chain select "INPUT"

Step 7: For command select "Insert"

Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".

Step 7: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.

Step 8: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".

Step 9: Set the "Jump Target" to "DROP" or "REJECT". DROP will silently block the attempt so the client is not sure why it was blocked, REJECT will send ICMP destination denied packets to the client applications network stack telling the stack that the connection was dropped at the network level.

Step 10: Then press the Add Rule button.

Your new rule is now implemented.

How to allow connections to a port

Fast Mode Method

To add TCP ports to the allowed inbound list, please see the FW_INBOUND_TCP_SERVICES option.

To add UDP ports to the allowed inbound list, please see the FW_INBOUND_UDP_SERVICES option.

Advanced Firewall Management Method

Step 1: Log into the ASL GUI

Step 2: Click the Firewall Tab

Step 3: Select the Firewall Rules menu option.

Step 4: Click the "Add Rule" button.

Step 5: For table, select filter.

Step 6: For Chain select "INPUT"

Step 7: For command select "Insert"

Step 6: Select the protocol. For example, for TCP select tcp in the drop down, and leave the first drop down as "-".

Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

Step 8: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections to port 22, type in 22. Leave the first drop down as "-".

Step 9: Set the "Jump Target" to "ACCEPT".

How to allow outbound connections to a port

Fast Mode Method

To add TCP ports to the allowed outbound list, please see the FW_OUTPUT_TCP_SERVICES option.

To add UDP ports to the allowed outbound list, please see the FW_OUTPUT_UDP_SERVICES option.


Advanced Firewall Management Method

Note: This is only necessary if you have setup either ASL or your firewall rules to only allow connections outbound to certain ports. By default ASL does not block any outbound ports.

Step 1: Log into the ASL GUI

Step 2: Click the Firewall Tab

Step 3: Select the Firewall Rules menu option.

Step 4: Click the "Add Rule" button.

Step 5: For table, select filter.

Step 6: For Chain select "OUTPUT"

Step 7: For command select "Insert"

Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".

Step 7: Type in the destination IP/Network for this rule. If you want to allow outbound connections on the port to any network or destination, just leave this blank.

Step 8: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections outbound port 25, type in 25. Leave the first drop down as "-".

Step 9: Set the "Jump Target" to "ACCEPT".

Step 10: Then press the Add Rule button.

Your new rule is now implemented.

Personal tools