Linux: Using Firewall Support for Host Security
This was posted to cmu.comp.os.linux by Christopher J. White <cwhite+@andrew.cmu.edu>
on October 18, 1998:
From: Christopher J White <cwhite+@andrew.cmu.edu>
Newsgroups: cmu.comp.os.linux
Subject: Firewalling rules
Date: Sun, 18 Oct 1998 12:00:54 -0400
Organization: Sophomore, Electrical and Computer Engineering, Carnegie Mellon, Pittsburgh, PA
Lines: 1
Hi all-
In the wake of a few recent cracks, portscans, and so forth, I wrote a
set of firewalling rules for my machine which are designed specifically
for CMU. As distributed, they allow all outbound traffic, handle the
loopback properly, allow incoming X, Zephyr, Kerberos, and finger from
CMU only and incoming SMTP from Andrew only. If you have any comments
or suggestions, please send them my way; I am particularly interested in
knowing whether all of the Kerberos rules are actually necessary for a
machine which does not have a Kerberos instance. Thanks; have fun!
-Chris White
About the rules: Below is a shell script to be installed in
/etc/init.d/firewall and run on startup. If you set your IP address
manually or run lpd, make sure to change the x.y in the appropriate
lines before running the script.
cmu-ip-firewall.sh
--- Chris White <cwhite+@andrew.cmu.edu> --- "Behold your Music!" ---
\font\f=msbm10\f\footline={}\vbox to\vsize{\vfill\hfill\char'147}\bye
This followup explains how to enable firewalling under Linux:
From: Christopher J White <cwhite+@andrew.cmu.edu>
Newsgroups: cmu.comp.os.linux
Subject: Re: Firewalling rules
Date: Mon, 19 Oct 1998 15:40:48 -0400
Organization: Sophomore, Electrical and Computer Engineering, Carnegie Mellon, Pittsburgh, PA
To enable firewalling: In the 'Networking Options' section, enable
'Network firewalls,' 'TCP/IP Networking,' and 'IP: firewalling.'
If you want to log packets that match firewall rules, make sure 'IP:
firewall packet logging' is enabled, then add a -o to every rule that
you want to log. My ruleset only logs misuses of the 127.* network at
the moment; tack a $LOG onto any rule in the script to enable logging
for that rule. Hope this helps!
-Chris White
--- Chris White <cwhite+@andrew.cmu.edu> --- "Behold your Music!" ---
\font\f=msbm10\f\footline={}\vbox to\vsize{\vfill\hfill\char'147}\bye
This followup was posted to cmu.comp.os.linux by Christopher J. White <cwhite+@andrew.cmu.edu>
on October 25, 1998:
Path: mail1.andrew.cmu.edu!bb3.andrew.cmu.edu!andrew.cmu.edu!cwhite+
From: Christopher J White <cwhite+@andrew.cmu.edu>
Newsgroups: cmu.comp.os.linux
Subject: Firewalling rules: update
Date: Sun, 25 Oct 1998 14:13:58 -0500
Organization: Sophomore, Electrical and Computer Engineering, Carnegie Mellon, Pittsburgh, PA
Lines: 41
Message-ID: <0qArVq200YUf05Q1Q0@andrew.cmu.edu>
References: <0q_tL0200YUh0C7WQ0@andrew.cmu.edu>
NNTP-Posting-Host: po6.andrew.cmu.edu
X-Added: With Flames (outnews v2.6)
Xref: mail1.andrew.cmu.edu cmu.comp.os.linux:2904
I have found one major problem with the firewalling rules that I
posted a bit back: they break suid-root ssh. The problem is that
suid-root ssh (not sshd) creates privileged local sockets for
anonymity; privileged sockets cannot be associated with any user
except root and so attackers cannot find out who owns a particular ssh
connection.
There are three ways to get ssh to work with the firewalling rules:
- Make ssh (_not_ sshd) non-suid root (i.e. chmod 555 `which ssh`).
This option is recommended for all except the truly paranoid. Note
that if you take this route, you will probably not want to run identd
(which the firewalling rules by default don't allow access to anyway).
- In the 'Host *' section of your ssh.conf, add the line
useprivilegedport no . I suggest you use this option if you have
problems with a non-suid root ssh.
- Edit the firewall rules. If you really want that much anonymity,
you can change the two rules immediately below "TCP Rules", at the
bottom of the file. In the port range at the end of both lines
(1024:65535), change the 1024 to a 1000 if you don't run too many
sshes at once, and to something lower if you do. You should keep the
number as high as possible, although never above 1024.
One other minor problem that folks have encountered with the rules - if
you have an incomplete /etc/services file, not all of the rules will
work and the results will probably be puzzling, to say the least. If
your /etc/services doesn't have entries for ftp-data, the kerberos
sockets, etc., you can grab conf.tar.gz from griffon's excellent
kerberos distribution (ftp.snurgle.org/pub/cmu) and pull the
/etc/services out of there. Don't untar the whole thing unless you
install kerberos, though, and don't install kerberos except according to
griffon's directions.
Good luck; as always, feel free to post any questions here or email me
directly if you like. Have fun!
-Chris White
--- Chris White <cwhite+@andrew.cmu.edu> --- "Behold your Music!" ---
\font\f=msbm10\f\footline={}\vbox to\vsize{\vfill\hfill\char'147}\bye
Editor's Note:
As ftp.snurgle.org may not be up for the next N years, here's the list
of /etc/services entries that should be present:
ftp-data 20/tcp
kerberos5 88/udp # kerberos5 port as desired by HP/DCE
klogin 543/tcp # Kerberos authenticated rlogin
ktshell 715/tcp # kerberos ticket passing shell
ktlogin 716/tcp # kerberos ticket passing login
ektlogin 717/tcp # kerberos ticket passing login
ktftp 718/udp # kerberized tftp
kerberos-iv 750/udp # as registered with IANA
kerberos 750/udp # Kerberos Authentication
kerberos_master 751/udp # Passwd changing service
afs3-kaserver 7004/udp # AFS/Kerberos authentication service
afskauth 7004/udp # AFS/Kerberos authentication service
kerberos 750/tcp kdc # Kerberos (server) tcp
krbupdate 760/tcp kreg # Kerberos registration
kpasswd 761/tcp kpwd # Kerberos "passwd"
If you know of any others, please let us know.
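As an added example (not Chris White's cmu-ip-firewall.sh and not part of the snurgle.org distribution), the POSIX shell script below takes the entries listed above and reports which of them a given services file does not define, so that an incomplete /etc/services shows up as a plain list of missing names instead of the puzzling rule failures described in the update. The sample services file it carries is constructed and deliberately incomplete.

```shell
#!/bin/sh
# Added example: verify that a services file defines every name/port/proto
# pair the posted firewall rules refer to. A rule that names a service the
# resolver cannot map to a port silently does the wrong thing, so check first.
# Required entries, copied from the Editor's Note above (name port/proto).
REQUIRED_SERVICES='ftp-data 20/tcp
kerberos5 88/udp
klogin 543/tcp
ktshell 715/tcp
ktlogin 716/tcp
ektlogin 717/tcp
ktftp 718/udp
kerberos-iv 750/udp
kerberos 750/udp
kerberos_master 751/udp
afs3-kaserver 7004/udp
afskauth 7004/udp
kerberos 750/tcp
krbupdate 760/tcp
kpasswd 761/tcp'
# Constructed sample services file: only four required entries are present,
# and kpasswd is defined on the wrong port, so it must still be reported.
SAMPLE_SERVICES='# constructed sample, deliberately incomplete
ssh 22/tcp
ftp-data 20/tcp
klogin 543/tcp # Kerberos authenticated rlogin
kerberos 750/udp
kerberos 750/tcp kdc
kpasswd 464/tcp # wrong port on purpose'
# services_missing FILE: print each required "name port/proto" that FILE does
# not define on a non-comment line whose first field is the name and whose
# second field is exactly that port/proto (aliases after the port are ignored).
services_missing() {
  printf '%s\n' "$REQUIRED_SERVICES" | while read -r name portproto; do
    awk -v n="$name" -v p="$portproto" \
      '$1 !~ /^#/ && $1 == n && $2 == p { f = 1 } END { exit !f }' "$1" \
      || printf '%s %s\n' "$name" "$portproto"
  done
}
# services_missing_count FILE: number of missing entries; 0 means every
# service name the rules use will resolve.
services_missing_count() { services_missing "$1" | wc -l | tr -d ' '; }
# write_sample_services FILE: write the constructed sample to FILE.
write_sample_services() { printf '%s\n' "$SAMPLE_SERVICES" > "$1"; }
# Stand-alone run: check the file given as argument, else the system's
# /etc/services, else fall back to the constructed sample.
f=${1:-/etc/services}
[ -r "$f" ] || { f=$(mktemp); write_sample_services "$f"; }
services_missing "$f"
```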