[Fwbuilder-discussion] Security problem or me are an dumb user
Brought to you by:
mikehorn
Menu
▾
▴
[Fwbuilder-discussion] Security problem or me are an dumb user
|
From: Jesse G. <je...@ni...> - 2007-12-17 21:50:58
|
Hello,
Thanks for fwbuilder! it's a great program!
I am having trouble accomplishing that which I wish to do, however.
Basically, I think I need to add DENY rules to one of the PREROUTING
tables, but can't figure out how to make fwbuilder do that.
(I've been using and loving iptables for years, but I'm trying to get
our firewall set up so others at work, who don't know iptables, have a
nice graphical interface to use. I know how to solve the problem with
iptables, just not with fwbuilder.)
Consider this scenario: (This isn't exactly my situation, but this is a
good simple example that well describes my slightly more complicated
situation.)
Lets assume the following:
------
I'm a Cable Internet user.
MAC level packets from other Cable users modems hit my modem, and, if
they set their default gw to my public IP, could deliver a packet with
arbitrary source and destination addresses.
I have a public IP, 1.1.1.232.
I have 8 computers behind the firewall - 10.0.0.2,3,4,5,6,7,8,9.
(10.0.0.1 being the Inside interface IP on fwbuilder.)
I'm running a webserver on 10.0.0.2, port 80.
---------
Now here's my problem:
I need to block all traffic on its way into "Outside" (the outside
interface) that is not "to" 1.1.1.232, otherwise if another cable user
delivers, for example, a packet "to" 10.0.0.8 to 'Outside' , iptables
will forward it right on to 10.0.0.8. (Yes, I tried this. It does work.)
So then I set a Policy rule (in fwbuilder) to deny all traffic that that
comes in "Outside" and is not "to" Outside's address.
But then, the NAT rule (again, in fwbuilder) which translates 1.1.1.232
to 10.0.0.2 does it's translation /before/ the Policy gets evaluated,
which causes the newly translated packet to appear to the Policy (which
operates on the FORWARD and INPUT filters) to be "to" 10.0.0.2 and as
having come in via 'Outside', and is then blocked.
If I then allow all traffic to go out of 'Inside' (the inside interface)
then the forward rule works, but then traffic that is "to" any local
10.x IP, which is delivered to 1.1.1.232's MAC address ('Outside') also
gets through.
Thus, I cannot figure out how to allow my one IP and port to be
published (without making a seperate allow rule for every single
"published" service I run.
If it were iptables, I would just do:
iptables -t mangle -A PREROUTING -i eth1 -d 1.1.1.232 -j ACCEPT #Accept
only traffic to public ip.
iptables -t mangle -A PREROUTING -i eth1 DROP
(which easily accommodates multiple public IPs as well.)
And since it's in the PREROUTING, it can /easily/ judge bewteen packets
that came rogue as "to" 10.0.0.8" and those which it itself has
translated "to" 10.0.0.2 because PREROUTING/mangle is run before the nat
thereof.
"Assume firewall is part of 'any'" is /not/ checked for the main
firewall or for any rules.
(I tried it both ways. Didn't seem to have any affect.)
In reality, I currently have two public IPs on 'Outside' and several
private IPs on 'Inside' and have 11 NAT rules, and forward various
services (sometimes 10 different port ranges) to about 8 different
internal IPs. So to go make a separate allow rule for each and every NAT
rule would be a confusing lot of work, and seems hardly the right way to
keep packets addressed 'to' 10.0.0.8 from being admitted in via the
'Outside' interface.
Is there no way for fwbuilder to tell the difference between a packet it
DNATted "to" 10.0.0.8 and one that came in the 'Outside' interface
already addressed to 10.0.0.8 ?
I would be most grateful for any suggestions. Thanks!
-Jesse
--
Nikola Engineering Inc.
224 W. Washington St.
Suite 104
Sequim, WA 98382-3371
Tel (360)582-1051
Fax (360)582-1104
|