[Fwbuilder-discussion] Security problem, or am I a dumb user?
From: Jesse G. <je...@ni...> - 2007-12-17 21:50:58
Hello,

Thanks for fwbuilder! It's a great program! I am having trouble accomplishing that which I wish to do, however. Basically, I think I need to add DENY rules to one of the PREROUTING tables, but can't figure out how to make fwbuilder do that. (I've been using and loving iptables for years, but I'm trying to get our firewall set up so others at work, who don't know iptables, have a nice graphical interface to use. I know how to solve the problem with iptables, just not with fwbuilder.)

Consider this scenario: (This isn't exactly my situation, but this is a good simple example that well describes my slightly more complicated situation.)

Let's assume the following:
------
I'm a Cable Internet user. MAC-level packets from other Cable users' modems hit my modem, and, if they set their default gw to my public IP, could deliver a packet with arbitrary source and destination addresses.
I have a public IP, 1.1.1.232.
I have 8 computers behind the firewall - 10.0.0.2,3,4,5,6,7,8,9. (10.0.0.1 being the Inside interface IP on fwbuilder.)
I'm running a webserver on 10.0.0.2, port 80.
---------

Now here's my problem: I need to block all traffic on its way into "Outside" (the outside interface) that is not "to" 1.1.1.232, otherwise if another cable user delivers, for example, a packet "to" 10.0.0.8 to 'Outside', iptables will forward it right on to 10.0.0.8. (Yes, I tried this. It does work.)

So then I set a Policy rule (in fwbuilder) to deny all traffic that comes in "Outside" and is not "to" Outside's address. But then, the NAT rule (again, in fwbuilder) which translates 1.1.1.232 to 10.0.0.2 does its translation /before/ the Policy gets evaluated, which causes the newly translated packet to appear to the Policy (which operates on the FORWARD and INPUT filters) to be "to" 10.0.0.2 and as having come in via 'Outside', and is then blocked.

If I then allow all traffic to go out of 'Inside' (the inside interface) then the forward rule works, but then traffic that is "to" any local 10.x IP, which is delivered to 1.1.1.232's MAC address ('Outside'), also gets through. Thus, I cannot figure out how to allow my one IP and port to be published (without making a separate allow rule for every single "published" service I run).

If it were iptables, I would just do:

    iptables -t mangle -A PREROUTING -i eth1 -d 1.1.1.232 -j ACCEPT   # Accept only traffic to public ip.
    iptables -t mangle -A PREROUTING -i eth1 -j DROP

(which easily accommodates multiple public IPs as well.) And since it's in the PREROUTING, it can /easily/ judge between packets that came rogue as "to" 10.0.0.8 and those which it itself has translated "to" 10.0.0.2, because PREROUTING/mangle is run before the nat thereof.

"Assume firewall is part of 'any'" is /not/ checked for the main firewall or for any rules. (I tried it both ways. Didn't seem to have any effect.)

In reality, I currently have two public IPs on 'Outside' and several private IPs on 'Inside' and have 11 NAT rules, and forward various services (sometimes 10 different port ranges) to about 8 different internal IPs. So to go make a separate allow rule for each and every NAT rule would be a confusing lot of work, and seems hardly the right way to keep packets addressed 'to' 10.0.0.8 from being admitted in via the 'Outside' interface.

Is there no way for fwbuilder to tell the difference between a packet it DNATted "to" 10.0.0.8 and one that came in the 'Outside' interface already addressed to 10.0.0.8?

I would be most grateful for any suggestions. Thanks!

-Jesse
--
Nikola Engineering Inc.
224 W. Washington St. Suite 104
Sequim, WA 98382-3371
Tel (360)582-1051
Fax (360)582-1104
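The ordering problem Jesse describes (DNAT in nat PREROUTING rewrites the destination before the FORWARD policy sees the packet, so a "not addressed to the public IP" check in FORWARD cannot tell a rogue packet from a translated one, while the same check in mangle PREROUTING can) can be shown with a small model of the netfilter hook order. This is an added example, not code from the original message or from fwbuilder; it uses the addresses and the NAT rule from the post, assumes eth1 is the 'Outside' interface, and the packets it feeds through are constructed sample input. It also generates the mangle PREROUTING rule set for an arbitrary list of public IPs, the multi-IP case the post mentions.

```python
"""Simulate netfilter hook order: mangle PREROUTING -> nat PREROUTING (DNAT) -> filter FORWARD.

Added example (not from the original post). Shows why the "drop anything in via
Outside that is not to the public IP" check blocks legitimate DNATted traffic when
placed in the FORWARD policy, but works when placed in mangle PREROUTING.
"""
from dataclasses import dataclass, replace

OUTSIDE = "eth1"                                 # assumed name of the 'Outside' interface
PUBLIC_IPS = {"1.1.1.232"}                       # public IP from the post
DNAT = {("1.1.1.232", 80): ("10.0.0.2", 80)}     # the NAT rule from the post


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int


def mangle_prerouting(pkt, enabled):
    """The two mangle rules from the post: accept to a public IP, drop everything else in via Outside."""
    if not enabled or pkt.in_iface != OUTSIDE:
        return "CONTINUE"
    return "CONTINUE" if pkt.dst in PUBLIC_IPS else "DROP"


def nat_prerouting(pkt):
    """DNAT rewrites the destination before routing and before the FORWARD chain runs."""
    new = DNAT.get((pkt.dst, pkt.dport))
    return pkt if new is None else replace(pkt, dst=new[0], dport=new[1])


def filter_forward(pkt, enabled):
    """The Policy rule the post tried: deny traffic that came in Outside and is not to Outside's address."""
    if enabled and pkt.in_iface == OUTSIDE and pkt.dst not in PUBLIC_IPS:
        return "DROP"
    return "ACCEPT"


def traverse(pkt, mangle_check=False, forward_check=False):
    """Run a to-be-forwarded packet through the hooks in kernel order; return (verdict, final dst)."""
    if mangle_prerouting(pkt, mangle_check) == "DROP":
        return ("DROP@mangle", pkt.dst)
    pkt = nat_prerouting(pkt)               # destination may change here
    return (filter_forward(pkt, forward_check), pkt.dst)


# Constructed sample packets arriving on Outside.
LEGIT = Packet(OUTSIDE, "1.1.1.232", 80)    # to the published web server
ROGUE = Packet(OUTSIDE, "10.0.0.8", 22)     # delivered to Outside's MAC but already addressed inside


def compare():
    """Verdicts for each approach, plus the unprotected baseline the post observed."""
    return {
        "no_check": {"legit": traverse(LEGIT), "rogue": traverse(ROGUE)},
        "forward_policy": {
            "legit": traverse(LEGIT, forward_check=True),
            "rogue": traverse(ROGUE, forward_check=True),
        },
        "mangle_prerouting": {
            "legit": traverse(LEGIT, mangle_check=True),
            "rogue": traverse(ROGUE, mangle_check=True),
        },
    }


def mangle_rules(public_ips, iface=OUTSIDE):
    """Emit the mangle PREROUTING rule set from the post, generalised to several public IPs."""
    rules = [f"iptables -t mangle -A PREROUTING -i {iface} -d {ip} -j ACCEPT" for ip in sorted(public_ips)]
    rules.append(f"iptables -t mangle -A PREROUTING -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    for approach, outcome in compare().items():
        print(f"{approach:18s} legit={outcome['legit']}  rogue={outcome['rogue']}")
    print("\n".join(mangle_rules({"1.1.1.232", "1.1.1.233"})))
```

The `forward_policy` entry reproduces the symptom from the post: the DNATted packet reaches FORWARD with destination 10.0.0.2 and is dropped along with the rogue one. The `mangle_prerouting` entry drops only the rogue packet, because that hook runs before DNAT and still sees the original destination.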