Re: [suse-security] firewals package - NFS exports
Thanks to the people who provided me with answers. Here is what seems to be working. The machine is on an internal network, and I need NFS (client + server) unblocked. Yes I know - this seriously downgrades the efficiency of the firewall; it's more a learning experience for me and I figure running it is still better than nothing. I definitely want to run the firewall when I take the machine home and dial up!! (The holes here only affect eth0, not ppp0.)

The programming here probably causes hangs/large timeouts if a queried NFS server doesn't respond (e.g. during boot). To do the job properly, one would have to listen in on the conversation on port 111 (portmapper), and generate rules on the fly for the NFS connections established via that port. Or at least that's how I understand it. Is there any software for doing that?

Volker

Here is my setup, if anyone wants to play as well (for SuSEfirewall 3.1):

First, because it can't be done through a variable, I need a hook into SuSEfirewall, calling a function:

--- SuSEfirewall-3.1.orig Sun Sep 3 20:45:40 2000 +++ SuSEfirewall Sun Sep 3 21:15:37 2000
@@ -927,6 +927,10 @@ $IPCHAINS -A input -j "$DENY" -p udp -l ( $IPCHAINS -A forward -j "$DENY" -p tcp -y -l ) > /dev/null 2>&1 } +###################### +# Add more rules, VK # +test "$FW_CUSTOM_RULES" = yes && fw_custom_rules +###################### $IPCHAINS -A input -j "$DENY" $LDA ( $IPCHAINS -A forward -j "$DENY" $LDA ) > /dev/null 2>&1

This is just before the input chain finishes with "deny + log all".

In firewall.rc.config, insert:

#
# 9b.)
# Deal with some rules we need to enter manually.
# (This requires a quick change to SuSEfirewall.)
# SuSEfirewall will block all input udp ports which are listened to when the
# firewall is started - this includes all active autofs-mounts!
# Show NFS service info: rpcinfo -p [host]
# VK 2, 3, 5 Sep 00
#
FW_CUSTOM_RULES="no"
FW_CUSTOM_RULES="yes"   # uncomment to execute function at end of SuSEfirewall
#
isifup() {
    $IFCONFIG "$1" 2>/dev/null | $GREP '^ *UP ' >/dev/null
}

fw_custom_rules() {
    # This function is called by SuSEfirewall.
    # It inserts some rules preventing logging of certain denied packets,
    # and opens sufficient ports to make NFS functional.
    local ports sn host pck port prog

    ### If we have no eth0, don't bother with NFS
    isifup eth0 || return

    ### Don't log denied netbios broadcast rubbish
    $IPCHAINS -A input -j "$DENY" -p udp -i eth0 -d 5.5.5.0/24 138
    $IPCHAINS -A input -j "$DENY" -p udp -i eth0 -d 5.5.5.0/24 137

    ### Don't log sharity daemon broadcasts
    port="`$NETSTAT -an -u -p 2>/dev/null \
        | $SED -e '/^udp.*0\.0\.0\.0:[0-9].*\/sharityd *$/ !d' \
              -e 's/[^:]*:\([0-9]*\) .*$/\1/'`"
    #echo $port
    # only insert the rule if sharityd is actually listening (empty port breaks ipchains)
    if [ -n "$port" ]; then
        $IPCHAINS -I input 4 -j "$DENY" -p udp -i eth0 \
            -s "$FQHOSTNAME" "$port" --dport "$port"
    fi

    ### Deal with NFS
    add_nfs_rules

    ### Don't log boot server broadcasts / client requests
    $IPCHAINS -A input -j "$DENY" -p udp -i eth0 \
        -s 5.5.5.0/24 bootps --dport bootpc
    $IPCHAINS -A input -j "$DENY" -p udp -i eth0 \
        --sport bootpc --dport bootps

    ### Block specific high ports
    # 12345:12346 netbus, (script kiddie) trojan
    # 31337 back orifice
    # Can't append at end (would be after general accept for high ports).
    # This inserting at some number is dodgy.
    for ports in 12345:12346 31337; do
        $IPCHAINS -I input 39 -l -j "$DENY" -p udp \
            -d "$FQHOSTNAME" "$ports"
        $IPCHAINS -I input 39 -l -j "$DENY" -p tcp \
            -d "$FQHOSTNAME" "$ports"
    done
}

add_nfs_rules() {
    ### Deal with NFS stuff; accept but log
    # bad but we can't do any better
    # 700:750 790:950 970:1020
    for ports in 600:1023; do
        # Allow some subnets/specific ports
        for sn in 1 2 3; do
            $IPCHAINS -A input -l -j "$ACCEPT" -i eth0 -p udp \
                -s 5.5.$sn.0/255.255.255.0 111 -d "$FQHOSTNAME" $ports
            $IPCHAINS -A input -l -j "$ACCEPT" -i eth0 -p tcp \
                -s 5.5.$sn.0/255.255.255.0 111 -d "$FQHOSTNAME" $ports
            $IPCHAINS -A input -l -j "$ACCEPT" -i eth0 -p udp \
                -s 5.5.$sn.0/255.255.255.0 2049 -d "$FQHOSTNAME" $ports
        done
        # Allow specific servers, many ports
        for host in lupus kea pukeko; do
            $IPCHAINS -A input -l -j "$ACCEPT" -i eth0 -p udp \
                -s $host $ports -d "$FQHOSTNAME" $ports
        done
        # Query specific servers, allow queried ports
        # This has no timeout for server response - could lock on boot!
        for host in lupus kea; do
            # the sort needs to be on the udp/tcp column!
            rpcinfo -p $host \
                | $GREP -E '(nfs|mountd|rstatd|nlockmgr|status)$' \
                | $SORT +2 \
                | $AWK '{line=$3" "$4" "$5; if (line != last) print line; last=line}' \
                | while read pck port prog; do
                    #echo \
                    $IPCHAINS -A input -l -j "$ACCEPT" -i eth0 -p $pck \
                        -s $host $port -d "$FQHOSTNAME" $ports
                done
        done
    done

    # Unblock specific ports again; these are typically existing NFS mounts
    # though we can't tell for sure. There goes the security...
    for port in \
        `$NETSTAT -an -u -p 2>/dev/null \
            | $SED -e '/^udp * [0-9]* *[0-9]* *[0-9.]*:[0-9]* *[0-9.:*]* *- *$/ !d' \
                  -e 's/[^:]*:\([0-9]*\) .*$/\1/'`; do
        echo "unblocking to local udp port $port"
        $IPCHAINS -D input -l -j "$DENY" -p udp -d "$FQHOSTNAME" $port # 2>/dev/null
    done
}
On Tue, Sep 05, 2000 at 17:23 +1200, Volker Kuhlmann wrote:
> Here is my setup, if anyone wants to play as well (for SuSEfirewall 3.1):
>
> First, because it can't be done through a variable, I need a hook into SuSEfirewall, calling a function:
>
> --- SuSEfirewall-3.1.orig Sun Sep 3 20:45:40 2000 +++ SuSEfirewall Sun Sep 3 21:15:37 2000 @@ -927,6 +927,10 @@ $IPCHAINS -A input -j "$DENY" -p udp -l ( $IPCHAINS -A forward -j "$DENY" -p tcp -y -l ) > /dev/null 2>&1 } +###################### +# Add more rules, VK # +test "$FW_CUSTOM_RULES" = yes && fw_custom_rules +###################### $IPCHAINS -A input -j "$DENY" $LDA ( $IPCHAINS -A forward -j "$DENY" $LDA ) > /dev/null 2>&1
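Review bot: the added call `test "$FW_CUSTOM_RULES" = yes && fw_custom_rules` assumes rc.config has defined that function; if the variable is "yes" but the function is missing, the shell prints `fw_custom_rules: command not found` and continues into the following `$IPCHAINS -A input -j "$DENY" $LDA`, so the chain still ends in the deny-all (the safe direction) but none of the custom rules were installed and nothing else says so. Guard the call, e.g. `type fw_custom_rules >/dev/null 2>&1 && fw_custom_rules`, or define an empty fallback function earlier in the script. The hunk is also pinned to line 927 of SuSEfirewall 3.1; the comment block should name that version so the next package update does not silently drop the hook.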
>
> This is just before the input chain finishes with "deny + log all".
>
> In firewall.rc.config, insert:
>
> [ ... ]
> FW_CUSTOM_RULES="no"
> FW_CUSTOM_RULES="yes"   # uncomment to execute function at end of SuSEfirewall
> #
> isifup() {
>     $IFCONFIG "$1" 2>/dev/null | $GREP '^ *UP ' >/dev/null
> }
>
> fw_custom_rules() {
>     # This function is called by SuSEfirewall.
>     # It inserts some rules preventing logging of certain denied packets,
>     # and opens sufficient ports to make NFS functional.
>     [ ... ]
> }
I wouldn't mess up rc.config with "code". Instead it would be better to stick with rc.config as a bunch of variables and ask SuSE to extend the firewall script like sketched below (didn't think very long about pathnames, adjust what's incorrect or inflexible as you please).

----- SuSEfirewall ----------------------------------------------
...
IPCHAINS=...
...
+# optional(?): empty function body as a fallback,
+# would be overridden when sourcing the specified script
+fw_custom_rules() {
+       # EMPTY
+}
+
+# make use of what the user supplies us with
+[ -r "$FW_CUSTOMRULES" ] && . "$FW_CUSTOMRULES"
...
# code as above
...
+# call the hook function
+fw_custom_rules
# code as above
...
...
----- SuSEfirewall ----------------------------------------------

----- /etc/rc.config --------------------------------------------
...
+# script's filename with local rules in addition to or as a
+# substitute for what can be done with the FW_* variables
+# e.g. FW_CUSTOMRULES=/sbin/init.d/rc.d/firewall.custom
+FW_CUSTOMRULES=""
...
----- /etc/rc.config --------------------------------------------

----- /sbin/init.d/rc.d/firewall.custom -------------------------
... do whatever you like, the way you want to ...
----- /sbin/init.d/rc.d/firewall.custom -------------------------

This allows for
- leaving everything as it is after installation :>
- adding or modifying rules as you see fit
- leaving the FW_ variables alone and doing it *all* yourself :)
- switching between several rule sets just by pointing to a different function (i.e. script)

And it leaves the rc.config "semantics" as it is. :)

Of course there's room for improvement:
- specify relative pathnames and look for (as well as source, of course) a `dirname $0`/$FW_CUSTOMRULES file -- but this means to explicitly exclude empty FW_CUSTOMRULES settings
- deliver some "usually asked for" scripts in /usr/doc/packages with the SuSEfirewall script

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
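As an added example (neither Gerhard's sketch nor SuSE's code), the hook mechanism proposed above in runnable shell: a default empty fw_custom_rules, a file named by FW_CUSTOMRULES that is sourced at the hook point, and the hook call. One check is added beyond the sketch: because that file is executed by root during boot, it is rejected unless it is a regular file owned by the user running the script and not writable by group or others, which is what a world-writable or wrongly owned rules file would otherwise quietly hand to root. The variable name is taken from the sketch; the demonstration rules file is constructed in a temporary location.

```shell
#!/bin/sh
# Added example, not the sketch's or SuSE's code: a FW_CUSTOMRULES hook with an
# ownership/permission check before the file is sourced (it runs as root at boot).

# Fallback with an empty body; a custom rules file may redefine it.
fw_custom_rules() {
    :
}

# Accept $1 only if it is a regular file, owned by the user running this script
# (root at boot), and not writable by group or others. Uses `ls -ln` so it works
# without GNU stat: field 1 is the mode string, field 3 the numeric owner uid.
custom_rules_file_ok() {
    f=$1
    [ -n "$f" ] && [ -f "$f" ] || return 1
    set -- $(ls -ln "$f")
    mode=$1 owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Source the user's file when it passes the check, then call the hook.
# An empty FW_CUSTOMRULES simply runs the empty default.
load_custom_rules() {
    if [ -n "$FW_CUSTOMRULES" ]; then
        if custom_rules_file_ok "$FW_CUSTOMRULES"; then
            . "$FW_CUSTOMRULES"
        else
            echo "SuSEfirewall: refusing to source FW_CUSTOMRULES=$FW_CUSTOMRULES" >&2
            return 1
        fi
    fi
    fw_custom_rules
}

# Stand-alone demonstration with a constructed custom rules file.
demo_rules=$(mktemp)
printf 'fw_custom_rules() { echo "custom rules hook ran"; }\n' > "$demo_rules"
chmod 644 "$demo_rules"
FW_CUSTOMRULES=$demo_rules
load_custom_rules                                   # hook from the file runs
chmod 666 "$demo_rules"
load_custom_rules || echo "world-writable rules file rejected"
rm -f "$demo_rules"
```

The check deliberately fails closed: a rejected file leaves the empty default in place and the firewall script carries on to its final deny rules, and the message on stderr ends up in the boot log where a missing rule set is easy to spot.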