Enhancement #2935

Firewall fallback when IPS is not running

Added by Filippo Carletti almost 7 years ago. Updated almost 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5
Resolution:
NEEDINFO: No

Description

Traffic through the firewall is allowed or blocked according to user defined rules. If IPS is enabled, allowed traffic is also inspected for potential threats. If the IPS doesn't run, allowed traffic is also blocked: the firewall cuts every connection.
Assuming that the majority of allowed traffic is good, I'd prefer to allow it if the IPS is not running.

Associated revisions

Revision 401c4108
Added by Giacomo Sanchietti almost 7 years ago

Shorewall config: use NFQUEUE bypass. Refs #2935

Revision 03a4df73
Added by Giacomo Sanchietti almost 7 years ago

Update config for Shorewall 4.6, add NFQUEUE bypass. Refs #2935

Revision 11d32775
Added by Giacomo Sanchietti almost 7 years ago

spec: requires shorewall >=4.6 Refs #2935

Revision 220dbccd
Added by Giacomo Sanchietti almost 7 years ago

Merge branch 'b2935'. Refs #2935

Revision 81e3f2e6
Added by Giacomo Sanchietti almost 7 years ago

Merge branch 'b2935' Refs #2935

History

#1 Updated by Filippo Carletti almost 7 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20
It's possible to bypass the IPS if it's not running using the --queue-bypass option of iptables.
Pre-requisites:
  • shorewall-4.6 (requires)
  • NFQBY custom action
  • ACCEPT:NFQBY policy
  • NFQBY target in rules
  • ?section (cosmetic)
$ cat /etc/shorewall/action.NFQBY 
?format 2
IPTABLES(NFQUEUE --queue-bypass)
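
As an added check (not part of this ticket or of the NethServer packages) for the --queue-bypass requirement above: a POSIX shell audit that reads an iptables-save dump and flags every NFQUEUE rule that lacks --queue-bypass, i.e. a rule that would still drop allowed traffic while snort is stopped. The two dumps are constructed samples; on a real box the audit would be fed "$(iptables-save)".

```shell
#!/bin/sh
# Audit an iptables-save dump for the IPS fallback described in this ticket:
# every NFQUEUE rule (the hand-off to snort) must carry --queue-bypass, or
# allowed traffic is dropped whenever no userspace listener is attached.
# Added example, not NethServer code; the dumps below are constructed.

# Constructed dump: the NFQBY action rule has the flag, a stray rule does not.
BAD_DUMP='*filter
:FORWARD DROP [0:0]
:NFQBY - [0:0]
-A FORWARD -i eth0 -o eth1 -j NFQBY
-A NFQBY -j NFQUEUE --queue-bypass
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
COMMIT'

# Constructed dump in which every NFQUEUE rule has the bypass flag.
GOOD_DUMP='*filter
:NFQBY - [0:0]
-A FORWARD -i eth0 -o eth1 -j NFQBY
-A NFQBY -j NFQUEUE --queue-bypass
COMMIT'

# Print the NFQUEUE rules that lack --queue-bypass (empty output when none).
list_nfqueue_without_bypass() {
    printf '%s\n' "$1" | grep -- '-j NFQUEUE' | grep -v -- '--queue-bypass' || true
}

# Print how many NFQUEUE rules lack --queue-bypass.
count_nfqueue_without_bypass() {
    printf '%s\n' "$1" | grep -- '-j NFQUEUE' | grep -c -v -- '--queue-bypass' || true
}

# Return 0 when the dump is safe, 1 (listing the offenders) when it is not.
# Against a live box: audit_dump "$(iptables-save)"
audit_dump() {
    offenders=$(list_nfqueue_without_bypass "$1")
    if [ -n "$offenders" ]; then
        echo "NFQUEUE rules without --queue-bypass (traffic dropped while the IPS is stopped):"
        echo "$offenders"
        return 1
    fi
    echo "OK: every NFQUEUE rule has --queue-bypass"
    return 0
}

# Demo run on the constructed dumps (the bad one is expected to fail).
audit_dump "$BAD_DUMP" || true
audit_dump "$GOOD_DUMP"
```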

#2 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti almost 7 years ago

Also consider the following modifications:
  • new variables in /etc/shorewall/shorewall.conf, most relevant ones are:
    • INLINE_MATCHES=Yes
    • RESTORE_ROUTEMARKS=Yes
    • USE_RT_NAMES=No
    • RPFILTER_DISPOSITION=DROP
    • UNTRACKED_DISPOSITION=CONTINUE
  • shorewall script has been moved from /sbin/shorewall to /usr/sbin/shorewall
  • to create NFQBY action a new template should be created for /etc/shorewall/actions
  • change tcpflags options for all interfaces
  • update policy fragment inside nethserver-openvpn package
  • also 'tcrules' file has been superseded by the 'mangle' file (but we can delay this one)

#4 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60
Implementation on branch b2935 inside the following repositories:
  • nethserver-firewall-base
  • nethserver-openvpn
For testing purposes:
  • build both packages from the b2935 branch
  • install Shorewall 4.6
  • install the new packages
Shorewall packages:

#5 Updated by Filippo Carletti almost 7 years ago

Test case:
  • enable snort from server-manager
  • ping 8.8.8.8 should have no packet loss
  • service snortd stop
  • ping 8.8.8.8 should have no answer
  • update from testing
  • ping 8.8.8.8 should have no packet loss
  • service snortd start
  • ping 8.8.8.8 should have no packet loss

#6 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-2.1.1-1.3git220dbcc.ns6.noarch.rpm
  • nethserver-openvpn-1.1.0-2.0git81e3f2e6.ns6.noarch.rpm
  • shorewall-4.6.4.3-1.el6.noarch.rpm
  • shorewall-core-4.6.4.3-1.el6.noarch.rpm

#7 Updated by Filippo Carletti almost 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

I have verified that the above behaviour is respected.
I also took a snapshot of iptables output before and after upgrade to compare active rules, both with and without snort.
The rules were always identical.

#8 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-firewall-base-2.2.0-1.ns6.noarch.rpm
  • nethserver-openvpn-1.1.1-1.ns6.noarch.rpm
