Enhancement #2935
Firewall fallback when IPS is not running
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
Traffic through the firewall is allowed or blocked according to user-defined rules. If IPS is enabled, allowed traffic is also inspected for potential threats. If the IPS doesn't run, allowed traffic is blocked too: the firewall cuts every connection.
Assuming that the majority of allowed traffic is good, I'd prefer to allow it if the IPS is not running.
Associated revisions
Shorewall config: use NFQUEUE bypass. Refs #2935
Update config for Shorewall 4.6, add NFQUEUE bypass. Refs #2935
spec: requires shorewall >=4.6 Refs #2935
Merge branch 'b2935'. Refs #2935
Merge branch 'b2935' Refs #2935
History
#1 Updated by Filippo Carletti almost 7 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
Pre-requisites:
- shorewall-4.6 (requires)
- NFQBY custom action
- ACCEPT:NFQBY policy
- NFQBY target in rules
- ?section (cosmetic)
```
$ cat /etc/shorewall/action.NFQBY
?format 2
IPTABLES(NFQUEUE --queue-bypass)
```
#2 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti almost 7 years ago
- new variables in /etc/shorewall/shorewall.conf, the most relevant ones are:
  - INLINE_MATCHES=Yes
  - RESTORE_ROUTEMARKS=Yes
  - USE_RT_NAMES=No
  - RPFILTER_DISPOSITION=DROP
  - UNTRACKED_DISPOSITION=CONTINUE
- the shorewall script has been moved from /sbin/shorewall to /usr/sbin/shorewall
- to create the NFQBY action a new template should be created for /etc/shorewall/actions
- change tcpflags options for all interfaces
- update the policy fragment inside the nethserver-openvpn package
- also the 'tcrules' file has been superseded by the 'mangle' file (but we can delay this one)
#4 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Packages:
- nethserver-firewall-base
- nethserver-openvpn

Test procedure:
- build both packages from the b2935 branch
- install Shorewall 4.6
- install the new packages
#5 Updated by Filippo Carletti almost 7 years ago
- enable snort from server-manager
- ping 8.8.8.8 should have no packet loss
- service snortd stop
- ping 8.8.8.8 should have no answer
- update from testing
- ping 8.8.8.8 should have no packet loss
- service snortd start
- ping 8.8.8.8 should have no packet loss
#6 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.1.1-1.3git220dbcc.ns6.noarch.rpm
- nethserver-openvpn-1.1.0-2.0git81e3f2e6.ns6.noarch.rpm
- shorewall-4.6.4.3-1.el6.noarch.rpm
- shorewall-core-4.6.4.3-1.el6.noarch.rpm
#7 Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
I have verified that the above behaviour is respected.
I also took a snapshot of iptables output before and after upgrade to compare active rules, both with and without snort.
The rules were always identical.
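The snapshot comparison above checks that the upgrade did not change the rule set; the property that actually gives the fail-open behaviour is that every rule jumping to NFQUEUE carries `--queue-bypass` (without it the kernel drops packets queued to a queue nobody is reading, which is exactly the "IPS stopped, everything blocked" case from the description). The following is an added example, not code from this issue or from the NethServer packages: a POSIX shell check that reads an `iptables-save` dump on stdin and reports NFQUEUE rules lacking the bypass flag. The two sample dumps are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the NethServer issue or its packages.
# Verifies that NFQUEUE targets in an iptables-save dump fail open:
# iptables-save prints "--queue-bypass" on NFQUEUE rules that have it,
# so a rule without that token drops traffic whenever the IPS is stopped.

# Reads iptables-save format on stdin.
# Returns 0 when every NFQUEUE rule has --queue-bypass, 1 otherwise
# (the offending rules are printed on stderr).
check_nfqueue_bypass() {
    # "|| true" so the function also works under "set -e" when grep finds nothing
    missing=$(grep -- '-j NFQUEUE' | grep -v -- '--queue-bypass' || true)
    if [ -n "$missing" ]; then
        printf 'NFQUEUE rules without --queue-bypass (fail closed when the IPS stops):\n%s\n' \
            "$missing" >&2
        return 1
    fi
    return 0
}

# Number of NFQUEUE rules in the dump read from stdin (for reporting).
count_nfqueue_rules() {
    grep -c -- '-j NFQUEUE' || true
}

# Constructed sample: a filter table as Shorewall built it without the bypass
# (the FORWARD rule drops all forwarded traffic once snortd is stopped).
SAMPLE_BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the same table with the NFQBY action in use.
SAMPLE_AFTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j NFQUEUE --queue-bypass
COMMIT'

# On a live box (as root): iptables-save | check_nfqueue_bypass
# Run this file with --demo to exercise the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_BEFORE" | check_nfqueue_bypass; then
        echo "before: ok"
    else
        echo "before: fail-closed NFQUEUE rules found"
    fi
    if printf '%s\n' "$SAMPLE_AFTER" | check_nfqueue_bypass; then
        echo "after: ok ($(printf '%s\n' "$SAMPLE_AFTER" | count_nfqueue_rules) NFQUEUE rules, all bypass)"
    fi
fi
```

Pairing this with the ping test from comment #5 is worthwhile: the ruleset check tells you the bypass flag is present, the `service snortd stop` / ping test tells you the running kernel actually honours it.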
#8 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-2.2.0-1.ns6.noarch.rpm
- nethserver-openvpn-1.1.1-1.ns6.noarch.rpm