How did you come with this idea? |
route "smtp http ftp" accept src not "a.client b.client c.client" dst "a.server b.server c.server"
It is 92 iptables statements and it would be more than 1000 if in the clients list there was the UNROUTABLE_IPS variable!!!
Also, this is why I like the client statement so much. Personally, I expect all production systems to be configured with client statements that specifically allow only client requests that are really needed. Although it is pretty helpfull for workstations, I consider client all accept as a security thread for production servers.
Who are you and why should I trust you for handling my firewall? |
Don't trust me. You are supposed to audit FireHOL services at least once, and if you agree, trust it, not me.
Is the produced iptables firewall optimized? |
For the moment, I prefer to keep all the "jumps" there, since it makes the iptables rules a lot more clear and easy to understand. If you believe that I should work on this and you can prove that the "jumps" that could be moved deeper are really expensive at the place they are now, send me a note and I'll do my best.
If you are so interested about performance, you should know that FireHOL places all rules in the iptables firewall, in the same order they appear in the configuration file. So placing your most heavy interface at the top, and within this interface the most heavy service first will really save a lot of processing for iptables.
FireHOL is toooooooooo slow! |
Processing of FireHOL configuration files is somewhat slow since all processing is done by BASH (I have not programmed a parser, BASH runs the configuration as if it was a BASH script). This processing however, even if it takes several seconds, it does not affect your security, since the running firewall is not touched during this phase.
Firewall activation is again slow in a few situations, especially if you have lists of hosts that should be allowed or rejected (like UNROUTABLE_IPS). During the processing phase, FireHOL produces a list of the iptables commands to be executed at the activation phase. This list of iptables commands, first clears the running firewall and then it runs iptables commands, one-by-one, until all have executed. As an example, my personal machine configuration file is about 50 lines. These 50 lines produce about 900 iptables statements. For BASH these 900 iptables statements are also followed by another statement to check if the command succeded or failed, which totals to about 1800 BASH statements to be executed. In my machine these 1800 commands take about 8 seconds to be executed. During these 8 seconds the firewall is from totally empty (all traffic allowed) to simply incomplete (some traffic is allowed or dropped explicitly, all other is allowed to pass).
I have written FireHOL in such a way that you can restart the firewall any time you like without disrupting the running traffic. Try it. Start downloading a file, and in the middle of it, restart FireHOL. No change. The download proceeds without any disruption. The only chance for traffic disruption is when you have NAT rules. For just a fraction of the total activation time (normally less than a second, since NAT rules are the first to be executed - i.e. the first few of the huge iptables list) your system will run without them, meaning that no new NATed traffic will be accepted (established connections will work). Again, this will be just for a fraction of a second.
I see you now thinking: OK, but what happens if someone connects to my systems to unwanted services during the activation time? Well, FireHOL's beauty is that it explicitly allows the connections in both ways of the firewall. Most of the other iptables generators allow all established connections to pass unchecked. FireHOL doesn't. It allows the established connections that match the services you have allowed. Nothing more. This means that even if someone is lucky enough to connect to a non-allowed service during the activation time, he will simply be blocked as soon as the firewall activation completes. This gives a window of just a few seconds at which someone could be able to connect to and use private services. Even if he manages to get access within these few seconds, his socket will simply timeout after FireHOL completes.
I installed FireHOL but where is it located? I cannot run it! |
On Ubuntu, become root and modify /etc/default/firehol to have START_FIREHOL=YES, then, as root, start it with "/etc/init.d/firehol start". To make it start automatically run "update-rc.d firehol defaults".
Is there a list of the system commands FireHOL needs? |
I really need help designing the configuration. Could you help? |
In general, I will try to avoid helping you on manual configuring your specific firewall; I commit however on making helpme detect correctly every single case. I believe, this will benefit all the community, not just you.
In any case, I guess I have done a good job in designing FireHOL the way you expect it to work, and that the documentation is helpful enough, since all the support tools are pretty silent. Of course you are welcome to ask anything you might need regarding FireHOL.
How can I mangle the packets (set TOS, MARK, etc)? |
Why I cannot use the service definitions in helpers? |
I have made a few experiments with MARKs but I stuck because there are bugs in the iptables logic when using MARKs. These bugs exist in most kernels distributed today with the main Linux distributions.
|
$Id: faq.html,v 1.7 2007/05/20 18:36:49 ktsaou Exp $
FireHOL, a firewall for humans... |