
Firewall Builder firewall for a "pull" backup server

On 03/13/2017 08:58 PM, David Christensen wrote:
> With a "pull" arrangement (e.g. the server backs up all the
> workstations) -- if a workstation gets compromised, the backups should
> be safe (and might have clues about the intrusion).

On 03/17/2017 10:16 PM, David Christensen wrote:
> The backup server can be firewalled with no incoming ports and
> outgoing ports limited to SSH and other required ports.

I spent some time with my Debian 7.11 amd64 backup server and Firewall Builder today.


I had previously created a firewall using the Firewall Builder wizard and a template. Trying again today, I see a "Create New Firewall" icon -> iptables, Linux 2.4/2.6, "Use preconfigured firewall templates", "Use standard template objects" -> "host fw template 1" (workstation with single interface, dynamic IP, incoming SSH allowed). The created policy looks more sophisticated than what I obtained in the past.


Starting with my old, existing policy that gave me incoming firewalling, I tried adding outgoing firewalling. After several edit/compile/test cycles, this is what I ended up with:

Group		0
Source		backup
Destination	Any
Service		Any
Interface	LAN
Direction	Inbound
Action		Deny
Time		Any
Options		log
Comment		anti-spoofing rule

This policy denies incoming connections on the LAN interface that claim to come from the host IP.


Group		1
Source		backup
Destination	Any
Service		ICMP ping request, TCP ssh, UDP domain, UDP ntp
Interface	LAN
Direction	Outbound
Action		Accept
Time		Any
Options
Comment

This policy accepts outgoing ping, SSH, DNS, and NTP on the LAN interface coming from the host IP.


Group		2
Source		Any
Destination	backup
Service		ICMP ping request
Interface	LAN
Direction	Inbound
Action		Accept
Time		Any
Options
Comment

This policy accepts incoming ping on the LAN interface destined for the host IP.


Group		3
Source		Any
Destination	Any
Service		Any
Interface	loopback
Direction	Both
Action		Accept
Time		Any
Options
Comment

This policy accepts all connections on the loopback interface.


Group		4
Source		Any
Destination	Any
Service		Any
Interface	Any
Direction	Both
Action		Deny
Time		Any
Options		log
Comment

This policy denies anything that doesn't match any of the above.


My backup server can now find other hosts (DNS), ping them, and pull backups via SSH/rsync. My LAN hosts can ping the backup server, but nmap can find no open incoming ports:

2017-03-31 17:38:32 dpchrist@jesse ~
$ nmap -A -Pn backup

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-31 17:38 PDT
Nmap scan report for backup (<redacted>)
Host is up.
rDNS record for <redacted>: backup.holgerdanske.com
All 1000 scanned ports on backup (<redacted>) are filtered

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.62 seconds



On 03/17/2017 10:16 PM, David Christensen wrote:
> I still need to figure out the "other required outgoing ports".

On 03/22/2017 03:35 AM, Dan Purgert wrote:
> Unfortunately, pretty much "all ephemeral ports", if the server is
> running things that initiate connections.  Some programs allow you to
> specify what ports they're connecting from, but not all.

On 03/22/2017 03:45 AM, tomas@xxxxxxxxxx wrote:
> That's what ESTABLISHED is for, in firewall jargon (you accept packets
> belonging to an established TCP connection).

The key is "stateless" vs. "stateful" firewalls:

https://en.wikipedia.org/wiki/Stateful_firewall


Linux/iptables implements a stateful firewall.


Firewall Builder provides a "stateless" option (among others) for each policy.


Any suggestions or comments?


David
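As an added illustration (not Firewall Builder's generated output, and not from the thread), here is a plain iptables rule set equivalent to the five policy groups above, with the connection-tracking rule that makes the "ESTABLISHED" answer concrete: replies to the backup server's own SSH, DNS and NTP connections are accepted by state, so no ephemeral port range has to be opened. The LAN interface name and host address are placeholders; the function only emits the commands, so they can be reviewed before being piped into sh on the server.

```shell
#!/bin/sh
# Added example: iptables equivalent of the backup server policy groups 0-4.
# Assumed placeholders (not from the thread): LAN interface eth0, host 192.0.2.10.
LAN_IF="${LAN_IF:-eth0}"
BACKUP_IP="${BACKUP_IP:-192.0.2.10}"

# Emit the rules as text. Review them, then: backup_fw_rules | sh
backup_fw_rules() {
    ipt="${IPT:-iptables}"
    cat <<EOF
$ipt -F
# Default policy: drop both directions (matches the nmap "filtered" result)
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
# Group 0: anti-spoofing, inbound on LAN claiming our own address, logged
$ipt -A INPUT -i $LAN_IF -s $BACKUP_IP -j LOG --log-prefix "fw-spoof: "
$ipt -A INPUT -i $LAN_IF -s $BACKUP_IP -j DROP
# Group 3: loopback, both directions
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
# Stateful part: replies to connections this host opened, in both directions
$ipt -A INPUT -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Group 1: new outgoing ping, SSH, DNS, NTP from the host address
$ipt -A OUTPUT -o $LAN_IF -s $BACKUP_IP -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $LAN_IF -s $BACKUP_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $LAN_IF -s $BACKUP_IP -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $LAN_IF -s $BACKUP_IP -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# Group 2: new incoming ping to the host address
$ipt -A INPUT -i $LAN_IF -d $BACKUP_IP -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Group 4: log and drop everything that did not match above
$ipt -A INPUT -j LOG --log-prefix "fw-drop-in: "
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j LOG --log-prefix "fw-drop-out: "
$ipt -A OUTPUT -j DROP
EOF
}
```

Because the ESTABLISHED,RELATED rule sits before the per-service rules, the SSH/rsync pull, DNS lookups and NTP replies all come back on whatever ephemeral port the client chose without any further OUTPUT or INPUT rule.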