forksand-it-manual/source/Firewalls.tex

%
% Firewalls.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\Glspl{firewall} keep the bad packets out, mostly. And let some good packets out.

\section{Overview}
What is the network doing?

\begin{itemize}
 \item snort
 %\item MRTG
 %\item Aguri
\end{itemize}

\section{Authentication}
Two-factor authentication using TOTP.

\section{IPtables-firewall}
\subsection{Overview}
Most servers and workstations run GNU/Linux, which uses iptables.

\subsection{iptables}
iptables is part of the Netfilter project and has been included by default in
the Linux kernel for many years.

\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}
 \caption{Netfilter Website}
 \label{fig:www-netfilter}
\end{figure}

\subsection{Requirements}
There are a lot of operating systems to consider to use as a \gls{firewall}...

Notes on some requirements in a \gls{firewall}.

\begin{itemize}
 \item Must be free software.
 \item The project must still be alive.
 \item Does it use a hardened kernel?
 \item How does it do security updates?
 \item Are there open security issues?
 \item Are there any CVEs?
 \item How are security issues handled?
 \item Is there a list of security issues?
 \item Does it have a wifi portal? (Should that be a separate box or in OpenWRT?)
 \item Does upstream https actually work?
 \item UTM - Unified Threat Management (e.g. snort, etc.)
 \item Load balancing between multiple upstreams (without BGP).
 \item Load balancing between dual local routers.
 \item Fail over to standby router (e.g. pfsync).
 \item ``Anti-virus'', SMTP, POP scans? Meh? (e.g. OpenBSD has greylist/tarpit.)
 \item Packet cleansing (e.g. tcp header randomization).
 \item Do we want DNS, DHCP, etc? Probably not?
 \item OpenVPN (built into router, or thru it?).
 \item Network graphing (MRTG, aguri, etc.)
 \item No broken ``community'' editions.
 \item Have mirrored server doing analysis?
 \item NAT options? cone, etc.
 \item Local system monitoring (e.g. system temp, hdd status, etc.)
 \item sshd
 \item GSM, pppd ?
 \item Two-factor authentication.
 \item snort, suricata
\end{itemize}


\subsection{\Gls{firewall} Operating Systems in Use}

\Large{\href{https://www.debian.org/}{Debian}}

Debian is used for nearly everything. It could easily be used as a
router-firewall. There are better, more tuned options.

Linux's iptables is used on servers.

\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
 \caption{Debian Website}
 \label{fig:www-debian-in-firewalls-chapter}
\end{figure}

\Large{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, \gls{firewall} is being confugured.
Some of nodes configurations can be found in chapter Free software under 
path apps/forksand-nodes-bootstrap/...

especially in two of files is mentioned:
\begin{minted}{sh}
# Firewalling is done through Proxmox.
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
\end{minted}

\begin{minted}{sh}
# Enable firewall.
# Datacenter --> shark4 (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for shark4:
# Datacenter --> Firewall --> Add.
\end{minted}

\textcolor[rgb]{0.80,0.00,0.00}{
Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\
Find out why mention of firewall in hk1 node is discarded.
}

\begin{minted}{sh}
# Enable firewall.
# Datacenter --> truck (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for truck:
# Datacenter --> Firewall --> Add.
\end{minted}

Also Nextcloud chapter mentiones configs of iptables-firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.

Also certain Ansible including virtual machines enable iptables configuratiion.
For example ansible-debian-male contains mikegleasonjr.firewall.
\href{https://github.com/mikegleasonjr/ansible-role-firewall}{
ansible firewall\char`_v4\char`_configure example on github
}
May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/
Initial draft of Fork Sand IT Manual 7 years ago			`%`
			`% Firewalls.tex`
			`%`
			`% Fork Sand IT Manual`
			`%`
			`% Copyright (C) 2018, Fork Sand, Inc.`
			`% Copyright (C) 2017, Jeff Moe`
			`% Copyright (C) 2016, 2017 Aleph Objects, Inc.`
			`%`
			`% This document is licensed under the Creative Commons Attribution 4.0`
			`% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.`
			`%`
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\Glspl{firewall} keep the bad packets out, mostly. And let some good packets out.`
Initial draft of Fork Sand IT Manual 7 years ago
			`\section{Overview}`
			`What is the network doing?`

			`\begin{itemize}`
			`\item snort`
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`%\item MRTG`
			`%\item Aguri`
Initial draft of Fork Sand IT Manual 7 years ago			`\end{itemize}`

Lots of updates, new co-location 7 years ago			`\section{Authentication}`
Initial draft of Fork Sand IT Manual 7 years ago			`Two-factor authentication using TOTP.`

Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\section{IPtables-firewall}`
firewall hardware for cluster briefly described 7 years ago			`\subsection{Overview}`
Initial draft of Fork Sand IT Manual 7 years ago			`Most servers and workstations run GNU/Linux, which uses iptables.`

firewall hardware for cluster briefly described 7 years ago			`\subsection{iptables}`
Initial draft of Fork Sand IT Manual 7 years ago			`iptables is part of the Netfilter project and has been included by default in`
			`the Linux kernel for many years.`

Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\begin{figure}[!htb]`
Initial draft of Fork Sand IT Manual 7 years ago			`\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}`
			`\caption{Netfilter Website}`
			`\label{fig:www-netfilter}`
			`\end{figure}`

firewall hardware for cluster briefly described 7 years ago			`\subsection{Requirements}`
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`There are a lot of operating systems to consider to use as a \gls{firewall}...`
Initial draft of Fork Sand IT Manual 7 years ago
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`Notes on some requirements in a \gls{firewall}.`
Initial draft of Fork Sand IT Manual 7 years ago
			`\begin{itemize}`
			`\item Must be free software.`
			`\item The project must still be alive.`
			`\item Does it use a hardened kernel?`
			`\item How does it do security updates?`
			`\item Are there open security issues?`
			`\item Are there any CVEs?`
			`\item How are security issues handled?`
			`\item Is there a list of security issues?`
			`\item Does it have a wifi portal? (Should that be a separate box or in OpenWRT?)`
			`\item Does upstream https actually work?`
			`\item UTM - Unified Threat Management (e.g. snort, etc.)`
			`\item Load balancing between multiple upstreams (without BGP).`
			`\item Load balancing between dual local routers.`
			`\item Fail over to standby router (e.g. pfsync).`
			\item ``Anti-virus'', SMTP, POP scans? Meh? (e.g. OpenBSD has greylist/tarpit.)
			`\item Packet cleansing (e.g. tcp header randomization).`
			`\item Do we want DNS, DHCP, etc? Probably not?`
			`\item OpenVPN (built into router, or thru it?).`
			`\item Network graphing (MRTG, aguri, etc.)`
			\item No broken ``community'' editions.
			`\item Have mirrored server doing analysis?`
			`\item NAT options? cone, etc.`
			`\item Local system monitoring (e.g. system temp, hdd status, etc.)`
			`\item sshd`
			`\item GSM, pppd ?`
			`\item Two-factor authentication.`
			`\item snort, suricata`
			`\end{itemize}`


Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\subsection{\Gls{firewall} Operating Systems in Use}`
Lots of updates, new co-location 7 years ago
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\Large{\href{https://www.debian.org/}{Debian}}`
Initial draft of Fork Sand IT Manual 7 years ago
			`Debian is used for nearly everything. It could easily be used as a`
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`router-firewall. There are better, more tuned options.`
Initial draft of Fork Sand IT Manual 7 years ago
			`Linux's iptables is used on servers.`

Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`\begin{figure}[!htb]`
Initial draft of Fork Sand IT Manual 7 years ago			`\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}`
			`\caption{Debian Website}`
Lots of updates, new co-location 7 years ago			`\label{fig:www-debian-in-firewalls-chapter}`
Initial draft of Fork Sand IT Manual 7 years ago			`\end{figure}`

firewall hardware for cluster briefly described 7 years ago			`\Large{Proxmox setups iptables-firewall}`
Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`During Proxmox installation on the nodes, \gls{firewall} is being confugured.`
Lots of updates, new co-location 7 years ago			`Some of nodes configurations can be found in chapter Free software under`
			`path apps/forksand-nodes-bootstrap/...`

			`especially in two of files is mentioned:`
			`\begin{minted}{sh}`
			`# Firewalling is done through Proxmox.`
			`cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'`
			`\end{minted}`

			`\begin{minted}{sh}`
			`# Enable firewall.`
			`# Datacenter --> shark4 (host) --> Firewall --> Add.`
			`# Enable firewall for datacenter:`
			`# Datacenter --> Firewall --> Options --> Firewall --> Yes`
			`# Datacenter --> Firewall --> Options --> Firewall --> Yes`
			`# Enable firewall for shark4:`
			`# Datacenter --> Firewall --> Add.`
			`\end{minted}`

			`\textcolor[rgb]{0.80,0.00,0.00}{`
			`Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\`
			`Find out why mention of firewall in hk1 node is discarded.`
			`}`

			`\begin{minted}{sh}`
			`# Enable firewall.`
			`# Datacenter --> truck (host) --> Firewall --> Add.`
			`# Enable firewall for datacenter:`
			`# Datacenter --> Firewall --> Options --> Firewall --> Yes`
			`# Datacenter --> Firewall --> Options --> Firewall --> Yes`
			`# Enable firewall for truck:`
			`# Datacenter --> Firewall --> Add.`
			`\end{minted}`

Started glossary, firewall split, added attachments, minor fixes, 7 years ago			`Also Nextcloud chapter mentiones configs of iptables-firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.`
Lots of updates, new co-location 7 years ago
			`Also certain Ansible including virtual machines enable iptables configuratiion.`
			`For example ansible-debian-male contains mikegleasonjr.firewall.`
			`\href{https://github.com/mikegleasonjr/ansible-role-firewall}{`
			ansible firewall\char`_v4\char`_configure example on github
			`}`
			`May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/`