You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
169 lines
5.1 KiB
169 lines
5.1 KiB
%
|
|
% Firewalls.tex
|
|
%
|
|
% Fork Sand IT Manual
|
|
%
|
|
% Copyright (C) 2018, Fork Sand, Inc.
|
|
% Copyright (C) 2017, Jeff Moe
|
|
% Copyright (C) 2016, 2017 Aleph Objects, Inc.
|
|
%
|
|
% This document is licensed under the Creative Commons Attribution 4.0
|
|
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
|
|
%
|
|
Firewalls keep the bad packets out, mostly. And let some good packets out.
|
|
|
|
\section{Overview}
|
|
What is the network doing?
|
|
|
|
\begin{itemize}
|
|
\item snort
|
|
\item MRTG
|
|
\item Aguri
|
|
\end{itemize}
|
|
|
|
%
|
|
% Authentication
|
|
|
|
\section{Authentication}
|
|
Two-factor authentication using TOTP.
|
|
|
|
%
|
|
% Hardware
|
|
|
|
\section{Firewall Hardware Overview}
|
|
Hardware.
|
|
|
|
|
|
Some resellers:
|
|
\begin{itemize}
|
|
\item \url{https://www.deciso.com/}
|
|
\item \url{https://www.pfwhardware.com/}
|
|
\item \url{https://www.osnet.eu/}
|
|
\end{itemize}
|
|
|
|
\begin{itemize}
|
|
\item (8) 1 gig ethernet ports
|
|
Connects to (1) 100M ethernet upstream fiber optic
|
|
Connects to (1) 100M ethernet upstream wifi
|
|
Various LAN
|
|
\item (Hot swap?) Dual Power Supplies
|
|
\item (How swap?) RAID (Linux md), with SSD storage.
|
|
\item 2.5'' drive bays
|
|
\item Total ~8GHz CPU
|
|
\item ~8-16 gigs RAM ? Depends on OS.
|
|
\item Two servers total, for standby/failover
|
|
\end{itemize}
|
|
|
|
%
|
|
% Firewall
|
|
\section{Overview}
|
|
Most servers and workstations run GNU/Linux, which uses iptables.
|
|
|
|
|
|
\section{iptables}
|
|
iptables is part of the Netfilter project and has been included by default in
|
|
the Linux kernel for many years.
|
|
|
|
\begin{figure}[h!]
|
|
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}
|
|
\caption{Netfilter Website}
|
|
\label{fig:www-netfilter}
|
|
\end{figure}
|
|
|
|
\section{Requirements}
|
|
There are a lot of operating systems to consider to use as a firewall...
|
|
|
|
Notes on some requirements in a firewall.
|
|
|
|
\begin{itemize}
|
|
\item Must be free software.
|
|
\item The project must still be alive.
|
|
\item Does it use a hardened kernel?
|
|
\item How does it do security updates?
|
|
\item Are there open security issues?
|
|
\item Are there any CVEs?
|
|
\item How are security issues handled?
|
|
\item Is there a list of security issues?
|
|
\item Does it have a wifi portal? (Should that be a separate box or in OpenWRT?)
|
|
\item Does upstream https actually work?
|
|
\item UTM - Unified Threat Management (e.g. snort, etc.)
|
|
\item Load balancing between multiple upstreams (without BGP).
|
|
\item Load balancing between dual local routers.
|
|
\item Fail over to standby router (e.g. pfsync).
|
|
\item ``Anti-virus'', SMTP, POP scans? Meh? (e.g. OpenBSD has greylist/tarpit.)
|
|
\item Packet cleansing (e.g. tcp header randomization).
|
|
\item Do we want DNS, DHCP, etc? Probably not?
|
|
\item OpenVPN (built into router, or thru it?).
|
|
\item Network graphing (MRTG, aguri, etc.)
|
|
\item No broken ``community'' editions.
|
|
\item Have mirrored server doing analysis?
|
|
\item NAT options? cone, etc.
|
|
\item Local system monitoring (e.g. system temp, hdd status, etc.)
|
|
\item sshd
|
|
\item GSM, pppd ?
|
|
\item Two-factor authentication.
|
|
\item snort, suricata
|
|
\end{itemize}
|
|
|
|
|
|
\section{Firewall Operating Systems in Use}
|
|
\subsection{Debian}
|
|
|
|
\href{https://www.debian.org/}{Debian}
|
|
|
|
Debian is used for nearly everything. It could easily be used as a
|
|
router/firewall. There are better, more tuned options.
|
|
|
|
Linux's iptables is used on servers.
|
|
|
|
\begin{figure}[h!]
|
|
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
|
|
\caption{Debian Website}
|
|
\label{fig:www-debian-in-firewalls-chapter}
|
|
\end{figure}
|
|
|
|
\subsection{Proxmox setups iptables-firewall}
|
|
During Proxmox installation on the nodes, firewall is being confugured.
|
|
Some of nodes configurations can be found in chapter Free software under
|
|
path apps/forksand-nodes-bootstrap/...
|
|
|
|
especially in two of files is mentioned:
|
|
\begin{minted}{sh}
|
|
# Firewalling is done through Proxmox.
|
|
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
|
|
\end{minted}
|
|
|
|
\begin{minted}{sh}
|
|
# Enable firewall.
|
|
# Datacenter --> shark4 (host) --> Firewall --> Add.
|
|
# Enable firewall for datacenter:
|
|
# Datacenter --> Firewall --> Options --> Firewall --> Yes
|
|
# Datacenter --> Firewall --> Options --> Firewall --> Yes
|
|
# Enable firewall for shark4:
|
|
# Datacenter --> Firewall --> Add.
|
|
\end{minted}
|
|
|
|
\textcolor[rgb]{0.80,0.00,0.00}{
|
|
Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\
|
|
Find out why mention of firewall in hk1 node is discarded.
|
|
}
|
|
|
|
\begin{minted}{sh}
|
|
# Enable firewall.
|
|
# Datacenter --> truck (host) --> Firewall --> Add.
|
|
# Enable firewall for datacenter:
|
|
# Datacenter --> Firewall --> Options --> Firewall --> Yes
|
|
# Datacenter --> Firewall --> Options --> Firewall --> Yes
|
|
# Enable firewall for truck:
|
|
# Datacenter --> Firewall --> Add.
|
|
\end{minted}
|
|
|
|
Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
|
|
|
|
Also certain Ansible including virtual machines enable iptables configuratiion.
|
|
For example ansible-debian-male contains mikegleasonjr.firewall.
|
|
\href{https://github.com/mikegleasonjr/ansible-role-firewall}{
|
|
ansible firewall\char`_v4\char`_configure example on github
|
|
}
|
|
May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/
|