Package: ferm
Version: 2.2-3
Severity: wishlist
Tags: upstream

Please consider the attached ruleset as an alternative to the
default. It is functionally equivalent and the user need not change
anything, but it provides the following benefits:

  1. IPsec and SSH acceptance are configurable at the top;

  2. It is possible to exclude additional interfaces like lo (e.g.
     interfaces used for SAN);

  3. It is trivially possible to configure REJECT instead of DROP,
     which is nicer on everyone;

  4. Instead of dropping INVALID packets and then passing through
     filter rules, three new chains {input,forward,output}-new are
     available which receive only truly NEW packets. However, since
     processing then falls back to the main chains, their use is
     optional (though recommended);

  5. The same ruleset applies to both IPv4 and IPv6.

This is what the result looks like:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forward-new - [0:0]
:input-new - [0:0]
:output-new - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j input-new
-A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j forward-new
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j output-new
-A forward-new -p icmp -j ACCEPT
-A input-new -p icmp -j ACCEPT
-A input-new -p udp -m udp --dport 500 -j ACCEPT
-A input-new -p esp -j ACCEPT
-A input-new -p ah -j ACCEPT
-A input-new -p tcp -m tcp --dport 22 -j ACCEPT
-A output-new -j ACCEPT
COMMIT

For reference, this is the current result:

*filter
:INPUT DROP [19:1342]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf   1.5.53
ii  iptables  1.4.21-2
ii  lsb-base  4.1+Debian13
ii  perl      5.20.1-1

Versions of packages ferm recommends:
ii  libnet-dns-perl  0.80-1

ferm suggests no packages.


-- 
 .''`.   martin f. krafft <[email protected]> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

# ferm.conf
#
# Sensible, secure default ferm configuration file with configurable
# parameters and IPv4/IPv6 support.
#
# Copyright (c) 2009-2014 Martin F. Krafft <[email protected]>
# Released under the GPLv2+, like ferm itself.
#

### DEFAULTS ################################################################

@def $ACCEPT_INCOMING_IPSEC = 1;
@def $ACCEPT_INCOMING_SSH = 1;

@def $UNWALLED_IFACES = (lo);

@def $REJECT_INSTEAD_OF_DROP = 0;

# names of the chains that should then actually be used for filtering
@def $INPUT_FILTER_CHAIN = input-new;
@def $FORWARD_FILTER_CHAIN = forward-new;
@def $OUTPUT_FILTER_CHAIN = output-new;

### CHAIN POLICIES ###########################################################

domain (ip ip6) {
  # be on the safe side and drop everything
  table filter chain (INPUT FORWARD OUTPUT) policy DROP;

  # … which does not make sense in the mangle table
  table mangle chain (INPUT PREROUTING FORWARD POSTROUTING OUTPUT) policy ACCEPT;
}

domain ip {
  # no nat table in the ip6 domain
  table nat chain (PREROUTING POSTROUTING OUTPUT) policy ACCEPT;
}

### HELPERS #################################################################

@def &CONNTRACK_NEW_PACKETS_INTO($sourcechain, $newchain) = {
  table filter chain $sourcechain {
    # reject invalid packets
    mod state state INVALID REJECT reject-with icmp-admin-prohibited;

    # accept existing connections.
    mod state state (ESTABLISHED RELATED) ACCEPT;

    # and put new connections into their own chain. This is safer since it
    # lets packets that conntrack cannot qualify properly fall through into the
    # policy, rather than to let it run through the regular filter chains.
    mod state state NEW jump $newchain;
  }
}

### FILTER RULES #############################################################

## STANDARDS
# exclude unwalled interfaces first
domain (ip ip6) table filter chain INPUT interface $UNWALLED_IFACES ACCEPT;

## INPUT
domain (ip ip6) chain $INPUT_FILTER_CHAIN;
domain (ip ip6) &CONNTRACK_NEW_PACKETS_INTO(INPUT, $INPUT_FILTER_CHAIN);
domain (ip ip6) table filter chain $INPUT_FILTER_CHAIN proto icmp ACCEPT;

@if $ACCEPT_INCOMING_IPSEC {
  domain ip chain $INPUT_FILTER_CHAIN {
    proto udp dport 500 ACCEPT;
    proto (esp ah) ACCEPT;
  }
}

@if $ACCEPT_INCOMING_SSH {
  domain ip chain $INPUT_FILTER_CHAIN proto tcp dport ssh ACCEPT;
}

## FORWARD
domain (ip ip6) chain $FORWARD_FILTER_CHAIN;
domain (ip ip6) &CONNTRACK_NEW_PACKETS_INTO(FORWARD, $FORWARD_FILTER_CHAIN);
domain (ip ip6) table filter chain $FORWARD_FILTER_CHAIN proto icmp ACCEPT;

## OUTPUT
domain (ip ip6) chain $OUTPUT_FILTER_CHAIN;
domain (ip ip6) &CONNTRACK_NEW_PACKETS_INTO(OUTPUT, $OUTPUT_FILTER_CHAIN);
# next rule not needed due to catchall below
#domain (ip ip6) table filter chain $OUTPUT_FILTER_CHAIN proto icmp ACCEPT;
domain (ip ip6) chain $OUTPUT_FILTER_CHAIN jump ACCEPT;

### REJECT POLICY ############################################################

@if $REJECT_INSTEAD_OF_DROP {
  # DROP is a bit harsh, let's be nice and REJECT. This does not really
  # expose any more information and might even serve to decrease the
  # interest of an attacker.
  domain (ip ip6) chain (INPUT FORWARD OUTPUT)
    REJECT reject-with icmp-port-unreachable;
}
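The behavioural difference between the proposed and the current ruleset can be checked offline. The following Python model is an added example, not part of the bug report or of ferm: it parses both iptables-save listings quoted above and walks them the way the kernel does, with a jump into a user-defined chain returning to the caller when that chain ends without a verdict, and the built-in chain's policy applying last. It understands only the matches the two rulesets actually use (-i, -p, --dport, -m state --state); the packets fed to it are constructed.

```python
# Both rulesets are copied from the report above (the wrapped FORWARD line rejoined).
PROPOSED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forward-new - [0:0]
:input-new - [0:0]
:output-new - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j input-new
-A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j forward-new
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j output-new
-A forward-new -p icmp -j ACCEPT
-A input-new -p icmp -j ACCEPT
-A input-new -p udp -m udp --dport 500 -j ACCEPT
-A input-new -p esp -j ACCEPT
-A input-new -p ah -j ACCEPT
-A input-new -p tcp -m tcp --dport 22 -j ACCEPT
-A output-new -j ACCEPT
COMMIT
"""

CURRENT = """\
*filter
:INPUT DROP [19:1342]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

OPTS = {"-i": "iface", "-p": "proto"}  # options whose argument is compared verbatim

def packet(state, proto, iface="eth0", dport=None):
    """A constructed packet as conntrack and the rule matches would see it."""
    return {"state": state, "proto": proto, "iface": iface, "dport": dport}

def parse(ruleset):
    """iptables-save text -> {chain: {"policy", "rules"}}; only the options used above are read."""
    chains = {}
    for line in ruleset.splitlines():
        if line.startswith(":"):                        # ':NAME POLICY [pkts:bytes]'; '-' = user chain
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):
            tok = line.split()
            match, target = {}, None
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option here takes exactly one argument
                if opt == "-j": target = arg
                elif opt == "--state": match["state"] = set(arg.split(","))
                elif opt == "--dport": match["dport"] = int(arg)
                elif opt in OPTS: match[OPTS[opt]] = arg
                # '-m <module>' and '--reject-with <type>' do not influence matching in this model
            chains[tok[1]]["rules"].append((match, target))
    return chains

def matches(match, pkt):
    # every matcher must agree with the packet; the state matcher is a set of allowed states
    return all(pkt[k] in v if k == "state" else pkt[k] == v for k, v in match.items())

def walk(chains, name, pkt):
    """First terminal verdict in a chain, or None when the chain ends without one.
    A user chain that ends without a verdict returns control to its caller: this is
    the fall-through that lets input-new delegate to INPUT's policy (point 4 above)."""
    for match, target in chains[name]["rules"]:
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        verdict = walk(chains, target, pkt)             # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def verdict(ruleset, chain, pkt):
    """Final verdict for a packet entering a built-in chain: terminal target, else the policy."""
    chains = parse(ruleset)
    return walk(chains, chain, pkt) or chains[chain]["policy"]

if __name__ == "__main__":
    for chain, pkt in [("INPUT", packet("NEW", "tcp", dport=22)),
                       ("INPUT", packet("INVALID", "tcp", dport=80)),
                       ("FORWARD", packet("NEW", "icmp"))]:
        print(chain, pkt, "proposed:", verdict(PROPOSED, chain, pkt),
              "current:", verdict(CURRENT, chain, pkt))
```

Running it shows, for instance, that an INVALID packet on INPUT is dropped by the current ruleset but rejected by the proposed one, that a NEW packet to an unlisted port falls through input-new back to INPUT and meets the DROP policy in both, and that a NEW forwarded ICMP packet is accepted only by the proposed ruleset, since forward-new carries an icmp rule the current FORWARD chain does not have.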
