Centralized Firewall configuration for Linux systems

Background

Every network service is a potential entry point for an attacker. It is highly recommended to disable unneeded network services and to control access to legitimate ones. Establishing security perimeters with firewalls is generally a sound way to enforce controlled access to a system from the network.

This page suggests a local firewall implementation method aimed at managing a large number of computers dynamically. The procedure aims to offer:

  • Better protection against attacks from the LAN
  • A highly adaptive firewall configuration
  • Fast configuration changes (emergency rollback, blacklisting, etc.) on different sets of nodes
  • A convenient way to get ready for the closure of high-numbered ports on the CERN firewall, which will be rolled out during 2006.

Details: LCG-FW infrastructure

Server

A simple Web service has been made available on lcg-fw.cern.ch to provide iptables configuration files. The default rule is to drop all incoming connections. A number of exception groups are defined and can be added to a system, so that many system profiles and exceptions can be covered. For instance, a group HTTP_SERVER could be configured for services that require incoming connections on port TCP/80 from everywhere.

Nodes can be registered on the server with multiple groups matching different services.

As a result, when a node connects to the server, a configuration file will be returned according to the incoming address of the node.
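To make the group mechanism concrete, here is an added example (not the lcg-fw.cern.ch service's own code) of a generator that turns a node's group list into a complete iptables-restore file. The two groups it knows, GD_LAN_SSH and HTTP_SERVER, and their address ranges are taken from this page; the function names, the file layout and the refusal to emit anything for an unknown group are assumptions of the example.

```shell
#!/bin/sh
# Hypothetical server-side generator in the style of lcg-fw: one
# iptables-restore file per node, assembled from the node's group list.
# Added example; not the lcg-fw.cern.ch service's own code.

# Rules contributed by each exception group. The two groups and their
# address ranges come from the page; anything else is treated as unknown.
group_rules() {
    case "$1" in
        GD_LAN_SSH)
            echo '-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT'
            echo '-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT'
            echo '-A INPUT -s 128.142.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT'
            ;;
        HTTP_SERVER)
            echo '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
            ;;
        *)
            return 1
            ;;
    esac
}

# build_config HOST GROUP... : print the complete ruleset to stdout.
# Fails before printing anything on an unknown group, so a typo in the
# registry cannot silently produce a half-built or over-permissive file.
build_config() {
    host="$1"; shift
    for g in "$@"; do
        group_rules "$g" >/dev/null || { echo "unknown group: $g" >&2; return 1; }
    done
    cat <<EOF
# Automated iptables configuration (generated example)
# $host is using the following firewall groups:
# $(printf '%s; ' "$@")
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Maintaining established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback and ICMP; the timestamp-request DROP must come before the
# blanket ICMP ACCEPT, because iptables stops at the first matching rule
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for g in "$@"; do
        echo "# Group $g"
        group_rules "$g"
    done
    echo COMMIT
}

# Number of ACCEPT exceptions a node would receive; handy for a quick audit
# of what a registration actually opens.
accept_rule_count() {
    build_config "$@" | grep -c -- '--dport [0-9]* -j ACCEPT'
}
```

Note the order of the two ICMP lines: in the sample file reproduced further down this page the blanket ICMP ACCEPT precedes the timestamp-request DROP, so that DROP line is never reached; the generator above puts the DROP first.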

Client

A machine can then download its iptables configuration file from the server. A package called lcg-fw has been built to automate this task every hour. As a result, firewall changes can be deployed on all registered nodes within one hour.

No configuration is required on the node, as the server will build the configuration file according to the hostname of the node sending the request. If the machine is not registered to obtain a specific configuration, lcg-fw.cern.ch will provide a default secure configuration.

The client, called lcg-fw, includes:

  • A failover mechanism that reinstalls the previous working configuration should a problem occur during the update
  • Randomization of the hourly retrieval of the configuration file
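The failover and randomization described above, as an added example of how a client could implement them (this is not the lcg-fw RPM's own script). It assumes the ruleset is served at https://lcg-fw.cern.ch/ (the page names only the host), fetches it with curl, keeps a last-good copy at /etc/sysconfig/iptables.last-good and loads rules with iptables-restore; those are all assumptions of the example, while /etc/sysconfig/iptables is the path the page uses.

```shell
#!/bin/sh
# Hypothetical client in the spirit of the lcg-fw package: fetch the node's
# ruleset, sanity-check it, apply it, and fall back to the last working copy
# if applying fails. Added example; not the lcg-fw RPM's own script.

FW_URL="${FW_URL:-https://lcg-fw.cern.ch/}"            # assumed; the page names only the host
FW_FILE="${FW_FILE:-/etc/sysconfig/iptables}"           # path from the page
FW_LAST_GOOD="${FW_LAST_GOOD:-/etc/sysconfig/iptables.last-good}"  # assumed backup location
APPLY_CMD="${APPLY_CMD:-iptables-restore}"              # reads the ruleset on stdin

# Spread the hourly runs across a window so all nodes do not hit the server at once.
random_delay() {
    max="${1:-300}"
    echo $(( ${RANDOM:-$$} % max ))
}

# A usable ruleset opens the filter table, default-drops INPUT and commits;
# a truncated download fails this check and is never loaded.
validate_config() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^\*filter$' "$f" || return 1
    grep -q '^:INPUT DROP' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
}

# Load NEW; on success record it as last-good, on failure reload the
# last-good copy so the node is never left without its working rules.
apply_with_rollback() {
    new="$1"
    if $APPLY_CMD < "$new"; then
        cp "$new" "$FW_FILE" && cp "$new" "$FW_LAST_GOOD"
        return 0
    fi
    echo "lcg-fw: applying new rules failed, restoring $FW_LAST_GOOD" >&2
    if [ -s "$FW_LAST_GOOD" ]; then
        $APPLY_CMD < "$FW_LAST_GOOD" || echo "lcg-fw: rollback failed too" >&2
    fi
    return 2
}

# One cycle: download to a temp file, validate, apply. The installed file is
# left untouched if any step fails.
fetch_and_apply() {
    tmp=$(mktemp) || return 1
    if ! curl -sSf -o "$tmp" "$FW_URL"; then
        echo "lcg-fw: download failed, keeping current rules" >&2
        rm -f "$tmp"; return 1
    fi
    if ! validate_config "$tmp"; then
        echo "lcg-fw: server returned an unusable file, keeping current rules" >&2
        rm -f "$tmp"; return 1
    fi
    apply_with_rollback "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Cron entry point: 'sh lcg-fw-client.sh run' sleeps a random interval, then runs one cycle.
case "${1:-}" in
    run) sleep "$(random_delay 300)"; fetch_and_apply ;;
esac
```

Running the download and the apply step as separate, individually checked stages is what gives the rollback its value: a bad file from the server is rejected before it touches the kernel, and a file that the kernel rejects is replaced by the copy that last loaded cleanly.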

This service is available to CERN machines and can be used on any SLC machine. lcg-fw (the package for the clients) is available as an RPM from http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/security/sl3/en/i386/RPMS.lcg_sl3/

It is suggested that nodes install lcg-fw using a package management tool such as apt or yum. For instance, adding the following source to your apt configuration will let your machine install and update the package easily:

rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/security/sl3/en/i386 lcg_sl3 

How to install lcg-fw

The lcg-fw package should be installed by default on freshly installed PPS and PROD systems. To install the package on existing nodes, run the following commands:

echo "rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/security/sl3/en/i386 lcg_sl3" > /etc/apt/sources.list.d/security.list && apt-get update ;
apt-get install lcg-fw

Please note:

  • The firewall rules should be applied within one hour. Rules can be applied more quickly (in less than 3 minutes) by running the cron job manually:
/etc/cron.hourly/firewall.cron
  • You should check that a valid template has been assigned by reading the first lines of /etc/sysconfig/iptables (the header lists the firewall groups in use)
  • You can check at any time whether packets have been rejected by the local firewall by grepping "DENIED" in /var/log/messages
(Not every denied packet reveals a problem: you may see that your node has been scanned, or has received probes from legitimate but misconfigured nodes)
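Telling a scan from a misconfigured peer is the recurring question when reading those DENIED lines, so here is an added example (not part of lcg-fw) that summarises them per source. It assumes the template logs rejected packets with a LOG rule whose prefix is "DENIED " (the page says to grep for DENIED; the sample template below does not show that rule), so the lines carry the kernel's usual SRC=/DPT=/PROTO= fields. The log lines are constructed: 192.0.2.44 is a documentation address standing in for an outside scanner, and 137.138.9.9 a CERN-LAN host repeatedly trying NFS.

```shell
#!/bin/sh
# Summarise packets the local firewall rejected, from the "DENIED" lines in
# /var/log/messages. Added example, not part of lcg-fw. Assumes a LOG rule
# with --log-prefix "DENIED " so the lines carry SRC=/DPT=/PROTO= fields.

# Constructed sample of what such lines look like (not a real log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 15 18:20:01 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=192.0.2.44 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=45120 DPT=21 SYN
Feb 15 18:20:01 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=192.0.2.44 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=45121 DPT=22 SYN
Feb 15 18:20:02 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=192.0.2.44 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=45122 DPT=23 SYN
Feb 15 18:20:02 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=192.0.2.44 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=45123 DPT=80 SYN
Feb 15 18:21:10 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=137.138.9.9 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=1023 DPT=2049 SYN
Feb 15 18:21:40 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=137.138.9.9 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=1023 DPT=2049 SYN
Feb 15 18:22:10 pcitgd-si kernel: DENIED IN=eth0 OUT= SRC=137.138.9.9 DST=137.138.5.6 LEN=60 PROTO=TCP SPT=1023 DPT=2049 SYN
Feb 15 18:22:11 pcitgd-si sshd[4321]: Accepted publickey for jdoe from 137.138.1.2 port 51234 ssh2
EOF

# Total number of rejected packets recorded in the file.
denied_count() {
    grep -c 'DENIED' "$1"
}

# Per-source summary: "SRC hits distinct-ports label", busiest source first.
# Many distinct ports from one source looks like a scan; repeated hits on a
# single port look like a legitimate but misconfigured peer.
denied_summary() {
    grep 'DENIED' "$1" | awk '
    {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next
        hits[src]++
        key = src SUBSEP proto "/" dpt
        if (!(key in seen)) { seen[key] = 1; ports[src]++ }
    }
    END {
        for (s in hits) {
            label = (ports[s] >= 3) ? "scan-like" : "repeated"
            printf "%s %d %d %s\n", s, hits[s], ports[s], label
        }
    }' | sort -k2,2nr
}

# Usage: sh denied-summary.sh /var/log/messages
if [ -n "${1:-}" ]; then
    denied_summary "$1"
fi
```

The threshold of three distinct ports is an arbitrary choice for the example; the point is that the same DENIED lines answer both questions on the page, whether the node was scanned and whether a neighbour keeps knocking on a port the template does not open.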

Changing the firewall configuration on a node

The default lcg-fw configuration is to only offer SSH access to the CERN LAN.

In order to change the firewall template allocated to a node, contact gd-security-services@cern.ch, specifying what type of service your host will be providing. An updated template will be issued and automatically installed on the node (provided it runs lcg-fw).

If you manually change the firewall rules on a node running lcg-fw, the registered profile will be reinstalled the next time the hourly cron job runs. If you wish to make a temporary change, you can either:

  • Contact gd-firewall@cern.ch to change the firewall template temporarily
  • Deprecated: change the local rules by suspending the update of the firewall template. This is done by issuing the following command on the node:
chmod -x /etc/cron.hourly/firewall.cron

The local firewall status of GD machines is visible at https://lcg-fw.cern.ch/public/.

Sample configuration file

In the following example, pcitgd-si.cern.ch has been registered as a server that only needs SSH access from some CERN subnets. The server provided the following configuration file:

# Automated iptables configuration from lcg-fw.cern.ch
# Wednesday 15th February 2006 18:14:39
#
# pcitgd-si.cern.ch is using the following firewall groups:
# GD_LAN_SSH;
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Maintaining established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable local loop and ICMP-ping
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP

# Drop invalid packets
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Incoming SSH connections from the CERN LAN
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.142.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

Browsing the configuration of the GD nodes

The list of hosts using the local firewall service is available from: https://lcg-fw.cern.ch/public/

Please register with gd-firewall@cern.ch if you wish to browse the deployment details of this local firewall on LCG nodes. A Web page with up-to-date information about the firewall configuration and deployment on all the nodes has been set up.

-- Romain Wartel - 27 Nov 2006

Topic revision: r9 - 2007-07-17 - RomainWartel