Centralized Firewall configuration for Linux systems
Background
Every network service is a potential entry point for an attacker. It is highly recommended to disable unnecessary network services and to control access to the legitimate ones.
Establishing security perimeters with firewalls is generally a good way to enforce controlled access to a system from the network.
This page suggests a local firewall implementation method aimed at managing a large number of computers dynamically. This procedure aims at offering:
- A better protection against attacks from the LAN
- A highly adaptable firewall configuration
- Fast configuration change (emergency rollback, blacklisting, etc.) on different sets of nodes
- A convenient way to get ready for the closure of high-number ports on the CERN firewall, which will be rolled out during 2006.
Details: LCG-FW infrastructure
Server
A simple Web service has been made available on lcg-fw.cern.ch to provide iptables configuration files.
The default rule is to drop all incoming connections. A number of exception groups are defined and can be added to the system, so that many system profiles and exceptions can be covered.
For instance, a group HTTP_SERVER could be configured to include services that require incoming connections on port TCP/80 from everywhere.
Nodes can be registered on the server with multiple groups matching different services.
As a result, when a node connects to the server, a configuration file will be returned according to the incoming address of the node.
Client
A machine can then download its iptables configuration files from the server. A package called lcg-fw has been built to automate this task every hour.
As a result, firewall changes can be deployed on all the registered nodes within one hour.
No configuration is required on the node, as the server will build the configuration file according to the hostname of the node sending the request.
If the machine is not registered to obtain a specific configuration, lcg-fw.cern.ch will provide a default secure configuration.
The client, called lcg-fw, includes:
- A failover mechanism that reinstalls the previous working configuration, should a problem occur during the process
- A randomization of the hourly retrieval of the configuration file
This service is available to CERN machines and can be used on any SLC machine.
lcg-fw (the package for the clients) is available as an RPM from http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/security/sl3/en/i386/RPMS.lcg_sl3/
It is suggested that the node installs lcg-fw using a package management tool such as apt or yum. For instance, adding the following source to your apt configuration will enable your machine to install and update the package easily:
rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/security/sl3/en/i386 lcg_sl3
How to install lcg-fw
The lcg-fw package should be installed by default on freshly installed PPS and PROD systems.
To install the package on existing nodes, please follow these steps:
echo "rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/security/sl3/en/i386 lcg_sl3" > /etc/apt/sources.list.d/security.list && apt-get update
apt-get install lcg-fw
Please note:
- The firewall rules should be applied within one hour. Rules can be applied more quickly (in less than 3 minutes) by running the cron job manually:
/etc/cron.hourly/firewall.cron
- You should check that a valid template has been assigned by reading the first lines of /etc/sysconfig/iptables
- You can check at any time whether packets have been rejected by the local firewall by grepping for "DENIED" in /var/log/messages
(Not every denied packet reveals a problem: you may see that your node has been scanned, or has received probes from legitimate but misconfigured nodes)
Changing the firewall configuration on a node
The default lcg-fw configuration is to only offer SSH access to the CERN LAN.
In order to change the firewall template that has been allocated to a node, you can contact gd-security-services@cern.ch, specifying what type of service your host will be providing. An updated template will be issued and automatically installed on the node (provided it runs lcg-fw).
If you attempt to manually change the firewall rules on a node running lcg-fw, the registered profile will be re-installed the next time the hourly cron job runs.
If you wish to make a temporary change, you can either:
- Contact gd-firewall@cern.ch to change the firewall template temporarily
- Deprecated: you can change the local rules by suspending the update of the firewall template. This is done by issuing the following command on the node:
chmod -x /etc/cron.hourly/firewall.cron
The local firewall status of GD machines is visible at https://lcg-fw.cern.ch/public/.
Sample configuration file
In the following example, pcitgd-si.cern.ch has been registered as a server that only needed SSH access from some CERN subnets. The server provided the following configuration file:
# Automated iptables configuration from lcg-fw.cern.ch
# Wednesday 15th February 2006 18:14:39
#
# pcitgd-si.cern.ch is using the following firewall groups:
# GD_LAN_SSH;
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Maintaining established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Enable local loop and ICMP-ping (the timestamp-request DROP must precede the general ICMP ACCEPT, or it never matches)
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -j ACCEPT
# Drop invalid packets
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Incoming SSH connections from the CERN LAN
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.142.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
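A small checker for files in this format, added here and not part of lcg-fw: it parses the -A lines and flags any rule that an earlier terminal rule in the same chain already decides, which under iptables first-match order means the later rule can never fire (for instance an ICMP timestamp-request DROP placed after a blanket ICMP ACCEPT, or a narrower SSH subnet listed after its enclosing one). The input below is a constructed sample, not a file served by lcg-fw.cern.ch.

```python
import ipaddress
import shlex
# Constructed sample in the iptables-restore layout shown on this page (not a
# real lcg-fw file): the timestamp DROP sits after the blanket ICMP ACCEPT and
# a /24 SSH rule after its enclosing /16, so neither can ever match.
SAMPLE = """\
*filter
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 137.138.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """One '-A CHAIN ...' line -> (chain, {option: value}, target), else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key, val = toks[i], toks[i + 1]
        if key == "--tcp-flags":          # takes two arguments: mask, set
            val, i = (val, toks[i + 2]), i + 1
        if key != "-m":                   # -m only loads a match module
            opts[key] = val
        i += 2
    target = opts.pop("-j", None)         # keep the target out of the match set
    return toks[1], opts, target

def covers(a, b):
    """True if every constraint of earlier rule a also holds for rule b."""
    net = lambda s: ipaddress.ip_network(s, strict=False)  # mask or prefix form
    return all(key in b and (net(b[key]).subnet_of(net(val)) if key == "-s"
                             else b[key] == val) for key, val in a.items())

def shadowed_rules(text):
    """Line numbers of rules that one earlier terminal rule in the same chain
    already decides, so under first-match order they can never fire."""
    seen, hits = [], []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed:
            chain, opts, target = parsed
            if any(c == chain and covers(o, opts) for c, o in seen):
                hits.append(no)
            if target in TERMINAL:
                seen.append((chain, opts))
    return hits
```

Running it over /etc/sysconfig/iptables after the hourly update complements the template check above: a rule reported here is present in the file but silently disabled by the template's ordering. The check only considers shadowing by a single earlier rule, not by a combination of several.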
Browsing the configuration of the GD nodes
The list of hosts using the local firewall service is available from https://lcg-fw.cern.ch/public/
Please register with gd-firewall@cern.ch if you wish to browse the deployment details of this local firewall on LCG nodes.
A Web page with up-to-date information about the firewall configuration and deployment on all the nodes has been set up.
-- Romain Wartel - 27 Nov 2006