* Double stack IPv4&&IPv6 for a firewall
From: Arturo Borrero @ 2012-08-24 10:40 UTC (permalink / raw)
To: netfilter
Hi there!
The recommended way to implement IPv6 in a network while IPv4 is
still alive is double stack.
In a network where all hosts have DNS records, double stack means that each
FQDN has an A record and an AAAA record.
So, deploying a DNS-based firewall forces you to duplicate the ruleset,
first for iptables/ip6tables and then for ipset family inet/ipset family
inet6.
The question is:
Does anyone know a program, framework, script, method or whatever to face
this situation?
I'm talking about an 'abstraction' method that hides the differences
between iptables/ip6tables, as long as it almost always uses FQDNs with
both DNS records to configure the ruleset.
Best regards.
--
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
* Re: Double stack IPv4&&IPv6 for a firewall
From: John A. Sullivan III @ 2012-08-24 14:29 UTC (permalink / raw)
To: Arturo Borrero; +Cc: netfilter
On Fri, 2012-08-24 at 12:40 +0200, Arturo Borrero wrote:
> Hi there!
>
> The recommended way to implement IPv6 in a network while IPv4 is
> still alive is double stack.
> In a network where all hosts have DNS records, double stack means that each
> FQDN has an A record and an AAAA record.
>
> So, deploying a DNS-based firewall forces you to duplicate the ruleset,
> first for iptables/ip6tables and then for ipset family inet/ipset family
> inet6.
>
> The question is:
>
> Does anyone know a program, framework, script, method or whatever to face
> this situation?
>
> I'm talking about an 'abstraction' method that hides the differences
> between iptables/ip6tables, as long as it almost always uses FQDNs with
> both DNS records to configure the ruleset.
>
> Best regards.
>
>
Hmm . . . perhaps it has changed but, when I investigated it years ago,
using FQDNs for iptables rules was problematic in that the names were
only resolved at the time the rules were loaded. If any of the
addresses change, the firewall is completely unaware of the change as it
does not resolve the name on each query. Is that still the case? - John
* Re: Double stack IPv4&&IPv6 for a firewall
From: Jan Engelhardt @ 2012-08-24 14:41 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Arturo Borrero, netfilter
On Friday 2012-08-24 16:29, John A. Sullivan III wrote:
>On Fri, 2012-08-24 at 12:40 +0200, Arturo Borrero wrote:
>> Hi there!
>>
>> The recommended way to implement IPv6 in a network while IPv4 is
>> still alive is double stack.
>> In a network where all hosts have DNS records, double stack means that each
>> FQDN has an A record and an AAAA record.
>>
>> So, deploying a DNS-based firewall forces you to duplicate the ruleset,
>> first for iptables/ip6tables and then for ipset family inet/ipset family
>> inet6.
>>
>> The question is:
>>
>> Does anyone know a program, framework, script, method or whatever to face
>> this situation?
>>
>> I'm talking about an 'abstraction' method that hides the differences
>> between iptables/ip6tables, as long as it almost always uses FQDNs with
>> both DNS records to configure the ruleset.
>>
>> Best regards.
>>
>>
>Hmm . . . perhaps it has changed but, when I investigated it years ago,
>using FQDNs for iptables rules was problematic in that the names were
>only resolved at the time the rules were loaded. If any of the
>addresses change, the firewall is completely unaware of the change as it
>does not resolve the name on each query. Is that still the case? - John
Naturally, since DNS lookups will introduce a shitload of latency and
error potential (like, when DNS itself fails) were it done for every
packet.
* Re: Double stack IPv4&&IPv6 for a firewall
From: Jan Engelhardt @ 2012-08-24 23:46 UTC (permalink / raw)
To: Arturo Borrero; +Cc: netfilter, John A. Sullivan III
On Friday 2012-08-24 23:12, Arturo Borrero wrote:
>
>DNS lookups are a problem in a big ruleset (~10,000 rules), so the point is
>to do some kind of local cache.
So run a local BIND server, lwresd, dnsmasq, nscd, or whatever.
>As I supposed, the double stack method is not being well approached yet.
What isn't?
>The code (bash) is here:
>https://github.com/aborrero/fw-admin
sh is amongst the *slowest* of all. Your README.md says
>You usually set your ruleset in this way:
>
>$IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024: --dport
>$SSH_PORT -j ACCEPT
If you begin with something like this, no wonder it's all going slow,
because you are needlessly reloading all the damn rules.
That's why smart people use iptables-restore.
Also, the --sport 1024: is pretty dull, because there is no RFC
that forbids the use of numbers lower than that.
>Also, fw-admin is just a complex bash script
Its greatest problem, btw.
* Re: Double stack IPv4&&IPv6 for a firewall
From: Julien Vehent @ 2012-08-26 3:38 UTC (permalink / raw)
To: netfilter
On 2012-08-24 19:46, Jan Engelhardt wrote:
> On Friday 2012-08-24 23:12, Arturo Borrero wrote:
>>You usually set your ruleset in this way:
>>
>>$IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024:
>> --dport
>>$SSH_PORT -j ACCEPT
>
> If you begin with something like this, no wonder it's all going slow,
> because you are needlessly reloading all the damn rules.
> That's why smart people use iptables-restore.
>
Oh, only about ~2000 times faster in my tests :p
http://www.slideshare.net/slideshow/embed_code/14051936?startSlide=22
--
Julien Vehent - http://jve.linuxwal.info
* Re: Double stack IPv4&&IPv6 for a firewall
From: Arturo Borrero @ 2012-08-28 8:55 UTC (permalink / raw)
To: julien; +Cc: netfilter
> On 2012-08-24 19:46, Jan Engelhardt wrote:
> > On Friday 2012-08-24 23:12, Arturo Borrero wrote:
>
> >>You usually set your ruleset in this way:
> >>
> >>$IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024:
> >> --dport
> >>$SSH_PORT -j ACCEPT
> >
> > If you begin with something like this, no wonder it's all going slow,
> > because you are needlessly reloading all the damn rules.
> > That's why smart people use iptables-restore.
> >
>
> Oh, only about ~2000 times faster in my tests :p
> http://www.slideshare.net/slideshow/embed_code/14051936?startSlide=22
Well, but the problem of writing two different rulesets with the same
info is still unsolved.
And if you permit my point of view, I think it's harder to solve using
iptables-restore than using bash and iptables/ip6tables (because of
variables, the additional flexibility of bash, etc...)
Maybe the point would be to generate with Bash an iptables-restore
ruleset to load into the kernel, but not load the ruleset directly from
Bash...
--
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
* Re: Double stack IPv4&&IPv6 for a firewall
From: Julien Vehent @ 2012-08-28 11:43 UTC (permalink / raw)
To: Arturo Borrero; +Cc: netfilter
On 2012-08-28 04:55, Arturo Borrero wrote:
> Maybe the point would be to generate with Bash an iptables-restore
> ruleset to load into the kernel, but not load the ruleset directly from
> Bash...
>
>
Correct. The syntax of iptables-restore is similar to that of iptables,
with the addition of the ordering that needs to be respected. Then, simply
issue `iptables-restore < /path/to/ruleset`.
- Julien
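The approach Arturo sketches and Julien confirms (have a script emit iptables-restore input rather than call iptables once per rule), worked through for both address families as an added example. This is illustrative shell written for this page, not code from fw-admin, ferm or anyone on the list. The hostnames, addresses and set names are made up, and the RESOLVED table is a constructed stand-in for the one-time DNS lookup a real generator would do (for instance with `getent ahosts` against a local cache); both are assumptions, not part of the original thread. One family-neutral rule list keyed by FQDN drives everything, and the only per-family divergence is the ICMPv6 accept that an IPv6 host with a DROP policy cannot do without.

```shell
#!/bin/sh
# Added example for this page: derive the IPv4 and IPv6 rulesets from ONE
# family-neutral, FQDN-keyed rule list, emitting `ipset restore` and
# `iptables-restore`/`ip6tables-restore` input instead of running iptables
# once per rule. Not code from fw-admin, ferm or anyone on the list.
#
# Assumption: RESOLVED is a constructed stand-in for names resolved once,
# at generation time (e.g. `getent ahosts` against a local cache). As the
# thread says, netfilter never re-resolves; regenerate and reload when
# records change. Hostnames, addresses and set names are illustrative.

# Constructed resolution table: "fqdn family address"
RESOLVED='
www.example.net inet 192.0.2.10
www.example.net inet6 2001:db8::10
mail.example.net inet 192.0.2.25
mail.example.net inet6 2001:db8::25
legacy.example.net inet 192.0.2.99
'

# Family-neutral policy: "fqdn proto dport" -> allow proto/dport to that host
RULES='
www.example.net tcp 80
www.example.net tcp 443
mail.example.net tcp 25
legacy.example.net tcp 22
'

# lookup FQDN FAMILY -> that family's addresses for the name, one per line
lookup() {
    printf '%s\n' "$RESOLVED" | awk -v n="$1" -v f="$2" '$1 == n && $2 == f { print $3 }'
}

# set_name FQDN FAMILY -> ipset name (dots to underscores, <=31 chars, family suffix)
set_name() {
    case $2 in inet) sfx=v4 ;; inet6) sfx=v6 ;; *) return 1 ;; esac
    printf '%s_%s\n' "$(printf '%s' "$1" | tr '.' '_' | cut -c1-28)" "$sfx"
}

# emit_ipset FAMILY -> `ipset restore` input: one hash:ip set per FQDN
emit_ipset() {
    family=$1
    printf '%s\n' "$RULES" | awk 'NF { print $1 }' | sort -u | while read -r name; do
        setname=$(set_name "$name" "$family") || continue
        printf 'create %s hash:ip family %s\n' "$setname" "$family"
        # A name with no record in this family (legacy.example.net has no
        # AAAA) yields an empty set: the rule still loads and matches nothing.
        for addr in $(lookup "$name" "$family"); do
            printf 'add %s %s\n' "$setname" "$addr"
        done
    done
}

# emit_rules FAMILY -> iptables-restore (inet) / ip6tables-restore (inet6) input
emit_rules() {
    family=$1
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # The one place the families genuinely differ: an IPv6 host with a DROP
    # policy must still accept ICMPv6, or neighbour discovery stops working.
    if [ "$family" = inet6 ]; then
        printf -- '-A INPUT -p ipv6-icmp -j ACCEPT\n'
    fi
    printf '%s\n' "$RULES" | while read -r name proto port; do
        [ -n "$name" ] || continue
        setname=$(set_name "$name" "$family") || continue
        printf -- '-A INPUT -p %s --dport %s -m set --match-set %s dst -j ACCEPT\n' \
            "$proto" "$port" "$setname"
    done
    printf 'COMMIT\n'
}

# Generate and load (as root; sets must exist before the rules that reference them):
#   emit_ipset inet  > sets4  && emit_rules inet  > rules4
#   emit_ipset inet6 > sets6  && emit_rules inet6 > rules6
#   ipset restore < sets4 && iptables-restore  < rules4
#   ipset restore < sets6 && ip6tables-restore < rules6
```

Because the rules match on set names rather than literal addresses, a DNS change only requires regenerating and reloading the `ipset restore` file; the iptables-restore text stays identical. Loading order matters: `ipset restore` must run before the `iptables-restore` that references the sets, and each load is one atomic kernel commit, which is the speed difference the earlier replies refer to.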
* Re: Double stack IPv4&&IPv6 for a firewall
From: Amos Jeffries @ 2012-08-28 11:45 UTC (permalink / raw)
To: Arturo Borrero; +Cc: julien, netfilter
On 28/08/2012 8:55 p.m., Arturo Borrero wrote:
>> On 2012-08-24 19:46, Jan Engelhardt wrote:
>>> On Friday 2012-08-24 23:12, Arturo Borrero wrote:
>>>> You usually set your ruleset in this way:
>>>>
>>>> $IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024:
>>>> --dport
>>>> $SSH_PORT -j ACCEPT
>>> If you begin with something like this, no wonder it's all going slow,
>>> because you are needlessly reloading all the damn rules.
>>> That's why smart people use iptables-restore.
>>>
>> Oh, only about ~2000 times faster in my tests :p
>> http://www.slideshare.net/slideshow/embed_code/14051936?startSlide=22
> Well, but the problem of writing two different rulesets with the same
> info is still unsolved.
>
> And if you permit my point of view, I think it's harder to solve using
> iptables-restore than using bash and iptables/ip6tables (because of
> variables, the additional flexibility of bash, etc...)
>
> Maybe the point would be to generate with Bash an iptables-restore
> ruleset to load into the kernel, but not load the ruleset directly from
> Bash...
I use a wrapper generator called "ferm". It generates the
iptables/ip6tables once with a lot of flexibility, then uses
iptables-save/restore to operate the system.
AYJ
* Re: Double stack IPv4&&IPv6 for a firewall
From: Arturo Borrero @ 2012-08-28 12:08 UTC (permalink / raw)
To: Amos Jeffries; +Cc: julien, netfilter
On 28/08/12 13:45, Amos Jeffries wrote:
> I use a wrapper generator called "ferm". It generates the
> iptables/ip6tables once with a lot of flexibility, then uses
> iptables-save/restore to operate the system.
Reading the `ferm' documentation, it seems that the original issue is still
latent:
domain [ip|ip6]
You have to choose one of the two keywords, which forces you to write the
firewall twice.
Or am I wrong?
--
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
* Re: Double stack IPv4&&IPv6 for a firewall
From: Amos Jeffries @ 2012-08-28 12:21 UTC (permalink / raw)
To: Arturo Borrero; +Cc: julien, netfilter
On 29/08/2012 12:08 a.m., Arturo Borrero wrote:
> On 28/08/12 13:45, Amos Jeffries wrote:
>> I use a wrapper generator called "ferm". It generates the
>> iptables/ip6tables once with a lot of flexibility, then uses
>> iptables-save/restore to operate the system.
>
> Reading the `ferm' documentation, it seems that the original issue is
> still latent:
>
> domain [ip|ip6]
>
> You have to choose one of the two keywords, which forces you to write
> the firewall twice.
>
> Or am I wrong?
>
If you wish you can write "domain (ip ip6) { .. }", which expands the
.. rules list for both.
AYJ