Re: redesigning my firewall -- concepts and suggestions for a more structured layout

[Chris Brenton <cbrenton@chrisbrenton.org>]

On Fri, 2003-09-26 at 00:31, Alistair Tonner wrote:
>
> 	My firewall has over time 	
> 	modified and grown, and twiddled its way into a morass of rules that last
> 	week gave me utter fits when I inserted a rule in which I goofed, and b0rked
> 	the internal network filesharing system.  And couldn't see it right off as to 
> 	why ... 

One of the things I'm big on is testing policies when ever changes get
made. The old "nmap on one side, tcpdump on the other" to verify the
policy is what you expect it to be. I've caught a lot of nasty stuff
that way (like accidentally permitting the DNS on the DMZ to access
TCP/UDP 53 on all internal systems).

> 	I am endevouring to remake the basic "my multi-pc home lan needs
> 	a firewall" firewall into something more organized, and I intend, as an
> 	exercise to write it *cough* myself.  My question is .... given the above
> 	basic premise, and a DROP default policy across all chains, Is it more
> 	effcient, processing wise, to have all the rules in a flat line, or, since it
> 	can make things easier to debug, have it parsed up in user chains.

Unless you are talking a lot of rules (like a few hundred given decent
hardware) I think this is a personal choice. Really it comes down to
your thought process, is it liniar or multitask? If the former, keep the
rules in a row. If the latter, break them up what ever way makes the
most sense to you. The idea is to keep the rule base clear enough that
you don't shoot yourself in the foot. ;-)

> 	My logic is this.  I can break my network traffic flow into 6 directionally
> 	oriented chains ( internet to server, internet to lan, lan to server, lan to
> 	internet, server to internet, and server to lan) ... I *feel* that it makes
> 	better logical sense to setup user chains for each direction, and 
> 	*then* have, at the top of each directional chain a jump to a chain
> 	that handles things that go in all directions ( i.e. established related 
> 	and dns and things), then append rules that apply to that specific direction.

If this makes the most sense to you and will help you keep the flow
straight, do it this way. :-)

> 	From a system load perspective I recall that minimizing the number of rules
> 	a packet must traverse lowers load.  Does my logic fall down somehwere here
> 	that I am missing? 

Not at all. First off, this rule is a little fuzzy in that the break
point is at different spots for different firewalls. For example I've
seen a performance increase with Cisco IOS by reordering as few as 50
rules. I've reordered 500+ rules on Netscreen 1000's with no noticable
difference in performance.

The break point for Netscreen (in my experience) is around 150-200
rules. Hit that number of rules and it might make sense to reorder for
performance reasons. Your mileage may vary. 

Now with all that said, I think your idea makes a lot of sense and would
certainly help to minimize the number of rules that get processed.
Again, unless you are talking 150+ rules, the big thing you want to
focus on is setting up the rules in a way that makes sense to you. If
breaking it out by direction fits that for you, then that's the way to
go.

> 	Is the use of -m multiport to put several accepted ports into one rule an 
> 	imporovement in efficiency (a la fewer rules to traverse) or a burden based
> 	on something in the multiport code adding load?

Its a different purpose. If you are looking to process connection
establishment to multiple ports in a single rule, something like:
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 135:139 -j LOG
--log-prefix " MS_CRAP "

will do the trick. The multiport option is designed to match people
hitting multiple server ports, for example during a port scan.

> 	Please don't suggest any packages that setup rules for me.  I want the
> 	challenge of doing this m'self. (with a little input from the list of course)

Would not think of it. ;-)

One thing I would suggest however is a set of rules that makes the log
review process a bit easier however. I have a bunch of rules like this:

iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport
17300 -j LOG --log-prefix " KUANG2_SCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport
17300 -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j LOG
--log-prefix " SYNFINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j REJECT
--reject-with icmp-host-unreachable

Now each morning I run a cron job that is basically a bunch of grep
commands that puts all kang2 traffic in a single file, synfinscans in a
single file, etc. I then focus on the interesting stuff that is left
over that I don't have a label for. This makes log review go 8much*
faster.

HTH,
C