From: Eric Leblond <eric@regit.org>
To: John Lauro <johnalauro@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: PCI Compliance, gee fun.
Date: Tue, 13 Nov 2012 17:54:01 +0100
Message-ID: <1352825641.4597.6.camel@tiger2>
In-Reply-To: <CADGd2DpATp8nxpZyC_CU60xx42f1xJfcBGUFs6duB5zEP-U-bw@mail.gmail.com>
Hi,
On Tue, 2012-11-13 at 11:45 -0500, John Lauro wrote:
> You could do some sort of template to generate iptables-restore format
> and refresh it every so often (once an hour, or day).
It should be possible to use the --comment option and store the DNS name
used inside it. This will allow the information to be stored in the
iptables-save format. This will not fix the restoration but it could be
a good base for a conversion script.
BR,
> Yes, dynamic DNS is fairly common on application layer firewalls. That
> said, they don't run in the kernel and their resolvers are fairly good
> at caching that info... Running things through proxy servers or other
> things can allow you to make your rules use dns names there.
>
> PS: I would assume that the "DNS" requirement is only for external
> services that publish by DNS name only and not for internal services
> or gateway services that publish the IP to use outside of DNS.
>
>
> On Tue, Nov 13, 2012 at 11:32 AM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> > On Tue, Nov 13, 2012 at 11:18:55AM -0500, Greg Folkert wrote:
> >> I'm being told by my PCI QSA that IPTables supports DNS Names in kernel.
> >
> > You obviously know this is wrong.
> >
> >> He is forcing me to use "DNS Names" in my "iptables-restore" formatted
> >> save file. I am using a Fedora (FC2) based Firewall (with some updated
> >> packages to fix things)... it's quite old... (which they also don't like)
> >> using IPTables v1.2.9.
> >>
> >> The problem is, IPTables only deals with "IP Addresses" in its structure
> >> and doesn't have "dynamic" IP resolution and only resolves on
> >> "runtime/load". Now if I use "iptables-save" the file format does NOT in
> >> fact use DNS and only dumps the IP Address.
> >>
> >> What I need is the actual documentation that seems TERRIBLY hard to find
> >> on this very subject...
> >
> > The iptables(8) manual:
> > "
> > [!] -s, --source address[/mask][,...]
> > Source specification. Address can be either a network name, a
> > hostname, a network IP address (with /mask), or a plain IP
> > address. Hostnames will be resolved once only, before the rule
> > is submitted to the kernel. Please note that specifying any name
> > to be resolved with a remote query such as DNS is a really bad
> > idea. ...
> > "
> >
> > The iptables-restore(8) manual is very short and does not cover these
> > specifics, but it does refer to iptables in "SEE ALSO". And perhaps a
> > patch would be accepted. :)
> >
> >> He is also claiming that other firewall solutions (aka Proprietary, aka
> >> Cisco) "dynamically" resolve rules... which I believe is incorrect, as
> >> well.
> >
> > I don't know Cisco et al, but I don't see how this would be practical
> > without some kind of backend to monitor DNS for changes and update a
> > list of IP addresses.
> >
> > (You could do the same thing with iptables and ipset(8), FWIW, albeit
> > not so easily on your Fedorasaurus, of course.)
> >
> >> Please point me at some place I can find "authoritative" documentation
> >> for this situation for me to either "suck it up" or to give him direct
> >> docs for him to include in our Audit.
> >>
> >> Thanks. Hopefully I have stated the issue well enough.
> >
> > Good luck.
> > --
> > http://rob0.nodns4.us/ -- system administration and consulting
> > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
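A sketch of the conversion script Eric has in mind, written as an added example for this archive page (it is not code from the thread, from netfilter or from iptables). It assumes a comment convention of "dns-src=<name>" / "dns-dst=<name>" in each rule's --comment, and the iptables-save snippet and resolver table below are constructed so it runs offline; point it at a real save file and the default socket.gethostbyname to regenerate input for iptables-restore.

```python
import re
import socket
from typing import Callable, Iterable

# Assumed convention (not defined in the thread): a rule generated from a DNS
# name carries "dns-src=<name>" and/or "dns-dst=<name>" in its comment, so the
# iptables-save output keeps the name right next to the IP it resolved to.
TAG_RE = re.compile(r'--comment\s+"([^"]*)"')
NAME_RE = re.compile(r'dns-(src|dst)=([A-Za-z0-9.-]+)')
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
ADDR_RE = {
    "src": re.compile(r'(?P<opt>(?:-s|--source)\s+)(?P<ip>' + IPV4 + r')(?P<mask>/\d{1,2})?'),
    "dst": re.compile(r'(?P<opt>(?:-d|--destination)\s+)(?P<ip>' + IPV4 + r')(?P<mask>/\d{1,2})?'),
}

def refresh_rules(lines: Iterable[str],
                  resolve: Callable[[str], str] = socket.gethostbyname
                  ) -> tuple[list[str], list[str]]:
    """Re-resolve every tagged rule in iptables-save output.
    Returns (rewritten lines, warnings); a name that fails to resolve
    leaves the rule untouched, so a DNS outage never drops a rule."""
    out, warnings = [], []
    for line in lines:
        tag = TAG_RE.search(line)
        if tag:
            for which, name in NAME_RE.findall(tag.group(1)):
                try:
                    ip = resolve(name)
                except OSError as exc:  # socket.gaierror is an OSError
                    warnings.append(f"{name}: {exc}; keeping old address")
                    continue
                line, n = ADDR_RE[which].subn(
                    lambda m, ip=ip: m.group("opt") + ip + (m.group("mask") or ""), line)
                if n == 0:
                    warnings.append(f"{name}: rule has no {which} address: {line.strip()}")
        out.append(line)
    return out, warnings

# Constructed sample save file and a fixed resolver table for an offline demo.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 198.51.100.7/32 -p tcp --dport 22 -m comment --comment "dns-src=bastion.example.net" -j ACCEPT
-A OUTPUT -d 192.0.2.10 -p tcp --dport 443 -m comment --comment "dns-dst=payments.example.net" -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
COMMIT
"""
FAKE_DNS = {"bastion.example.net": "198.51.100.9", "payments.example.net": "192.0.2.44"}

def fake_resolve(name: str) -> str:
    if name not in FAKE_DNS:
        raise OSError(f"unknown host {name}")
    return FAKE_DNS[name]

if __name__ == "__main__":
    rules, warns = refresh_rules(SAMPLE_SAVE.splitlines(), fake_resolve)
    print("\n".join(rules))  # this is what you would feed to iptables-restore
    for w in warns:
        print("warning:", w)
```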
Thread overview: 4+ messages
2012-11-13 16:18 PCI Compliance, gee fun Greg Folkert
2012-11-13 16:32 ` /dev/rob0
2012-11-13 16:45 ` John Lauro
2012-11-13 16:54 ` Eric Leblond [this message]