
FireHOL

by on Apr.19, 2009, under Linux, Networking, Security Links

FireHOL is a nice and easy overlay for iptables, which means it lets you manage iptables without really learning its syntax: it provides a simple config file and a few scripts that do the work for you.

For a better description see the FireHOL homepage. This is not a firewall in the real meaning of the word, so if you need a full-scale solution you should consider something more powerful (e.g. a dedicated software or even hardware firewall). But if you are looking for a solid but simple solution for Linux, FireHOL is what you were looking for.

So first, what FireHOL can and cannot do. As FireHOL is basically just a way to write iptables entries, it has more or less the same possibilities and limitations. The iptables program is the way to access netfilter (which is part of the kernel), and FireHOL is just a simpler way to write the iptables access rules in the form of a simple config file. To give you the idea: iptables has "chains of rules", which means you can do something like ACL rules where several rules belong to one ACL. Three basic chains are predefined: INPUT, OUTPUT and FORWARD. The rules in these chains take an action (target) such as ACCEPT, REJECT or DROP, so this really is very similar to ACLs, just much more extensive. But there is one small problem (or advantage, if you want): iptables operates on L3 and L4 with all kinds of protocols, and the rules are held in one huge table, so things can get more than a little complex very easily. This makes it difficult to find your way around when a problem occurs. For example, a very simple config done in FireHOL (shown later) results in 139 lines of rules in iptables (you can use the command "iptables -L" to review your rules).
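To make a long generated ruleset easier to review, here is an added example (my own Python, not part of FireHOL or iptables) that parses the text `iptables -L -n` prints and summarises each chain: its default policy, its rule count and the TCP destination ports it ACCEPTs. The listing it parses is constructed for the example; the parser reads only the standard columns and the `dpt:` match, so rules using `multiport` or other matches would need it extended.

```python
"""Summarise an ``iptables -L -n`` listing per chain.

Added example, not FireHOL's or iptables' code: it parses the textual
listing of netfilter rules and reports, per chain, the default policy,
the number of rules and the TCP destination ports that are ACCEPTed, so
a long FireHOL-generated ruleset can be reviewed quickly.
"""
import re

# Constructed sample listing in the format ``iptables -L -n`` prints.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:443 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Built-in chains print "(policy X)", user-defined chains "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")
DPORT_RE = re.compile(r"\bdpt:(\d+)\b")


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if line.startswith("target") or current is None:
            continue  # column header, or text before the first chain
        # Columns: target prot opt source destination [match options...]
        fields = line.split(None, 5)
        chains[current]["rules"].append({
            "target": fields[0],
            "prot": fields[1],
            "source": fields[3],
            "destination": fields[4],
            "extra": fields[5] if len(fields) > 5 else "",
        })
    return chains


def accepted_tcp_ports(chains, chain="INPUT"):
    """Sorted TCP destination ports that some rule in `chain` ACCEPTs."""
    ports = set()
    for rule in chains.get(chain, {"rules": []})["rules"]:
        if rule["target"] == "ACCEPT" and rule["prot"] == "tcp":
            ports.update(int(p) for p in DPORT_RE.findall(rule["extra"]))
    return sorted(ports)


def summarise(chains):
    """One summary line per chain for a quick review of the ruleset."""
    lines = []
    for name, info in chains.items():
        ports = ",".join(str(p) for p in accepted_tcp_ports(chains, name))
        lines.append("%s: policy=%s rules=%d tcp_accept=%s" % (
            name, info["policy"], len(info["rules"]), ports or "-"))
    return lines


if __name__ == "__main__":
    for line in summarise(parse_listing(SAMPLE_LISTING)):
        print(line)
```

Run it against real output with `iptables -L -n | python3 review.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; the summary tells you at a glance whether a chain's default policy is DROP and which inbound ports actually got opened.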

So much for limitations and background. But what can FireHOL (iptables) actually do? Well, simply put, it can do almost everything: from a simple firewall protecting a single server up to a setup where it is the primary way to secure access between LAN, DMZ and WAN, thus relieving your overloaded router. The possibilities are really wide.

If you visit the main page of the FireHOL project you will notice that the last release is more than a year old, but that is only because there have been no changes in iptables or in any related piece of code.

This being said, there are a few bonuses which make FireHOL a better choice than plain iptables. As FireHOL is not a service it adds no overhead, but it adds a few perks iptables does not have (at least none I am aware of).

  • First is the command "firehol try", with which you can check that your config will not cut you off before committing the iptables chains.
  • Second is the command "firehol panic", which after a small config change cuts off all connections except a predefined ssh session, so in case of an attack you can effectively regain at least some control over your machine.
  • Third is the command "firehol helpme", which tries to guess what services are running on your server and even generates a sample config file you can use as a start.
  • Fourth and final is that FireHOL stores its config in a much nicer and more "human-readable" form than iptables.

So these are the advantages, and there is one more: if you need to manipulate iptables directly, you can do that. Unfortunately, when you regenerate the iptables rules with FireHOL those changes will be lost, so it may be a good idea to back up your manual changes with the "iptables-save" command.

So now that the dry theory is behind us, let's go for a quick and dirty setup of FireHOL as a simple server/PC workstation firewall.

As usual, firehol is a standard Debian package and after installation it will expect a config file in /etc/firehol, but as we have not yet created one there will be none. The point is that when you install FireHOL on Debian it is automatically added to the default runlevel, which means it will run automatically after boot, and if there were a sample config you could end up unable to connect to your box.

Well, step one is to su to root (as iptables is not accessible to common users) and run

charon:~# firehol helpme > firehol.conf

: firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
——————————————————————————–
FireHOL controls your firewall. You should want to get updates quickly.
Subscribe (at the home page) to get notified of new releases.
——————————————————————————–
FireHOL will now try to figure out its configuration file on this system.
Please have all the services and network interfaces on this system running.
Your running firewall will not be stopped or altered.
You can re-run the same command with output redirection to get the config
to a file. Example:
/sbin/firehol helpme >/tmp/firehol.conf

Building list of known services.
Please wait…
Press RETURN to start. [continue] >

— snip — snip — snip — snip —

charon:~#

This will result in a file firehol.conf with an estimate of your services and the rules they probably need.
As FireHOL is primarily intended to run on a router, the result may be quite different from what you expected.

# Date: Sun Apr 19 15:45:46 CEST 2009 on host charon
#
# The TODOs bellow, are YOUR to-dos!

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.1.88 of interface 'eth0'
### DEBUG: Is 192.168.1.88 part of network 192.168.1.0/24? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.1.88 (net: "192.168.1.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.1.88' if this is dynamically assigned.
interface eth0 interface1 src "192.168.1.0/24" dst 192.168.1.88

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "192.168.1.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server https accept
server ICMP accept
server ident accept
server ssh accept
server sunrpc accept

# The following eth0 server ports are not known by FireHOL:
# tcp/2222 tcp/44854 tcp/6998 udp/59836 udp/939
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site – http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

# The above 2 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don’t setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).

# No router statements have been produced, because your server
# is not configured for forwarding traffic.

This output is the best you can get. Sometimes (especially when you have more NICs or run in a slightly more complicated environment) you can also get a second interface (even though it is assigned the same IP and is the same eth device) with the ${UNROUTABLE_IPS} option. This option is there to avoid routing to IANA reserved address space. As all these options are irrelevant in my config, I can stick to just one interface (as the setup is not intended to route anything anywhere). After stripping the unnecessary comments and removing the src and dst parameters (which only means I have no trusted and untrusted network: everyone is untrusted), I end up with the following config.

interface eth0 Network_access

# default is DROP,polite is REJECT (no timeouts).
policy reject

protection strong

# Here are the services listening on eth0.
server https accept
server ICMP accept
#server ident accept
server ssh accept
#server sunrpc accept
# The following eth0 server ports are not known by FireHOL:
# tcp/2222 tcp/57004 udp/56542 udp/766

# The following means that this machine can REQUEST anything via eth0.
client all accept

Now you can notice that FireHOL was able to locate some services but was unable to create rules for them (as for my alternate ssh port 2222). So how do you add them? You have to define every single service at the beginning of the conf file. I will use my favourite, rtorrent, as an example.

# new service definition
# rtorrent
server_rtorrent_ports="tcp/6998:6999"
client_rtorrent_ports="any"

Adding a service is very straightforward, as you can see above: just define a name, protocol, server port range and client ports. If you need this explained in detail, have a look at this FireHOL page.

The last thing that can be a bit confusing is the server/client distinction. Server stands for any service running and accepting connections on certain ports (e.g. http: 80), whereas client is the term for connections started from the box itself, so using "any" is definitely a good idea unless you have defined all the source ports for every service you would like to use.
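As an added example (my own Python, not FireHOL's code), the following reads a config in the style shown above, collects the custom `server_<name>_ports` / `client_<name>_ports` definitions and the `server <name> accept` lines, validates the `proto/port` or `proto/low:high` syntax, and reports which protocol/port ranges the interface will accept inbound. The config it reads is constructed for the example, and the `BUILTIN` table is an assumed subset of FireHOL's built-in service list, not taken from the project.

```python
"""Resolve which inbound ports a FireHOL interface block will accept.

Added example, not part of FireHOL: it reads the custom service
definitions (server_<name>_ports / client_<name>_ports) and the
``server <name> accept`` lines of a config and returns the protocol/port
ranges that will be reachable, so the config can be cross-checked
against what a port scan later shows.
"""
import re

# Constructed config, modelled on the one shown in the post.
SAMPLE_CONFIG = """\
# new service definition
server_rtorrent_ports="tcp/6998:6999"
client_rtorrent_ports="any"

interface eth0 Network_access
    policy reject
    protection strong
    server https accept
    server ssh accept
    server rtorrent accept
    #server sunrpc accept
    client all accept
"""

# Assumed subset of FireHOL's built-in services (service -> server ports).
BUILTIN = {"ssh": "tcp/22", "https": "tcp/443", "http": "tcp/80",
           "sunrpc": "tcp/111 udp/111"}

DEF_RE = re.compile(r'^\s*(server|client)_(\w+)_ports="([^"]*)"\s*$')
SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(accept|reject|drop)\b')
SPEC_RE = re.compile(r'^(tcp|udp)/(\d+)(?::(\d+))?$')


def parse_port_spec(spec):
    """'tcp/6998:6999' -> [('tcp', 6998, 6999)]; 'any' -> []; else ValueError.

    Several space-separated specs are allowed, e.g. 'tcp/111 udp/111'.
    """
    ranges = []
    for token in spec.split():
        if token == "any":
            continue
        m = SPEC_RE.match(token)
        if not m:
            raise ValueError("bad port spec: %r" % token)
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError("port range invalid: %r" % token)
        ranges.append((m.group(1), lo, hi))
    return ranges


def parse_config(text):
    """Return ({service: {"server": spec, "client": spec}}, [(service, action)])."""
    defs = {}
    servers = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out lines do not open anything
        m = DEF_RE.match(line)
        if m:
            defs.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append((m.group(1), m.group(2)))
    return defs, servers


def accepted_server_ports(text):
    """Sorted (proto, lo, hi) ranges opened by ``server X accept`` lines.

    Raises KeyError for a service that is neither custom-defined nor in
    BUILTIN, which is exactly the case the post describes (port 2222).
    """
    defs, servers = parse_config(text)
    ranges = set()
    for name, action in servers:
        if action != "accept":
            continue
        if name in defs:
            spec = defs[name].get("server", "")
        elif name in BUILTIN:
            spec = BUILTIN[name]
        else:
            raise KeyError("unknown service %r: define server_%s_ports" % (name, name))
        ranges.update(parse_port_spec(spec))
    return sorted(ranges)


if __name__ == "__main__":
    for proto, lo, hi in accepted_server_ports(SAMPLE_CONFIG):
        print("%s/%d" % (proto, lo) if lo == hi else "%s/%d:%d" % (proto, lo, hi))
```

The resolved list is what you should expect a later scan to show as open on that interface; anything else reachable means a rule outside FireHOL's control, or a service you forgot was listening.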

There is one more security tweak I found somewhere on the internet:

policy drop
protection strong 10/sec 10

This 10/sec 10 option is not explained anywhere I looked, but my guess is that this is some sort of packet/timer ratio. Anyway, it has amazing results.
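The following added example (my own Python, not FireHOL's or netfilter's code) assumes, based on the FireHOL documentation rather than on anything in this post, that the two values after `protection strong` are a rate and a burst handed to netfilter's `limit` match for the flood protections, and that this match behaves as a token bucket: the bucket starts full with `burst` tokens, refills at `rate`, and a packet passes only if a token is available. The simulation shows what `10/sec 10` does to a burst, to a polite 5 packets/s stream and to a 100 packets/s flood; the arrival times are constructed.

```python
"""Token-bucket simulation of a ``rate/period burst`` packet limit.

Added example, not FireHOL's or netfilter's code.  It assumes (from the
FireHOL documentation, not from the post) that ``protection strong
10/sec 10`` means a rate of 10 packets per second with a burst of 10,
applied as a token bucket like netfilter's ``limit`` match.
"""


def parse_limit(rate_spec, burst):
    """'10/sec', 10 -> (tokens per second, burst)."""
    count, period = rate_spec.split("/")
    seconds = {"sec": 1, "second": 1, "min": 60, "minute": 60,
               "hour": 3600, "day": 86400}[period]
    return float(count) / seconds, int(burst)


class TokenBucket:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)  # starts full: the first `burst` packets pass
        self.last = 0.0

    def accept(self, now):
        """Return True if a packet arriving at time `now` (seconds) passes."""
        # Refill for the time elapsed, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrival_times, rate_spec="10/sec", burst=10):
    """Return (accepted, dropped) counts for packets at the given times."""
    rate, burst = parse_limit(rate_spec, burst)
    bucket = TokenBucket(rate, burst)
    accepted = sum(1 for t in sorted(arrival_times) if bucket.accept(t))
    return accepted, len(arrival_times) - accepted


def flood(n, duration):
    """Constructed arrival times: n packets evenly spread over `duration` s."""
    return [i * duration / n for i in range(n)]


if __name__ == "__main__":
    print("30 packets at once:     ", simulate(flood(30, 0)))
    print("50 packets over 10 s:   ", simulate(flood(50, 10)))
    print("1000 packets over 10 s: ", simulate(flood(1000, 10)))
```

A legitimate client that connects a few times a second never notices the limit, while a flood is clipped to roughly the burst plus the rate times the duration; that is also why a limit this low should be tried with `firehol try` first, since a busy public service can hit it.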

So after finishing the config, just issue "firehol try" and if everything seems to work (especially ssh) just type "commit", and the basic securing of the server is done.

And what will be the result? Below is an nmap scan of a server that is not running FireHOL, and under that the same server running it.

Without FireHOL (nmap, no parameters)

Not shown: 1695 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
179/tcp filtered bgp
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
993/tcp open imaps
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
1935/tcp open rtmp
8080/tcp open http-proxy
8443/tcp open https-alt
9999/tcp open abyss

And with FireHOL (nmap -A -v)

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd
993/tcp open ssl/imap Dovecot imapd

As you can see from the results, most of the services are hidden from a common scan. I hope this will help to secure your stations.
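A defender usually wants this before/after comparison done mechanically rather than by eye. The following added example (my own Python, not part of the post or of nmap) parses the `PORT STATE SERVICE` table nmap prints, lists the ports that were open before the firewall and are no longer open after it, flags any port open after that was not open before, and checks the post-firewall scan against an expected allow list. The two listings are constructed, abridged from the scans above.

```python
"""Compare two nmap port listings and report what a firewall hid.

Added example, not from the post or from nmap: it parses the
``PORT STATE SERVICE [VERSION]`` table of nmap's normal output and
diffs the open ports between a scan without and a scan with the
firewall, so only the intended services remain reachable.
"""
import re

# "21/tcp open ftp ProFTPD 1.3.1" -> port, proto, state, service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed listings, abridged from the two scans shown in the post.
BEFORE = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
135/tcp filtered msrpc
143/tcp open imap
993/tcp open imaps
8080/tcp open http-proxy
"""

AFTER = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd
993/tcp open ssl/imap Dovecot imapd
"""


def parse_ports(text):
    """Return {(port, proto): state} for every port line in an nmap table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def diff_scans(before, after):
    """Return (hidden, new_open): ports open before but not after, and
    ports open after that were not open before (unexpected exposure)."""
    b, a = parse_ports(before), parse_ports(after)
    hidden = sorted(k for k, s in b.items() if s == "open" and a.get(k) != "open")
    new_open = sorted(k for k, s in a.items() if s == "open" and b.get(k) != "open")
    return hidden, new_open


def check_expected(after, expected):
    """Open ports in `after` that are not in the expected allow set (should be empty)."""
    a = parse_ports(after)
    return sorted(k for k, s in a.items() if s == "open" and k not in expected)


if __name__ == "__main__":
    hidden, new_open = diff_scans(BEFORE, AFTER)
    print("hidden by firewall:", hidden)
    print("newly exposed:     ", new_open)
    allow = {(21, "tcp"), (25, "tcp"), (80, "tcp"), (993, "tcp")}
    print("open but not allowed:", check_expected(AFTER, allow))
```

Feed it the saved normal output of two scans (`nmap -oN before.txt host` and the same after `firehol start`); a non-empty `new_open` or `check_expected` result is the thing to investigate before calling the box secured.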
TNK
