On 03/13/2017 08:58 PM, David Christensen wrote:
> With a "pull" arrangement (e.g. the server backs up all the
> workstations) -- if a workstation gets compromised, the backups should
> be safe (and might have clues about the intrusion).
On 03/17/2017 10:16 PM, David Christensen wrote:
> The backup server can be firewalled with no incoming ports and
> outgoing ports limited to SSH and other required ports.
I spent some time with my Debian 7.11 amd64 backup server and Firewall
Builder today.
I had previously created a firewall using the Firewall Builder wizard
and a template. Trying again today, I see a "Create New Firewall" icon
-> iptables, Linux 2.4/2.6, "Use preconfigured firewall templates", "Use
standard template objects" -> "host fw template 1" (workstation with
single interface, dynamic IP, incoming SSH allowed). The created policy
looks more sophisticated than what I obtained in the past.
Starting with my old, existing policy that gave me incoming firewalling,
I tried adding outgoing firewalling. After several edit/compile/test
cycles, this is what I ended up with:
Group 0
  Source       backup
  Destination  Any
  Service      Any
  Interface    LAN
  Direction    Inbound
  Action       Deny
  Time         Any
  Options      log
  Comment      anti spoofing rule
This policy denies incoming connections on the LAN interface that claim
to come from the host IP.
Group 1
  Source       backup
  Destination  Any
  Service      ICMP ping request, TCP ssh, UDP domain, UDP ntp
  Interface    LAN
  Direction    Outbound
  Action       Accept
  Time         Any
  Options      (none)
  Comment      (none)
This policy accepts outgoing ping, SSH, DNS, and NTP on the LAN
interface coming from the host IP.
Group 2
  Source       Any
  Destination  backup
  Service      ICMP ping request
  Interface    LAN
  Direction    Inbound
  Action       Accept
  Time         Any
  Options      (none)
  Comment      (none)
This policy accepts incoming ping on the LAN interface destined for the
host IP.
Group 3
  Source       Any
  Destination  Any
  Service      Any
  Interface    loopback
  Direction    Both
  Action       Accept
  Time         Any
  Options      (none)
  Comment      (none)
This policy accepts all connections on the loopback interface.
Group 4
  Source       Any
  Destination  Any
  Service      Any
  Interface    Any
  Direction    Both
  Action       Deny
  Time         Any
  Options      log
  Comment      (none)
This policy denies anything that doesn't match any of the above.
My backup server can now find other hosts (DNS), ping them, and pull
backups via SSH/rsync. My LAN hosts can ping the backup server, but
nmap can find no open incoming ports:
2017-03-31 17:38:32 dpchrist@jesse ~
$ nmap -A -Pn backup
Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-31 17:38 PDT
Nmap scan report for backup (<redacted>)
Host is up.
rDNS record for <redacted>: backup.holgerdanske.com
All 1000 scanned ports on backup (<redacted>) are filtered
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.62 seconds
On 03/17/2017 10:16 PM, David Christensen wrote:
> I still need to figure out the "other required outgoing ports".
On 03/22/2017 03:35 AM, Dan Purgert wrote:
> Unfortunately, pretty much "all ephemeral ports", if the server is
> running things that initiate connections. Some programs allow you to
> specify what ports they're connecting from, but not all.
On 03/22/2017 03:45 AM, to...@tuxteam.de wrote:
> That's what ESTABLISHED is for, in firewall jargon (you accept packets
> belonging to an established TCP connection).
The key is "stateless" vs. "stateful" firewalls:
https://en.wikipedia.org/wiki/Stateful_firewall
Linux/iptables implements a stateful firewall.
Firewall Builder provides a "stateless" option (among others) for each
policy.
Any suggestions or comments?
David
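As an added example (not from this thread and not Firewall Builder's compiled output), the five groups above written by hand as an iptables-restore ruleset, with the ESTABLISHED,RELATED state rule that makes the "all ephemeral ports" question go away. The interface name (LAN_IF) and the host address (HOST_IP, a documentation-range address) are assumptions.

```shell
#!/bin/sh
# Hand-written iptables-restore ruleset mirroring the five Firewall Builder
# groups in the post, plus stateful ESTABLISHED,RELATED rules.  LAN_IF and
# HOST_IP are assumptions (documentation address), not values from the thread.
LAN_IF="${LAN_IF:-eth0}"
HOST_IP="${HOST_IP:-192.0.2.10}"

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Group 3: accept everything on loopback, both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Group 0: anti-spoofing, placed before the state rule so a spoofed packet
# can never be accepted as part of a tracked connection
-A INPUT -i $LAN_IF -s $HOST_IP -j LOG --log-prefix "fw-spoof: "
-A INPUT -i $LAN_IF -s $HOST_IP -j DROP
# Stateful: accept packets belonging to connections this host initiated
# (TCP, UDP and ICMP are all tracked), so replies to the outgoing services
# below need no per-port rules on the ephemeral side
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Group 2: incoming ping on the LAN interface
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# Group 1: outgoing ping, ssh (rsync over ssh), dns, ntp on the LAN interface
-A OUTPUT -o $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $LAN_IF -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 123 -j ACCEPT
# Group 4: log whatever falls through; the DROP chain policies then deny it
-A INPUT -j LOG --log-prefix "fw-deny-in: "
-A OUTPUT -j LOG --log-prefix "fw-deny-out: "
COMMIT
EOF
}

# Number of rules appended to a chain, so the generated policy can be
# sanity-checked without root or a kernel.
rule_count() {
    gen_rules | grep -c "^-A $1 "
}

# Print the ruleset; load it (as root) with: gen_rules | iptables-restore
gen_rules
```

Review the printed ruleset before loading it; a default DROP on OUTPUT with a wrong LAN_IF leaves the host unable to resolve, sync or log remotely.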