[Server-devel] firewalling/nocat

Jerry Vonau jvonau at shaw.ca
Wed Sep 30 11:08:07 EDT 2009


On Wed, 2009-09-30 at 11:22 +0200, Martin Langhoff wrote:
> On Tue, Sep 29, 2009 at 9:39 PM, Jerry Vonau <jvonau at shaw.ca> wrote:
> > I've worked up what I think the basic layout of what the firewall rules
> > need to look like that would be used with nocat's access.fw I've
> 
> Hey, that looks good! Haven't tested it either, but it reads logical
> and right to my eyes.
> 
> One thing to note is that (if I understand this correctly) the way you
> are working on it works by allowing/disallowing NAT. So far, so good.
> 
> If we enable an HTTP proxy, this will require a bit of additional
> trickery... options I can see
> 
> 1 - "local" HTTP traffic bypasses the proxy, and we use the 'NoCat'
> chains to allow/block access to the proxy. This way we can keep the
> proxy config simple and "unaware" of our access control.
> 
That is built-in: the redirect rules kick in when the web request falls
outside of the XS's private LAN (172.18.0.0/16), so HTTP requests to the
XS itself are excluded from the proxy. What to feed access.fw, or adding
that code in, is left for further development at this point. The access
is based on the class membership given when calling access.fw:
"Owners" have full unrestricted access (mark 1)
"Members" have HTTP access via the proxy and general web access except
for sending mail (mark 2)
"Public" just have access to the proxy (mark 3)

If you don't fit into a class above, no net access (mark 4), but the
school server is reachable. This has me a bit worried: if you configure
a browser to use the proxy, that would presently be allowed, but is
fixable. For XOs I think we would want to use "Public", but there may be
teachers/administrators that could make use of "Owner" or "Public".

Could also force any name-server traffic to use the local XS
name-server, to enable filtering there also.

> 2 - We involve the proxy in our access control. Pain ensues. Gangrene
> starts to set in, doctor recommends amputation...
> 

Of the brain? jk.. ;-)

> > I have not tested this yet... (I need sleep now..) Just looking for
> > feedback at this point. Just wondering since the hood is up, should we be
> > looking to lock down the services a bit?
> 
> Yes, that would be a good idea. From a "strictly XS" PoV, I'd say we want
> 
>  - eth0: ssh
>  - lanbond0 / meshbond[0-2]: 8080 (registr), 80, ssh, jabber,
> 
Will add that in..

> but but... it would also be nice if the area of the rules defining the
> services allowed stands out clearly, so a local admin can see where to
> add a line to open a port, without having to grok our evil scheme.
> 
Yea, think I'll add the iptables-xs.in back in, but more for user-defined
rules, with the above rules as a guide.

> Anyway -- you probably have thought of this and more. Time to get out
> of your way...
> 
> 
> 
> m
Give me a bit to see what I can cook up.

Jerry
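Added example, not code from the XS or NoCat projects: a small generator that prints (rather than runs) the iptables rules the class/mark scheme in the message above implies. The proxy port, XS name-server address, interface name and the chain name "NoCat" are assumptions; the 172.18.0.0/16 LAN and the class marks 1-4 are taken from the message.

```shell
#!/bin/sh
# Added example, not XS/NoCat project code: print the iptables rules implied by
# the Owner/Member/Public/none class marks. Assumed values are marked below.
XS_LAN=172.18.0.0/16    # XS private LAN (from the message): never proxied
PROXY_PORT=3128         # assumed transparent-proxy listener on the XS
XS_DNS=172.18.0.1       # assumed XS name-server address
LAN_IF=lanbond0         # assumed client-facing interface

# Class name -> packet mark, as listed in the message.
class_mark() {
  case "$1" in
    Owner)  echo 1 ;;
    Member) echo 2 ;;
    Public) echo 3 ;;
    *)      echo 4 ;;   # no class: no net access, XS itself still reachable
  esac
}

# Per-client rules for IP $1 in class $2: set the mark in mangle/PREROUTING
# and steer its DNS to the XS resolver so filtering can happen there.
client_rules() {
  mark=$(class_mark "$2")
  echo "iptables -t mangle -A NoCat -i $LAN_IF -s $1 -j MARK --set-mark $mark"
  echo "iptables -t nat -A NoCat -i $LAN_IF -s $1 -p udp --dport 53 ! -d $XS_LAN -j DNAT --to-destination $XS_DNS"
}

# Per-class policy, emitted once per mark. Redirects live in nat/PREROUTING,
# access control in filter/FORWARD; the XS's own INPUT chain is untouched, so
# the school server stays reachable for every class. (Blocking mark-4 clients
# that point a browser at the proxy explicitly would need an INPUT rule too.)
class_policy() {
  case $1 in
    1) echo "iptables -A NoCat -m mark --mark 1 -j ACCEPT" ;;
    2) echo "iptables -t nat -A NoCat -m mark --mark 2 -p tcp --dport 80 ! -d $XS_LAN -j REDIRECT --to-ports $PROXY_PORT"
       echo "iptables -A NoCat -m mark --mark 2 -p tcp --dport 25 -j REJECT"   # no direct mail
       echo "iptables -A NoCat -m mark --mark 2 -j ACCEPT" ;;
    3) echo "iptables -t nat -A NoCat -m mark --mark 3 -p tcp --dport 80 ! -d $XS_LAN -j REDIRECT --to-ports $PROXY_PORT"
       echo "iptables -A NoCat -m mark --mark 3 -j DROP" ;;                    # proxy only
    *) echo "iptables -A NoCat -m mark --mark 4 -j DROP" ;;                    # no net access
  esac
}

# Constructed sample clients inside the XS LAN.
for m in 1 2 3 4; do class_policy $m; done
client_rules 172.18.96.10 Owner
client_rules 172.18.96.11 Member
client_rules 172.18.96.12 Public
```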
