* Diskless and Firewall
@ 2010-04-01 10:25 Khaled Hussein
  2010-04-01 12:18 ` /dev/rob0
  2010-04-01 14:20 ` Roman Fiedler
  0 siblings, 2 replies; 6+ messages in thread
From: Khaled Hussein @ 2010-04-01 10:25 UTC (permalink / raw)
  To: netfilter

Dear All, 

I am running a machine with diskless boot; it is running CentOS. I have a
problem with iptables: when I restart iptables I lose the connection to the
NFS server, so I lose my hard disks and the machine becomes unreachable.
This happens when I use DROP as the default policy on the INPUT, OUTPUT and
FORWARD chains. I tried to use the mangle table with a default ACCEPT on
these chains, but it was the same unless I changed the default policy to
ACCEPT on the above chains. So is there any way to avoid this problem?

Thanks to all 


Best Regards,
==========================
Khaled J. Hussein
Senior System Engineer
Bisan Systems Ltd.
Tel: +970-22985941
Fax: +970-22985942
Web: www.bisan.com
Email: khaled@bisan.com
========================== 




*************
This  message has been scanned for viruses and dangerous content by Bisan Systems Ltd  MailScanner, and is believed  to be clean. Bisan Systems Ltd  does  not  represent  that  any  attachment  is free from computer viruses or defects and the user assumes all responsibility  for any  loss, damage  or  consequence  resulting  directly  or  indirectly  from  the use of any attachment. The information  contained  in  any  email  does not necessarily  reflect the views of Bisan systems or any other related entities or persons.



* Re: Diskless and Firewall
  2010-04-01 10:25 Diskless and Firewall Khaled Hussein
@ 2010-04-01 12:18 ` /dev/rob0
  2010-04-01 12:32   ` Jan Engelhardt
  2010-04-01 14:20 ` Roman Fiedler
  1 sibling, 1 reply; 6+ messages in thread
From: /dev/rob0 @ 2010-04-01 12:18 UTC (permalink / raw)
  To: netfilter

On Thu, Apr 01, 2010 at 01:25:47PM +0300, Khaled Hussein wrote:
> I am running a machine with diskless boot; it is running CentOS.
> I have a problem with iptables: when I restart iptables I lose the
> connection to the NFS server, so I lose my hard disks and the machine
> becomes unreachable. This happens when I use DROP as the default
> policy on the INPUT, OUTPUT and FORWARD chains. I tried to use the
> mangle table with a default ACCEPT on these chains, but it was the
> same unless I changed the default policy to ACCEPT on the above
> chains. So is there any way to avoid this problem?

1. Point gun away from foot (and other body parts)
2. [Optional] Pull trigger

rob0 rule of thumb: If you need to ask for help to make it work, you 
do not need OUTPUT filtering. Just say ACCEPT.

You cannot possibly secure a diskless boot system from possible 
attack by its rootfs NFS server. The idea of firewall limits between 
a system and its rootfs is ... silly. So also ACCEPT everything from 
the NFS server, in INPUT.

See "man iptables" and Netfilter packet flow diagrams (Wikipedia has 
one) to see why policies in the mangle table do not override your 
policies in the filter table.

> ==========================
> Khaled J. Hussein
> Senior System Engineer
> Bisan Systems Ltd.

Happy April Fools Day to you, too.

> Tel: +970-22985941
> Fax: +970-22985942
> Web: www.bisan.com
> Email: khaled@bisan.com
> ========================== 
> 
> 
> 
> 
> *************
> This message has been scanned for viruses and dangerous content by 
> Bisan Systems Ltd MailScanner, and is believed to be clean. Bisan 
> Systems Ltd does not represent that any attachment is free from 
> computer viruses or defects and the user assumes all responsibility 
> for any loss, damage or consequence resulting directly or 
> indirectly from the use of any attachment. The information 
> contained in any email does not necessarily reflect the views of 
> Bisan systems or any other related entities or persons.

And many thanks for that, as well. At least it doesn't have the 
offensively silly aspects of other email disclaimers.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header


* Re: Diskless and Firewall
  2010-04-01 12:18 ` /dev/rob0
@ 2010-04-01 12:32   ` Jan Engelhardt
  0 siblings, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2010-04-01 12:32 UTC (permalink / raw)
  To: netfilter


On Thursday 2010-04-01 14:18, /dev/rob0 wrote:
>On Thu, Apr 01, 2010 at 01:25:47PM +0300, Khaled Hussein wrote:
>> it is running CentOS,

Problem #1 :)

>> when i restart iptables i lost connection with NFS server

Not using iptables-restore, eh?

>1. Point gun away from foot (and other body parts)

Recoil might still do harm.

>2. [Optional] Pull trigger
>
>rob0 rule of thumb: If you need to ask for help to make it work, you 
>do not need OUTPUT filtering. Just say ACCEPT.

"Just say no to dru.. DROP.", hm? :)



* Re: Diskless and Firewall
  2010-04-01 10:25 Diskless and Firewall Khaled Hussein
  2010-04-01 12:18 ` /dev/rob0
@ 2010-04-01 14:20 ` Roman Fiedler
  2010-04-03  7:28   ` Khaled Hussein
       [not found]   ` <1270279479.3340.1.camel@khaled-laptop>
  1 sibling, 2 replies; 6+ messages in thread
From: Roman Fiedler @ 2010-04-01 14:20 UTC (permalink / raw)
  To: Khaled Hussein; +Cc: netfilter

Khaled Hussein wrote:
> Dear All,
> 
> I am running a machine with diskless boot; it is running CentOS. I have a problem with iptables: when I restart iptables I lose the connection to the NFS server, so I lose my hard disks and the machine becomes unreachable. This happens when I use DROP as the default policy on the INPUT, OUTPUT and FORWARD chains. I tried to use the mangle table with a default ACCEPT on these chains, but it was the same unless I changed the default policy to ACCEPT on the above chains. So is there any way to avoid this problem?

I had the same problem with an autosetup thingy recently. I think that the following fixed the problem for me (and not something else that I overlooked while tuning the configs):

* Set conntrack liberal globally (via proc)

* Load a minimal iptables set with ACCEPT on all chains (which is as secure as having no rules, like before, so nothing is lost)

* Make sure to have traffic on all connections you want to keep alive; netfilter seems to create conntrack entries for them (you might use the conntrack tools for the same work also). In your case you might open a file you haven't read yet to force NFS traffic.

* Switch to your final ruleset, which has a --state ESTABLISHED -j ACCEPT at the beginning of each chain (I loaded it with iptables-restore to avoid glitches that might kill a connection)

* Disable conntrack liberal

The final rules were strict, with output filtering and stateful connection tracking.

Hope this is helpful,

-- 
Roman Fiedler
Safety & Security Department
Information Management & eHealth

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1  |  8020 Graz  |  Austria
T +43(0) 316 586570-63  |  M +43(0) 664 8251194  |  F +43(0) 316 586570-12
roman.fiedler@ait.ac.at <mailto:roman.fiedler@ait.ac.at> | http://www.ait.ac.at <http://www.ait.ac.at/>
http://www.ait.ac.at/eHealth/ <http://www.ait.ac.at/eHealth/>

FN: 115980 i HG Wien  |  UID: ATU14703506
This email and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient, please notify the sender by return e-mail or by telephone and delete this message from your system and any printout thereof. Any unauthorized use, reproduction, or dissemination of this message is strictly prohibited. Please note that e-mails are susceptible to change. AIT Austrian Institute of Technology GmbH shall not be liable for the improper or incomplete transmission of the information contained in this communication, nor shall it be liable for any delay in its receipt.
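The cut-over Roman describes, combined with rob0's advice to ACCEPT the rootfs NFS server outright in INPUT and to put the stateful rule in the filter table (where DROP policies in the filter table are actually evaluated; mangle policies do not override them), scripted as an added example. This is not code from the thread or from any of its authors. It assumes, beyond what the thread states, an IPv4-only client, that the NFS server address is passed as the first argument, and that rulesets are loaded atomically with iptables-restore; the two be_liberal proc paths are the ones Roman gives in his later reply, and whichever exists on the running kernel is written.

```shell
#!/bin/sh
# Added example, not from the thread: the five-step cut-over for a diskless
# client whose root filesystem lives on NFS.
# Assumptions (not in the thread): IPv4 only, NFS server address in $1,
# rulesets applied with iptables-restore, script run as root.

# Step 2 ruleset: accept everything. Loading this first is as safe as having
# no rules at all, which is the state the box boots in anyway.
permissive_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Step 4 ruleset: strict DROP policies. The ESTABLISHED,RELATED rule is the
# first rule of every chain so the already-tracked NFS flows survive the
# switch, and the rootfs server is accepted outright in INPUT and OUTPUT
# (rob0's point: there is nothing to gain from filtering your own rootfs).
strict_ruleset() {
    nfs="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s $nfs -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $nfs -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Steps 1 and 5: toggle tcp_be_liberal via the proc paths Roman names.
# With it set to 1, conntrack accepts TCP segments of flows it did not see
# from the SYN, so existing NFS-over-TCP sessions get conntrack entries.
set_tcp_liberal() {
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal \
             /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; do
        [ -w "$f" ] && echo "$1" > "$f"
    done
    return 0
}

# Guard: every chain with a DROP policy must carry an ESTABLISHED accept,
# otherwise loading the ruleset is exactly the foot-shot from the thread.
ruleset_is_safe() {
    for chain in INPUT OUTPUT FORWARD; do
        if printf '%s\n' "$1" | grep -q "^:$chain DROP" &&
           ! printf '%s\n' "$1" | grep -q "^-A $chain -m state --state ESTABLISHED"; then
            return 1
        fi
    done
    return 0
}

cutover() {
    nfs="$1"
    rules=$(strict_ruleset "$nfs")
    ruleset_is_safe "$rules" || { echo "refusing to load unsafe ruleset" >&2; return 1; }
    set_tcp_liberal 1                       # step 1: let conntrack adopt mid-stream flows
    permissive_ruleset | iptables-restore   # step 2: accept-all, conntrack now sees traffic
    ls / /etc >/dev/null                    # step 3: force NFS traffic on the rootfs mount
    sleep 2
    printf '%s\n' "$rules" | iptables-restore   # step 4: atomic switch to the strict rules
    set_tcp_liberal 0                       # step 5: back to normal TCP window checking
}

# Usage on a real diskless box (as root): cutover 192.0.2.10
```

The ruleset_is_safe check is the part worth keeping even if you hand-edit the rules later: it refuses any ruleset where a chain has a DROP policy but no ESTABLISHED accept, which is precisely the configuration that cut the original poster off from his root filesystem.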


* Re: Diskless and Firewall
  2010-04-01 14:20 ` Roman Fiedler
@ 2010-04-03  7:28   ` Khaled Hussein
       [not found]   ` <1270279479.3340.1.camel@khaled-laptop>
  1 sibling, 0 replies; 6+ messages in thread
From: Khaled Hussein @ 2010-04-03  7:28 UTC (permalink / raw)
  To: Roman Fiedler; +Cc: netfilter

Dear Roman, 

How can I set conntrack liberal globally (via proc)?


Best Regards,
==========================
Khaled J. Hussein
Senior System Engineer
Bisan Systems Ltd.
Tel: +970-22985941
Fax: +970-22985942
Web: www.bisan.com
Email: khaled@bisan.com
========================== 


On Thu, 2010-04-01 at 16:20 +0200, Roman Fiedler wrote: 
> Khaled Hussein wrote:
> > Dear All,
> > 
> > I am running a machine with diskless boot; it is running CentOS. I have a problem with iptables: when I restart iptables I lose the connection to the NFS server, so I lose my hard disks and the machine becomes unreachable. This happens when I use DROP as the default policy on the INPUT, OUTPUT and FORWARD chains. I tried to use the mangle table with a default ACCEPT on these chains, but it was the same unless I changed the default policy to ACCEPT on the above chains. So is there any way to avoid this problem?
> 
> I had the same problem with an autosetup thingy recently. I think that the following fixed the problem for me (and not something else that I overlooked while tuning the configs):
> 
> * Set conntrack liberal globally (via proc)
> 
> * Load a minimal iptables set with ACCEPT on all chains (which is as secure as having no rules, like before, so nothing is lost)
> 
> * Make sure to have traffic on all connections you want to keep alive; netfilter seems to create conntrack entries for them (you might use the conntrack tools for the same work also). In your case you might open a file you haven't read yet to force NFS traffic.
> 
> * Switch to your final ruleset, which has a --state ESTABLISHED -j ACCEPT at the beginning of each chain (I loaded it with iptables-restore to avoid glitches that might kill a connection)
> 
> * Disable conntrack liberal
> 
> The final rules were strict, with output filtering and stateful connection tracking.
> 
> Hope this is helpful,
> 





* Re: Diskless and Firewall
       [not found]   ` <1270279479.3340.1.camel@khaled-laptop>
@ 2010-04-06  7:41     ` Roman Fiedler
  0 siblings, 0 replies; 6+ messages in thread
From: Roman Fiedler @ 2010-04-06  7:41 UTC (permalink / raw)
  To: Khaled Hussein; +Cc: netfilter

Khaled Hussein wrote:
> Dear Roman, 
> 
> How can I set conntrack liberal globally (via proc)?

You can do it using:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

I only use these settings for a short moment, so I don't know
exactly what the difference between both controls is. I set
them back to 0 as soon as possible.

Best Regards,
Roman

> Best Regards,
> ==========================
> Khaled J. Hussein
> Senior System Engineer
> Bisan Systems Ltd.
> Tel: +970-22985941
> Fax: +970-22985942
> Web: www.bisan.com
> Email: khaled@bisan.com
> ========================== 

