Bridging Firewalls

BRIDGING FIREWALLS

Why a bridging firewall?
Hardware
Software
working
Putting it together
Conclusion
Links

Why a bridging firewall?
Excellent question.

Firstly, we needed a firewall. Having a network directly accessible by the world in general is suicide. Our network is filled with a diverse array of machines, of different eras, operating systems and versions. We can't keep up with the security patches on everything and while we try to, some things slip through the cracks. We get sucessfully hacked about once every six months which is a pretty poor record, plus there are countless attacks on the system. Sure, a firewall is not the be all and end all of security, but it would have stopped most of the attempts and on the attempts that were successful, it probably would have lessened the impact.

With firewalls, you have various options. If you are setting up a network from scratch, its easy, you can configure things around the firewall. However, our network is well established and has about six hundred machines sitting on it. None of us were keen on going around to every machine and reconfiguring it.

We do not handle our own gateways, they are handled by the University's Communication Services. While we can take over control of them if we need to, its much easier to leave that responsibility with UCS.

The solution was a nifty thing called a bridging firewall. The firewall itself is transparent on the network. It just sits in between two points on the network and does the firewalling. You don't need to change any network settings, don't need to reconfigure any machine and if something goes horribly wrong, you can pull the firewall out just by changing patch leads. This had a lot of appeal to me.

What hardware do I need?
Another big attraction of the bridging firewall is you don't need anything too special to run it on. Currently I've got three systems, two in production and one for testing. The testing machine is a Celeron 366Mhz, 64Mb RAM and a 10G disk. One of the production machines is a 400Mhz Pentium II, 128Mb RAM and a 4G HD; the other is a 1Ghz Celeron, 256Mb RAM and a 40G disk. Definately nothing out of the ordinary.

My production computers each have three network cards in it while my test system has two. I'm currently using Intel Pro 100 adaptors. When I started this, I tried the DEC Tulip cards, but I was running into problems them. The first one I tried was hardwired to 10Mb/s, half duplex, which is not good if you're after as much throughput as possible. The next card worked well, but the system locked up when the bridging code was loaded and I traced that back to the tulip module. It was easier to stop using the card rather than try to figure out where the problem was. Finally, I do have a 10Mb 3Com 3C590 NIC in one machine as a controller card, but more on that later.

And what software?
I'm using Linux. Redhat 7.1 on one machine and 7.3 on the other two. The firewalling code I'm using is IPTables, so if you want to use that, you'll need a kernel of at least 2.4 or later. My first production machine is still running 2.4.17 as that was the latest stable release at the time, but now I've moved up to version 2.4.18. On top of that, before you compile the kernel, you'll need to patch it with some code. But there is more on that later.

How do I get it working?
Ok, here is my little walk-through of installing the bridging firewall. It assumes you have a vague idea of linux, but you don't need an advanced understanding.

Get your hardware. You can run a bridge on one network card, but in my opinion that defeats the purpose. If you use two network cards you can have an input and output card on your bridge - this is ideal, but if you use three network cards you can have an input, an output and an interface card that you can connect to your machine remotely on - very handy, but may be a security risk if you don't watch it very carefully.

Install linux. These instructions were written for RedHat 7.1, kernel 2.4.2, because that is what I had at the time, but have been updated for 7.3 which is what I'm currently using.

When you install linux, go for a minimalistic install, you don't need all the fancy things. This is suppose to be a locked down machine.

Once linux is installed, disabled all the unnecessary stuff. In my case, I used ntsysv to disabled "APMD, gmp, kudzu, lpd, nfs, portmap, sendmail, xinetd". You may also get rid of "sshd" if you're not running an extra network card (You can't connect to the machine can you?) :}

Grab the latest kernel - I used 2.4.18 and uncompress it. I use /usr/src to store all my kernel code. I think thats the default place

# bzip2 -dc linux-2.4.18.tar.bz2 | tar -xvf -

Something to be aware of here. If you're using RedHat 7.3, that ships with Kernel 2.4.18. I have been told that compiling and installing the same version kernel as the running kernel can cause major headaches. To try and minimise this, I downgraded my kernel to 2.4.17, then compilied 2.4.18 from that. It may be an unnecessary step, but I prefer to be safe.

Create a symbolic link for the linux kernel, so you have things identified as the kernel version instead of just the generic name "linux"

# mv linux linux-2.4.18

# ln -s linux-2.4.18 linux

Next up you've got the fun task of patching things. There are four patches you need
- bridge-nf-0_0_7-against-2_4_18.diff - Essential netfilter bridge patch
- 00_dont_listen_for_nostp.diff
- 01_refix_port_state_handling.diff
All of these are available from the bridge sourceforge download page (
http://bridge.sourceforge.com). You'll notice I haven't linked in the files, this is because they are likely to change, so its better to get the most recent ones from the web page as well as check for any new releases
Patching the kernel is deceptively simple. I put the .diff files into /usr/src/linux, then type the following:
When you do this, you'll probably notice that one hunk of the bridge-nf patch failed, this is because that part has already been compilied into the kernel. Don't worry about it.

Now you've got the fun bit of making the kernel before you build it. For this, I use the following commands

# make mrproper

# make xconfig

A little window will appear and you get to make choose what you want to go into your kernel, this can be a little daunting at first. There are lots of options and it all seems confusing at first. Below I give a list of what options I chose, these may change in your situation.

[Processor Type]	Processor type	Set this to the correct processor
[General]	Support for hot pluggable devices	Disable
[Plug & Play]	Plug and play support ISA Plug and play	Module Module
[Networking]	Network packet filtering	Yes
[IP:Netfilter Configuration] (Submenu)	Everything as a module except "Full NAT" and "Packet Mangling"
[SCSI Support]	Set to modules
[Network device]	In the [10/100 ethernet] select your card(s) as modules
[File Systems]	DOS FAT Support Microsoft Juliet CDROM extenstions	Module Yes
[Network File Systems] (Submenu)	Put anything you don't think you'll need as a module (just in case you do need it)
[Sound]	Disabled
[USB]	Disabled
[Code Maturity Level options]	Prompt for development and/or incomplete drivers	Yes
[Networking]	802.1d Ethernet Bridging Netfilter (Firewall) support	Module Yes

Save and exit your changes.
I found it was easiest to revisit the network module with the development driver option turned on because that stopped me from accidently turning on one of the other experiemental changes on the other choices.
To compile the kernel and impliment the kernel I used the following commands
Edit you /etc/lilo.conf file so your new kernel is on the loader
Run lilo to ensure it knows about the new kernel
Reboot and test the new kernel

Putting it all together:
Lets assume your kernel works correctly and everything is hunky-dory. You now need to get your firewall working. This comes in three steps:

Step 1: Configure your network cards.
Step 2: Configure your bridge.
Step 3: Impliment your firewall rules.

Before we go any further, make sure you have the brctl tools compiled and installed on your system. They should be available from the http://bridge.sourceforge.com page. I like to put the compiled files in /usr/local/sbin/ so they're in my path. Lets assume you've got the file which is called bridge-utils-0_9_5_tar.gz to uncompress and compile it type the following:

# gzip -dc bridge-utils-0_9_5_tar.gz | tar -xvf -

# cd bridge-utils

# make all

# cp ./brctl/brctl /usr/local/sbin/

# cp ./brctl/brctld /usr/local/sbin/

# cp ./misc/bidi /usr/local/sbin/

Step 1: Configuring your Network cards:
This step is quite easy, you want to put your network cards into promiscuous mode, which means they listen to all the traffic on the network, not just what is explicity sent to them.
You can also set this using the promisc command, but I do it that way.
Step 2: Setting up your bridge:
In this step you need to create, configure and start your bridge:

Step 3: Configuring your firewall:

This is a highly site specific thing, so what I've got below probably won't be suitable for your setup, but it should give you an idea.


#/bin/sh
### Load the modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

### Do some defining
### First some subnets
SUBNET1="192.168.2.0/255.255.255.0"
SUBNET2="192.168.3.0/255.255.255.0"
SUBNET3="192.168.7.0/255.255.255.0"
PRIVATE="192.168.0.0/255.255.0.0"
LOOPBACK="127.0.0.0/255.0.0.0"
ALL="0.0.0.0/255.255.255.255"

### These are individual machines IPs
FTP="192.168.2.21/255.255.255.255"
WWW="192.168.2.24/255.255.255.255"
DNSa="192.168.2.2/255.255.255.255"
DNSb="192.168.3.4/255.255.255.255"
MAIL="192.168.2.15/255.255.255.255"

### Now start with the firewalling stuff
### Clean up the tables from any old junk
iptables -F
iptables -X
iptables -Z

### Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

### Let through stuff on the local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### First off, allow through standard subnet-subnet traffic.  It doesn't need
## to be logged, so get it out of there
 
### Accept the traffic to and from the subnet subnets
iptables -A FORWARD -p all -s $SUBNET1 -d $SUBNET1 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET1 -d $SUBNET2 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET1 -d $SUBNET3 -j ACCEPT
 
iptables -A FORWARD -p all -s $SUBNET2 -d $SUBNET1 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET2 -d $SUBNET2 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET2 -d $SUBNET3 -j ACCEPT
 
iptables -A FORWARD -p all -s $SUBNET3 -d $SUBNET1 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET3 -d $SUBNET2 -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET3 -d $SUBNET3 -j ACCEPT

### Now allow the traffic from "us" to the rest of the organisation
iptables -A FORWARD -p all -s $SUBNET1 -d $PRIVATE -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET2 -d $PRIVATE -j ACCEPT
iptables -A FORWARD -p all -s $SUBNET3 -d $PRIVATE -j ACCEPT
 

### That was the easy stuff, now start on the rules as such
## Put in a syn flood rule to stop people from a DOS attack
## Commented out while testing things
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

### Allow new connections out (And logged for interest sake)
iptables -A FORWARD -p tcp -s $SUBNET1 --syn -m state --state NEW -j LOG --log-prefix "New 
connection: "
iptables -A FORWARD -p tcp -s $SUBNET2 --syn -m state --state NEW -j LOG --log-prefix "New 
connection: "
iptables -A FORWARD -p tcp -s $SUBNET3 --syn -m state --state NEW -j LOG --log-prefix "New 
connection: "
iptables -A FORWARD -p tcp -s $SUBNET1 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $SUBNET2 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $SUBNET3 --syn -m state --state NEW -j ACCEPT

### And accept established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Also don't allow fragments - they're bad
iptables -A FORWARD -f -j LOG --log-prefix "IP Fragment: "
iptables -A FORWARD -f -j DROP


### Allow ping out (but not in)
iptables -A FORWARD -p icmp -s $SUBNET1 -j ACCEPT
iptables -A FORWARD -p icmp -s $SUBNET2 -j ACCEPT  
iptables -A FORWARD -p icmp -s $SUBNET3 -j ACCEPT  

### And in this bit we'll put the things we do allow in
## Allow web requests to web server
iptables -A FORWARD -p tcp -d $WWW --dport 80 -j ACCEPT
## FTP connections to ftp server
iptables -A FORWARD -p tcp -d $FTP --dport 21 -j ACCEPT
## Allow incoming mail
iptables -A FORWARD -p tcp -d $MAIL --dport 25 -j ACCEPT

## DNS lookups to DNS
iptables -A FORWARD -p tcp -d $DNSa --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSa --dport 53 -j ACCEPT
## And DNS requests to Secondary DNS
iptables -A FORWARD -p tcp -d $DNSb --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSb --dport 53 -j ACCEPT

### Log and drop stuff
iptables -A FORWARD -p tcp -j LOG --log-prefix "Dropped TCP: "
iptables -A FORWARD -p tcp -j DROP

iptables -A FORWARD -p udp -j LOG --log-prefix "Dropped UDP: "
iptables -A FORWARD -p udp -j DROP

iptables -A FORWARD -p icmp -j LOG --log-prefix "Dropped ICMP: "
iptables -A FORWARD -p icmp -j DROP

### This is to really make sure things disappear

iptables -A FORWARD -j LOG --log-prefix "End Forward chain - Dropped: "
iptables -A FORWARD -j DROP

Hopefully the script is fairly easy to understand. It assumes we have three subnets (168.192.2.0; 168.192.3.0; 168.192.7.0) that we are resposible for and we fit into a larger organisation that is using more of the 168.192.0.0 range. We are also running our own FTP, web and mail server, as well as two DNS servers. They will be the only things we allow in. Instead of providing the port numbers, I could have provided the service name as detailed in /etc/services. ie, instead of mail on port 25, I could have just said port smtp.

Conclusion:
Well, that is how I set up my firewall. Actually, we have more rules because we allow more things through, but you don't want to say what you allow and deny in a public forum. You don't want to make it too easy for someone to break in.

An important thing to remember, having a firewall is no guarentee of protection, sometimes a badly configured firewall can be more damaging than no firewall at all. I would recommend having a firewall as a step in your network. Make it a high step, so not everything gets past it, but don't assume that just because you've got one, you are now invincable. You still need good security policies and a healthy does of paranoia.

Keep logs and review them regularly. Fine, you've got a firewall in place, congradulations. After you've been hacked, you may decide to look over the logs and discover a methodical scanning of your network by your hacker. If you had looked sooner, you may have been able to protect it.

Trust no-one. In the example above, I allow everyone to connect out, this assumes I am an extremely trustworth person. What I would like to do is only allow certain IP addresses to connect out or maybe only allow certain ports out. That way, if you are hacked, the hacker may be able to get in, but not out again.

Put the firewall in a physically secure place. Great, you've got a firewall, but having it sitting in the open where anyone can get to it is not having it secure.

Pay attention to security bulletins and patches. This come out for all the time, for all operating systems. Not only should you try to keep your firewall patched to the latest stable secure release, but if there is a known security bug associated with port 412 filter that port, why let through a potential risk? That assumes you have legitimate use of port 412. This goes with trojans and backdoor programs as well. There are numerious sites out there listing port numbers of suspicious programs. I log anything that scans those port (then drop the packet) just so I have an idea of who is poking around my network.

Have a plan in place. Chances are, one day you will get hacked. What will you do if you are? How do you know which machines have been compromised? Who do you notify? How do you check the integrity of the system? Establish the answers to questions like this before you have to answer them, not while tech support is running around panicking.

Sleep, drink and be merry. With all this doom and gloom I'm preaching, you probably need to lighten up a little :)

Cheers, Ryan.

Links:

Here are some of the links I've found useful in building my firewall.

http://www.iptables.org/	center> The iptables home page. Go here for the latest updates in the iptables source or any patches you should be aware of.
http://www.iana.org/assignments/port-numbers	The official IANA [Internet Assigned Numbers Authority] port name/number assignments (very large list; approx 460k text file)
http://bridge.sourceforge.net/	The Sourceforge Bridge page. This is where to go to get any patches or latest releases. I highly recommend going here and reading everything they have before starting. You will need to go here to download the patches you need.
iptables-tutorial	A iptables tutorial (web form) there are also other formats available. A good, comprehensive guide.
	Rusty's iptables how-to guide. Highly recommended reading.
http://www.bastille-linux.org/jay/	Jay's page on linux security in general
http://www.cs.princeton.edu/~jns/security/iptables/	A page similar to this one on firewalls. Why didn't I see this page before I started working on this one?
www.kernel.org	The linux kernel site. Go here to find the status of the latest kernel (but download it from a local mirror)
www.google.com	Google. A search engine, so you can look up anything you didn't understand

Back to Tech index
Back to main index