[Cerowrt-users] firewalling suggestion

[Cerowrt-users] firewalling suggestion

[Marc MERLIN]

Howdy,

I like having my ssh port available on the internet side so that I can get
into my router from there if needed.

To do so, I had to edit /etc/xinetd.conf which prevents any connection from
outside to a bunch of services, including dropbear/ssh.

In turn, this enables a bunch of services to the internet, I'm not looking
at enabling, so I firewalled them with iptables.

But this brings the question: can the default config be fixed accordingly?
Firewalling with inetd and hosts.allow is so early 1990's :)

I changed the firewalling config as such:

config rule
        option src 'wan'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option name 'allow outside mgmt'
        option dest_port '22 81 443'

config rule
        option src 'wan'
        option proto 'tcp udp'
        option name 'blockconfig'
        option target 'DROP'
        option dest_port '1-65535'

config rule
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '80 81 137 138 139 445'
        option name 'blockconfig2'
        option target 'DROP'

This isn't one size fits all, but changing the default to allow all from xinetd, 
block all from wan, except a few services, is probably a good idea, no?

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  

Re: [Cerowrt-users] firewalling suggestion

[Dave Taht]

you can allow in ssh in the specific /etc/xinet.d/ssh file.

On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN <marc@merlins.org> wrote:
> Howdy,
>
> I like having my ssh port available on the internet side so that I can get
> into my router from there if needed.
>
> To do so, I had to edit /etc/xinetd.conf which prevents any connection from
> outside to a bunch of services, including dropbear/ssh.
>
> In turn, this enables a bunch of services to the internet, I'm not looking
> at enabling, so I firewalled them with iptables.
>
> But this brings the question: can the default config be fixed accordingly?
> Firewalling with inetd and hosts.allow is so early 1990's :)
>
> I changed the firewalling config as such:
>
> config rule
>         option src 'wan'
>         option proto 'tcp udp'
>         option target 'ACCEPT'
>         option name 'allow outside mgmt'
>         option dest_port '22 81 443'
>
> config rule
>         option src 'wan'
>         option proto 'tcp udp'
>         option name 'blockconfig'
>         option target 'DROP'
>         option dest_port '1-65535'
>
> config rule
>         option src 'guest'
>         option proto 'tcp udp'
>         option dest_port '80 81 137 138 139 445'
>         option name 'blockconfig2'
>         option target 'DROP'
>
> This isn't one size fits all, but changing the default to allow all from xinetd,
> block all from wan, except a few services, is probably a good idea, no?
>
> Marc
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/
> _______________________________________________
> Cerowrt-users mailing list
> Cerowrt-users@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-users



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

Re: [Cerowrt-users] firewalling suggestion

[Marc MERLIN]

On Sun, Nov 25, 2012 at 09:48:06PM +0100, Dave Taht wrote:
> you can allow in ssh in the specific /etc/xinet.d/ssh file.
 
Sure, I can do that.
But I don't get the point: why mix iptables firewalling and userspace IP
blocking in xinetd?

Marc

> On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN <marc@merlins.org> wrote:
> > Howdy,
> >
> > I like having my ssh port available on the internet side so that I can get
> > into my router from there if needed.
> >
> > To do so, I had to edit /etc/xinetd.conf which prevents any connection from
> > outside to a bunch of services, including dropbear/ssh.
> >
> > In turn, this enables a bunch of services to the internet, I'm not looking
> > at enabling, so I firewalled them with iptables.
> >
> > But this brings the question: can the default config be fixed accordingly?
> > Firewalling with inetd and hosts.allow is so early 1990's :)
> >
> > I changed the firewalling config as such:
> >
> > config rule
> >         option src 'wan'
> >         option proto 'tcp udp'
> >         option target 'ACCEPT'
> >         option name 'allow outside mgmt'
> >         option dest_port '22 81 443'
> >
> > config rule
> >         option src 'wan'
> >         option proto 'tcp udp'
> >         option name 'blockconfig'
> >         option target 'DROP'
> >         option dest_port '1-65535'
> >
> > config rule
> >         option src 'guest'
> >         option proto 'tcp udp'
> >         option dest_port '80 81 137 138 139 445'
> >         option name 'blockconfig2'
> >         option target 'DROP'
> >
> > This isn't one size fits all, but changing the default to allow all from xinetd,
> > block all from wan, except a few services, is probably a good idea, no?
> >
> > Marc
> > --
> > "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> > Microsoft is to operating systems ....
> >                                       .... what McDonalds is to gourmet cooking
> > Home page: http://marc.merlins.org/
> > _______________________________________________
> > Cerowrt-users mailing list
> > Cerowrt-users@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-users
> 
> 
> 
> -- 
> Dave Täht
> 
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
> 

-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  

Re: [Cerowrt-users] firewalling suggestion

[Dave Taht]

In part, I agree with you that iptables is one layer, and more
effective in many cases.

The specific reasons for using xinetd (back in early cerowrt days) were:

1) I wanted sensors to actively "do something" when someone was up to
fishy stuff. So, for example, an attempt to telnet or ftp to the
router disables all xinetd run services, notably ssh. I'd like it if
instead of firewalling off port 53, attempts to use it as an amplifier
were logged and reported back to a home base. Similarly, email
attempts when no email server is configured, and participating in
rbls....

I'm aware (now) that there exist tools that will do a better job of inserting
appropo firewall rules on demand but haven't got around to evaluating them.

2) Save on memory. It was my hope to eventually fire off the local and
configuration web servers from xinetd (and by doing so, protect them
also
 from attacks from within and without the network) - but more importantly
not waste the ram they use.

3) While it is "so 90s", there are a multitude of other useful services that can
run on demand out of xinetd. For example, rsync, and leafnode and jabber.

4) I thought at one point I'd run dhcp out of this too, but dnsmasq
has proven small and robust enough (and secure enough) for me to trust
to do dhcp.

I'm ambivalent about this feature in present day cerowrt, both using
it in xinetd and iptables is unessessarily difficult, however I would
have approached your problem by adding in the allowed hosts into the
xinetd ssh file.


On Sun, Nov 25, 2012 at 9:49 PM, Marc MERLIN <marc@merlins.org> wrote:
> On Sun, Nov 25, 2012 at 09:48:06PM +0100, Dave Taht wrote:
>> you can allow in ssh in the specific /etc/xinet.d/ssh file.
>
> Sure, I can do that.
> But I don't get the point: why mix iptables firewalling and userspace IP
> blocking in xinetd?
>
> Marc
>
>> On Sun, Nov 25, 2012 at 9:31 PM, Marc MERLIN <marc@merlins.org> wrote:
>> > Howdy,
>> >
>> > I like having my ssh port available on the internet side so that I can get
>> > into my router from there if needed.
>> >
>> > To do so, I had to edit /etc/xinetd.conf which prevents any connection from
>> > outside to a bunch of services, including dropbear/ssh.
>> >
>> > In turn, this enables a bunch of services to the internet, I'm not looking
>> > at enabling, so I firewalled them with iptables.
>> >
>> > But this brings the question: can the default config be fixed accordingly?
>> > Firewalling with inetd and hosts.allow is so early 1990's :)
>> >
>> > I changed the firewalling config as such:
>> >
>> > config rule
>> >         option src 'wan'
>> >         option proto 'tcp udp'
>> >         option target 'ACCEPT'
>> >         option name 'allow outside mgmt'
>> >         option dest_port '22 81 443'
>> >
>> > config rule
>> >         option src 'wan'
>> >         option proto 'tcp udp'
>> >         option name 'blockconfig'
>> >         option target 'DROP'
>> >         option dest_port '1-65535'
>> >
>> > config rule
>> >         option src 'guest'
>> >         option proto 'tcp udp'
>> >         option dest_port '80 81 137 138 139 445'
>> >         option name 'blockconfig2'
>> >         option target 'DROP'
>> >
>> > This isn't one size fits all, but changing the default to allow all from xinetd,
>> > block all from wan, except a few services, is probably a good idea, no?
>> >
>> > Marc
>> > --
>> > "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
>> > Microsoft is to operating systems ....
>> >                                       .... what McDonalds is to gourmet cooking
>> > Home page: http://marc.merlins.org/
>> > _______________________________________________
>> > Cerowrt-users mailing list
>> > Cerowrt-users@lists.bufferbloat.net
>> > https://lists.bufferbloat.net/listinfo/cerowrt-users
>>
>>
>>
>> --
>> Dave Täht
>>
>> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
>>
>
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

Re: [Cerowrt-users] firewalling suggestion

[Marc MERLIN]

On Sun, Nov 25, 2012 at 11:41:55PM +0100, Dave Taht wrote:
> 1) I wanted sensors to actively "do something" when someone was up to
> fishy stuff. So, for example, an attempt to telnet or ftp to the
> router disables all xinetd run services, notably ssh. I'd like it if
> instead of firewalling off port 53, attempts to use it as an amplifier
> were logged and reported back to a home base. Similarly, email
> attempts when no email server is configured, and participating in
> rbls....
 
I do that with iptables log parsing, although I'm not sure how you get
iptables deny logs on cerowrt, maybe readlog would get them?

> I'm aware (now) that there exist tools that will do a better job of inserting
> appropo firewall rules on demand but haven't got around to evaluating them.

Gotcha.

> 2) Save on memory. It was my hope to eventually fire off the local and
> configuration web servers from xinetd (and by doing so, protect them
> also
>  from attacks from within and without the network) - but more importantly
> not waste the ram they use.

I'm not against xinetd. I think on demand starting is a good idea, keep
that.

> 3) While it is "so 90s", there are a multitude of other useful services that can
> run on demand out of xinetd. For example, rsync, and leafnode and jabber.
 
Sorry I was unclear. xinetd is not "so 90s". Firewalling with it is :)

> I'm ambivalent about this feature in present day cerowrt, both using
> it in xinetd and iptables is unessessarily difficult, however I would
> have approached your problem by adding in the allowed hosts into the
> xinetd ssh file.

I could, as an admin I just don't like the multiple layers of incompatible
and independently configured firewalling.
I did keep xinetd and ssh run from there, it's a good idea like you said, I
just moved the firewalling to iptables where it belongs IMO.

Thanks for explaining, at least now I know I didn't miss something stupid :)

Cheers,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/