New firewall
On Saturday I finished reading Linux Firewalls, and promptly got to work writing version 2.0 of the new server firewall. The book was very good – while it didn’t teach me all that much totally new (I’ve been tinkering with iptables for years), it did present a lot of “best practices” and scenarios. My favorite thing about the book was how it condensed various protocols and scenarios into tight recipes, so I could just go, “hmm, I want to enable DHCP for my LAN, what’s the bare minimum I need to allow for that?”… and find a nice, concise answer. I guess the biggest boon I got from the book was tips on how to tighten up the firewall; it isn’t all that hard to write a simple firewall, but it gets tricky fast when you want to block and check all that you possibly can without impeding the server systems or users of the local LAN in any way. Good book, I can warmly recommend it to anyone who is interested in the subject.
Anyway, I spent a large part of Saturday building a new firewall. Took quite a bit of effort and required some mishaps (like me locking myself out of NFS for a while) before it was working and polished… but now I have a pretty nice and tight new firewall setup, with filtering on INPUT, OUTPUT and FORWARD chains. My previous firewalls have only had INPUT rules, the new one has OUTPUT added to check that the server communicates to only those services it’s supposed to (makes life harder for potential intruders). Also added some light FORWARD filtering, mainly anti-spoofing sanity checks and a block on SMTP traffic (to catch and stop possible spam robots in LAN). All in all, I’m pretty satisfied with the setup.
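To make the three-chain layout concrete, here is an added example of a ruleset in that spirit: default-drop policies on INPUT, OUTPUT and FORWARD, a stateful core, anti-spoofing checks, an SMTP block for LAN clients, a DHCP/DNS allowance for the LAN, and an OUTPUT chain that whitelists only the services the server itself should be talking to. This is not the author's actual firewall script; the interface names (eth0/eth1), the LAN subnet, the resolver address and the set of allowed outbound services are assumptions that must be adjusted for a real box. The rules are emitted in iptables-restore format rather than applied one by one, so the whole set can be reviewed (or diffed against the running rules) before it is loaded atomically.

```shell
#!/bin/sh
# Added example, not the post's own script. Generates a stateful three-chain
# iptables ruleset; all interface names and addresses below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                  # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed LAN subnet
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"  # assumed upstream resolver (documentation address)

# Print the ruleset in iptables-restore format. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the output.
fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful core: packets belonging to flows already accepted pass on every chain
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing sanity checks: LAN or loopback addresses never arrive from the WAN side,
# and nothing that is not from the LAN subnet may be forwarded in from the LAN side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# LAN clients may not send SMTP outward (log so a spam robot shows up in logcheck)
-A FORWARD -i $LAN_IF -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "FW-LAN-SMTP: "
-A FORWARD -i $LAN_IF -p tcp --dport 25 -j DROP
# Otherwise LAN hosts may open new connections to the Internet through this server
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# INPUT: only the services this server offers. SSH is rate-limited for new connections
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# DHCP: a client discovers from 0.0.0.0:68 to 255.255.255.255:67, so no subnet match here
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# OUTPUT: the server talks only to the services it is supposed to
-A OUTPUT -o $WAN_IF -d $DNS_SERVERS -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -d $DNS_SERVERS -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 123 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
# LAN-side services such as NFS need the server to initiate toward LAN hosts
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
# DHCP offers go to the broadcast address, which the LAN_NET rule above does not cover
-A OUTPUT -o $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUTPUT-DROP: "
COMMIT
EOF
}

# Load the generated set atomically; iptables-restore rejects the whole file on any error,
# so a typo cannot leave the box half-firewalled.
fw_apply() {
  fw_rules | iptables-restore
}

# "sh firewall.sh" prints the ruleset for review; "sh firewall.sh apply" loads it.
case "${1:-print}" in
  apply) fw_apply ;;
  *)     fw_rules ;;
esac
```

The OUTPUT chain is the part that needs the most care: every service the server legitimately initiates (DNS, NTP, package mirrors, and LAN-side protocols such as NFS) must be listed explicitly, and the logging rule at the end of the chain is what tells you, via logcheck, which connection a newly installed daemon is silently being denied. When applying remotely, run it from a scheduled rollback (for example `sleep 120 && iptables-restore < /path/to/known-good.rules`, a constructed path) so a mistake in the SSH rule does not lock you out.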
I also have logcheck and aide running on the system, along with various other boobytraps, intended to give me warning of any intrusion attempt (or even a successful one). I have no illusions about being able to stand up to a serious, targeted custom attack, but that’s not a very likely scenario in any case. The intention here is to armor the system against automated attacks and script kiddies, and make life as difficult as possible even for successful intrusions that haven’t elevated to root yet. On that latter note, I intend to look into the GRSecurity extension and PaX one of these days, ideally I would massively reduce the rights that high-risk user accounts (apache, mainly) have in the system. One thing at a time.
Security is always about layers and procedures, and it’s always a tradeoff between it and ease of use. There are limits to how far it’s reasonable to go in a home server setting in any case. But it’s fun to tinker.