Skill: Intermediate Complexity: Moderate EstTimeToComplete: 1.25 hours RelatedMod: RoamingProfilesWithNetworkManager
As part of your comprehensive security planning it is essential to enable and configure a firewall for your system. This is especially true for a roaming laptop. Firewalls manage network access. A firewall policy enforced on a laptop system helps deter network attacks and allows you, good sysdamin, full working knowledge of what ports applications are allowed to communicate on.
While Ubuntu is quite good at limiting the number of default network services and keeping unnecessary network services turned off it is still good security practice to limit the network access. That is, "Deny everything in AND out, unless it is expressly allowed". However, as there is always a compromise between ultimate security, convenience and manageability we are going to allow the laptop system to initiate any outbound network connection and highly restrict the types of external services that may initiate an inbound connection to the laptop.
WARNING! Please evaluate your security needs and adjust the policy to suite your goals. This example policy demonstration may not be restrictive enough for your system security policy and procedures. Do not implement this in a production or live environment until you understand the security implications of the policy rules.
Roaming Laptop Network Security
One of the pleasures with Ubuntu Feisty Fawn 7.04 is the NetworkManager. If you allow it to manage the network interfaces with DHCP you can move with relative ease between different networks.
Unfortunately, NetworkManager doesn't seem to work well just yet with static ip or profiles. Nor, does it trigger any scripting to allow for re-jiggering any firewalls to adjust for new interface address assignments.
Consequently, it can be painful to tailor your laptop for site specific services. e.g., default laser printers at work, default ink-jet printers at home. Or custom firewall policies based on location. e.g., more permissive firewall rules while at work, very restrictive rules while roaming.
What follows is a setup for a roaming laptop using iptables for the firewall policy enforcement and laptop-net for profile/location management. With laptop-net you'll be able to set static ip addresses for your interfaces, assign default printers, re-configure the firewall and anything else you may want to distinguish between profiles.
The Linux kernel supplied with Ubuntu provides a powerful and dizzyingly configurable stateful firewall service managed through iptables.
Iptables INIT Script
To assist with enabling/disabling the iptables firewall you may wish to install this init.d script. When called with /etc/init.d/iptables start the script will pull the previous firewall policy and run with that configuration. When called with /etc/init.d/iptables stop the script will flush any currently configured rules and open the INPUT,FORWARD and OUTPUT chains to ACCEPT all connections. When called with /etc/init.d/iptables save the currently running policy will be saved for future restarts.
Save this script initd_iptables.txt to /etc/init.d/iptables.
Make the script executable.
chmod 755 /etc/init.d/iptables
I use the incredible and competent fwbuilder to configure and manage firewall settings. Creating rules with iptables syntax is very tedious and complicated. Beyond single host management it is also adept at managing multiple hosts firewall configuration policies. Firewall Builder also includes a built in revision control system for easy reversions back to previously working policies. (This requires RCS.)
apt-get install fwbuilder
*It is assumed that you have a working GUI available as fwbuilder requires one
For detailed documentation and User Guides visit: http://www.fwbuilder.org/
Build Firewall Policy
With fwbuilder we will build a base policy based on the principle of "Deny everything in AND out, unless it is expressly allowed." However, as there is always a compromise between ultimate security, convenience and manageability we are going to allow the laptop system to initiate any outbound network connection and highly restrict the types of external services that may initiate an inbound connection to the laptop.
Open/Create New Policy File
Start fwbuilder with Alt-F2.
Select Create new project file and then name and save in the location of your choosing.
Unless you have RCS installed or care to default to the named file on application start pass on selecting any options for the new file.
New Firewall Object
Right-Click on User:Firewalls folder and select New Firewall. Enter the name of the new object. e.g., Your hostname or some other unique identifier.
Choose iptables as the firewall software.
Choose Linux 2.4/2.6 as the OS the firewall runs on.
Select Use preconfigured template firewall objects to ease the policy creation. This is optional if you have more advanced requirements.
This documentation assumes a roaming laptop with wired and wireless interfaces with dynamically assigned addresses.
Choose host fw template 1.
You should have something similar to the following:
ADD WiFi Interface
On my laptop the WiFi interface is dependent on restricted modules. That being said you must have networking working correctly before adding interfaces to the firewall policy. If you define a new interface that doesn't exist the installation of the rules will fail.
The host fw template 1 already created the outside eth0 interface. If your wired interface is identified differently you'll need to change the name.
In the User::Firewalls::<YourFWHostName> menu heirarchy you should see loopback and outside interfaces. The outside interface should already be defined dyn ext.
Right-Click on the outside interface and Duplicate...:place here.
Right-Click on the new outside interface and Edit.
Rename the interface name to the Name: of your WiFi interface. This will be completely dependent on your system setup and WiFi hardware. In my case it is ath0. You may be able to identify the WiFi interface from the output of ip addr.
Rename the Label: for the WiFi interface to something identifiable. e.g., outside-wifi.
Assure that Address is assigned dynamically is selected.
Assure that This interface is external(insecure) is checked.
Click Apply Changes.
You'll note that a new policy tab outside-wifi (or whatever label you assigned for the interface) is created. This is an automatic default anti-spoofing rule.
Your firewall policy will now look similar to the following:
Understanding Firewall Builder Policy Rules
Firewall Builder (fwbuilder) follows a rule based paradigm. Each rule attempts to match the source, destination and service to decide what action to perform. It is a top-down priority. The source, destination and service begins from the top of the policy at Rule0 and flows through each successive rule until matched or the rules are exhausted.
If the source, destination and service request matches a rule set successive rule matching is terminated. Consequently, you encounter a shadow rule. (Don't worry fwbuilder attempts to alert for this condition.) A shadowing example: Say you have a web server running on your laptop that you let the world visit. Creating these simple rules produces a shadow.
While you intend to let external sources connect to your running web service, this policy first matches the request at Rule0 and stops processing. Rule1 is never matched and external users never get to your web server.
Rule - Source - Destination - Service - Action 0 - Any - <YourLaptop> - Any - Deny 1 - Any - <YourLaptop> - HTTP - Allow
To achieve your intention of allowing external sources to only access the HTTP service the correct rule set would look something like the following.
Rule - Source - Destination - Service - Action 0 - Any - <YourLaptop> - HTTP - Allow 1 - Any - <YourLaptop> - Any - Deny
Understanding the Template Policy
In English, the host fw template 1 for all inbound/outbound network communications the policy reads: Begin with Rule1 and allow any external host to connect to the laptop for icmp, ping and ssh services. If not matched then apply Rule1 and allow the laptop to connect to any external host for any service. If not matched then apply Rule2 and deny the connection request for any host to any destination for any service and log it. (The 'default' rule.)
The anti-spoofing rule which is a rule for the outside interface(s) reads: Deny all network connection request inbound to the interface from the outside for any destination and any service, when the source is the laptop ip address and log it. It would make no sense for your laptop ip to be inbound to itself from the outside. It means someone has assumed your assigned address and is attempting to 'spoof' you.
The loopback rule simply allows all traffic in any direction on the loopback (127.0.0.1)
There is no necessity for NAT rules in this configuration.
With a roaming laptop the chances are good that you'll have no need to ssh into your system from another remote host. Therefore, remove the service from Policy::Rule0. (If you wanted to go stealth, you could also remove Useful_ICMP and 'ping request'.)
Warning! As mentioned before the ideal situation is to also restrict outbound network connection requests from your laptop to a small set of known services. This may mitigate rogue applications from making spurious port connections. But, in the interest of manageability and convenience we are more concerned about the outside world getting in then we are about the laptop getting out. So, we'll leave Policy::Rule1 alone. Adjust as you see fit.
You should always have a Default Rule which is always last and almost universally any-any-any-deny-log. It is the catch all rule that is the last word on what to do with network connection requests.
For my tastes I run the Ekiga open source VoIP and video conferencing application for GNOME. Ekiga uses both the H.323 and SIP protocols. So, I created the 5060 UDP SIP object and added the already existing 1720 TCP H323 object into Policy::Rule0.
When all is said and done you will have something like the following.
Once satisfied with your firewall security policy compile it for potential errors and then we'll install it.
Click on Rules:Compile. If there are any errors edit the policy and re-compile until successful.
Unless you modified where the policy install script is saved it will be in the same working directory as your created/saved fwbuilder policy. The compiled installation script will have the .fw extension.
Unfortunately you'll need to install the firewall policy from the command line. Open a terminal and sudo -i to root. Then run the script.
root@pokey:~#<pathToPolicy>/<policyFileName>.fw Activating firewall script generated Mon Jul 9 15:50:35 2007 by userName Rule 0 (eth0) Rule 0 (lo) Rule 0 (global) Rule 1 (global) Rule 2 (global)
Curious? The .fw installation file is a plain text shell script file that you may open to see how the rules are applied with iptables.
Run iptables -L to see the running iptables firewall ruleset you just applied.
root@pokey:~# iptables -L ... Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT 0 -- anywhere anywhere state NEW RULE_2 0 -- anywhere anywhere Chain Cid46928FE0.0 (0 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-transit ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-reassembly ACCEPT icmp -- anywhere anywhere icmp type 0 code 0 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp type 8 code 0 ...
If something should go wrong you can disable the new rules and try again.
If the firewall rules are running to your satisfaction save the current configuration.
Firewall Policy Reloads
Now that you have a working firewall policy we need a mechanism to reload the policy installation script each time the address changes for either the wired or wireless interfaces.
Without reloading the firewall configuration when network interface ip address assignments change, the current and running firewall policy would continue with previously set ip addresses. While your interface associated with an updated ip address the firewall, as configured from this guide, will prevent any network activity. It will appear as though the network is broken.
You could simply call the fwbuilder firewall generated *.fw script whenever you change locations. Or add a panel icon to call the script. e.g.,
sudo -i /etc/myfirewall.fw
However, either way requires a manual intervention and becomes unwieldy if you have diverse firewall policies for the different network associations. A better, automated and highly flexible way to reset the firewall for your dynamic interfaces is with Roaming Profiles through NetworkManager.
Network Roaming Profiles
Follow the guide RoamingProfilesWithNetworkManager to install and configure a basic roaming profile with NetworkManager.
Creative Commons License
Author: James B. Crocker
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.