
vonskippy | 11 years ago

Rolling your own firewall is almost always a bad idea. Hardening a full blown distro is a terrible place to start, and no place for a novice to "guess" that they have it locked down "enough".

There are numerous open source firewall distros that have the advantage of being authored by people well practiced in security coding, pen testing, etc., and are continually crowd tested for loopholes and shortcomings.

It's your edge device for security - not exactly a place you want to take risks with.

akerl_|11 years ago

Given that you get a stateful firewall as a facet of NAT, the main risk would be if your edge device was listening on the external interface with vulnerable services.

I appreciate the level of specific engineering that goes into purpose-built firewall distros, but "locking down" a device whose sole function is to perform NATing for a network is not terribly complicated.

jfindley|11 years ago

While I sympathise with the sentiment, there's a couple of things to point out here.

Firstly, none of the firewall distros I've seen have really prioritised security all that much - they tend to prioritise fancy interfaces and rolling lots (often far too many) features into one box. I'm not aware of a single one of the commonly used firewall distros that enables selinux, for example (although I've not looked at all of them - I could have missed one).

Secondly, this is clearly a home product - not a device that's likely to be the focus of a large amount of determined attacks. As long as you don't allow password-based logins and regularly apply security patches, the likelihood of being compromised is very small. Modern mainstream Linux distributions aren't as horrendously insecure by default as you imply - the job of locking them down isn't a massively complex black art.

VLM|11 years ago

"I'm not aware of a single one of the commonly used firewall distros that enables selinux"

The commonly used "for firewalls" distro is Debian, and selinux "works" on vanilla Debian. It's a labor hog, making it less efficient to enable selinux than to look for / fix other problems, but it can be done if you insist and are willing to spend less time securing more important areas (pretty much everything, unfortunately).

On the other hand, I am also unable to find a "firewall distro" solely for FW work that does selinux as of the last time I looked. Hard to prove a negative, but it is possible to prove that if it exists, it's well hidden. The marketplace for FW distros is focused on ease of use, security theater, authoritarianism and credentialism, so actual security-related features are going to be a pretty low priority in the market, which is humorous / ironic.

VLM|11 years ago

"continually crowd tested"

They are absolutely not. Not compared to general purpose distros.

Just look historically at semi-relevant security holes and how long it took Debian to patch openssl (hours? minutes?) vs "one dude's spare-time project" maybe weeks, or worse, never.

"have the advantage of being authored by people well practiced"

You'd like to think so, but other than hopes there seems to be no evidence...

"locked down enough."

It has a stateful firewall probably as part of the NAT function? Good enough. The rest of it is mostly security theater.

atmosx|11 years ago

As far as I know, generally speaking, doing things yourself is what makes you learn how to do them.

So if you don't play with firewall rules, block yourself a couple of times, and do something stupid, you'll never learn.

I could argue that doing copy-paste firewall rules from the internet might not be a good thing. It will give you the idea of security while there might be none.

peterwwillis|11 years ago

What risk? You don't need to harden your distro if you're only using it for NAT. There's basically nothing to attack, save maybe the netfilter conntrack module's state machine. Here's all you need for your edge NAT device:

  # Traffic to the router itself: only replies to flows it opened come in from the WAN
  iptables -A INPUT -i ethwan -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A INPUT -i ethwan -j DROP
  # Traffic from the router itself: it may open new connections to the WAN
  iptables -A OUTPUT -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o ethwan -j DROP
  # Forwarded traffic: WAN -> LAN only for established flows, LAN -> WAN may open new ones
  iptables -A FORWARD -i ethwan -o eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i ethwan -o eth0 -j DROP
  iptables -A FORWARD -i eth0 -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth0 -o ethwan -j DROP
  # Rewrite the source of LAN traffic leaving via the WAN to the router's own address
  iptables -t nat -A POSTROUTING -o ethwan -j MASQUERADE

drdaeman|11 years ago

One (usually) doesn't roll their own firewall. One's provided with a robust solution and merely needs to configure it - that is, provide a description of their network. Because no matter how smart and well practiced software authors and distro builders are, they still don't know about your network and your needs. They could only provide tooling and examples to make some common concepts easily achievable.

And configuring your own firewall isn't rocket science that should be left to pros. Especially - as every sane guide out there suggests - if (for iptables) you start with DROP on the INPUT and FORWARD chains and gradually open what's necessary.
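The two comments above make the same point from different angles: the conntrack rules peterwwillis posted already give a stateful edge, and drdaeman's advice is to set DROP as the chain policy and open only what is needed. The following Python model, added here and not part of the thread, encodes exactly the rule set from peterwwillis's comment (interfaces ethwan and eth0, the same chains and ctstate matches) on top of a toy conntrack table, with INPUT and FORWARD policy DROP as drdaeman suggests. It is a simplified simulation, not netfilter: it ignores MASQUERADE, RELATED state, timeouts and protocol details. All addresses and ports in the scenario are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Interface names as used in the comment's rules.
WAN, LAN = "ethwan", "eth0"


@dataclass(frozen=True)
class Packet:
    in_if: Optional[str]   # None: generated by the router itself (OUTPUT chain)
    out_if: Optional[str]  # None: delivered to the router itself (INPUT chain)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: -i / -o / -m conntrack --ctstate / -j."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    ctstate: Optional[frozenset] = None  # None matches any state
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == pkt.out_if)
                and (self.ctstate is None or state in self.ctstate))


class Conntrack:
    """Toy state table: a flow becomes ESTABLISHED once a NEW packet was accepted."""
    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(pkt: Packet):
        # Direction-agnostic key, so the reply maps onto the same flow as the request.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def state(self, pkt: Packet) -> str:
        return "ESTABLISHED" if self.key(pkt) in self.flows else "NEW"

    def confirm(self, pkt: Packet) -> None:
        self.flows.add(self.key(pkt))


EST = frozenset({"ESTABLISHED"})
NEW_EST = frozenset({"NEW", "ESTABLISHED"})

# The filter rules from the comment, in the order they were given.
CHAINS = {
    "INPUT": [Rule(in_if=WAN, ctstate=EST), Rule(in_if=WAN, target="DROP")],
    "OUTPUT": [Rule(out_if=WAN, ctstate=NEW_EST), Rule(out_if=WAN, target="DROP")],
    "FORWARD": [
        Rule(in_if=WAN, out_if=LAN, ctstate=EST), Rule(in_if=WAN, out_if=LAN, target="DROP"),
        Rule(in_if=LAN, out_if=WAN, ctstate=NEW_EST), Rule(in_if=LAN, out_if=WAN, target="DROP"),
    ],
}
# Chain policies as drdaeman recommends: default-deny on INPUT and FORWARD.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


class Firewall:
    def __init__(self, chains=CHAINS, policy=POLICY):
        self.chains, self.policy, self.ct = chains, policy, Conntrack()

    @staticmethod
    def chain_for(pkt: Packet) -> str:
        if pkt.in_if is None:
            return "OUTPUT"
        if pkt.out_if is None:
            return "INPUT"
        return "FORWARD"

    def verdict(self, pkt: Packet) -> str:
        chain = self.chain_for(pkt)
        state = self.ct.state(pkt)
        target = self.policy[chain]            # policy applies when no rule matches
        for rule in self.chains[chain]:        # first matching rule wins
            if rule.matches(pkt, state):
                target = rule.target
                break
        if target == "ACCEPT":
            self.ct.confirm(pkt)               # accepted NEW packets create state
        return target


def run_scenario() -> dict:
    """Constructed traffic: a LAN client, a web server, an unsolicited outside host."""
    fw = Firewall()
    lan_host, web, outsider, router = "192.168.1.10", "203.0.113.80", "198.51.100.7", "192.168.1.1"
    r = {}
    r["lan_to_web"] = fw.verdict(Packet(LAN, WAN, lan_host, 40000, web, 443))          # NEW, forwarded
    r["web_reply"] = fw.verdict(Packet(WAN, LAN, web, 443, lan_host, 40000))           # ESTABLISHED
    r["unsolicited_to_lan"] = fw.verdict(Packet(WAN, LAN, outsider, 51000, lan_host, 22))
    r["unsolicited_to_router"] = fw.verdict(Packet(WAN, None, outsider, 51001, "192.0.2.1", 22))
    r["lan_to_router"] = fw.verdict(Packet(LAN, None, lan_host, 40001, router, 22))   # hits policy
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```

The last case is the caveat worth noticing: none of the posted rules mention eth0 on INPUT, so with iptables' default ACCEPT policy a LAN host can reach the router's own services, but once the policy is switched to DROP that access disappears until a LAN-side INPUT rule is added. That is the "gradually open what's necessary" step in practice.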

nickpegg|11 years ago

I agree with this to an extent: a complete novice probably shouldn't take this sort of leap without understanding the configuration involved in securing down a Linux box. I wouldn't say it's out of the reach of most people familiar enough with Linux, though.

Regarding security programming, etc., I expose as little as possible to the world. Of the services that I do expose, I'm relying on pre-packaged software and the maintainers of Debian to keep it patched for me. I trust that those people mostly know what they're doing, and any code I write will mostly just be for internal automation.

blueking|11 years ago

Well, if you really care about security you should run OpenBSD, not Linux. And it installs secure by default. Just grab the Book of PF and write out your firewall rules.

drzaiusapelord|11 years ago

What's my other practical alternative? Some $80 box at Best Buy riddled with security holes? While I agree that using something like pfsense is probably superior, it's also fair to say that if you understand basic Linux administration, you can roll out a firewall that's a lot more secure than the never-updated boxes everyone else uses, and enjoy features like ssh forwarding, openVPN, etc.

gonzo|11 years ago

If there was HN Gold, I'd send you some.

mariuolo|11 years ago

> There are numerous open source firewall distro's that have the advantage of being authored by people well practiced in security coding, pen testing, etc, and are continually crowd tested for loopholes and shortcomings.

That's what I did at first, but what if there is none that does everything you need? Hacking it would be even worse than rolling your own.

zenciadam|11 years ago

Back in the mid-to-late 90s there were no home routers as they exist today. Just threw OpenBSD on a machine with multiple interfaces and it worked just fine.