From 0222d53f28da05a187a64cfe10d3b81bfbaebcbe Mon Sep 17 00:00:00 2001
From: Thomas NOEL
Date: Tue, 2 Dec 2014 14:14:36 +0100
Subject: [PATCH] add ferm.conf example/draft

---
 ferm/config.d/example | 4 +
 ferm/ferm.conf | 202 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 ferm/config.d/example
 create mode 100644 ferm/ferm.conf

diff --git a/ferm/config.d/example b/ferm/config.d/example
new file mode 100644
index 0000000..4c3c9f1
--- /dev/null
+++ b/ferm/config.d/example
@@ -0,0 +1,4 @@
+
+@def $NET_DMZ = 12.168.5.5/24;
+
+
diff --git a/ferm/ferm.conf b/ferm/ferm.conf
new file mode 100644
index 0000000..6b30039
--- /dev/null
+++ b/ferm/ferm.conf
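Review bot: The example value `12.168.5.5/24` in config.d/example is a public-range address (12.0.0.0/8) with host bits set, so anyone copying the example inherits a misleading network definition; if a private lab range was meant, `@def $NET_DMZ = 192.168.5.0/24;` is clearer. `$NET_DMZ` is also not referenced anywhere in ferm.conf in this commit, so it presumably only illustrates the config.d/ include mechanism; a one-line comment above the `@def` saying so would make that explicit.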
@@ -0,0 +1,202 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+# host
+@def $IP_WAN = 176.31.123.109;
+@def $DEV_WAN = eth0;
+
+# guests : virtual machines
+@def $NET_VMS = 178.33.6.208/28;
+@def $DEV_VMS = vmbr1;
+@def $NET_VMS_PRIVATE = 192.168.0.0/16;
+@def $DEV_VMS_PRIVATE = venet0;
+
+# whitelisted services = IP and port knocking
+@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
+@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);
+@def $KNOCK1 = 100;
+@def $KNOCK2 = 200;
+@def $KNOCK3 = 301;
+
+# WAN services
+@def $DNS_ON_WAN = 1;
+@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
+@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
+@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)
+
+# global VMS services
+@def $WEB_ON_VMS = (80 443);
+@def $WHITELIST_VMS = (ssh);
+
+# supervision servers (munin, nagios)
+@def $SUPERVISORS = (212.85.154.22 88.190.46.145);
+
+@include 'config.d/';
+@include 'pre.d/';
+
+# $VMS = 1 if there are VMs with public IPs
+@def $VMS = 0;
+@if $NET_VMS @if $DEV_VMS @def $VMS = 1;
+# $VMS = 1 if there are VMs with private IPs
+@def $VMS_PRIVATE = 0;
+@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;
+
+# output some debug informations
+@hook pre "# (c) entr'ouvert";
+@hook post "# VMS = $VMS";
+@hook post "# VMS_PRIVATE = $VMS_PRIVATE";
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # allow all local traffic
+ interface lo ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # accept ping request
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # local services
+ interface $DEV_WAN daddr $IP_WAN mod state state NEW {
+ # DNS requests
+ @if $DNS_ON_WAN proto (udp tcp) dport 53
+ mod comment comment "DNS on WAN"
+ ACCEPT;
+ # Web
+ @if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN
+ mod comment comment "Web on WAN"
+ ACCEPT;
+ # Mail
+ @if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN
+ mod comment comment "Mail services on WAN"
+ ACCEPT;
+ # munin & nagios
+ @if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666)
+ mod comment comment "Munin&Nagios on WAN"
+ ACCEPT;
+ # allow connections (SSH, proxmox, etc.) from whitelisted IPs
+ proto tcp mod multiport destination-ports $WHITELIST_WAN
+ jump whitelist;
+ }
+
+ # port knocking interception
+ interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+
+ # allow all local traffic
+ interface lo ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp mod multiport destination-ports (53 22 80 443)
+ mod state state NEW
+ ACCEPT;
+ proto udp dport 53
+ mod state state NEW
+ ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+ }
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # accept ping request
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # from VMS to Internet: ssh, web, dns, ping
+ outerface $DEV_WAN {
+ proto tcp mod multiport destination-ports (53 22 80 443)
+ mod state state NEW
+ ACCEPT;
+ proto udp dport 53
+ mod state state NEW
+ ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+ }
+
+ # Web on VMs
+ @if $WEB_ON_VMS
+ protocol tcp
+ mod comment comment "Web on VMs"
+ mod multiport destination-ports $WEB_ON_VMS
+ mod state state NEW {
+ @if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
+ @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
+ }
+
+ # private VMs
+ @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
+ # connections (SSH, etc.) from host
+ @if $WHITELIST_VMS interface $DEV_WAN protocol tcp
+ mod multiport destination-ports $WHITELIST_VMS
+ mod state state NEW
+ ACCEPT;
+ }
+
+ # public VMs
+ @if $VMS daddr $NET_VMS outerface $DEV_VMS {
+ # nagios
+ @if $SUPERVISORS saddr $SUPERVISORS
+ protocol tcp
+ mod multiport destination-ports (4949 5666)
+ mod state state NEW
+ mod comment comment "Munin&Nagios on VMs"
+ ACCEPT;
+ # connections (SSH, etc.) from whitelisted IPs
+ # + port knocking
+ @if $WHITELIST_VMS protocol tcp {
+ mod multiport destination-ports $WHITELIST_VMS
+ mod state state NEW jump whitelist;
+ jump knock;
+ }
+ }
+
+ }
+
+ # accept from EO & port-knock source IP
+ chain whitelist {
+ saddr $WHITELIST_IPS ACCEPT;
+ mod recent rcheck name "knock3" seconds 15 ACCEPT;
+ }
+
+ # port knocking (add IP in the whitelist for 15 seconds)
+ chain knock {
+ protocol tcp {
+ dport $KNOCK1 mod recent set name "knock1" NOP;
+ dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
+ mod recent name "knock1" remove NOP;
+ mod recent name "knock2" set NOP;
+ }
+ dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
+ mod recent name "knock2" remove NOP;
+ mod recent name "knock3" set NOP;
+ }
+ }
+ }
+
+}
+
+# SNAT for private VMs
+@if $VMS_PRIVATE table nat chain POSTROUTING
+ saddr $NET_VMS_PRIVATE
+ outerface $DEV_WAN
+ SNAT to $IP_WAN;
+
+@include 'local.d/';
+@include 'post.d/';
+
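Review bot: Nothing in ferm.conf selects a `domain`, and ferm's default is `ip` only, so this ruleset leaves ip6tables untouched; on a host that has an IPv6 address, services listening on IPv6 (the same DNS/web/mail/proxmox ports this file guards for IPv4) stay reachable regardless of the `whitelist` and `knock` chains. A minimal fail-closed addition near the top is `domain ip6 table filter chain (INPUT FORWARD OUTPUT) policy DROP;`, with the IPv4 rules mirrored under `domain (ip ip6)` if the host actually uses IPv6. Separately, the `knock` chain only advances state and never clears `knock1`/`knock2` when a packet for any other port arrives, so the three-port sequence is weaker than it looks; a final rule in that chain removing both lists for any other dport, plus a comment stating that `whitelist` is a deterrent rather than authentication, would be worth adding. The `$EO_WHITELIST_IPS` backtick makes `/etc/firewall/default_eo` part of the firewall's trust boundary and yields an empty list when that file is missing; ferm appears to emit no rule for an empty list, so `whitelist` would then fail closed, but that is worth confirming and documenting next to the `@def`.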