authorThomas NOEL <tnoel@entrouvert.com>2014-12-02 13:14:36 (GMT)
committerThomas NOEL <tnoel@entrouvert.com>2014-12-02 13:14:36 (GMT)
commit0222d53f28da05a187a64cfe10d3b81bfbaebcbe (patch)
treefbce59955a4e3972dce983beea584e79f93696b2
parent3cf8765d977dbc0f1c0eb7b12b43d4b013cdc89f (diff)
add ferm.conf example/draft
-rw-r--r--ferm/config.d/example4
-rw-r--r--ferm/ferm.conf202
2 files changed, 206 insertions, 0 deletions
diff --git a/ferm/config.d/example b/ferm/config.d/example
new file mode 100644
index 0000000..4c3c9f1
--- /dev/null
+++ b/ferm/config.d/example
@@ -0,0 +1,4 @@
+
+@def $NET_DMZ = 12.168.5.5/24;
+
+
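Review bot: The example network `12.168.5.5/24` has host bits set below the /24 mask and sits in a public prefix rather than an RFC 1918 range; since config.d/ is meant for site-local definitions, `@def $NET_DMZ = 192.168.5.0/24;` looks like what was intended, and an aligned network address avoids iptables silently normalising it. `$NET_DMZ` is also not referenced anywhere in the ferm.conf added by this commit, so a one-line comment in the example saying it is a placeholder for local rules (e.g. in local.d/) would save the next reader from looking for its consumer. Presumably the file is included via `@include 'config.d/';` in ferm.conf, which is outside this hunk.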
diff --git a/ferm/ferm.conf b/ferm/ferm.conf
new file mode 100644
index 0000000..6b30039
--- /dev/null
+++ b/ferm/ferm.conf
@@ -0,0 +1,202 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+# host
+@def $IP_WAN = 176.31.123.109;
+@def $DEV_WAN = eth0;
+
+# guests : virtual machines
+@def $NET_VMS = 178.33.6.208/28;
+@def $DEV_VMS = vmbr1;
+@def $NET_VMS_PRIVATE = 192.168.0.0/16;
+@def $DEV_VMS_PRIVATE = venet0;
+
+# whitelisted services = IP and port knocking
+@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
+@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);
+@def $KNOCK1 = 100;
+@def $KNOCK2 = 200;
+@def $KNOCK3 = 301;
+
+# WAN services
+@def $DNS_ON_WAN = 1;
+@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
+@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
+@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)
+
+# global VMS services
+@def $WEB_ON_VMS = (80 443);
+@def $WHITELIST_VMS = (ssh);
+
+# supervision servers (munin, nagios)
+@def $SUPERVISORS = (212.85.154.22 88.190.46.145);
+
+@include 'config.d/';
+@include 'pre.d/';
+
+# $VMS = 1 if there are VMs with public IPs
+@def $VMS = 0;
+@if $NET_VMS @if $DEV_VMS @def $VMS = 1;
+# $VMS = 1 if there are VMs with private IPs
+@def $VMS_PRIVATE = 0;
+@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;
+
+# output some debug informations
+@hook pre "# (c) entr'ouvert";
+@hook post "# VMS = $VMS";
+@hook post "# VMS_PRIVATE = $VMS_PRIVATE";
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # allow all local traffic
+ interface lo ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # accept ping request
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # local services
+ interface $DEV_WAN daddr $IP_WAN mod state state NEW {
+ # DNS requests
+ @if $DNS_ON_WAN proto (udp tcp) dport 53
+ mod comment comment "DNS on WAN"
+ ACCEPT;
+ # Web
+ @if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN
+ mod comment comment "Web on WAN"
+ ACCEPT;
+ # Mail
+ @if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN
+ mod comment comment "Mail services on WAN"
+ ACCEPT;
+ # munin & nagios
+ @if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666)
+ mod comment comment "Munin&Nagios on WAN"
+ ACCEPT;
+ # allow connections (SSH, proxmox, etc.) from whitelisted IPs
+ proto tcp mod multiport destination-ports $WHITELIST_WAN
+ jump whitelist;
+ }
+
+ # port knocking interception
+ interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+
+ # allow all local traffic
+ interface lo ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ proto tcp mod multiport destination-ports (53 22 80 443)
+ mod state state NEW
+ ACCEPT;
+ proto udp dport 53
+ mod state state NEW
+ ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+ }
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # accept ping request
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # from VMS to Internet: ssh, web, dns, ping
+ outerface $DEV_WAN {
+ proto tcp mod multiport destination-ports (53 22 80 443)
+ mod state state NEW
+ ACCEPT;
+ proto udp dport 53
+ mod state state NEW
+ ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+ }
+
+ # Web on VMs
+ @if $WEB_ON_VMS
+ protocol tcp
+ mod comment comment "Web on VMs"
+ mod multiport destination-ports $WEB_ON_VMS
+ mod state state NEW {
+ @if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
+ @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
+ }
+
+ # private VMs
+ @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
+ # connections (SSH, etc.) from host
+ @if $WHITELIST_VMS interface $DEV_WAN protocol tcp
+ mod multiport destination-ports $WHITELIST_VMS
+ mod state state NEW
+ ACCEPT;
+ }
+
+ # public VMs
+ @if $VMS daddr $NET_VMS outerface $DEV_VMS {
+ # nagios
+ @if $SUPERVISORS saddr $SUPERVISORS
+ protocol tcp
+ mod multiport destination-ports (4949 5666)
+ mod state state NEW
+ mod comment comment "Munin&Nagios on VMs"
+ ACCEPT;
+ # connections (SSH, etc.) from whitelisted IPs
+ # + port knocking
+ @if $WHITELIST_VMS protocol tcp {
+ mod multiport destination-ports $WHITELIST_VMS
+ mod state state NEW jump whitelist;
+ jump knock;
+ }
+ }
+
+ }
+
+ # accept from EO & port-knock source IP
+ chain whitelist {
+ saddr $WHITELIST_IPS ACCEPT;
+ mod recent rcheck name "knock3" seconds 15 ACCEPT;
+ }
+
+ # port knocking (add IP in the whitelist for 15 seconds)
+ chain knock {
+ protocol tcp {
+ dport $KNOCK1 mod recent set name "knock1" NOP;
+ dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
+ mod recent name "knock1" remove NOP;
+ mod recent name "knock2" set NOP;
+ }
+ dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
+ mod recent name "knock2" remove NOP;
+ mod recent name "knock3" set NOP;
+ }
+ }
+ }
+
+}
+
+# SNAT for private VMs
+@if $VMS_PRIVATE table nat chain POSTROUTING
+ saddr $NET_VMS_PRIVATE
+ outerface $DEV_WAN
+ SNAT to $IP_WAN;
+
+@include 'local.d/';
+@include 'post.d/';
+
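Review bot: The `mod recent` lists "knock1"/"knock2"/"knock3" are global per name, and chain `knock` is jumped from both INPUT (`interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;`) and FORWARD for public VMs (`jump knock;` inside the `@if $WHITELIST_VMS protocol tcp { … }` block), while chain `whitelist` is reached from both INPUT and FORWARD as well; as written, a knock sequence sent to any public VM address also opens the host's `$WHITELIST_WAN` ports for that source for 15 seconds, and a sequence sent to the host opens `$WHITELIST_VMS` on every VM. If that coupling is not intended, give the FORWARD path its own recent-list names (for example a second pair of chains using "knock1_vms"… and a `whitelist_vms` that does `rcheck name "knock3_vms"`), or restrict the FORWARD `jump knock` to the knock ports only; either way a comment above chain `knock` should state that the lists are shared between INPUT and FORWARD. Separately, `$EO_WHITELIST_IPS` is produced by running `bash -c '. /etc/firewall/default_eo ; …'` at ferm load time, so that file's contents become firewall rule data and its ownership and permissions deserve the same protection as ferm.conf itself, and if it is missing or `WHITELIST_EO` is empty the `saddr $WHITELIST_IPS ACCEPT;` rule in chain `whitelist` is either dropped or rejected by ferm — I am not certain which, so it is worth testing with `ferm --noexec` and documenting the expected behaviour next to the `@def`. Minor: the comment above `@def $VMS_PRIVATE = 0;` reads `# $VMS = 1 if there are VMs with private IPs` and should say `$VMS_PRIVATE`; and OUTPUT with `policy DROP` only permits new TCP to 53/22/80/443 and UDP 53, so if this host relays the mail it accepts on 25/587 it will be unable to deliver outbound — a comment stating that outbound SMTP is deliberately blocked (or an extra port in that list) would make the intent clear.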