I asked about this at the meeting last week, but nobody present was familiar with ipfilter, so I thought I'd ask here in hopes of finding a Solaris and/or Mac guru familiar with firewall configuration on these platforms...
I've been using the Linux kernel's Netfilter/iptables configuration for some time now, to handle firewalling for each of our Internet-connected Linux hosts, and I'd like to do the same for our Solaris and Mac OS X hosts as well. I've found some reasonable tutorials and FAQs online to help with the basic setup, but I'm stuck with a few issues surrounding connection tracking.
With iptables, you can load kernel modules to do connection tracking that is application-layer-specific. I use 3 such modules:
- ip_conntrack_amanda, to handle Amanda backup requests
- ip_conntrack_ftp, to support FTP server data connections
- ip_conntrack_netbios_ns, to support NetBIOS name services (e.g. in Samba)
I haven't found an equivalent mechanism in either ipfilter or ipfw to allow for this, and their state-table mechanisms aren't powerful enough. For example, for NetBIOS name services, the request goes out as a broadcast, but replies come back directly, so they don't match the state of the requests. (I can work around this by allowing all NMB replies from the local net, but this is uglier.)
Amanda backup support is even trickier, for two reasons: First of all, replies to requests can come back much later, after the state table entries will have expired (whereas with ip_conntrack_amanda, you can set a longer delay if needed), and secondly, there will be related, follow-up connections on other ports, which need to be tracked. (Again, I can work around this by allowing replies from the amanda port for hosts on the local net, using a separate rule, as well as opening up entire ranges of other ports for the local net. Again, this is uglier.)
Supporting an FTP server is even more problematic, particularly if I want to open it up to connections from outside of the local net, without opening up an entire port range to the outside world as well.
Any suggestions for clean, secure ways to implement firewall support for these services using ipfilter or ipfw?
Gilbert E. Detillieux wrote:
Any suggestions for clean, secure ways to implement firewall support for these services using ipfilter or ipfw?
For Mac OS X, using ipfw in combination with the Application Firewall may accomplish some of what you want: http://support.apple.com/kb/HT1810
There is also a GUI frontend for ipfw on Mac OS X, don't know if it's any good - http://www.hanynet.com/waterroof
For Solaris, I don't know, I'm afraid, I guess you found the FAQ? http://www.phildev.net/ipf/long.html
Peter
On 2009-01-20 19:15, Peter O'Gorman wrote:
I'm working on Mac OS X Server, which doesn't have the Application Firewall (under System Preferences/Security), but instead has a rather nice Firewall GUI front-end to ipfw, under the Server Admin app.
However, this does not provide the functionality I'm looking for. It did make the basic ipfw setup much easier, though. (Only needed a couple of manual-override rules that I couldn't set up through the GUI.)
There is also a GUI frontend for ipfw on Mac OS X, don't know if it's any good - http://www.hanynet.com/waterroof
I had heard of this, but I haven't tried it. It looks like an alternative to what's provided in Server Admin. (Perhaps it would be more useful under the non-Server versions of Mac OS X.)
For Solaris, I don't know, I'm afraid, I guess you found the FAQ? http://www.phildev.net/ipf/long.html
Looked through that FAQ already, as well as the IPF Howto it references. Their solution to the passive FTP server problem is to open up a port range in the firewall, and configure the FTP server to use that port range for passive data transfers.
I was hoping for a better solution, including one that would work for Amanda backups as well, using connection tracking. However, it looks like the open port range solution is the best I can hope for right now.
Anyway, thanks for your reply.
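The port-range approach described above (open a fixed passive range in the firewall and configure the FTP server to use the same range), as an added example that is not part of this thread: one script emits the ipfw rules, the ipfilter rules and the server-side settings from a single range, so the two sides cannot drift apart. Rule numbers, the interface name and the vsftpd-style option names are assumptions.

```shell
#!/bin/sh
# Constructed example: emit matching firewall rules and FTP server settings for
# a passive-mode FTP server confined to one data-port range. The surrounding
# default-deny policy on each host is assumed to exist already.

# True if $1 is an unprivileged TCP port (1024-65535).
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Reject anything but a sane ascending range; callers print nothing on failure.
check_range() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ] ||
        { echo "bad passive range '$1-$2'" >&2; return 1; }
}

# ipfw (Mac OS X): stateful rules for the control port and the data range only.
# Usage: passive_ftp_ipfw_rules 50000 50100 > /tmp/ftp.rules; ipfw /tmp/ftp.rules
passive_ftp_ipfw_rules() {
    check_range "$1" "$2" || return 1
    echo "add 1000 check-state"                 # match already-tracked flows first
    echo "add 1010 allow tcp from any to me 21 in setup keep-state"
    echo "add 1020 allow tcp from any to me $1-$2 in setup keep-state"
}

# ipfilter (Solaris): same policy; ipf's '><' excludes both ends of the range.
# Usage: passive_ftp_ipf_rules bge0 50000 50100 > /tmp/ipf.conf; ipf -Fa -f /tmp/ipf.conf
passive_ftp_ipf_rules() {
    check_range "$2" "$3" || return 1
    echo "pass in quick on $1 proto tcp from any to any port = 21 flags S keep state"
    echo "pass in quick on $1 proto tcp from any to any port $(($2 - 1)) >< $(($3 + 1)) flags S keep state"
}

# Matching server-side settings (vsftpd option names, assumed; other daemons differ).
passive_ftp_server_config() {
    check_range "$1" "$2" || return 1
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}
```

Keep the range small: every port in it is reachable from outside for new connections, so it should be no wider than the number of concurrent passive transfers the server must support.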
Gilbert E. Detillieux wrote:
You could try asking on Apple's macos-x-server list, but I think you may be out of luck.
http://lists.apple.com/mailman/listinfo/macos-x-server
Peter
On 2009-01-21 13:36, Peter O'Gorman wrote:
I didn't bother to subscribe to the list and ask, but I did search the online archive. I found lots of discussion (much of it repetitive and sometimes degenerating toward infantile) about the passive FTP problem, but the only practical solution with ipfw seems to be to open up a range of ports.
There was no discussion about the similar problem with Amanda backups, but I'm assuming a similar solution would be the best I could hope for.