Hardware Firewall for Home

If none of the specific sub-forums seem right for your thread, ask here.
coppolino97
Posts: 116
Joined: 2018-06-05 15:23
Location: Italy
Has thanked: 2 times

Hardware Firewall for Home

#1 Post by coppolino97 »

Hi all,
I would like to improve the security of my home network and install a hardware firewall.
I have experience with Fortinet firewalls at work, but I would like to use an open source firewall at home.

Through the firewall I would like to create policies that use both hostnames and TCP/UDP ports.

For example, my NAS only needs to reach the QNAP cloud to download firmware updates.
I can easily solve this by using domains inside my firewall policy.
Unfortunately I have read that iptables does not support hostnames within firewall policies.

For the rest of the LAN I would like to allow only HTTP, HTTPS, DNS, NTP and SMTP outbound traffic. This I can easily solve with iptables.

I have also thought of using OpenWRT on a router to manage the firewall too. Can I use hostnames with the OpenWRT firewall?

In your opinion, what is the best solution?
Lenovo T460 | 8Gbyte of RAM | Intel core i5 | SSD 250GB | Debian 12

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Hardware Firewall for Home

#2 Post by p.H »

What do you mean exactly by "use hostnames"?

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: Hardware Firewall for Home

#3 Post by reinob »

p.H wrote: What do you mean exactly by "use hostnames"?

I guess he means "as opposed to IP addresses".

If the OP implements the firewall together with the DHCP server (e.g. using OpenWRT) then he can have it all..

coppolino97
Posts: 116
Joined: 2018-06-05 15:23
Location: Italy
Has thanked: 2 times

Re: Hardware Firewall for Home

#4 Post by coppolino97 »

Hi,
thanks for your reply!
p.H wrote: What do you mean exactly by "use hostnames"?

In my policy I do not use an IP address as "destination" but a "domain". It is very common to use this function in commercial firewalls such as Fortinet or Palo Alto :)

For example

Code:

    source-port: LAN
    destination-port: WAN
    source: 10.0.0.0/24
    destination: www.website.com
    action: deny
    port: HTTP

I hope to be clear!

reinob wrote: If the OP implements the firewall together with the DHCP server (e.g. using OpenWRT) then he can have it all..

Sorry.. What is OP?

Thanks!
Lenovo T460 | 8Gbyte of RAM | Intel core i5 | SSD 250GB | Debian 12

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Hardware Firewall for Home

#5 Post by p.H »

OP = Original Poster (you) or Original Post.

iptables is a packet filter. It operates mostly on packet headers of the link, network (i.e. IP) and transport (TCP, UDP...) layers. There is no hostname in these packet headers. Hostnames appear only in upper layer protocols such as DNS, HTTP...

A hostname can be used instead of an IP address when creating an iptables rule, but it is immediately resolved and converted into the associated IP addresses, with the following drawbacks:
- the rule must be updated if the IP address associated with the hostname changes; this won't happen automatically
- the rule matches any other hostname associated with the same IP address (e.g. shared hosting).

Hostname filtering may be done by matching arbitrary strings in packet payload with the "string" match, but it is not very reliable; it may cause false negatives (if the searched string is encoded, or fragmented among two packets) or false positives (if the string appears in regular data). It is best done with a proxy.
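The first drawback p.H describes (a hostname is resolved once, at rule insertion) is usually worked around by re-resolving on a timer and feeding the addresses into an ipset that the iptables rule references by name. The script below is an added example, not code from the thread or from any of the tools mentioned; the set name `nas-allow`, the `.invalid` hostname and the addresses are constructed.

```python
"""Added example (not from the thread): keep a hostname-based allow-list fresh.

iptables resolves a hostname once, when the rule is inserted, so the rule goes
stale when the address changes. Re-resolving periodically and swapping the result
into an ipset avoids that; the iptables rule then only names the set, e.g.
  iptables -A FORWARD -s 192.168.1.20 -m set --match-set nas-allow dst -j ACCEPT
The second drawback (other names sharing the same IP) remains: an IP match cannot
tell them apart.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def resolve_all(hostname: str) -> Set[str]:
    """Every IPv4 address currently published for hostname (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def build_set(hostnames: Iterable[str], resolver: Resolver = resolve_all) -> Dict[str, Set[str]]:
    """Map each hostname to the address set it resolves to right now."""
    return {h: resolver(h) for h in hostnames}


def diff_sets(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per hostname, addresses that appeared ('added') or vanished ('removed')."""
    changes = {}
    for host in set(old) | set(new):
        before, after = old.get(host, set()), new.get(host, set())
        if before != after:
            changes[host] = {"added": after - before, "removed": before - after}
    return changes


def ipset_commands(setname: str, resolved: Dict[str, Set[str]]) -> List[str]:
    """Shell lines that build the new list aside and swap it in atomically."""
    tmp = f"{setname}-new"
    lines = [f"ipset create {setname} hash:ip -exist",
             f"ipset create {tmp} hash:ip -exist", f"ipset flush {tmp}"]
    for host in sorted(resolved):
        for ip in sorted(resolved[host]):
            lines.append(f"ipset add {tmp} {ip} -exist  # {host}")
    return lines + [f"ipset swap {tmp} {setname}", f"ipset destroy {tmp}"]


# Constructed answers standing in for two successive lookups of the NAS update host.
FIRST = {"update.example-nas.invalid": {"203.0.113.10", "203.0.113.11"}}
SECOND = {"update.example-nas.invalid": {"203.0.113.11", "203.0.113.12"}}
```

Run `build_set` from cron or a systemd timer, compare with the previous result using `diff_sets` to log changes, and pipe `ipset_commands` to the shell; the iptables rule itself never needs to be touched.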

coppolino97
Posts: 116
Joined: 2018-06-05 15:23
Location: Italy
Has thanked: 2 times

Re: Hardware Firewall for Home

#6 Post by coppolino97 »

Thanks so much for your reply.
In fact FortiGate or Palo Alto are firewalls that work on all 7 layers (application firewall).

Is there a way to "join" iptables firewall with proxy?
For example, I would like host 192.168.1.10 to be able to reach only http://www.linux.com
Is it possible with firewall and proxy?

I can do it with a layer 7 firewall, not a layer 3 firewall such as iptables. Right?

Is there any similar solution in Linux?
Thanks so much!
:D
Lenovo T460 | 8Gbyte of RAM | Intel core i5 | SSD 250GB | Debian 12

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: Hardware Firewall for Home

#7 Post by reinob »

coppolino97 wrote: Thanks so much for your reply.
In fact FortiGate or Palo Alto are firewalls that work on all 7 layers (application firewall).

Is there a way to "join" iptables firewall with proxy?
For example, I would like host 192.168.1.10 to be able to reach only http://www.linux.com
Is it possible with firewall and proxy?

I can do it with a layer 7 firewall, not a layer 3 firewall such as iptables. Right?

Is there any similar solution in Linux?
Thanks so much!
:D

If you want to filter based on the URL given by the user/browser, then you need a proxy (layer 7).

Otherwise, by the time the request has reached the firewall, the domain/URL will already have been resolved, by the client (browser), to an IP address, so that's all your firewall will ever see (OK, SNI too, but then you need to inspect the contents of the packets and I don't know if you want to go that far..)

So your "level 7 firewall" is in fact a proxy server, and for Linux there are dozens, squid being a very well known option.

(at the beginning I thought you wanted the firewall (not proxy) to filter based on the hostname of the incoming packets, i.e. the name of your computers in your local network, which would require using DNS and/or handling DHCP yourself, e.g. using dnsmasq).

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Hardware Firewall for Home

#8 Post by p.H »

coppolino97 wrote: Is there a way to "join" iptables firewall with proxy?

If the client supports it, you can configure it to use a filtering proxy and block direct traffic.

iptables and squid (maybe others) can also be combined to make a transparent HTTP filtering proxy. But it does not work with HTTPS unless the client accepts the proxy's certificate for any destination (man in the middle).

You can also filter hostnames at the DNS resolution level by using a DNS proxy. But it won't work if the client does not use DNS resolution, e.g. if it uses hardcoded IP addresses.
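The DNS-level filtering p.H mentions comes down to one decision per query: parse the question name out of the client's plaintext port-53 request and check it against that client's policy before forwarding. Below is an added example of that decision logic, not code from the thread or from any DNS proxy; the policy table, the client addresses and the helper that constructs queries are all made up for the demonstration, and the allowed domain for 192.168.1.10 is the one from post #6.

```python
"""Added example (not from the thread): decision logic of a filtering DNS proxy.

The proxy sees each plaintext port-53 query from the LAN and applies per-client
hostname policy before forwarding. As p.H notes, it only helps if the firewall
also forces LAN DNS through it; a client using hardcoded IPs never asks at all.
"""
from typing import Dict, Optional, Tuple

# Constructed policy: client -> domains (and their subdomains) it may resolve.
# Clients not listed are unrestricted; a listed client with an empty tuple gets nothing.
POLICY: Dict[str, Tuple[str, ...]] = {
    "192.168.1.10": ("www.linux.com",),   # the host and site from post #6
}


def parse_qname(query: bytes) -> Optional[str]:
    """Question name from a DNS query in wire format (RFC 1035 4.1.2), or None if malformed."""
    if len(query) < 12:
        return None
    labels, pos = [], 12           # the question starts right after the 12-byte header
    while pos < len(query):
        length = query[pos]
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0:          # compression pointer or label > 63: invalid in a question
            return None
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None                    # ran off the end: truncated name


def allowed(client_ip: str, qname: str) -> bool:
    """True if client_ip may resolve qname: exact match or subdomain of a policy entry."""
    if client_ip not in POLICY:
        return True
    return any(qname == d or qname.endswith("." + d) for d in POLICY[client_ip])


def decide(client_ip: str, query: bytes) -> str:
    """'forward' upstream, 'refuse' (answer REFUSED) or 'drop' (malformed, forward nothing)."""
    qname = parse_qname(query)
    if qname is None:
        return "drop"
    return "forward" if allowed(client_ip, qname) else "refuse"


def build_query(name: str) -> bytes:
    """Constructed helper: minimal A/IN query for name (id 0x1234, RD set, QDCOUNT 1)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return header + qname + b"\x00\x00\x01\x00\x01"
```

Note the suffix test is anchored on a leading dot, so `evil-www.linux.com` does not match `www.linux.com`; matching on a bare `endswith` would be a classic allow-list bypass.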

coppolino97
Posts: 116
Joined: 2018-06-05 15:23
Location: Italy
Has thanked: 2 times

Re: Hardware Firewall for Home

#9 Post by coppolino97 »

p.H wrote: iptables and squid (maybe others) can also be combined to make a transparent HTTP filtering proxy. But it does not work with HTTPS unless the client accepts the proxy's certificate for any destination (man in the middle).

Very good idea, but for home use it is too expensive at the moment, in my opinion.

DNS resolution is a good idea. Are you talking about using dnsmasq with a blacklist?

Thanks!
Lenovo T460 | 8Gbyte of RAM | Intel core i5 | SSD 250GB | Debian 12

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Hardware Firewall for Home

#10 Post by p.H »

I am not talking about any specific implementation. I don't know about dnsmasq blacklist.

Note that DNS filtering can be bypassed if the client uses some encrypted variant of DNS (DNS over HTTPS, DNS over TLS, DNSCrypt, DNSCurve...) to query an external DNS server directly.

coppolino97
Posts: 116
Joined: 2018-06-05 15:23
Location: Italy
Has thanked: 2 times

Re: Hardware Firewall for Home

#11 Post by coppolino97 »

Hi,
p.H wrote: Note that DNS filtering can be bypassed if the client uses some encrypted variant of DNS (DNS over HTTPS, DNS over TLS, DNSCrypt, DNSCurve...) to query an external DNS server directly.

Thanks for these suggestions.

I just want to improve the security of my home network, so I am not looking for a very complex solution at the moment.
I will start with iptables and DNS filtering for now.

Thanks so much!
Federico
Lenovo T460 | 8Gbyte of RAM | Intel core i5 | SSD 250GB | Debian 12
