requesting feedback on my CORPORATE firewall howto

Off-Topic discussions about science, technology, and non Debian specific topics.
drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#41 Post by drokmed »

Okay folks,

MAJOR UPDATE:

I just posted the draft of the SQUEEZE updated version of this training doc:

http://www.abazaba.org

Squeeze will go stable soon, how soon? I don't know, but I'm thinking maybe another month or so. That doesn't give me much time to finish filling in some of the many details I've added to this document.

This training guide went from 30 pages to 74. Tons of useful information added. More to come.

I welcome feedback.
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

codge
Posts: 207
Joined: 2008-03-22 17:35

Re: requesting feedback on my CORPORATE firewall howto

#42 Post by codge »

Once again you've done a cracking job! I hope you continue to update this howto as Debian progresses, as it sets the standards that people should follow when setting up a firewall. Very well written.

regards

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#43 Post by drokmed »

Thanks man, very kind of you
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

steveeflypg
Posts: 4
Joined: 2009-09-10 10:07
Location: UK

Re: requesting feedback on my CORPORATE firewall howto

#44 Post by steveeflypg »

Hi Drokmed
Only 1/2 way through the latest draft but excellent job!!
That's clarity encapsulated in an easy read! Nice one.
Tidy visual layout too..
No healthy criticisms really - only saw a couple of typos, and a sentence/paragraph discontinuity so far (probably me - it was 1.30am..), nothing that an auto spell check and an English class with Stephen Fry won't fix! haha.. (you probably don't know who he is eh? Dr House's old Cambridge "chum" in real life)
Will get back to you on the rest soon.
I have also got a lot of varied Linux Admin and Network info up on my site now:
http://www.stevepedwards.com
including a lot of research and links from my Uni Project, originally based on your document, as you know, that is included in the Appendix that may help some people who wish for further reading.
One area you mentioned "in passing" that I would be interested in you expanding on and explaining further (yeah I know - what? you haven´t done enough already?! Jeez..), is server "hardening guidelines"..maybe a link there at least would be good? - to learn more on these principles, or maybe a check list approach?

1: Is server encased in kryptonite?
2: Is UPS nuclear powered?
3: Is site documentation chiselled in stone and proof read by Moses..etc, etc.. ?

take it easy
S

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#45 Post by drokmed »

Hi Steve,

Thanks for the critique. I look forward to hearing more of your input. I'm a big House fan, didn't know Stephen Fry though. I'm checking out your website, looks like you've added some things since I checked it last. Tons of stuff!

Thanks for the hardening suggestion, I do have notes to add hardening info at the end of the document, haven't typed up my notes yet. I'm still light on that part though, need more meat. I'm definitely open to your suggestions.

Cheers
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.
Been thanked: 3 times

Re: requesting feedback on my CORPORATE firewall howto

#46 Post by Absent Minded »

Drokmed my friend!! This is totally awesome and I thought that your other work was but this completely blows me away. Not to mention that even on my crappy home setup the formatting is splendid, clear and looks completely perfect to me. That said, I haven't even gotten very far. Things being what they are here I keep having to take care of this or that and not much time to myself to sit and read. Still, if the small bit I have read and seen is any indication of the rest of your work here, man it is really something. I kid you not.

I hope to have other input for you but so far I haven't seen anything I would change if I could.

Awesome Job. I even sent a copy to my brother to read as the network of schools he admins could really make use of this. Anyway, he has very little time but I know he is always looking for things to lessen his work load.. On salary and working 50+ of course a week.
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012

spilikin
Posts: 1
Joined: 2010-10-28 21:44

Re: requesting feedback on my CORPORATE firewall howto

#47 Post by spilikin »

Hi,

First, you have a very well written howto. I've been a linux user for quite some time, but am now getting around to setting up a firewall for my home network. I'm running a fresh squeeze install with a DSL static IP address, dual nic and a local network 192.158.5.x behind it. I've followed the howto to the letter (except for replacing my .5. network for your .1.). Everything works flawlessly until I get to section 6.3.3.2 Test Squid Transparently.

In this step, I reset my browser so as not to use the proxy settings, and then edit shorewall rules and uncomment the REDIRECT line, check and restart shorewall. However, now when I go to a web page I get the error below (also, see the test for /var/log/squid/access.log). The one thing I have done to make it work is add the "transparent" option to the http_port 192.168.5.1:3128 line in /etc/squid/squid.conf so it reads http_port 192.168.5.1:3128 transparent. However, I am unsure if shorewall is intercepting the traffic and redirecting it to squid. I humbly request your opinion - am I configured for transparent squid access thru shorewall as intended in your howto?

ERROR

The requested URL could not be retrieved

Invalid Request error was encountered while trying to process the request:

GET / HTTP/1.1
Host: www.google.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rememberme=true; PREF=ID=4ce1de8308ae2783:U=8398b580924194db:TM=1270682422:LM=1286237760:GM=1:S=xFkBmHxsgOb2Qcmj; HSID=AtWP4kSe2u56c5rKM; SS=DQAAALYAAAAUfJ7fKCmbNjxkpo_FpJqCMwMUYVzRY_ufFg4EytGrieSx1l4K-QOUWK2Y2kW0ogehbFIUjD7VJ-Od1sk9RXCgQdcoIIbD62v2eVzK-_lNjm_pWDLC4TctDFvNwWqlwfe6mc8Q2jBZOFvGEeR3mWD0H5XmZA38rh_-Xr7fhDWJjVWWcFIElI2AUEsvyoJOPFDPSW2MNz2e7QPuvMBJ9DzfwVouecAUzRO1F8rflJC-ZTVBEgwsnlQQbaHkLXdmPyU; NID=40=nC8uIVCCkvPPckaJYJLRDMVhMGJ__wLP15yD6C7wB1R--gTgVod9c5_YzxjZZv91oXAQLFSunyuNJGWq4fX2dIb7wk0wxC2EGZ8A1ZqXHVcrHr9HUP3gLNyW0cH5FUi1; SID=DQAAALQAAABbQZXk5sNY0bESCr-Su356tSis45szMEILRHej0GmsRCW6ac7vJ9FLK2IJyfPqy1vQKXgW9QI5ilfSJ2eFBUKkKWMPWKIAVdqFO2yomQz975qfVsdjgKvCcadhmGSIvd8WvdbyUE1eVqhdIFR4U7FfH-Zv-QlTojW3lv1F2tBWZgqEOvdOsNPhd99xRTIjpq7wwclS5n71L_-DJaZR22icMbviFxlfODqZsX-249akn7tStYmaQB2qYltzDFD6BL4

Some possible problems are:

Missing or unknown request method.

Missing URL.

Missing HTTP Identifier (HTTP/1.0).

Request is too large.

Content-Length missing for POST or PUT requests.

Illegal character in hostname; underscores are not allowed.

HTTP/1.1 Expect: feature is being asked from an HTTP/1.0 software.

Your cache administrator is linuxadmin.


Generated Wed, 27 Oct 2010 03:52:14 GMT by cartman.xxxx.xxx (squid/2.7.STABLE9)

root@cartman:/home/chad# tail /var/log/squid/access.log

1288151543.374 0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
1288151544.865 0 192.168.5.20 TCP_DENIED/400 4349 GET NONE:// - NONE/- text/html
1288151551.263 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html
1288151551.263 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151566.265 0 192.168.5.20 TCP_DENIED/400 2967 GET NONE:// - NONE/- text/html
1288151566.265 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151581.267 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html
1288151581.267 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151596.269 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151596.270 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#48 Post by drokmed »

Hi,
spilikin wrote:First, you have a very well written howto. I've been a linux user for quite some time, but am now getting around to setting up a firewall for my home network. I'm running a fresh squeeze install with a DSL static IP address, dual nic and a local network 192.158.5.x behind it. I've followed the howto to the letter (except for replacing my .5. network for your .1.). Everything works flawlessly until I get to section 6.3.3.2 Test Squid Transparently.
Glad to hear somebody is trying this document :) Thanks for the feedback.
spilikin wrote:In this step, I reset my browser so as not to use the proxy settings, and then edit shorewall rules and uncomment the REDIRECT line, check and restart shorewall. However, now when I go to a web page I get the error below (also, see the test for /var/log/squid/access.log). The one thing I have done to make it work is add the "transparent" option to the http_port 192.168.5.1:3128 line in /etc/squid/squid.conf so it reads http_port 192.168.5.1:3128 transparent.
Thanks, I forgot to add the "transparent" to that section, will do.
spilikin wrote:However, I am unsure if shorewall is intercepting the traffic and redirecting it to squid. I humbly request your opinion - am I configured for transparent squid access thru shorewall as intended in your howto?
I can see from what you posted that shorewall is working perfectly. If the problem was shorewall, nothing would show up in the squid log. Shorewall is forwarding it, but squid is rejecting it. By the way, thanks for posting the squid log, that provides the answer.

Squid is rejecting it. That web page you get is generated from the squid service running on your firewall:
spilikin wrote:Your cache administrator is linuxadmin.
Generated Wed, 27 Oct 2010 03:52:14 GMT by xxxxx.xxxx.xxx (squid/2.7.STABLE9)
Squid is rejecting it, because it doesn't like the IP address:
spilikin wrote:1288151543.374 0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
We need to tell squid to allow requests from 192.168.5.20 (and any other pc's on the local lan).

Your squid acl's need to allow pc's from the local lan to talk to it directly.

In your /etc/squid/squid.conf file, make sure you have both the define and the allow for "localnet" enabled, and put them before the "deny all" line; your acl's need this:

acl localnet src 192.168.5.0/24
http_access allow localnet
http_access deny all
That should do it. Restart squid.

Keep in mind, later, when you enable dansguardian, you will have to take out the "transparent" option in squid (I'll add that to the guide). You will have to take out the 5.1 ip too, since dansguardian runs on 127.0.0.1.

You have nearly caught up to me in the how-to. I enjoyed some vacation time, and haven't gotten back to finishing this draft document. I guess it's time to dive back in.

Thank you for posting this issue. You have helped me identify an omission from the guide that I probably wouldn't have noticed.

Cheers
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here
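As an added illustration of the two fixes in this post (this is example code written for this thread, not code from the howto or from the Squid project), the Python script below checks a constructed squid.conf fragment for the "transparent" option on http_port and for an "http_access allow localnet" rule that sits before "http_access deny all", and summarises constructed access.log lines in the same native format as the TCP_DENIED/400 lines quoted above. The LAN range 192.168.5.0/24, the file contents and the function names are assumptions made for the example.

```python
"""Sanity checks for a transparent Squid setup (added example, not the howto's code).

Parses a squid.conf fragment and Squid 2.7 native access.log lines, both
constructed here, and reports the two problems discussed in the thread.
"""
import ipaddress
import re
from collections import Counter

# Constructed squid.conf fragment mirroring the fix given in the post.
SQUID_CONF = """\
http_port 192.168.5.1:3128 transparent
acl localnet src 192.168.5.0/24
acl all src all
http_access allow localnet
http_access deny all
"""

# Constructed "before" fragment: no transparent option, no localnet rule.
BROKEN_CONF = """\
http_port 192.168.5.1:3128
acl all src all
http_access deny all
"""

# Constructed access.log lines in the same shape as the ones in the post.
ACCESS_LOG = """\
1288151543.374 0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
1288151544.865 0 192.168.5.20 TCP_DENIED/400 4349 GET NONE:// - NONE/- text/html
1288151600.001 12 192.168.5.20 TCP_MISS/200 5120 GET http://www.debian.org/ - DIRECT/128.31.0.62 text/html
"""

LOG_RE = re.compile(r'^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+'
                    r'(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
                    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+'
                    r'(?P<hier>\S+)\s+(?P<type>\S+)')


def parse_squid_conf(text):
    """Return (http_ports, acls, http_access) from a squid.conf body.
    http_ports: [(listen_spec, [options])], acls: {name: [(type, value)]},
    http_access: ordered [(action, [acl names])]; comments are ignored."""
    ports, acls, access = [], {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'http_port' and len(parts) >= 2:
            ports.append((parts[1], parts[2:]))
        elif parts[0] == 'acl' and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], ' '.join(parts[3:])))
        elif parts[0] == 'http_access' and len(parts) >= 3:
            access.append((parts[1], parts[2:]))
    return ports, acls, access


def _covers(value, lan):
    """True if an acl src value (CIDR) contains the LAN network."""
    try:
        return lan.subnet_of(ipaddress.ip_network(value, strict=False))
    except ValueError:  # e.g. 'all', hostnames: not a CIDR, so not a match
        return False


def check_transparent_config(text, lan_cidr='192.168.5.0/24'):
    """Return a list of problems; an empty list means the config matches the fix."""
    problems = []
    ports, acls, access = parse_squid_conf(text)
    if not ports:
        problems.append('no http_port directive')
    for spec, opts in ports:
        if 'transparent' not in opts:
            problems.append(f'http_port {spec} lacks the transparent option')
    lan = ipaddress.ip_network(lan_cidr)
    lan_acls = [name for name, defs in acls.items()
                if any(t == 'src' and _covers(v, lan) for t, v in defs)]
    if not lan_acls:
        problems.append(f'no src acl covers {lan_cidr}')
    # Squid applies the first matching http_access line, so order decides.
    first_allow = next((i for i, (act, names) in enumerate(access)
                        if act == 'allow' and set(names) & set(lan_acls)), None)
    first_deny_all = next((i for i, (act, names) in enumerate(access)
                           if act == 'deny' and names == ['all']), None)
    if first_allow is None:
        problems.append('no http_access allow rule for the LAN acl')
    elif first_deny_all is not None and first_deny_all < first_allow:
        problems.append("'http_access deny all' precedes the LAN allow rule")
    return problems


def summarize_access_log(text):
    """Count (client, result code, status) and flag the symptom from the post:
    TCP_DENIED/400 with URL NONE://, a request Squid rejected without a URL."""
    counts, rejected = Counter(), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        counts[(m['client'], m['code'], m['status'])] += 1
        if m['code'] == 'TCP_DENIED' and m['status'] == '400' and m['url'].startswith('NONE://'):
            rejected.append((m['client'], m['ts']))
    return counts, rejected


if __name__ == '__main__':
    for label, conf in (('fixed', SQUID_CONF), ('broken', BROKEN_CONF)):
        print(label, 'config:', check_transparent_config(conf) or 'no problems')
    counts, rejected = summarize_access_log(ACCESS_LOG)
    for (client, code, status), n in sorted(counts.items()):
        print(f'{client} {code}/{status}: {n}')
    print('rejected requests without a URL:', len(rejected))
```

Run against a real squid.conf and access.log by reading the files into the two functions; the ordering check is the part worth keeping, since a "deny all" placed above the allow line fails silently with exactly the TCP_DENIED lines shown in the post.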

JohnDeere630
Posts: 632
Joined: 2006-09-02 02:01

Re: requesting feedback on my CORPORATE firewall howto

#49 Post by JohnDeere630 »

Finally got time to check out your how-to & I have only one thing to say: Awesome! I thought, after reading the beginning of it, it would be mostly over my head. Not so, either I am smarter than I look (unlikely) or you have done a superlative job of explaining things. I have read through it twice & will be starting to build it this week. This is just a practice firewall for my home network, but I can see a real use for this for some of my clients. When I get it finished, I'll let you know how it went. I am no network guru, so I look forward to a real learning experience, akin to building my first MythTV server.

Xylock
Posts: 42
Joined: 2007-04-11 13:28

Re: requesting feedback on my CORPORATE firewall howto

#50 Post by Xylock »

Hey dude,

Just checking out your build again, since you've updated it ^^ Just spent like 2 days scouring the internet for the fix re:transparent squid mentioned above >< Wish I'd checked here first!

Hope you're well. Good job!

Neil.
Using rm -rvf * to remove old backups... lazy.
Realising you were in / as root ... priceless.

michaelhillier
Posts: 1
Joined: 2011-02-10 23:18

Re: requesting feedback on my CORPORATE firewall howto

#51 Post by michaelhillier »

I'd like to thank you for your continued efforts on this project. I was first introduced to Debian\Dansguardian\squid a few years back and actually built a filtering system on an old Dell gx150 for my home. I recently found your writings dated June 26, 2008 \ HOWTO: Debian Etch Security Appliance Firewall and have read through it several times as I am preparing to venture into another build project. As I started to research Debian again I found that they recently locked in Squeeze. Thus I was thrust into more researching, which put back my projects. I came across your recent writing dated October 07, 2010 and I am currently reading through it. I hope to start my build within a week or so depending on work\family scheduling.... With that said it's 3:15am and I gotta get in bed.....

All that just to say thanks for your writings......

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

A potential new recruit to abazaba project?

#52 Post by Ahtiga Saraz »

Hullo drokmed, chevy62, ...

I am pretty sure I want to try to build and use a dedicated firewall, despite
  • intended use for tiny home LAN (basically, one PC plus the dedicated firewall machine)
  • no experience installing servers
  • no experience using Debian netinst CD
  • many unanswered questions about installing Debian whilst evading possible MITM attacks on software as being downloaded from the repos, which as I understand it could be a particular concern wrt netinst
  • apparent inability to even install Squeeze desktop system
  • no knowledge of TCP/IP protocols, layers, NAT, DNAT, port forwarding
  • no experience upgrading BIOS
  • no registered domain name
  • no PC outside my LAN but owned/operated by me, for testing the firewall from the outside
On the bright side,
  • my problems installing Squeeze seem to involve X server/KDM problems, so not an issue for abazaba
  • I have used Lenny for two years
  • I have been using iftop, netstat, wireshark, nmap and some of the other mentioned tools on a personal firewall since creation for monitoring two PCs on my LAN
  • I have used Gibson's firewall testing utility for external tests of my existing personal firewall
  • willing to learn/read/study/experiment (ah yes... Wikipedia, the source of all (mis?)-(dis?)-information about security-critical matters...)
I already bought the NIC and am about to buy a second UPS. Then for a used PC.

I have downloaded and studied the pdf documents at the abazaba.com website. I have a few questions:
  • is it possible to build abazaba by installing Debian stable (Squeeze) directly, rather than starting with Etch and upgrading to Lenny, then Squeeze?
  • it seems that the sections requiring knowledge of transport layers, NAT, &c have not yet been written?
  • shouldn't there be a diagram sketching the general network topology? (which device connects to which)
    • commercial stand-alone firewalls have multiple ports where one plugs in ethernet cables leading to PCs on a small home LAN, but an abazaba firewall built on a dedicated budget PC will have only one ethernet port, agreed?
    • as I understand it, in abazaba, PCs on the LAN must have all browsers configured to connect through the firewall rather than venturing onto the web, correct? A sort of "soft" version of plugging the PCs directly into ethernet ports on a commercial stand-alone firewall? Isn't that a security vulnerability?
    • shouldn't the firewall be installed on an encrypted hard disk? (logs on hard disk, high crime neighborhood...you get the idea)
My immediate concern, ironically enough, is that I want to install Squeeze on a 2nd PC while monitoring packets entering/exiting the LAN. I have concerns about the security of the system while it is being installed, since apparently I need to allow the installer to try to grab debs from (I hope!) debian servers before I have taken the initial tripwire snapshot.

How hard/dangerous would it be for me to use my existing Lenny system on 1st PC to try to monitor the LAN while I am trying to install Squeeze on 2nd PC? By installing 2nd NIC on 1st PC and finding/figuring out how to put it in promiscuous mode and use wireshark on 1st PC (maybe while running Backtrack live CD?) to monitor all traffic on the LAN? Since I don't know what I am doing, is it possible that by trying to install the 2nd NIC I could destroy my one working (but not entirely trusted) desktop system?

Since I don't know what I am doing, it might seem that purchasing a commercial stand-alone firewall would make sense. But these seem to be very linux unfriendly, and information about how they do things (and how secure they really are!) is hard to come by. Someone recommended to me the Cisco RVS-4000, but I have been unable to find out
  • how that device does authentication (if password, how does it hash the passwords?)
  • how configurable is their proprietary firewall?
  • was my informant correct in asserting that a Linux user can use network monitoring software out of the box on the RVS 4000 without needing to purchase anything additional?
  • is that monitoring software comparable in performance to iftop/wireshark?
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Bump

#53 Post by Ahtiga Saraz »

@michaelhillier:

Did it work? I too have had a bit of a struggle upgrading from Lenny (oldstable) to Squeeze (the new stable).

@drokmed:

Forgot to add my voice to the chorus of praise for your tutorial! I've learned quite a bit simply from reading it, and am sure I will learn much more from building it. Let's not let this project/thread die!

Forgot to ask: is abazaba secure against the recently disclosed "TCP split handshake" attack?

From the story by Ellen Messmer at Network World:
Some of the most commonly-used firewalls are subject to a hacker exploit that lets an attacker trick a firewall and get into an internal network as a trusted IP connection.

NSS Labs recently tested half a dozen network firewalls to evaluate security weaknesses, and all but one of them was found to be vulnerable to a type of attack called the "TCP Split Handshake Attack" that lets a hacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

New version of drokmed's tutorial

#54 Post by Ahtiga Saraz »

What appears to be a substantially complete version of the Abazaba Squeeze tutorial has appeared at abazaba.org. Thanks, drokmed!

I was looking at old/incomplete versions previously. Now I understand why everyone was so impressed by drokmed's tutorial! Also, to answer one of my own questions above, yes, you need a PC for the gateway/firewall (and a second NIC on hand but not initially installed), a bridge, and a desktop PC or laptop to connect to your LAN. So I need to purchase a bridge.

As a gateway newbie, one point which worried me is that an old PC will probably have only one ethernet port. But a fairly standard setup would be, I think

internet <--> dsl modem <--> commercial gateway <--> commercial switch <--> PC on the LAN
So I guessed the abazaba setup (using an old PC for the gateway) would be more like this:

internet <--> dsl modem <--> switch <---> { gateway
                                          { PC on the LAN
With configuration of each PC on the LAN to ensure (we hope) that everything goes through the gateway? But maybe the second NIC fixes this? So that the correct topology is something like this?

internet <--> dsl modem <--> abazaba gateway <--> commercial switch <--> PC on the LAN
Drokmed, if you are reading this, IMO a helpful addition would be diagrams of typical network topologies for small LANs using an abazaba gateway/firewall, to put in the introduction. Plus clarification of hardware you will need. As I currently understand it, the simplest options would require: old PC, a second NIC on hand, a bridge, and at least one laptop or desktop PC (with windowing e.g. KDE or gnome).
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Some elementary questions

#55 Post by Ahtiga Saraz »

I am trying to build the abazaba firewall, and I have some suggestions/questions regarding the latest (?) edition of the tutorial, so I hope this thread is not dead!

I am studying all the documentation I can find on TCP/IP model, arp, route, but it would be very helpful if I could get some basic questions answered before I proceed further. I am at the stage where I should start configuring the firewall just before installing the second NIC.

I would like to do some things a bit differently from a corporate firewall if possible. I have a dynamic IP from my ISP, and I use a dslmodem/router/firewall to connect to my ISPs gateway, and I use DHCP clients (and I guess a DHCP server somewhere, I hope on the router device, not my ISP) to configure my small LAN.

I want to have a small home LAN with three physical devices
  • the commercial dsl modem/router/firewall (with the junky firewall disabled)
  • abazaba stand-alone firewall/LAN-monitoring PC
  • desktop PC
plus a few peripherals. I understand that when everything is set up, I should have a DHCP server running on the firewall, and a DHCP client running on the desktop PC. I have the impression that it would be a good idea to persuade the DHCP server to assign specific local IP addresses to each device. The commercial dslmodem/router/firewall wants 192.168.0.1, so the path of least resistance might be to aim for configuring (using the DHCP server) 192.160.0.1/24 as my LAN--- does that sound right?

It seems that this dslmodem/router/firewall also wants to assign a particular dnsdomainname--- should I use that for the domain name of my LAN, or should I make up something distinctive? Or does it matter?

In some places drokmed mentions a bridge or hub. Do I need one, or can I use the built-in hub (I think) in the dslmodem/router/firewall device (with firewall disabled)?

I do not plan to offer any public services like a webserver, so I don't see why I should need to pursue dyndns.org. Is this too radical a departure from drokmed's tutorial for a networking beginner?

I understand that if I mess up, packets intended for the local LAN could get onto the WAN, which would be terrible. Is this project too risky for a beginner?

What I really want most is to monitor traffic on my LAN. If I have to give up on building the firewall (drokmed, where are you?!), can I install the second NIC and try to use the 2nd PC as a stand-alone LAN monitor (with one NIC in promiscuous mode)? Or is that a bad idea?

It seems that drokmed may not have visited Debian User Forums since November 2010... I hope that doesn't mean he has lost interest in the abazaba project! Can anyone else here offer any advice?
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#56 Post by drokmed »

Thanks for the PM, I didn't get any email notices there have been posts to this thread.

Wow Ahtiga, lots of stuff you posted, where do I begin?

First, sorry I've been away. Having life difficulties, the company I was working for went under, so I'm unemployed atm. I don't have time to work on the howto. As soon as my life stabilizes, I'll try to pick up this project again.

If you know how to make a cross-over cable (wires 1 & 2 to 3 & 6), you don't have to have an ethernet switch. At home, my dsl box plugs straight into my abazaba firewall pc using a cross-over cable, then a regular cable to a switch, then my LAN pc's also into the switch.

Since you have only one LAN pc at home, you could do:

[dsl modem] <---xover cable---> [abazaba firewall] <-- xover cable---> [lan pc]

That's as basic as it can get for this solution.

As for all of your other inputs, I'm afraid I can't get into all of that right now. You do need to learn more about tcp/ip ports, to better understand the logs, when you monitor your traffic.

Thanks for the kind words! I'm glad my howto is still useful. Now that squeeze has gone stable, I need to get my rear in gear, and finish the draft.

Cheers

edit: yes, install squeeze directly. No GUI. NAT/transport comes into play when you start playing with the redirect filters in the shorewall rules file. You need a minimum of 2 nic's for this firewall. Purchasing a commercial firewall will require you to learn just as much, if not more, so it wouldn't help. I agree diagrams would be nice, it's on my list of things to do :) dyndns is optional, only needed if you will offer services on the internet, but it does make it easier for you to remote to your firewall from over the Internet, if you even allow that option. Assigning specific ip's via dhcp is purely optional.

netinst cd is optional, if you are comfortable with it, and have a high speed link. Otherwise, download the full install.
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Yes, I still want to build the abazaba firewall!

#57 Post by Ahtiga Saraz »

Hi drokmed,

Very glad to hear you are still interested in completing your tutorial (and updating for Squeeze)! Sorry to hear about your job. I understand that your priorities will lie elsewhere until your life stabilizes but hope you can find some time here and there to help.

Sorry for not replying earlier; I became distracted and when I returned a few days later, encountered difficulty organizing my thoughts.

I think we are talking somewhat at cross purposes because we are focused on different aspects of abazaba, so if we take this up, I should begin by
  • summarizing my goals as I currently understand them
  • summarizing my progress so far as I perceive it
The most basic point here is that I am trying to build a standalone firewall for a very modest home LAN, as much to monitor traffic on the LAN as to provide firewall protection for the machines on the LAN. (I have always had quite restrictive personal firewall on my "workstation" PC, and have only a few other devices connected directly to that PC.)

Due in part to some haphazard experimentation, and in part to lack of understanding of basic networking, I know that my current LAN is badly misconfigured. I can explain some indications of that. Things sort of work right now, but they are not working properly, and I need to fix this.

I have some very basic questions which I think could then be answered fairly easily by you, which would enable me to complete building and configuring the firewall itself plus the most essential services (DHCP, NTP) and network configuration.

I agree that interpreting logs, monitoring, etc. is essential but I think it is more important for me right now to simply get the firewall working. One point is that the thing I most desire is to run (on the stand-alone-firewall) iftop -pN to monitor all traffic on my LAN, and I think I am ready to do that as soon as I can complete the construction of the firewall as per the previous paragraph. There is a specific and somewhat urgent reason why I need to do that, but explaining this reason is not really germane to this thread. (I have a second NIC for the stand-alone-firewall, but have not yet installed it because I am stuck at an earlier stage of the tutorial.)

I also have some architectural suggestions about the latest draft of the firewall, and numerous specific questions about some comments/suggestions you make in it. Alternatively, I can try to write my own tutorial ("Building Abazaba for a home LAN") with your advice and assistance.
Ahtiga Saraz

Le peuple debout contre les tyrans! De l'audace, encore de l'audace, toujours l'audace!

bse5150
Posts: 14
Joined: 2010-05-25 18:40

Re: requesting feedback on my CORPORATE firewall howto

#58 Post by bse5150 »

Is there another place to download this pdf from? The url posted doesn't work.
There's no point in crying over spilled milk. Especially if you don't like milk. And if you don't have to clean it up, spill as much milk as you want.

lbm
Posts: 494
Joined: 2009-05-16 09:24
Location: Denmark

Re: requesting feedback on my CORPORATE firewall howto

#59 Post by lbm »

bse5150 wrote:Is there another place to download this pdf from? The url posted doesn't work.
+1,

I have written a PM to him, let's see if he answers.

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#60 Post by drokmed »

My apologies, my former site will be down for a while. The company I was working for went out of business. I have moved from St Petersburg, Florida to Los Angeles, California.

For now, the pdf is available here:

http://www.4shared.com/document/nWMRt60 ... ewall.html

I have redirected abazaba.org to point to the above link. When I get back on my feet, I'll create a new host site, and bring everything back up.

Thanks
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here
