Firewall Configuration - Firehol
I've spent a bit of time looking into the firewall options on Debian, and after reviewing a few different solutions my favorite is Firehol. I'm playing around with a config now, but would LOVE feedback from anyone who's done something similar.
In the following setup I have a Linode that is:
running a web server (http/https),
potentially using smtp (to send mail through php scripts)
ssh access through custom port
#!/sbin/firehol
version 5
RS_TRUSTED_IPS="1.2.3.4" # my real IP isn't 1.2.3.4 :p
server_ssh_ports="tcp/2022"
client_ssh_ports="default"
interface eth0 server src not "${UNROUTABLE_IPS}"
# drop all traffic by default
policy drop
# protect against common attacks
protection strong
# outgoing
client "ntp dns smtp smtps" accept
# incoming
# server ident reject with tcp-reset
# server any nolog drop
# basic ping/pong stuff, keep for convenience, remove if security nut
server "icmp ping" accept
# most services
server "http https ICMP" accept
# ssh access for me only
server ssh accept src "$RS_TRUSTED_IPS"
I wasn't too sure about the ident rejecting and nolog features, and I assume I should at least try running strong protection to begin with.
When I ran the Firehol help it tried to configure two sets of eth0 interfaces (with differences in the src/dst) but I thought it might be a little unnecessary.
I'm currently putting this config through its paces (and learning along the way), but if anyone has had some experience or would like to help me out with what they've done, it would be much appreciated.
2 Replies
But if you don't need IPv6 at the moment, that's OK.
Some observations:
You will want to allow outgoing HTTP(s) connections, at least to some destinations. Most apt-get updates are done through HTTP. Your web apps might need to access remote APIs.
You can safely enable "server ident reject with tcp-reset" without affecting anything – unless you're running IRC clients. According to Wikipedia, "The ident protocol is considered dangerous because it allows crackers to gain a list of usernames on a computer system which can later be used for attacks." (But this probably won't matter unless you're actually running identd.)
I can't tell exactly what "server any nolog drop" is supposed to accomplish, but it seems redundant because you're already dropping everything that isn't specifically allowed. I'd suggest that you keep it commented out.
Why both icmp and ICMP?
Update /etc/firehol/RESERVED_IPS with the latest data. Any IP range in this file is included in ${UNROUTABLE_IPS}, but Linux distributions often ship an outdated version of this file. Lots of ranges that were previously reserved (such as 1.0.0.0/8 and 5.0.0.0/8) were recently reclaimed and allocated to RIRs due to IPv4 address shortage. Using an outdated list could make your server inaccessible to legitimate users with recently allocated IPs.
If Firehol throws messages about loadable kernel modules when you start it, just add "FIREHOL_LOAD_KERNEL_MODULES=0" (without quotes) at the beginning of your config file. This often happens in virtual machines.
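A revised version of the configuration from the first post, folding in the points raised in this reply (outgoing HTTP/HTTPS, the ident reject, a single ICMP entry, and the kernel-module setting). This is an added example, not the original poster's file and not anything shipped by the FireHOL project; it assumes FireHOL 1.x syntax ("version 5"), a single interface named eth0, sshd moved to tcp/2022, and 1.2.3.4 as a placeholder for the administrator's real address.

```firehol
#!/sbin/firehol
# Added example revision of the config above (not the original poster's file).
# Assumptions: FireHOL 1.x ("version 5"), one interface eth0, sshd on tcp/2022,
# and 1.2.3.4 standing in for the administrator's real address.
version 5

# Avoid loadable-module errors on virtual machines (the reply's suggestion)
FIREHOL_LOAD_KERNEL_MODULES=0

RS_TRUSTED_IPS="1.2.3.4"   # placeholder administrator address

# sshd listens on a custom port; outgoing ssh keeps the default port
server_ssh_ports="tcp/2022"
client_ssh_ports="default"

# Inbound packets from reserved/unroutable ranges never reach the rules below,
# so /etc/firehol/RESERVED_IPS must be kept current or legitimate users with
# recently allocated addresses will be locked out.
interface eth0 internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong

    # outgoing: apt-get and remote APIs need http/https, not just mail and dns
    client "ntp dns http https smtp smtps ssh" accept

    # incoming: answer ident lookups with a TCP reset instead of a silent drop,
    # so mail servers doing ident checks do not wait on a timeout
    server ident reject with tcp-reset

    # incoming: public services; "icmp" already covers ping, so the duplicate
    # uppercase "ICMP" entry is gone
    server "http https icmp" accept

    # incoming: ssh only from the trusted address
    server ssh accept src "$RS_TRUSTED_IPS"

# anything not matched above is dropped by "policy drop"
```

Run `firehol try` with this file in place to apply it with the built-in timeout: if the new rules lock you out of the ssh session, FireHOL reverts to the previous rule set automatically unless you confirm within the grace period.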
I was thinking about http(s) last night for things like apt-get, thanks for pointing it out.
I couldn't figure out if there was a difference between icmp and ICMP when reading the Firehol services list but they do list them as two services, strange!