update firewall blog

2019-12-24 10:23:10 +01:00 · 2019-12-24 10:23:10 +01:00 · 47cb942096
commit 47cb942096
parent e927035c9a
1 changed files with 105 additions and 23 deletions
--- a/blog/my-notebook-firewall-36c3.mdwn
+++ b/blog/my-notebook-firewall-36c3.mdwn
@ -19,27 +19,10 @@ This post should serve two purpose:

 I am using
 [nftables](https://ungleich.ch/en-us/cms/blog/2018/09/11/introduction-to-nftables/)
-on my notebook and the ruleset is shown below:
+on my notebook and the full ruleset is shown below.


 ```
-table ip filter {
-        chain input {
-                type filter hook input priority 0;
-                policy drop;
-
-                ct state established,related accept
-                tcp dport { 22 } accept
-        }
-        chain forward {
-                type filter hook forward priority 0;
-                policy drop;
-        }
-        chain output {
-                type filter hook output priority 0;
-                policy accept;
-        }
-}
 table ip6 filter {
        chain input {
                type filter hook input priority 0;
@ -50,22 +33,22 @@ table ip6 filter {
                ct state established,related accept
                tcp dport { 22, 80, 443 } accept

-                log
        }

        chain forward {
                type filter hook forward priority 0;
-                policy accept;
+                policy drop;

                ct state established,related accept

-                ip6 daddr 2a0a:e5c1:137:b00::/64 jump docker_container
+                ip6 daddr 2a0a:e5c1:137:b00::/64 jump  container
+                ip6 daddr 2a0a:e5c1:137:cafe::/64 jump container
        }

-        chain docker_container {
+        chain container {
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

-                tcp dport { 22, 443 } accept
+                tcp dport { 22, 80, 443 } accept
                drop

        }
@ -74,8 +57,107 @@ table ip6 filter {
                policy accept;
        }
 }
+
+table ip filter {
+        chain input {
+                type filter hook input priority 0;
+                policy drop;
+
+                ct state established,related accept
+                tcp dport { 22 } accept
+                tcp dport { 51820 } accept
+        }
+        chain forward {
+                type filter hook forward priority 0;
+                policy drop;
+        }
+        chain output {
+                type filter hook output priority 0;
+                policy accept;
+        }
+}
+
 ```

+## The firewall explained: IPv6
+
+Let's have a look at the IPv6 part first. In nftables we can freely
+define chains, what is important is is the **hook** that we use in it.
+
+```
+        chain input {
+                type filter hook input priority 0;
+                ...
+```
+
+The policy has the same meaning as in iptables and basically specifies
+what to do with unmatched packets.
+
+IPv6 uses quite some ICMP6 messages to control and also to establish
+communication in the first place, so the list for accepting is quite
+long.
+
+```
+                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+```
+
+As we are dealing with traffic that comes to my notebook ("hook
+input"), I want to allow any incoming packets that belong to one of
+the connections that I initiated:
+
+```
+                ct state established,related accept
+```
+
+And finally, I allow port 22, to be able to ssh into my notebook,
+port 80 to get letsencrypt certificates and port 443 for serving
+https. When I am online, my notebook is reachable at
+[nico.plays.ipv6.games](https://nico.plays.ipv6.games), so I need the
+web ports to be open.
+
+As I run quite some test on my notebook with docker and lxc, I created
+a /64 IPv6 network for each of them. When matching on those specific
+networks, I jump into a chain that allows specific configurations for
+containers:
+
+```
+                ip6 daddr 2a0a:e5c1:137:b00::/64 jump  container
+                ip6 daddr 2a0a:e5c1:137:cafe::/64 jump container
+```
+
+The **chain container** consists at the moment of the same rule set as
+the input chain, however this changes occasionally when testing
+applications in containers.
+
+And for the output chain, I trust that the traffic my notebook emits
+is what I wanted it to emit (but also allows malware to send out data,
+if I had some installed).
+
+## The firewall explained: IPv4
+
+In the IPv4 irea ("**table ip filter***) things are quite similar with
+some small differences:
+
+* I don't provides services on IPv4 besides ssh and wireguard (port 22
+  and 51820)
+* There is nothing to be forwarded for IPv4, all containers use IPv6
+* Same logic for the output as in IPv6
+
+## Safe or not safe?
+
+Whether this ruleset is safe or not depends a bit on your degree of
+paranoia. I allow access to port 443 on which an nginx runs which then
+again proxies to a self written flask application, which
+might-or-might-not be safe.
+
+Some people argue to limit outgoing traffic and while this is
+certainly possible (whitelist ports?), often this does is rendered
+useless, as any command and control server can be reached on port 80
+and you probably don't want to block outgoing port 80 traffic.
+
+If you have any comments about it, I'm interested in hearing your
+feedback on [the ungleich chat](http://chat.ungleich.ch),
+[twitter](https://twitter.com/NicoSchottelius) or IRC (telmich).


 [[!tag ccc firewall nftables ipv6]]