NDC Logical Firewall

Introduction

Whereas there is no substitute for secure and properly configured hosts, there are times when it is desirable to get additional protection by passing traffic to and from some hosts through an additional protective filtering layer (usually called a firewall).

The traditional (and most secure) firewall is physically inserted between the hosts to be protected and the rest of the world, however this physical break in the network may be impractical for various reasons. The logical firewall (LFW) may be an attractive alternative because it can physically exist anywhere on the subnet and protect hosts anywhere on the subnet without rewiring.

Protecting hosts with the logical firewall involves giving them new and unroutable IP addresses (by replacing the first octet of their public IP address with 10). The logical firewall box is configured (with a virtual interface) to respond to the original/public address of the protected host and to do routing and Network Address Translation (NAT) to and from the protected host for that traffic which is allowed by the firewall rules. The logical firewall needs only a single physical network interface. (See also NAT Intro and Firewall Limitations and Firewall Variations).
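As an added illustration (not the page's uw-setup script or rule-generator output), the rule set below sketches the single-NIC arrangement just described for one protected host. It assumes interface eth0, a public address 192.0.2.10 (a documentation address) renumbered to 10.0.2.10, a firewall gateway alias of 10.0.2.1, and SSH as the only inbound service; the function prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Constructed single-NIC logical firewall rule set for one protected host.
# All addresses and the interface name are assumptions for this example.
IFACE=eth0
PUBLIC=192.0.2.10      # the host's original routable address, now answered by the firewall
PRIVATE=10.0.2.10      # the host's new unroutable address (first octet replaced with 10)
GATEWAY=10.0.2.1       # firewall alias that protected hosts use as their default gateway
MASQ_UNLISTED=1        # 0 mimics MASQUERADING_NAT=0: unlisted 10.x hosts get no outbound NAT

lfw_rules() {
  cat <<EOF
# 1. Virtual addresses on the single NIC: answer for the protected host's public
#    address and present a private-side gateway on the same wire.
ip addr add $PUBLIC/32 dev $IFACE
ip addr add $GATEWAY/24 dev $IFACE
echo 1 > /proc/sys/net/ipv4/ip_forward
# Traffic enters and leaves on the same NIC; do not tell clients to bypass us.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# 2. Stateful filter: default deny for forwarded traffic, replies always allowed.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allowed inbound service (DNAT has already rewritten DST to the 10. address).
iptables -A FORWARD -i $IFACE -o $IFACE -d $PRIVATE -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The protected host may open outbound connections.
iptables -A FORWARD -i $IFACE -o $IFACE -s $PRIVATE -m state --state NEW -j ACCEPT
# Log what the policy refuses so rejfmt-style tools can show it; the DROP policy follows.
iptables -A FORWARD -j LOG --log-prefix "LFW-REJECT: "

# 3. NAT: public address <-> private address for the listed host.
iptables -t nat -A PREROUTING -i $IFACE -d $PUBLIC -j DNAT --to-destination $PRIVATE
iptables -t nat -A POSTROUTING -o $IFACE -s $PRIVATE -j SNAT --to-source $PUBLIC
EOF
  if [ "$MASQ_UNLISTED" = 1 ]; then
    cat <<EOF
# 4. Unlisted 10.0.2.0/24 hosts: outbound only, rewritten to the firewall's own address.
iptables -t nat -A POSTROUTING -o $IFACE -s 10.0.2.0/24 -j MASQUERADE
EOF
  fi
}

lfw_rules
```

The SNAT rule for the listed host precedes the MASQUERADE rule, so its outbound traffic keeps the public address while unlisted hosts appear to come from the firewall.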

The logical firewall does not necessarily offer a solution for clients with dynamic IP addresses (such as those using DHCP). It is proposed mostly for servers (and clients with static IP addresses). DHCP clients may be best protected by "personal firewalls" (firewall rules which run on the client itself) or a physical firewall solution. However, if one is willing to configure a DHCP server to issue only private addresses (or to properly determine, for each client, whether to issue a public or private address), the logical firewall can be used successfully.

Current Offering

The firewall offered here is based on the iptables stateful packet filtering mechanism in the Linux 2.4 kernel. The firewall is tailored to work with a diskless Linux "live" distribution called Gibraltar which boots and runs from a CDROM and requires little to no Linux knowledge or system administration. On the other hand, if you are comfortable setting up and administering a Linux system, you should also be able to use the firewall rules we generate on a system of your choosing.

The Gibraltar system is being developed in Austria as a commercial firewall product. Because it is Debian-Linux-based, the author has chosen to make the underlying Linux distribution available for free over the Internet and will only be charging for the GUI (which isn't needed with the LFW). One of the nice things about Gibraltar is that it runs entirely off of CDROM storing only a small amount of configuration information on a floppy disk (or USB Flash Memory). Booting up a generic Gibraltar CDROM and reconfiguring it for use at the University of Washington takes only two or three minutes.

We measured unidirectional packet forwarding throughput of a Gibraltar system running on a 1GHz Pentium-3 with a single 100Mbit network interface at about 40,000 packets/sec with little variation due to protocol or packet size. (See also Choosing Hardware and Sample Usage Graph.)

For maximum flexibility, the NDC logical firewall is divided into two parts:

Obtaining and Configuring Gibraltar

Note: It is safe to boot Gibraltar on a PC with a hard disk -- by default Gibraltar will ignore the hard disk.

See also: Using USB Flash Memory Instead of Floppies if that is of interest to you.

  1. Download the ISO image of a Recommended Gibraltar Release from: http://www.gibraltar.at/, uncompress it and burn it onto a CDROM. (At the Gibraltar homepage, click "Get Gibraltar" then "Download Sites").
  2. Obtain two blank standard DOS format 3.5 inch 1.4MB floppies. Onto one, copy the latest uw-setup shell script.
  3. Set the BIOS of the PC to boot first from CDROM (not floppy).
  4. Boot the Gibraltar CDROM and at the first prompt, type: fastboot to skip waiting for the not-yet-created configuration floppy.
  5. At the unix login prompt, login as user "root" (use password "gibraltar" if prompted).
  6. Type: "loadkezs us" (to undo Austrian keyboard mapping where typing "z" gives you the "y" you want!)
  7. Insert the uw-setup floppy you made and type: "mount /dev/fd0 /mnt"
  8. Type: "/mnt/uw-setup" and answer the questions. (You can run uw-setup as often as you wish).
  9. Insert a blank floppy and type either: "save-config" or "reboot" to save your configuration to floppy. (You should eventually reboot once after running uw-setup to incorporate additional ramdisk it configures.)

At this point, your Gibraltar system is up, networked, secure (hopefully) and waiting for you to login over the network with ssh.

Generating Firewall Rules

To generate firewall rules, please visit the Firewall Rules Generator webpage from a computer with both a web browser and SSH software. The web form will help you generate the contents of the two remaining files you need to complete your firewall (and supports two ways of saving your work). See also Choosing Firewall Rules for some tips on deciding what to block and what to pass.

When you've filled in the web form:

  1. Make sure your configuration floppy (or a blank one) is in the firewall's floppy drive.
  2. Login to the Gibraltar system over the network with ssh root@host.
  3. Type: "gui-paste" to Gibraltar and then Copy/Paste everything in the web form into gui-paste (type a newline followed by control-D to complete the paste if necessary). If you prefer doing things manually, this:
  4. EITHER Type "reboot" to save everything and reboot OR Type: "save-config" to save your firewall to floppy. (You should eventually reboot once after running uw-setup to incorporate additional ramdisk it configures.)

Your firewall should now be up and running. When you're satisfied with it, you can make the floppy read-only and be even more protected from unwanted changes.

If your firewall is connected to the UW network, please see also Interaction With UW Network Operations to help protect your firewall from being disconnected if one of its clients misbehaves.

Miscellaneous Notes and Tips

  1. The most recommended Gibraltar version is now: Those running older versions can check the current suitability of older Gibraltar releases here.
    If you don't already have it, look here for software to uncompress bzip'd files.

  2. Burning a CDROM from an ISO image file is easy with "cdrecord" on linux. Use something like:
    cdrecord -dao speed=# dev=#,#,# file.iso
    replacing # with appropriate numbers for your hardware (use cdrecord -scanbus to find the #s.)

    On Windows, not all software can burn CDs from a file but I'm told these can:

  3. Besides changing the IP address of your firewalled hosts to have a 10.x.y.z address, you'll need to give them a new default gateway address as well. Use the address created for that purpose in the "interfaces" file (probably your firewall's IP with 10 as the first octet).

  4. With the addition of a second Network Interface Card and the appropriate rewiring, you can convert your Logical Firewall into a traditional physical firewall by setting TWO_NIC_FIREWALL=1 and ALTER_INTERFACES=1 in the "tables" file (on your firewall). If you did this, you could also run your own DHCP server behind the firewall and serve DHCP clients, although if you can physically divide your network this way, you may also prefer a different firewall or variation #4 or unsupported variation 1a. Similarly, if your subnet already has (or if you setup) a DHCP server which can be safely configured to serve 10.x.y.z addresses, you can use the logical firewall in the default (single-NIC) mode for DHCP clients.

  5. If you use a pre-existing DHCP server (on your subnet) which has only a public/routable IP address to issue both routable and 10. addresses you will need to allow UDP port 68 inbound on your firewall and add a static route from your DHCP server to the Logical Firewall so DHCP renewal replies (which are unicast to the client's 10. address) can get from the DHCP server to the client. Dropped TCP connections on the client can be a symptom of DHCP renewal failure. If you run the DHCP server on the logical firewall itself, you don't need to take these additional steps.

    If you set up the DHCP server which comes with Gibraltar, as of Gibraltar 0.99.6, you can more easily put the "dhcpd.leases" file into persistent storage (so you won't lose your DHCP leases database if the firewall reboots). See the "lease-file-name" section of "man dhcpd.conf" (on your Gibraltar system). Also note that, contrary to "man dhcpd3", the "/etc/dhcpd.conf" file has moved to "/etc/dhcp3/dhcpd.conf".

  6. 10.x.y.z hosts NOT specified to the firewall rule generator can also be protected by the firewall via a type of NAT called IP masquerading. These hosts can not accept inbound connections through the firewall but (firewall rules permitting) can initiate outbound connections which will appear to the outside world to originate on the firewall itself (on a port chosen by the firewall). This can be prevented on your primary 10. network, if desired, by setting "MASQUERADING_NAT=0" in the "tables" file.

    The recommended way of connecting more computers than you have public addresses is to use Variation #e10 to enable masquerading NAT on an extra network of 10.0 addresses.

  7. Here is information on at least three ways of configuring a PPTP VPN server. Alternatively, here is a short Tutorial on SSH Port Forwarding which can sometimes serve the same purpose more conveniently.

  8. To cause "logcheck" to email you noteworthy firewall log messages (if any) every hour (or as per "/etc/cron.d/logcheck") replace "/dev/null" in "/etc/aliases" with your email address and run "newaliases".

  9. The "accept only from these addrs" field in the Firewall Rules Generator defaults to everything on your subnet (if checked); however, that field can accept multiple values separated by whitespace, and those values can be either whole netblocks (like the default) or individual IP addresses. Unlike the version 1 rule generator, the current rule generator handles this efficiently.

  10. The "state" script will dump the current iptables connection state information.

  11. "rejfmt /var/log/syslog" will show what TCP and UDP packets were recently blocked (if you have "syslog all blocked packets" enabled). This can be useful to determine what additional ports to allow through the firewall (if something doesn't work).

    As of uw-setup 1.67, "tail -f /var/log/syslog | rejfmt" will format rejected packets in real-time and "rejfmt -s" will show source ports too.
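    The filter below is an added example, not the page's rejfmt script: a small awk-based stand-in that formats iptables LOG lines the way this note describes (one line per blocked TCP or UDP packet, source ports shown with -s) and tallies the blocked destination ports, run over a few constructed syslog lines. It assumes the log prefix "LFW-REJECT: " and the standard kernel LOG field names (SRC=, DST=, PROTO=, SPT=, DPT=).

```shell
#!/bin/sh
# Constructed sample of iptables LOG lines as they would appear in /var/log/syslog
# (addresses are documentation ranges; DST is the post-DNAT 10. address of the client).
SAMPLE_LOG='Jan 28 12:26:06 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=198.51.100.7 DST=10.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 28 12:26:09 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=203.0.113.40 DST=10.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 28 12:27:01 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=203.0.113.40 DST=10.0.2.10 LEN=70 TOS=0x00 PREC=0x00 TTL=48 ID=778 PROTO=UDP SPT=1025 DPT=161 LEN=50
Jan 28 12:27:15 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=203.0.113.40 DST=10.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=779 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1'

# rejfmt_lite [-s]: read syslog on stdin, print one line per blocked TCP/UDP packet.
# Only TCP and UDP carry ports, so ICMP and other protocols are skipped like rejfmt does.
rejfmt_lite() {
  awk -v showsrc="${1:-}" '
    /PROTO=(TCP|UDP)/ {
      split("", kv)                         # reset the key=value map for this line
      for (i = 1; i <= NF; i++)
        if (split($i, p, "=") == 2) kv[p[1]] = p[2]
      src = kv["SRC"]
      if (showsrc == "-s") src = src ":" kv["SPT"]   # -s mirrors "rejfmt -s"
      printf "%s %s %s %s %s -> %s:%s\n", $1, $2, $3, kv["PROTO"], src, kv["DST"], kv["DPT"]
    }'
}

# top_blocked: count blocked packets per PROTO/DPT, most frequent first. This is the
# view to consult when deciding which additional port (if any) to allow through.
top_blocked() {
  rejfmt_lite | awk '{ n = split($NF, d, ":"); print $4 "/" d[n] }' | sort | uniq -c | sort -rn
}

# Live use would be: tail -f /var/log/syslog | rejfmt_lite -s
printf '%s\n' "$SAMPLE_LOG" | rejfmt_lite -s
printf '%s\n' "$SAMPLE_LOG" | top_blocked
```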

  12. To help you determine and track the MAC and IP address of LFW clients, uw-setup version 1.47 or newer causes entries from your firewall's "arp cache" to be recorded in your "syslog" as they appear and additionally once per day.
    Type: "less /var/log/syslog* | grep arplog: | sort +6" to view them.
    See also: Interaction With UW Network Operations if your firewall is connected to the UW network.

  13. Unlike most unix systems, it is safe to reset or power-off the Gibraltar system without shutting it down gracefully (assuming it isn't in the middle of writing the floppy and you don't want it to do so). If you shutdown the system gracefully (with "shutdown", "halt", or "reboot" ) it will try to save your configuration as it goes down. If you can't just push the reset button and you want to shutdown or reboot without saving your configuration, use "halt -f" or "reboot -f".

  14. Booting a Gibraltar distribution without the configuration floppy causes it to generate new/unique/random ssh host keys as you would hope. Recent versions don't generate keys for old ssh version 1, however uw-setup version 1.56 and newer will offer to remedy this for you.

  15. On some systems, "gnome-terminal" and "Konsole" have problems doing large pastes of rule generator output. On these systems, use "xterm" instead.

  16. If you are configuring a firewall offline (such as when pre-configuring for an OS upgrade or if you can't use ssh for some reason) be aware that "gui-paste" can take input from a pipe or a file, so instead of copy/paste through ssh, in a pinch, you can convey rule-generator-output to your firewall on a floppy (as long as it is still a vanilla text file).

    On Unix/Linux, if you want to put the rule generator output into a file (to use as above), select it all and then, either paste it into "cat > file" followed by a newline and control-d, or better yet, run gvim and insert it directly into gvim's buffer by typing one of the following 3-key sequences (which begin with double quote): "*p or "+p (depending on your browser). You'd then type ":wq file" (without the quotes) to write and quit.

  17. On some systems, the "Konqueror" web browser has copy/paste compatibility problems with "xterm". On these systems either...
    1. Use "Netscape" or "Mozilla" instead or

    2. Teach xterm to paste the CLIPBOARD with SHIFT-INSERT by putting these lines in your "~/.Xdefaults" file:
      xterm*VT100.Translations: #override \n\
        s<Key>Insert: insert-selection(CLIPBOARD) \n\
         <Key>Insert: insert-selection(PRIMARY,CUT_BUFFER0)
      and then running "xrdb -merge ~/.Xdefaults", or

    3. Run "gvim" and type the following 9 keys to "gvim" between each COPY operation in "Konqueror" and subsequent PASTE into "xterm": ggdG"+pvG

  18. On some browsers, including Internet Explorer and Mozilla, use control-click to select/unselect items which are not contiguous in scrolling lists.

  19. Triple-clicking in the generated "tables" or "interfaces" data may make selection easier with Internet Explorer on Windows.

  20. As Gibraltar runs, it caches files accessed from CDROM in memory so the CDROM will spin-up less and less as time goes on. If your Gibraltar host has enough RAM (for Gibraltar 0.98c, 256MB will do) you can pre-cache the entire CDROM filesystem in memory and the CDROM should then never spin up (or slow you down) again:
    find / -xdev -follow -type f -print 2>&- | xargs cat >/dev/null

  21. The Firewall Rules Generator webpage provides two methods of saving your work: bookmarking and reloading of "tables" files. The URLs offered for bookmarking include each element you select in the web form and may exceed the capacity of your browser or may become stale over time, hence this method is no longer preferred. On the other hand, assuming you don't corrupt the state data at the end of the "tables" file, you should always be able to reload the "tables" file to restore the state of the web form to what it was when the "tables" file was generated.

  22. As of Gibraltar 0.98c, LS-120 (high density floppies) aren't properly supported by gibraltar. In case you're proficient with linux, I'll mention that if you "modprobe ide-floppy" you can at least use them as "/dev/hdb" (or whatever device "listpci" shows for it).

  23. Generating Usage Graphs is "a work in progress" but you're welcome to what there is.

  24. If you login to Gibraltar from Windows using "Teraterm" (with ssh) here are two tips:

  25. The size of Gibraltar's ramdisks is determined when Gibraltar boots (and every time "uw-setup" runs) by the variables: "VARDISK_SIZE", "ETCDISK_SIZE", and "TMPDISK_SIZE" in the configuration file: "/etc/gibraltar_config". If it is necessary to change ramdisk sizes without rerunning "uw-setup -n", the linux "remount" command can be used. For example:
          mount -n -o remount,size=32m -t tmpfs tmpfs /var
    
    will immediately set the size of the "/var" ramdisk to 32 megabytes. The "df" command will show how much space is used/free. (Note: use also "df -i" to see how many "inodes" are used/free--a filesystem can appear full if it runs out of either space or inodes though inodes are harder to add and less likely to run out (each file uses one inode)).

  26. Beginning with gibraltar 0.99.8, large logfiles are rotated and compressed after they reach a certain size (instead of once/day). If you have enough space in "/var" and you want to keep more log data, you can increase "size 500k" in "/etc/logrotate.conf" as you see fit. (As of uw-setup 1.67, this is now increased to a more suitable 5M).

  27. Beginning with Gibraltar 0.99.8, the console message logging level is lowered to 2 (from the default of 6). This is done with klogd's "-c 2" option but can also be changed with the command "setterm -msglevel #". The lower value prevents rejected packet messages from printing directly on the console (which should both improve performance and make the console more usable during an attack).

  28. Beginning with Gibraltar 0.99.7, a USB memory stick can be used for configuration storage instead of a floppy disk. See Using USB Flash Memory Instead of Floppy for details.

  29. A serial cable (with a "null modem") and a terminal emulator (set to 9600 baud, 8-bit, No-parity, 1 stop-bit) can be used as the Gibraltar console in place of a monitor and keyboard. To enable this at boot, simply connect it and when prompted for boot options (fastboot, defaultconfig, etc.) add the word "serial" before any other boot options, for example: "serial" or "serial defaultconfig".

    Similarly, to allow logins on the serial port (without a special reboot) in case network access is unavailable:

    1. In "/etc/inittab", uncomment the line containing: "getty" and "ttyS0" (by removing the initial "#").
    2. In "/etc/securetty" add a line containing: "ttyS0" (without the quotes, of course).
    3. Run the command: "kill -1 1"

    Obviously, this will only be useful if you've enabled it before you need to use it, so a future version of "uw-setup" may incorporate this.

  30. A new iptables feature, "TCP Window Checking", was introduced in the linux kernel beginning with Gibraltar version 2.2. This checks for "out-of-window" ACKs and closes the TCP connection if it finds any (presumably because they might be caused by an attempted man-in-the-middle attack). Unfortunately, out-of-window ACKs are routinely generated by some operating systems (Win2k, OS-X, probably others but notably not WinXP), possibly due to bugs in their rfc2018 SACK implementation. The problem shows up mostly on connections where out-of-order packets are common. To avoid causing communication problems with these hosts, beginning with LFW rule generator version 3.11, TCP window checking is disabled. It can be re-enabled by manually editing the tables file and setting TCP_WINDOW_CHECK from 0 to 1.

  31. When one formats a floppy under DOS or Windows, two steps are performed: first the media is formatted at a low level and then an empty FAT filesystem is written to the disk. The same two steps can be accomplished under linux, such as under Gibraltar with: "fdformat /dev/fd0u1440 && mformat a:". (On some linux systems the letter before 1440 may be different).

  32. In the United States, the transition dates to/from "Daylight Savings Time" (DST) change this year and Gibraltar versions through 2.4.1 will not transition on the new/correct days. You can view the transition times with the following command:
        zdump -v /etc/localtime | grep 2007
    

    Ignoring this will not impair functionality of the firewall; however, some system log messages may have timestamps one hour early or late for a few weeks. If you wish, you can fix this by simply copying "/etc/localtime" from an updated linux system. At UW, you can do this:

        scp -p YourID@homer.u.washington.edu:/etc/localtime /tmp/localtime
        mv /tmp/localtime /etc/localtime
        save-config
        uw-setup -n         # (or reboot if you prefer)
    

  33. Beginning with Gibraltar 2.2, on firewalls with more than one NIC, it is possible to specify which one becomes eth0 by populating the "/etc/iftab" file with PCI bus address mappings. This file will normally be populated during the initial "defaultconfig" boot of Gibraltar. Changes to the file take effect at reboot or after running:
        /etc/init.d/networking stop
        ifrename -t
        /etc/init.d/networking start
    
    See the manpage for "ifrename" for more information.

  34. To use "sshfs" to "mount" files from Gibraltar onto another computer which supports FUSE you must either have the "sftp subsystem" enabled on Gibraltar (in the "/etc/ssh/sshd_config" file) or else supply "-o sftp_server=/usr/lib/sftp-server" as a mount option to "sshfs"). Using "sshfs" with the LFW may sometimes be convenient but is never necessary.

Initial LFW Client Experience and Tips

  1. SSH, HTTP, TELNET, RLOGIN, NFS (client and server) work fine. FTP clients will probably only work in "passive mode" for most people's firewall rules unless a rule for "state RELATED" is added (see the example here). RSH opens a connection back to the client for stderr on a port passed in the data stream. This may be a problem, depending on your firewall rules.

  2. Software serving content via multiple IP addresses behind a LFW may also need to be told the new (10.) IP addresses if the content to serve depends upon which IP address receives the request. (IIS or Apache web servers with 2 IP addresses, for example.)

  3. FTP servers behind a logical firewall probably need a NAT enhancement to work in passive mode. ProFTPD (it's free) has the NAT enhancement. (See Chapter 12 of their Userguide and their NAT-Mini-HOWTO). See also frox FTP proxy (only on gibraltar 0.99.3a and newer) for another possible solution.

  4. Windows DNS servers behind a logical firewall may need to have their public IP address in a registry setting of type REG_SZ named: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\PublishAddresses".

  5. Kerberos tickets generated on LFW clients will work if the client's config file ("krb5.conf" or "krb5.ini") says not to put the client's IP addresses in tickets: (in the libdefaults section add a line: "noaddresses = 1")

  6. Windows domain login and file sharing (both client and server) works between Windows 2000 (or Windows XP) machines.

  7. Domain login for LFW clients using the old Windows NT4 protocols (either the client or server is Windows 98 or NT4) requires assistance from a properly configured Windows 2000 server behind the LFW. If domain login fails (but you've given the correct username and password) file sharing still works (on Windows 98) if you "map drives" manually (or explicitly). Most everything else works including DCOM, InternetExplorer, OutlookExpress, VisualStudio FrontPage Extensions. FTP will need "passive mode" (for typical firewall configurations) and, if needed, there is an Internet Explorer preferences option to enable it.

  8. Windows (NT and perhaps others) may, by default, try to use NetBIOS for some file and print sharing. NetBIOS will not work through the firewall because it can't NAT, however if you just disable NetBIOS, Windows will use IP instead (which does NAT).

  9. Organizations with more than one subnet and a need to use protocols which don't NAT may be interested in tunneling between logical firewalls.

  10. RealPlayer, MediaPlayer and QuickTime clients all work for LFW clients although both QuickTime and RealPlayer may need some UDP ports allowed inbound.

  11. Beginning with Gibraltar 0.99.6a, inbound H.323 connections (netmeeting) can be accepted by allowing TCP port 1720 inbound and using state RELATED if the modules ip_conntrack_h323 and ip_nat_h323 are loaded (list them in "/etc/modules" to load them at boot).

  12. If your LFW client already has some sort of "personal firewall" rules (ipchains/iptables rules, tcpwrappers, etc.) be sure those rules are still appropriate for your new IP address (i.e. allow traffic from 10.x.y.z addresses).

  13. If your intended LFW client is learning its gateway's address automatically by running routed (or equivalent) you will need to disable that and explicitly set its gateway to be the firewall's 10.x.y.z address.

  14. If (and only if) your server uses a very old version of "pubcookie" authentication, it will need to be issued a new "C_KEY" for its 10. address.

Complete List of LFW Pages

  1. Top-Level LFW Documentation Page (this page)
  2. NAT Intro and Firewall Limitations
  3. Times When a Firewall is Useful
  4. Choosing Hardware
  5. The LFW under VMware
  6. Using USB Flash Memory Instead of Floppy Disk
  7. Choosing and Possibly Manually Editing Firewall Rules
  8. Preserving Manual Tables File Edits
  9. Generating Usage Graphs
  10. Configuring a PPTP VPN Server
  11. Configuring a DHCP Server
  12. Tunneling Between Firewalls
  13. How to Upgrade and Why You Might Want to
  14. Suitability Today of Older Gibraltar Releases
  15. Firewall Variations
  16. Interaction With UW Network Operations (UW only)
  17. The uw-setup script itself
  18. NDC Logical Firewall Rule Generator and its Variations: 1a4nm29nm30e10172e10 with 172
  19. Slides From a Talk About the NDC Logical Firewall
  20. An SSH Port Forwarding Tutorial
  21. The LFW as an Unauthenticated Email Relay

Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:26:06 PST 2008