[clue-tech] port access protocol restriction?
David Anselmi
anselmi at anselmi.us
Wed May 11 22:02:30 MDT 2005
This turned out to be a bit of a rant, sorry. The useful bit is at the end.
Jim Ockers wrote:
> Does anyone know how, using Linux of course, to restrict traffic
> that passes through a Linux NAT router/firewall by protocol?
You mean filter at layer 7, or application protocol (as opposed to IP
protocol number, for example). If you really need that this might be a
good place to start:
http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter
> Suppose I have the following rule in place because I want to
> allow the IMAP2 protocol and nothing else, and I specifically
> want to deny web access.
>
> iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
You didn't say but I infer that you mean you want to block traffic from
your network out to the Internet, except for specific approved ports.
What's your security policy (and why)? I ask because without a "these
users can't be allowed to do this because..." type statement, security
like this gets stupid really quickly. Seriously. I use an app that
requires me to use 5 passwords to get to, and I run citrix to run citrix
to run citrix to run the app. I'm allowed access to anything I need on
all the networks involved, but bad policy says that I can only go one
hop at a time. Hmm... I should probably rattle my cup on the bars over
that.
Anyway, I used to support state governments that had "block all
outgoing" type policies. We had a license server their users needed.
It didn't run on port 80 or any of the standard ports so it wasn't
allowed by default. Whenever we moved the server to a different IP, we
had to give warning plenty in advance and spend a few weeks after
getting the admins to adjust their rules so their users could use our
licenses.
I'm thinking those admins should have had something better to do than
update outgoing firewall rules. I was tempted to change our server IPs
frequently to give them a headache (the name never changed, which is all
the users should have needed). Sure, I can imagine cases where strict
egress filtering might be warranted. But there's a big cost (not only
to admins, but to sophisticated users who have to give up useful tools
or find workarounds, or even just fill out the forms to get their ports
opened).
[...]
> How can I make sure that only valid IMAP traffic passes through
> port 143, and that there is no HTTP or HTTPS traffic? (And there
> should not be any SSL traffic at all since that's not the IMAPS
> port.)
You deny access to the Internet entirely. Only allow internal users to
connect to internal application proxies. The proxies enforce your
policies (only valid traffic for that app, only to approved servers,
etc.) It isn't an iptables problem, it's a squid problem.
'Course maybe you have to write your own IMAP proxy. Oh, of course not:
http://www.imapproxy.org/
But maybe you have to add support for your policies. (And if you're
trying to use it as a security app when it wasn't designed that way,
better audit the code.)
Dave
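As an added illustration of the point above (not part of the original post or of any project mentioned in it): the `--dport 143` rule only checks a port number, so the check for "is this really IMAP" has to live in something that sees the application data, such as a proxy. The Python below is a constructed example of what such a proxy or IDS hook would look at in the first bytes of a flow: it recognises an IMAP server greeting and an IMAP client command line, and refuses flows whose client opens with an HTTP request line, a TLS ClientHello, or unrecognised bytes. The tag and command grammar is a simplified version of RFC 3501, the `ALLOWED_COMMANDS` policy set and the sample flows are made up for the example, and none of the data is a real capture.

```python
"""
Protocol sanity checks for a connection on the IMAP port (143).

Looks at the first bytes each side sends and decides whether the flow is
IMAP, HTTP, TLS or something else. Meant as the checking logic inside an
application proxy or IDS hook, where the application data is visible;
a port-based iptables rule cannot make this distinction.
"""
import re

# IMAP server greeting (RFC 3501 7.1): an untagged OK, PREAUTH or BYE.
_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)(\s|\r?\n)")

# Simplified IMAP client command: tag (printable, no space, no leading '+'),
# one space, an alphabetic command name, optional arguments, CRLF.
_COMMAND = re.compile(
    rb"^(?P<tag>[!-*,-~][!-~]*) (?P<cmd>[A-Za-z]+)(?: [^\r\n]*)?\r\n"
)

# HTTP request line (RFC 7230): METHOD SP target SP HTTP/x.y CRLF
_HTTP_REQ = re.compile(rb"^[A-Z]+ \S+ HTTP/[0-9]\.[0-9]\r\n")

# Hypothetical site policy: commands internal users may issue through the proxy.
ALLOWED_COMMANDS = {
    "CAPABILITY", "NOOP", "LOGOUT", "STARTTLS", "LOGIN", "SELECT", "EXAMINE",
    "LIST", "LSUB", "STATUS", "FETCH", "SEARCH", "STORE", "UID", "IDLE",
}


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def classify_client(data: bytes) -> str:
    """Label the client's first bytes as 'tls', 'http', 'imap' or 'unknown'."""
    if is_tls_client_hello(data):
        return "tls"
    if _HTTP_REQ.match(data):
        return "http"
    if _COMMAND.match(data):
        return "imap"
    return "unknown"


def is_imap_greeting(data: bytes) -> bool:
    return _GREETING.match(data) is not None


def check_flow(server_first: bytes, client_first: bytes) -> tuple:
    """Return ('allow' | 'deny', reason) for a new connection on port 143.

    The client's first line must be an IMAP command and the server must have
    greeted like an IMAP server; anything else is refused.
    """
    kind = classify_client(client_first)
    if kind != "imap":
        return "deny", f"client sent {kind}, not an IMAP command"
    if not is_imap_greeting(server_first):
        return "deny", "server did not send an IMAP greeting"
    return "allow", "IMAP greeting and IMAP command observed"


def command_allowed(line: bytes, allowed=ALLOWED_COMMANDS) -> bool:
    """Per-command policy check a proxy would apply to each client line."""
    m = _COMMAND.match(line)
    if not m:
        return False
    return m.group("cmd").upper().decode("ascii") in allowed


# Constructed sample flows (server greeting, client's first bytes); not captures.
SAMPLE_FLOWS = {
    "real imap": (b"* OK IMAP4rev1 server ready\r\n", b"a001 CAPABILITY\r\n"),
    "http on 143": (b"", b"GET / HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    "tls on 143": (b"", bytes.fromhex("160301002f0100002b") + b"\x00" * 39),
    "imap greeting but odd client": (b"* OK ready\r\n", b"\x00\x01\x02\x03\r\n"),
}


def run_samples() -> dict:
    """Apply check_flow to every sample; returns {name: (verdict, reason)}."""
    return {name: check_flow(s, c) for name, (s, c) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:30s} {verdict:5s} {reason}")
```

The checks only look at the opening bytes, so a proxy built on them still has to deal with what comes after a successful `STARTTLS` on port 143, where the stream legitimately turns into TLS; terminating TLS in the proxy, or refusing `STARTTLS` in `ALLOWED_COMMANDS` and requiring the separate IMAPS port instead, are the two usual ways to keep the per-command policy enforceable. Treat the regexes as a starting point rather than a full RFC 3501 parser.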