nanog mailing list archives

Re: BCP38 and Red Hat


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 15 Dec 2016 10:54:44 -0500

On Thu, Dec 15, 2016 at 9:48 AM, Stephen Satchell <list () satchell net> wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=1370963

Just a reminder that I have a feature request outstanding with Red Hat
to add support for BCP38, as well as measures for certain protocol-based
amplification reflection attacks.  My intent for making the suggestion
is to stiffen firewalld(8) in Red Hat Enterprise and clones,
particularly when an RHEL-based box is used as an edge router or
firewall box.

I've looked at firewalld, and it would be easy to add *some* of BCP38
into it rather quickly...assuming that the developers step up to the
plate.  There are parts of BCP38 that won't be so easy to do, given the
architecture of the package.

In my spare time, by the way, I'm working on a BCP-compliant firewall
generator for IPTABLES.  Spare time?  Well, that *is* a bit of a laugh...


Given some quick time with definition making:
  https://github.com/google/capirca

does this pretty easily, for example:
def/NETWORK.net - content:
  MYNETS = 192.0.24.0/24
  MYWEB = 192.0.24.2/32
  STEPHEN_HOME = 198.16.0.23/32

def/SERVICES.svc - content:
  HTTP = tcp/80
  HTTPS = tcp/443
  SQUID = tcp/3128
  APACHE_PROXY = tcp/8080
  PROXY = SQUID APACHE_PROXY

office/pol/fw.pol - content:
  header {
    comment:: "My firewall policy"
    target:: iptables OUTPUT DROP nostate
  }
  term permit-web-stephen {
    comment:: "Permit stephen to my web, really FROM my web to stephen"
    destination-address:: STEPHEN_HOME
    source-address:: MYWEB
    protocol:: tcp
    destination-port:: HTTP HTTPS PROXY
    action:: accept
  }
  term bcp-38-only {
    comment:: "Permit only mynets outbound"
    source-address:: MYNETS
    action:: accept
  }
  term default-deny {
    comment:: "All other traffic dies"
    action:: deny
  }


run the acl generation (aclgen.py) and ... out pops iptables to do what you
want.
A simple matter of script/software makes this even simpler for iptables
operators across many flavors of topology.

-chris
(note: I am not just a user of this solution, I'm also a contributor)
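Added example, not from the post above and not capirca's own code: a small Python generator in the spirit of the .net/.svc/.pol split Chris describes. It parses the two definitions files (the same names and values as in the message, embedded here as constructed strings, with nested names such as PROXY expanded), turns the three policy terms into an iptables OUTPUT chain in term order, and walks a packet through the terms the way the kernel walks the chain, so you can see that a packet sourced from outside MYNETS hits default-deny, which is the BCP38 point. The terms are transcribed into a Python list by hand; this example does not parse the .pol grammar (that is an assumption on my part to keep it short).

```python
import ipaddress

# Constructed input in the .net/.svc format from the message above
# (names and values are the ones the message uses).
NETWORK_DEFS = """
MYNETS = 192.0.24.0/24
MYWEB = 192.0.24.2/32
STEPHEN_HOME = 198.16.0.23/32
"""
SERVICE_DEFS = """
HTTP = tcp/80
HTTPS = tcp/443
SQUID = tcp/3128
APACHE_PROXY = tcp/8080
PROXY = SQUID APACHE_PROXY
"""
# The three terms of fw.pol as plain data (assumption: no .pol parser here).
POLICY = [
    {"name": "permit-web-stephen", "src": "MYWEB", "dst": "STEPHEN_HOME",
     "proto": "tcp", "dports": ["HTTP", "HTTPS", "PROXY"], "action": "accept"},
    {"name": "bcp-38-only", "src": "MYNETS", "action": "accept"},
    {"name": "default-deny", "action": "deny"},
]
ACTION_TO_TARGET = {"accept": "ACCEPT", "deny": "DROP"}


def parse_defs(text):
    """Parse 'NAME = token token ...' lines into {NAME: [leaf tokens]},
    expanding tokens that are themselves names (PROXY -> SQUID APACHE_PROXY)."""
    raw = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, rhs = line.partition("=")
            raw[name.strip()] = rhs.split()

    def expand(name, seen=()):
        if name in seen:
            raise ValueError(f"definition loop at {name}")
        leaves = []
        for tok in raw[name]:
            leaves.extend(expand(tok, seen + (name,)) if tok in raw else [tok])
        return leaves

    return {name: expand(name) for name in raw}


def generate_iptables(policy, nets, svcs, chain="OUTPUT"):
    """Emit one iptables rule per (source, destination, port) combination,
    in term order, so first-match semantics survive into the chain."""
    rules = []
    for term in policy:
        target = ACTION_TO_TARGET[term["action"]]
        srcs = nets[term["src"]] if "src" in term else [None]
        dsts = nets[term["dst"]] if "dst" in term else [None]
        ports = [p for n in term.get("dports", []) for p in svcs[n]] or [None]
        for src in srcs:
            for dst in dsts:
                for port in ports:
                    parts = ["iptables", "-A", chain]
                    if src:
                        parts += ["-s", src]
                    if dst:
                        parts += ["-d", dst]
                    if port:  # service entries look like tcp/80
                        proto, _, num = port.partition("/")
                        parts += ["-p", proto, "--dport", num]
                    elif "proto" in term:
                        parts += ["-p", term["proto"]]
                    parts += ["-m", "comment", "--comment", term["name"], "-j", target]
                    rules.append(" ".join(parts))
    return rules


def first_match(pkt, policy, nets, svcs):
    """Walk a packet through the terms as the kernel walks the chain:
    the first matching term decides. Returns (term name, action)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    def in_nets(addr, name):
        return any(addr in ipaddress.ip_network(n) for n in nets[name])

    for term in policy:
        if "src" in term and not in_nets(src, term["src"]):
            continue
        if "dst" in term and not in_nets(dst, term["dst"]):
            continue
        if "proto" in term and pkt.get("proto") != term["proto"]:
            continue
        if "dports" in term:
            allowed = {p for n in term["dports"] for p in svcs[n]}
            if f"{pkt.get('proto')}/{pkt.get('dport')}" not in allowed:
                continue
        return term["name"], term["action"]
    return None, None


if __name__ == "__main__":
    nets, svcs = parse_defs(NETWORK_DEFS), parse_defs(SERVICE_DEFS)
    print("\n".join(generate_iptables(POLICY, nets, svcs)))
    # A source outside MYNETS never leaves: that is the BCP38 term at work.
    print(first_match({"src": "10.9.9.9", "dst": "8.8.8.8", "proto": "udp"}, POLICY, nets, svcs))
```

The rule order matters: the bcp-38-only ACCEPT sits before the catch-all DROP, so anything sourced from your own prefix leaves and everything else (including a spoofed source) is dropped in OUTPUT. On a box acting as a router you would apply the same terms to FORWARD as well, since OUTPUT only sees locally generated packets.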

