[Firewall] Firewall with Root-over-NFS: problem

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Nov 13 05:07:33 MST 2007


The purpose of this line is setting the default policy to DROP. The 
reason it exists is that during the process of the firewall rules, most 
people don't want any packets *just* accepted. In your case this doesn't 
work because of the NFS mounts. You could simply comment out the -P DROP 
line, but this gives attackers a small window during firewall start, in 
which they can access all ports on your machine. The impact is obviously 
minimal. I think I will implement an option for this behaviour in 
version 1.9.

a.

Roman Mamedov wrote:
> Hello.
> 
> I am setting up a dedicated firewall/gateway machine, using 
> arno-iptables-firewall script. The special thing about this setup, is 
> that the firewall is completely diskless - it mounts the root file 
> system over LAN, using NFS.
> 
> The problem is, the computer hangs halfway in executing 
> /etc/init.d/arno-iptables-firewall restart, with continuous messages 
> about "NFS server not responding."
> 
> Apparently, the process of setting up firewall rules causes the firewall 
> machine to lose network connectivity for a short moment. But with 
> diskless setup, this is completely unacceptable, as everything this 
> computer has (including the iptables binary, and the swap file!) resides 
> on an NFS share on another server.
> 
> I have located the place in the sourcecode of the setup script, which 
> causes the lock-up. It is the following line:
> 
>       echo "Setting default (secure) policies"
>       # Set standard policies for the built-in tables (drop = very secure)
>       ####################################################################
>       $IPTABLES -P INPUT DROP
> 
> When I comment it out, the script restart applies all other rules 
> successfully, without causing lock-up.
> 
> So, the questions are:
> 
>     * Is this line really needed for security?
>     * Can some alternative be implemented, so that security is not
>       compromised, and network access is never lost (even for a moment)
>       during firewall rules setup?
>     * Does firewall function properly with that line commented out (i.e.
>       can I already place it online, or should wait for a more proper
>       fix)? I see there's a lot of DROP rules, including -A INPUT -j
>       DROP in "iptables-save | grep DROP" - are these not enough? Maybe
>       -P INPUT DROP is just a cautious safeguard, and is not crucial
>       for proper firewalling?
> 
> Thank you in advance.
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
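The alternative Roman asks about (and Arno mentions as a future option), shown as an added example that is not part of this thread or of arno-iptables-firewall: build the filter table in iptables-restore format so the INPUT DROP policy and the rule that lets the NFS server's replies in are committed in one atomic operation, leaving no moment in which the NFS root is unreachable. Assumed values, not from the posts: NFS server 192.168.1.10 on eth0 and NFS on port 2049 (NFSv4, or NFSv3 with a fixed port); the script only prints the ruleset unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the project's code). Generate an iptables-restore
# ruleset for a diskless root-over-NFS host. Everything between *filter and
# COMMIT is loaded by the kernel as a single table replacement, so the DROP
# policy never takes effect without the NFS accept rule beside it.
# Assumptions: NFS server 192.168.1.10 reachable on eth0, NFS on port 2049.

gen_nfs_safe_ruleset() {
    nfs_server="$1"
    iface="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# keep the NFS root alive: server replies from port 2049, TCP and UDP
-A INPUT -i $iface -s $nfs_server -p tcp --sport 2049 -j ACCEPT
-A INPUT -i $iface -s $nfs_server -p udp --sport 2049 -j ACCEPT
# anything else belonging to a connection this host initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Offline sanity check: the DROP policy, the NFS accept rule and the COMMIT
# must all be present in the same block before the ruleset is applied.
check_ruleset() {
    rs="$1"
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rs" | grep -q -- '--sport 2049 -j ACCEPT' || return 1
    printf '%s\n' "$rs" | grep -q '^COMMIT$' || return 1
    return 0
}

ruleset=$(gen_nfs_safe_ruleset "${NFS_SERVER:-192.168.1.10}" "${NFS_IFACE:-eth0}")
if [ "${APPLY:-0}" = "1" ]; then
    # loads the whole table atomically (needs root)
    check_ruleset "$ruleset" && printf '%s\n' "$ruleset" | iptables-restore
else
    printf '%s\n' "$ruleset"
fi
```

Run with `APPLY=1` as root to load the table; without it the script only prints what would be applied.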