[193032] in North American Network Operators' Group


Re: BCP38 and Red Hat

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Dec 15 10:54:48 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <bacb1ae1-ee3c-20bb-ba51-9464579bf75a@satchell.net>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Thu, 15 Dec 2016 10:54:44 -0500
To: list@satchell.net
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Thu, Dec 15, 2016 at 9:48 AM, Stephen Satchell <list@satchell.net> wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=1370963
>
> Just a reminder that I have a feature request outstanding with Red Hat
> to add support for BCP38, as well as measures for certain protocol-based
> amplification reflection attacks.  My intent for making the suggestion
> is to stiffen firewalld(8) in Red Hat Enterprise and clones,
> particularly when an RHEL-based box is used as an edge router or
> firewall box.
>
> I've looked at firewalld, and it would be easy to add *some* of BCP38
> into it rather quickly...assuming that the developers step up to the
> plate.  There are parts of BCP38 that won't be so easy to do, given the
> architecture of the package.
>
> In my spare time, by the way, I'm working on a BCP-compliant firewall
> generator for IPTABLES.  Spare time?  Well, that *is* a bit of a laugh...
>

Given some quick time with definition making:
  https://github.com/google/capirca

does this pretty easily, for example:
def/NETWORK.net - content:
  MYNETS = 192.0.24.0/24
  MYWEB = 192.0.24.2/32
  STEPHEN_HOME = 198.16.0.23/32

def/SERVICES.svc - content:
  # services are written port/protocol, the form capirca parses
  HTTP = 80/tcp
  HTTPS = 443/tcp
  SQUID = 3128/tcp
  APACHE_PROXY = 8080/tcp
  PROXY = SQUID APACHE_PROXY

office/pol/fw.pol - content:
  header {
    comment:: "My firewall policy"
    target:: iptables OUTPUT DROP nostate
  }
  term permit-web-stephen {
    comment:: "Permit stephen to my web, really FROM my web to stephen"
    destination-address:: STEPHEN_HOME
    source-address:: MYWEB
    protocol:: tcp
    destination-port:: HTTP HTTPS PROXY
    # capirca's permit action is spelled "accept"
    action:: accept
  }
  term bcp-38-only {
    comment:: "Permit only mynets outbound"
    source-address:: MYNETS
    action:: accept
  }
  term default-deny {
    comment:: "All other traffic dies"
    action:: deny
  }


Run the acl generation (aclgen.py) and ... out pops iptables to do what you
want.
A simple matter of script/software makes this even simpler for iptables
operators across many flavors of topology.

-chris
(note: I am not just a user of this solution, I'm also a contributor)
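As an added example (not capirca's code and not from the post above): a small Python resolver for capirca-style .net/.svc definitions that expands nested names such as PROXY, renders the three fw.pol terms as a simplified first-match iptables ruleset, and applies the bcp-38-only term as an egress check on a source address. The definition text is a constructed copy of the files above; the iptables lines approximate what aclgen.py is meant to produce, not its exact output.

```python
import ipaddress

# Constructed copies of the definition files above (services as port/protocol).
NET_DEFS = """MYNETS = 192.0.24.0/24
MYWEB = 192.0.24.2/32
STEPHEN_HOME = 198.16.0.23/32"""
SVC_DEFS = """HTTP = 80/tcp
HTTPS = 443/tcp
SQUID = 3128/tcp
APACHE_PROXY = 8080/tcp
PROXY = SQUID APACHE_PROXY"""

def parse_defs(text):
    """Parse 'NAME = tok tok ...' lines (ignoring # comments) into a dict."""
    defs = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            name, _, rest = line.partition('=')
            defs[name.strip()] = rest.split()
    return defs

def resolve(defs, name):
    """Expand nested names, e.g. PROXY -> SQUID APACHE_PROXY -> 3128/tcp 8080/tcp."""
    out = []
    for tok in defs[name]:
        out.extend(resolve(defs, tok) if tok in defs else [tok])
    return out

def render_rules(nets, svcs, chain='OUTPUT'):
    """Simplified iptables rendering of fw.pol's three terms (first match wins).
    Approximates the intent of capirca's output, not its exact chain layout."""
    ports = ','.join(p.split('/')[0] for svc in ('HTTP', 'HTTPS', 'PROXY')
                     for p in resolve(svcs, svc))
    rules = [f'iptables -P {chain} DROP']                       # header: DROP policy
    for s in resolve(nets, 'MYWEB'):                            # term permit-web-stephen
        for d in resolve(nets, 'STEPHEN_HOME'):
            rules.append(f'iptables -A {chain} -s {s} -d {d} -p tcp '
                         f'-m multiport --dports {ports} -j ACCEPT')
    for s in resolve(nets, 'MYNETS'):                           # term bcp-38-only
        rules.append(f'iptables -A {chain} -s {s} -j ACCEPT')
    rules.append(f'iptables -A {chain} -j DROP')                # term default-deny
    return rules

def bcp38_verdict(nets, src_ip):
    """Egress check: ACCEPT only if the source is inside MYNETS, else DROP (spoofed)."""
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(c) for c in resolve(nets, 'MYNETS')):
        return 'ACCEPT'
    return 'DROP'
```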
