Bytemark Firewall

The Bytemark Virtual Hosting system contains a simple firewall package which is designed to allow you to restrict the incoming and outgoing connections your system may receive or initiate. Our firewall package is meant to be simple to configure, whilst still allowing a lot of flexibility, but if you prefer to use another firewall solution it may be disabled very easily.

The firewall also contains a system for blacklisting IP addresses which make repeated connection attempts to your system. This is achieved by having the script firewall-blacklist run every five minutes and temporarily blacklist attacking IPs.

Firewall Configuration

The configuration of the firewall makes use of a number of directories:

  • /etc/firewall/blacklist.d/
  • /etc/firewall/incoming.d/
  • /etc/firewall/local.d/
  • /etc/firewall/outgoing.d/
  • /etc/firewall/patterns.d/

The incoming.d and outgoing.d directories contain files which specify which incoming and outgoing connections may be made.

The blacklist.d directory is used to specify hosts from which no connections of any kind will be accepted. The blacklist component of the firewall will automatically create entries here.

The patterns.d directory contains a number of files which are designed to match login failures, and will result in the source IP being blacklisted.
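To make the blacklist step concrete, the following is an added example (not Bytemark's own firewall-blacklist script) of the decision that script makes every five minutes: count login failures per source address in a log and write a blacklist.d entry for every address that crosses a threshold. The log lines are constructed, and the pattern format (one extended regular expression per line whose first group captures the source IP) and the one-file-per-address layout of blacklist.d are assumptions, since the page does not document either.

```shell
#!/bin/sh
# Added example: blacklist decision over constructed log lines.
# Not the Bytemark firewall-blacklist script; formats below are assumed.

# Constructed sample log lines, in the style of sshd and a POP3 daemon.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 4455 ssh2
Mar  1 10:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 4456 ssh2
Mar  1 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.7 port 4457 ssh2
Mar  1 10:00:09 host sshd[1237]: Accepted publickey for deploy from 198.51.100.20 port 5000 ssh2
Mar  1 10:00:11 host sshd[1238]: Failed password for root from 198.51.100.20 port 5001 ssh2
Mar  1 10:01:00 host pop3d: LOGIN FAILED, user=bob, ip=[192.0.2.9]
Mar  1 10:01:02 host pop3d: LOGIN FAILED, user=bob, ip=[192.0.2.9]
Mar  1 10:01:04 host pop3d: LOGIN FAILED, user=bob, ip=[192.0.2.9]'

# Assumed patterns.d format: one extended regex per line, first group = source IP.
PATTERNS='sshd\[[0-9]+\]: Failed password for .* from ([0-9.]+) port
pop3d: LOGIN FAILED, .*ip=\[([0-9.]+)\]'

# failing_ips LOG PATTERNS THRESHOLD
# Prints "<count> <ip>" for every address with at least THRESHOLD matches, sorted by address.
failing_ips() {
  log=$1 patterns=$2 threshold=$3
  printf '%s\n' "$patterns" | while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    # sed keeps only the captured address for lines the pattern matches
    printf '%s\n' "$log" | sed -nE "s/.*${pat}.*/\1/p"
  done | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# write_blacklist LOG DIR THRESHOLD
# Assumed layout: one file per offending address under DIR (a blacklist.d-style
# directory); the file body records why, so a later run can expire the entry.
# Prints the number of entries now present in DIR.
write_blacklist() {
  log=$1 dir=$2 threshold=$3
  failing_ips "$log" "$PATTERNS" "$threshold" | while read -r count ip; do
    printf 'blacklisted: %s login failures\n' "$count" > "$dir/$ip"
  done
  ls "$dir" | wc -l | tr -d ' '
}
```

After writing the entries the real script would re-run the firewall so the new blacklist.d files take effect; the threshold is the knob that separates a mistyped password from a credential-guessing run, so keep it above the number of retries a legitimate user is likely to need.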

Finally the local.d directory allows you to execute local scripts, or add new firewall rules, which will be executed after the firewall has been configured.

By default you'll have something like this installed:

/etc/firewall
|-- blacklist.d
|-- incoming.d
|   |-- 00-ssh
|   |-- 10-http
|   |-- 20-ftp
|   |-- 30-imap
|   |-- 40-imaps
|   |-- 50-pop3
|   |-- 60-pop3s
|   |-- 70-smtp
|   |-- 80-smtps
|   |-- 85-submission
|   `-- 99-drop
`-- outgoing.d
    |-- 00-established
    `-- 50-www-data

The filenames present in each directory specify which set of connections are allowed in the intuitive fashion.

For example the file /etc/firewall/incoming.d/00-ssh means that incoming SSH connections are permitted.

You'll notice that each filename is comprised of both a number and a name, separated by a "-". The number is used only to define the ordering and is otherwise not significant. The names of the files are more important: in our previous example the presence of the file "00-ssh" means that our system will insert the rules relevant to the OpenSSH service. It does this by looking for the master rule called "ssh" beneath the /usr/share/firewall directory.

Each service known to our system will be processed in the order listed - and filenames which do not have corresponding rules beneath /usr/share/firewall will cause a warning to be generated.

Firewalling A Service

If you wish to prevent the use of insecure protocols, which send plaintext passwords over the internet, you may do so by blocking incoming connections to them via this firewall.

For example we might want to disable the POP3 service, leaving the secure replacement POP3S in place.

To do this run:

rm /etc/firewall/incoming.d/50-pop3
/usr/bin/firewall

Now your system will refuse incoming connections on the standard POP3 port - even though the service itself is still running.

Access Control Lists

By default our firewall will open, or close, a port globally as this is usually what you'd expect. For example if you run a webserver you'd want incoming connections to reach your machine.

However there are services which you might prefer to lock down such that they only accept connections from particular source machines. To handle this our system will differentiate between:

  • The presence of a file which is empty
  • The presence of a file which is not empty

An empty file will allow all incoming, or outgoing, access. A non-empty file will be assumed to contain a list of IP addresses or hostnames which should be allowed.

For example the following will allow all incoming ssh connections:

rm    /etc/firewall/incoming.d/00-ssh
touch /etc/firewall/incoming.d/00-ssh
firewall

This next example will only allow incoming SSH connections from the listed IP addresses:

rm /etc/firewall/incoming.d/00-ssh
echo "1.2.3.4" >> /etc/firewall/incoming.d/00-ssh
echo "4.5.6.7" >> /etc/firewall/incoming.d/00-ssh
firewall
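The two conventions described above (the "number-name" filenames that select a master rule beneath /usr/share/firewall, with a warning for names that have no master rule, and the empty-versus-non-empty distinction for access control) can be checked before you run the firewall. The following is an added example, not the firewall package's own code: it walks an incoming.d-style directory and reports what each file would mean. The directory paths are parameters and the layout it runs against is constructed in a temporary directory, so it can be tried without touching the live system; the treatment of "#" lines as comments inside a non-empty file is an assumption of this example.

```shell
#!/bin/sh
# Added example: interpret an incoming.d-style directory as this page describes it.
# Not part of the Bytemark firewall package.

# resolve_rules INCOMING_DIR MASTER_DIR
# For each file "NN-name": prints "<order> <service> open" when the file is
# empty, "<order> <service> acl <sources...>" when it is not, and a warning on
# stderr when no master rule named <service> exists under MASTER_DIR.
resolve_rules() {
  incoming=$1 master=$2
  for f in "$incoming"/*; do       # the shell glob sorts, so NN fixes the order
    [ -e "$f" ] || continue
    base=${f##*/}
    order=${base%%-*}              # leading number: ordering only
    service=${base#*-}             # name: selects the master rule
    if [ ! -f "$master/$service" ]; then
      echo "WARNING: no master rule for '$service' ($f)" >&2
      continue
    fi
    if [ ! -s "$f" ]; then
      echo "$order $service open"
    else
      # non-empty: every non-blank, non-comment line is an allowed source
      sources=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | tr '\n' ' ')
      echo "$order $service acl ${sources% }"
    fi
  done
}

# make_fixture: build a constructed layout under a temporary directory and
# print its path. "share" stands in for /usr/share/firewall.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/incoming.d" "$root/share"
  : > "$root/share/ssh"; : > "$root/share/http"; : > "$root/share/drop"
  : > "$root/incoming.d/00-ssh"                            # empty: SSH from anywhere
  printf '1.2.3.4\n4.5.6.7\n' > "$root/incoming.d/10-http" # non-empty: HTTP from two hosts
  : > "$root/incoming.d/20-gopher"                         # no master rule: warning
  : > "$root/incoming.d/99-drop"
  echo "$root"
}
```

Running resolve_rules against the real directories (/etc/firewall/incoming.d and /usr/share/firewall) before invoking firewall shows at a glance which services are open to the world and which are restricted, and surfaces any misspelt filename that would otherwise only produce a warning at rule-building time.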

Problems Making Outgoing Connections?

By default our firewall contains the rule:

/etc/firewall/outgoing.d/50-www-data

This rule is designed to prevent your webserver from making outgoing HTTP connections - if you have a PHP application which needs to make outgoing HTTP connections you will need to remove this file and rerun the firewall before it will work:

rm /etc/firewall/outgoing.d/50-www-data
firewall

There is nothing inherently bad about allowing a webserver to initiate outgoing HTTP connections, but denying them by default will prevent the mass compromise of many outdated applications.

Making Local Additions

Every script contained in /etc/firewall/local.d (if that directory exists) will be executed in turn once the firewall rules have been created. If you want to make local changes, placing shell scripts in that location is the perfect way to do so.

Since every executable is run via run-parts you can do more than just add/delete/modify firewall rules...
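As an added example of such a local.d script (this is not part of the Bytemark package), the following limits the rate of new SSH connections per source address, complementing the log-driven blacklist above with a packet-level check. The filename 10-ssh-ratelimit, the DRY_RUN and IPT hooks, and the figures of 4 connections per 60 seconds are assumptions of this example; the iptables options used (-C, -I, the conntrack and recent matches) are standard.

```shell
#!/bin/sh
# Added example: /etc/firewall/local.d/10-ssh-ratelimit (hypothetical name).
# Not part of the Bytemark package. Runs after the package has built its rules.
# Drops a source's fourth and later new SSH connections within a 60-second
# window. DRY_RUN=1 prints the iptables commands instead of running them.

IPT=${IPT:-iptables}

# run CMD... : execute the command, or just print it when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# add_rule_once CHAIN RULE... : insert the rule at the top of CHAIN only if it
# is not already there (iptables -C), so re-running firewall does not stack
# duplicate copies of it.
add_rule_once() {
  chain=$1; shift
  if [ -n "${DRY_RUN:-}" ] || ! "$IPT" -C "$chain" "$@" 2>/dev/null; then
    run "$IPT" -I "$chain" "$@"
  fi
}

ssh_ratelimit() {
  # Both rules are inserted at position 1, so the DROP rule goes in first and
  # the --set rule inserted afterwards lands above it. In the finished chain
  # every new SSH connection is recorded, then dropped if its source already
  # has 4 hits in the last 60 seconds (--update also refreshes the timestamp).
  add_rule_once INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
  add_rule_once INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --set --name SSH
}

# run-parts executes this file by its own name; when the file is sourced for
# testing only the functions are defined.
if [ "${0##*/}" = "10-ssh-ratelimit" ]; then
  ssh_ratelimit
fi
```

Preview what it would do with DRY_RUN=1 sh /etc/firewall/local.d/10-ssh-ratelimit before making it executable. Note that run-parts only runs files that are executable and, on Debian, whose names consist solely of letters, digits, underscores and hyphens: a file called 10-ssh-ratelimit.sh would be skipped without any message.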

Disabling Our Firewall Completely

If you do not wish to use the provided firewall, either because you believe you don't need it, or because you have a preferred firewall system already in place, you may disable ours by running:

# touch /etc/firewall/disabled
# touch /etc/firewall/disabled.blacklist
# firewall --flush