Description of the default IBM firewall rules

The IBM firewall rule policy is delivered to the Open Client via the ibm-firewall package today. This package installs a collection of text files that outline the firewall rules that iptables loads at boot time. Below are the descriptions and functions of each rule policy included in the Open Client.

Read more about how iptables works.

Filter rules

The filter rules are located in /etc/iptables.d/filter/. Subdirectories include FORWARD, INPUT, and OUTPUT.


This rule category is not used with the Open Client. The FORWARD chain is used when iptables acts as a boundary firewall or bastion host, that is, a standalone server passing traffic between 2 (or more) network segments. This function, called IP forwarding, is prohibited by ITCS300.


01 DROP [0:0]
  • Line 1 is the default policy of the FORWARD chain; it blocks any attempt to forward traffic among Open Client workstation interfaces. For example, traffic may not pass from eth0 to wlan0 (a bridged connection).


The INPUT chain is the group of rules that inspects and filters communications destined for the Open Client workstation (e.g., incoming network traffic).


01 -A INPUT -i lo -j ACCEPT
02 -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
03 -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
04 -A INPUT -i ipsec+ -p 254 -j ACCEPT
05 -A INPUT -p esp -j ACCEPT
06 -A INPUT -p ah -j ACCEPT
08 -A INPUT -p udp -m udp --dport 500 -j ACCEPT
09 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
10 -A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
11 -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
12 -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
13 -A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
14 -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
  • Line 1 allows all traffic initiated from lo, the local loopback interface. This interface is commonly used by intrasystem communications that stay contained within the local workstation.
  • Lines 2-3 allow already established network communications and related traffic to pass.
  • Lines 4-8 allow IPsec communications, which facilitate the AT&T Global Network client and other VPN connections.
  • Lines 9-13 allow various standard client management functions such as SSH, TSM, etc.
  • Line 14 rejects the ident and auth protocols, which may be used for malicious intent (e.g., system discovery by malware or scripts).


01 # Sametime File Transfers use ports 443 and 5656
02 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
03 -A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
  • Lines 2-3 allow the ports used for Sametime file transfers.


01 #VoiceJam Rules
02 -A INPUT -p udp -m udp --dport 20830 -j ACCEPT
03 -A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
04 -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
05 -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
  • Lines 2-5 allow the ports required for the embedded Sametime IP telephony client called VoiceJam.


01 # CDS Peering #60050
02 -A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
  • Line 2 allows the IBM Content Delivery System grid network flow to communicate to the Open Client workstation for file and update delivery across the network.


01 # My Help SSL P2P migration
02 -A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
  • Line 2 allows port 2001, which is used for Secure Sockets Layer communications for My Help.


01 # PPTP support
02 -A INPUT -p 47 -j ACCEPT
  • Line 2 allows protocol 47 (not port 47) inbound for point-to-point tunneling protocol. This is a VPN technology used by the AT&T Net Client and other VPN client applications.


01 -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
02 -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
03 -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
04 -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
05 -A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
06 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
07 -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
  • Lines 1-7 allow for various ICMP types to communicate from remote systems to the Open Client. These flows allow for systems to be "pinged", for example.
    Remark: The rule for ICMP Redirects, "-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT", was removed (see 115830) since we don't want to send data packets on an alternative route given by a remote host.


01 -A INPUT -p tcp -m tcp --dport 67:68 -j DROP
02 -A INPUT -p udp -m udp --dport 67:68 -j DROP
03 -A INPUT -p tcp -m tcp --dport 137 -j DROP
04 -A INPUT -p udp -m udp --dport 137 -j DROP
05 -A INPUT -p tcp -m tcp --dport 138 -j DROP
06 -A INPUT -p udp -m udp --dport 138 -j DROP
07 -A INPUT -p tcp -m tcp --dport 139 -j DROP
08 -A INPUT -p udp -m udp --dport 139 -j DROP
09 -A INPUT -p tcp -m tcp --dport 1:20 -j DROP
10 -A INPUT -p tcp -m tcp --dport 111 -j DROP
11 -A INPUT -p tcp -m tcp --dport 161:162 -j DROP
12 -A INPUT -p tcp -m tcp --dport 520 -j DROP
13 -A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
14 -A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
  • Lines 1-2 block ports 66 through 68, which are inbound bootstrap communications (e.g., booting remotely from a network interface).
  • Lines 3-8 block the ports used for incoming NetBIOS over TCP/IP. These should not be needed for Windows file sharing.
  • Line 9 blocks ports 1-20, which are rarely used, but sometimes abused.
  • Line 10 blocks port 111, which is the Sun RPC portmapper service.
  • Line 11 blocks the ports used by SNMP, which should be filtered to limit information gathering.
  • Line 12 blocks port 520 (RIP), which can be used between routing hosts to advertise route tables. RIP can be used in denial of service attacks against workstations and networks.
  • Lines 13-14 block commonly used ports for peer-to-peer (P2P) applications which are prohibited.


01 -A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
02 -A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
  • Lines 1-2 configure the logging parameters for the iptables firewall. The rules above limit the logging to no more than 3 instances per minute. The logs, by default, are sent to syslog, stored in /var/log/messages, and prefixed with "FIREWALL: " at the beginning of each line. Finally, log level 6 indicates the informational logging level.
  • Line 2 is simply the udp version of line 1.

Example of firewall events from syslog:
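The following is an added example, not taken from the original page: a small parser for the "FIREWALL: " lines that the LOG rules above write to /var/log/messages. The sample lines are constructed (documentation-range addresses, hypothetical host name oc-host) and follow the kernel's usual netfilter LOG layout; the function names are hypothetical.

```python
import re
from collections import defaultdict

PREFIX = "FIREWALL: "          # --log-prefix used by the LOG rules on this page
KV = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; the value may be empty (OUT=)

# Constructed sample lines, not copied from a real system.
SAMPLE = """\
Mar  3 10:15:02 oc-host kernel: FIREWALL: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 oc-host sshd[812]: Accepted publickey for user from 198.51.100.20
Mar  3 10:15:31 oc-host kernel: FIREWALL: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40113 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:40 oc-host kernel: FIREWALL: IN=wlan0 OUT= MAC=00:00:5e:00:53:03:00:00:5e:00:53:04:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=153 TOS=0x00 PREC=0x00 TTL=1 ID=99 PROTO=UDP SPT=50000 DPT=1900 LEN=133
"""

def parse_event(line):
    """Return the fields of one FIREWALL: line as a dict, or None for other syslog lines."""
    _, sep, body = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(KV.findall(body))
    # Tokens without '=' are packet flags such as DF or SYN.
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return fields

def ports_by_source(lines):
    """Map each source address to the sorted (protocol, port) pairs it was logged hitting.

    The LOG rules are limited to 3 entries per minute (iptables' default burst is 5),
    so the log is a sample: what is returned here is a lower bound, not a full record.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and "DPT" in ev:
            seen[ev["SRC"]].add((ev["PROTO"], int(ev["DPT"])))
    return {src: sorted(pairs) for src, pairs in seen.items()}

if __name__ == "__main__":
    for src, pairs in ports_by_source(SAMPLE.splitlines()).items():
        print(src, pairs)
```

A source that shows up with many distinct destination ports is worth a closer look, but the absence of entries proves little given the rate limit.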


01 -A INPUT -j DROP
  • Line 1 is the "catch-all rule", and it is used to block everything incoming that isn't previously allowed by a preceding rule in the chain.


01 DROP [0:0]

Line 1 is the default policy of the INPUT chain, which blocks any communication attempt not previously defined. Unlike the aforementioned 99-catch.rule, this rule is not logged. Logging is why the seemingly duplicate 99-catch.rule exists.
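The following is an added example, not code from the ibm-firewall package: a minimal first-match evaluator over a subset of the INPUT rules listed above, showing which traffic is accepted, which is dropped, and which of the drops reach the LOG rule. It assumes the rule files are loaded in the order this page lists them; the function names and packet dictionaries are hypothetical.

```python
import shlex

# Subset of the INPUT rules from this page, assumed to load in the order listed.
RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
"""
POLICY = "DROP"  # chain default shown on the page as: DROP [0:0]

def parse(line):
    """Turn one rule line into {option: value}; sufficient for the options used above."""
    tok = shlex.split(line)
    return {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}

def matches(opts, pkt):
    """True when every match option in the rule agrees with the packet (a dict)."""
    if "-i" in opts and pkt.get("iface") != opts["-i"]:
        return False
    if "-p" in opts and pkt.get("proto") != opts["-p"]:
        return False
    if "--state" in opts and pkt.get("state") not in opts["--state"].split(","):
        return False
    if "--icmp-type" in opts and str(pkt.get("icmp_type")) != opts["--icmp-type"]:
        return False
    if "--dport" in opts:
        lo, _, hi = opts["--dport"].partition(":")
        if not int(lo) <= pkt.get("dport", -1) <= int(hi or lo):
            return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (verdict, logged). First terminating match wins; LOG does not terminate."""
    logged = False
    for opts in map(parse, rules.splitlines()):
        if not matches(opts, pkt):
            continue
        if opts["-j"] == "LOG":
            logged = True  # the 3/min rate limit is not modelled
            continue
        return opts["-j"], logged
    return POLICY, logged
```

With this ordering, a new TCP connection to port 137 is dropped by its explicit rule before the LOG rule is reached, while one to an unlisted port such as 8080 is logged and then dropped by the catch-all. An ICMP redirect (type 5) falls through to the catch-all without a log entry, because the LOG rules match only tcp and udp.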


At this time, no OUTPUT chains are defined. Technically, any traffic originated by the Open Client workstation may leave it and traverse the network.

Note: IIOSB ticket #116962 is in progress to enhance this rule chain.

NAT rules

The NAT rules are located in /etc/iptables.d/nat/. Subdirectories include OUTPUT, POSTROUTING, and PREROUTING.


Because network address translation rules are not typically required for client workstation communications, these chains are currently undefined.

