 From:  "Daniele Guazzoni" <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Thu, 7 Feb 2008 16:47:57 +0100 (CET)
Tonix (Antonio Nati) wrote:
>> Let's assume this scenario:
>> - you want to allow LAN and DMZ to freely access the WAN except SMTP.
>> - you therefore apply an outbound filter:
>>     - deny any --> SMTP --> any
>>     - permit any --> any
>> - without other inbound rules on LAN and DMZ those two interfaces will
>> be unfiltered.
> Where is the problem?
> The default for any interface is: nothing can pass unless explicitly
> admitted.
> So, except any (but not SMTP) from (LAN + DMZ) to WAN, nothing else will
> be allowed to pass.
And where is the saving/advantage compared to the inbound filter?
The saving from applying general rules outbound will be eliminated by the
need for explicit rules on the inbound interfaces to filter the LAN <-->
DMZ traffic.

>> Another issue is the mix of outbound and inbound rules on the same
>> interface.
>> Doing this will make the stateful feature pretty complex or useless,
>> as one filter will be forced to put a "bypass" in the other to permit
>> stateful replies to go through.
>> In which case do you want that? Implicit? Only if not explicitly denied?
> I think that "stateful" handling means full handling of directions.
> A connection started as incoming has nothing to do with a connection
> started as outgoing.
> ipfilter handles states both for outgoing and incoming, so I hope this
> is not a problem.
>> I have been working for many years as a security engineer, and although some
>> firewalls allow creating outbound rules, I don't suggest using them.
> There is no problem when some outbound rules are really for all. For
> example, when you enable a port inside a DMZ interface, that port will
> be usually available for all interfaces, so I don't see particular
> security risks applying an "outbound" rule over the DMZ interface.
> If some particular address is excluded from accessing that service, put
> an explicit deny before in the rules list.

I'm not talking about risks but more about behavior.
Of course ipfilter handles stateful in both directions, but the question
is how it handles the interaction of dynamic stateful and static filter.
What has priority, stateful or filter?

However, you can swap the logic from inbound to outbound filtering but in
my opinion you will not get a real advantage out of it.
You simplify on one side but you burden up on the other side...

And besides all discussions, inbound filtering will also protect the
firewall itself (web interface, services, ...)

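The following is an added illustration of the LAN/DMZ/WAN scenario discussed in this thread; it is not code from the thread, from m0n0wall, or from ipfilter. It is a deliberately simplified first-match filter model (assumed semantics: a packet is checked on the interface it enters in the "in" direction and on the interface it leaves in the "out" direction; stateful handling is left out). The one knob that the two posters disagree about, what happens on an interface/direction that has no rules at all, is the `empty_policy` parameter, so both readings can be run side by side against the same constructed packets.

```python
"""Toy first-match packet filter for the LAN/DMZ/WAN rule-placement scenario.

Constructed model, not ipfilter and not m0n0wall code.  A packet is checked
against the rules of the interface it arrives on (direction "in") and then
against the rules of the interface it leaves on (direction "out").  On a hop
that has rules, the first match decides and an unmatched packet is blocked.
On a hop with no rules at all, `empty_policy` decides ("pass" models an
unfiltered interface, "block" models an implicit deny on every interface).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMTP = 25


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would be forwarded to
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str             # "in" or "out"
    action: str                # "pass" or "block"
    dport: Optional[int] = None  # None matches any port
    to: Optional[str] = None     # destination interface; None matches any

    def matches(self, pkt: Packet) -> bool:
        return (self.dport is None or self.dport == pkt.dport) and \
               (self.to is None or self.to == pkt.out_if)


def decide(rules: List[Rule], pkt: Packet, empty_policy: str = "pass") -> str:
    """Return "pass" or "block"; both the in-hop and the out-hop must pass."""
    for iface, direction in ((pkt.in_if, "in"), (pkt.out_if, "out")):
        hop_rules = [r for r in rules if r.iface == iface and r.direction == direction]
        if not hop_rules:
            verdict = empty_policy          # no rules on this hop at all
        else:
            verdict = "block"               # rules exist: deny unless matched
            for r in hop_rules:
                if r.matches(pkt):
                    verdict = r.action
                    break
        if verdict == "block":
            return "block"
    return "pass"


# The outbound design from the thread: two rules on WAN out, nothing else.
OUTBOUND_RULES = [
    Rule("wan", "out", "block", dport=SMTP),
    Rule("wan", "out", "pass"),
]

# The inbound equivalent: explicit rules on each internal interface.
INBOUND_RULES = [
    Rule("lan", "in", "block", dport=SMTP, to="wan"),
    Rule("lan", "in", "pass", to="wan"),
    Rule("dmz", "in", "block", dport=SMTP, to="wan"),
    Rule("dmz", "in", "pass", to="wan"),
]

# Constructed sample traffic.
SCENARIO = [
    Packet("lan", "wan", 80),     # LAN browsing the WAN
    Packet("lan", "wan", SMTP),   # LAN sending SMTP to the WAN
    Packet("lan", "dmz", SMTP),   # LAN talking SMTP to the DMZ
    Packet("dmz", "lan", 22),     # DMZ reaching into the LAN
]


def verdicts(rules: List[Rule], empty_policy: str) -> Dict[Tuple[str, str, int], str]:
    """Evaluate every SCENARIO packet and key the result by (in_if, out_if, dport)."""
    return {(p.in_if, p.out_if, p.dport): decide(rules, p, empty_policy) for p in SCENARIO}


if __name__ == "__main__":
    for name, rules in (("outbound", OUTBOUND_RULES), ("inbound", INBOUND_RULES)):
        for policy in ("pass", "block"):
            print(f"{name:8s} ruleset, empty hop = {policy}:")
            for key, v in verdicts(rules, policy).items():
                print(f"    {key}: {v}")
```

With `empty_policy="pass"` (interfaces without rules are unfiltered), the outbound ruleset lets LAN->DMZ and DMZ->LAN traffic through untouched, while the inbound ruleset blocks it because each internal interface carries an explicit default deny. With `empty_policy="block"` (implicit deny everywhere), the outbound ruleset blocks all four packets until rules are added on LAN and DMZ in, which is the extra work the reply above points to.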