 From:  Sven Brill <madde at gmx dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] API?
 Date:  Tue, 09 Jan 2007 10:16:24 -0500
Ryan Mullins wrote:
> Perfect!  I completely missed this one. :)  And I was originally playing with exec and 
> exec_raw to do something along these lines but wasn't sure what was going to work.
>
More of a philosophical follow-up discussion:

You obviously want to keep the box that handles the on-the-fly changes 
very secure, as you are storing the m0n0wall password in clear text on 
it. This would entail keeping it away from the WAN (no WAN accessible 
services running on it), maybe even on its very own management interface 
for some extra security. Now, let's say, you have a box that is 
accessible from the WAN and runs a webserver (or sshd, or whatever), and 
in the logs you see hits from obscure hosts that are annoying, but 
usually harmless, if you trust your server software. You want the logs 
to not fill up with the ssh brute-force attacks or with web requests 
against 5-year-old IIS vulnerabilities on your apache host, so you want 
to throw a dynamic firewall rule to just block the offending host (a 
problem in itself as it would be very easy to DDoS such a home-made IPS 
by sending all kinds of junk with all kinds of source addresses, but I 
digress).

Now, let's say you went the safe route, the management box is on its own 
network. How do you have the WAN-accessible box notify the management 
server to throw up a new rule? If the server can contact the management 
box, it leaves a path for an attacker to get to it if the server is 
successfully compromised. This leaves a "pull method" - have the server 
maintain a simple text file with offending IPs and/or networks, and have 
the management server poll this list for changes at regular intervals. 
Is that feasible? Any thoughts? As I said, more of a philosophical 
discussion.

Sven
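
The pull method sketched above, worked through as an added example; this is not code from the original post, from the list, or from the m0n0wall project. The management host fetches the offenders file that the WAN-facing server writes, treats it as untrusted input (the file comes from the exposed box, so a compromised server could publish anything), and computes which rules to add or drop compared with the previous poll. The entry cap and the minimum prefix length address the DDoS concern raised in the post: junk with forged source addresses cannot grow the rule set without bound or block large address ranges. Everything policy-shaped here is an assumption: the URL, the 500-entry cap, the /24 and /48 limits, the never-block list (192.0.2.0/24 stands in for the management network), and the add_rule/remove_rule callbacks, which are where the m0n0wall-side push would go and are deliberately left to the operator.

```python
"""
Pull-based blocklist sync for a management host (constructed example).

The WAN-facing server only writes a plain-text file of offending IPs/CIDRs.
The management host polls that file, validates every line, and works out
which firewall rules to add or drop relative to what it applied last time.
Pushing the result into m0n0wall is left to caller-supplied callbacks.
"""
import ipaddress
import urllib.request

# Hard cap on active blocks, so a flood of forged source addresses against the
# home-made IPS cannot grow the rule set without bound (assumed policy value).
MAX_ENTRIES = 500

# Broadest prefix accepted per address family; anything wider is rejected so a
# single bad line cannot block large parts of the internet (assumed policy).
MIN_PREFIX = {4: 24, 6: 48}

# Networks that must never be blocked whatever the file says: RFC 1918 space,
# loopback, link-local, and the management network itself (192.0.2.0/24 is a
# placeholder for it here; substitute your own).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "192.0.2.0/24",
)]

# What the WAN host's log watcher might publish (constructed sample data).
SAMPLE_BLOCKLIST = """\
# offenders.txt, written by the WAN host's log watcher (constructed sample)
203.0.113.7          # ssh brute force
198.51.100.0/24      # scanning for old IIS holes
203.0.113.7          # repeated, must not produce two rules
192.168.1.50         # RFC 1918: refuse, whatever the file says
0.0.0.0/0            # a corrupted or hostile line: would block everyone
not-an-address
2001:db8::1          # IPv6 offender
"""


def parse_blocklist(text, never_block=NEVER_BLOCK, max_entries=MAX_ENTRIES):
    """Turn the published text into a set of ip_network objects.

    Returns (accepted, rejected); rejected is a list of (line, reason) pairs
    so the operator can see what the WAN host tried to publish.
    """
    accepted = set()
    rejected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # allow trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((raw, "prefix too broad"))
            continue
        if net.is_loopback or net.is_multicast or net.is_link_local or net.is_unspecified:
            rejected.append((raw, "not a routable source"))
            continue
        if any(net.version == nb.version and net.overlaps(nb) for nb in never_block):
            rejected.append((raw, "overlaps a never-block network"))
            continue
        if net in accepted:
            continue                                 # duplicate line, already counted
        if len(accepted) >= max_entries:
            rejected.append((raw, "over entry cap"))
            continue
        accepted.add(net)
    return accepted, rejected


def plan_changes(desired, current):
    """Diff the wanted set against what is currently applied.

    Returns (to_add, to_remove), each sorted by text form so the diff is
    stable between polls and easy to log.
    """
    to_add = sorted(desired - current, key=str)
    to_remove = sorted(current - desired, key=str)
    return to_add, to_remove


def sync_once(text, current, add_rule, remove_rule):
    """One poll cycle: parse, diff, apply, and return (new applied set, rejected).

    add_rule/remove_rule take an ip_network; how they talk to m0n0wall is the
    operator's business (an assumption of this example).
    """
    desired, rejected = parse_blocklist(text)
    to_add, to_remove = plan_changes(desired, current)
    for net in to_remove:
        remove_rule(net)
    for net in to_add:
        add_rule(net)
    return desired, rejected


def fetch_blocklist(url, timeout=10, max_bytes=64 * 1024):
    """Pull the file from the WAN host.  The management host initiates the
    connection, so the WAN host needs no route or credential back to it.  The
    size cap keeps a compromised server from feeding us an enormous file."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(max_bytes).decode("utf-8", errors="replace")


if __name__ == "__main__":
    events = []
    applied, rejected = sync_once(
        SAMPLE_BLOCKLIST, set(),
        add_rule=lambda n: events.append(("add", str(n))),
        remove_rule=lambda n: events.append(("del", str(n))),
    )
    for line, reason in rejected:
        print("rejected %r: %s" % (line.strip(), reason))
    for action, net in events:
        print(action, net)
```

In production the management host would call fetch_blocklist on a timer, feed the text to sync_once with the set returned by the previous cycle, and log the rejected list, since a sudden change in what the WAN host publishes is itself worth noticing. The firewall between the two networks should only allow the management host to initiate that fetch; nothing from the WAN host's side should be able to open a connection back.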