Skip to content

A better Firewall setup

Zen Fu requested to merge sysadmin-17950-better-firewalling into master

Related: sysadmin#17950 (closed)

Note: this MR has the following companion branches not hosted on GitLab:

  • puppet-lizard-hiera-node.git @ sysadmin-17950-firewall
  • puppet-code.git @ sysadmin-17950-firewall

Assumptions

  • All nodes can reach the Puppet Server (via previously setup local VM subnet, MACsec or VPN connections).
  • We trust our internal DNS resolution to the point of using names on firewall rules.
  • The MACsec subnet will be: 192.168.127.0/29
  • This iteration does not handle:
    • Filtering of VPN's public entry port (i.e. Lizard's public port 655). (Reason: maybe some of our nodes do not have a fixed IP)
    • Changes in internal DNS (i.e. review the fact that tails.boum.org internally resolves to 192.168.122.1 in some nodes). (Reason: changing anything in the current naming resolution scheme has high impact in some services, for example Jenkins but I think there are others.)
    • Network segmentation. (Reason: would make this move much more complex and it's something that can build on the current changes in the future.)
    • Libvirt networking config (even though it will handle firewall rules for Libvirt subnets). (Reason: a bit of Libvirt refactoring is currently needed and touching this part would add complexity to the MR that is better to avoid now).
    • Network config. (Reason: it's independent of Firewall and would make this change more complex.)

Goals

  • Get rid of Shorewall.
  • Move away from Libvirt's firewalling.
  • Move as much config as possible to profiles and hiera.
  • Review/cleanup all firewall rules.

Design choices

  • Manually maintain a list of trusted subnets (VPN, MACsec, Libvirt): 
    tails::profile::firewall::trusted_subnets:
  - 192.168.122.0/24 # Lizard's VM subnet
  - 192.168.123.0/24 # Sib's VM subnet
  - 192.168.124.0/24 # Ant01's VM subnet
  - 192.168.126.0/24 # Iguana's VM subnet
  - 192.168.XXX.0/24 # Dragon's VM subnet
  - 10.13.12.0/24    # SEACCP's MACsec subnet
  - 10.10.0.0/24     # VPN subnet
    (Low maintenance overhead, high impact in design.)
  • Manually maintain a mapping from domains to public services entrypoints: 
    tails::profile::firewall::public_gateways:
  lizard:
    destination: 204.13.164.63/32,192.168.122.1/32
    tag: lizard.tails.boum.org
    (Low maintenance overhead, high impact in design.)
  • An internal service will accept all connections from the trusted subnets whenever it satisfies one of the following:
    • It has authentication and encryption in place. (Examples: Puppet, Icinga2, SSH)
    • It is "read only" and only serves public data. (Examples: public DNS, public Git, public Website)
  • Other internal services should work with exported resources whenever possible.
  • Some firewall rules only make sense for our infra and shouldn't belong on service profiles.
  • Nodes can export firewall rules to one another if this results in more clear and maintainable code.
  • Libvirt hosts are responsible for routing to/from their subnets but not for filtering.
  • Each node is responsible for filtering incoming traffic.
  • Use puppetlabs-firewall

Solved questions

  • Confirm with @intrigeri re. private subnets and IPs for Sib and Ant01. → Confirmed.
  • Does puppet-git.lizard:9418 (Git) really need to be open to the Internet? → Non issue, for now, can be treated in the future when/if rethinking usage of Gitolite3.
  • Should we whitelist any of ant01/sib subnets as trusted? Which? → Only their VM subnets, hosts themselves will go through the VPN.
  • Do ant01 and/or sib have public IP addresses? (Relevant for filtering input VPN traffic) → No. → Lizard's 655 needs to be kept open for now.

Deployment

The following changes will happen if this MR is deployed as is:

  • For nodes that include tails::profile::firewall:
    • All firewall rules not defined in Puppet will be removed.
    • All firewall rules defined in Puppet will be enforced.
    • All incoming packets unrelated to existing outgoing connections will be dropped. More generally, all chains in all default tables will have their policy set according to the config of the puppet-tirewall module.
  • Some services will declare rules for accepting from all trusted subnets (Puppet, Icinga2, SSHD, APT Proxy).
  • Some services will declare public services (BitTorrent, Tor, DNS, Rsync, Gitolite).
  • VPN nodes will export and import (except stone) announced routes, if any.
Edited by Zen Fu

Merge request reports