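*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-F INPUT
-F OUTPUT
##
## input chains
##
-N dh-whitelist-in
-N dh-portblock-in
-N dh-invalid-packets
-N dh-explicit-drop
##
## output chains
##
-N dh-whitelist-out
##
## dh-ephemeral-in / dh-ephemeral-out hold the drops and accepts that
## dh/bin/firewall.pl manages at runtime. No rules are defined for them
## in this file; the chains are created here so the file records where
## they sit in the INPUT and OUTPUT traversal order.
##
-N dh-ephemeral-in
-N dh-ephemeral-out

###################
## ingress rules ##
###################
##
## negative security model without connection tracking: INPUT policy is
## ACCEPT and the chains below only DROP what is explicitly unwanted.
## only eth1 (public) is filtered; private traffic on eth0 is trusted.
##
## the jump order matters because several of these chains can terminate
## with ACCEPT (dh-whitelist-in, dh-ephemeral-in) and a packet never
## reaches the chains after the one that accepted it:
##
##   1. dh-invalid-packets  malformed TCP flag combinations are never
##                          legitimate, so they are rejected before any
##                          source-address ACCEPT can let them through
##   2. dh-whitelist-in     DH-wide trusted sources
##   3. dh-portblock-in     port blocks, after the whitelist and before
##                          the explicit drops
##   4. dh-ephemeral-in     runtime drops/accepts from firewall.pl
##   5. dh-explicit-drop    services the world does not need to reach
##
-A INPUT -i eth1 -j dh-invalid-packets
-A INPUT -i eth1 -j dh-whitelist-in
-A INPUT -i eth1 -j dh-portblock-in
-A INPUT -i eth1 -j dh-ephemeral-in
-A INPUT -i eth1 -j dh-explicit-drop

##
## dh-portblock-in: block ports after dh-whitelist-in and before
## dh-explicit-drop. Intentionally empty here; populated elsewhere.
##

##
## dh-explicit-drop: services that the world doesn't need to talk to.
## NRPE (5666) is included because dh-whitelist-in has already ACCEPTed
## the Nagios hosts by the time a packet gets here, so the drop only
## affects everyone else.
##
-A dh-explicit-drop -p tcp --dport 111 -j DROP
-A dh-explicit-drop -p udp --dport 111 -j DROP
-A dh-explicit-drop -p tcp --dport 1030 -j DROP
-A dh-explicit-drop -p udp --dport 1030 -j DROP
-A dh-explicit-drop -p tcp --dport 5666 -j DROP

##
## mitigation rules for vulnerabilities and compliance
##
## Mitigation for CVE-2019-11477 (tcp_sack kernel crash): drop segments
## advertising a tiny MSS. The tcpmss match only sees packets that carry
## the MSS option (i.e. SYN / SYN-ACK), which is where the peer sets it.
## Because this chain runs after dh-whitelist-in, sources accepted there
## are not subject to this rule; that matches the "trusted" model above.
## Like every rule in this table it only applies on eth1.
-A dh-explicit-drop -p tcp -m tcpmss --mss 1:500 -j DROP

## PCI fails on timestamp request/response
## NOTE(review): no rule follows this note in the IPv6 ruleset. ICMPv6
## defines no timestamp request/reply message (that is ICMPv4 type 13/14),
## so this finding is presumably addressed in the IPv4 ruleset -- confirm.

##
## invalid packets: SYN together with FIN or RST is never a valid TCP
## segment. No source is exempt, which is why this chain is jumped to
## first in INPUT.
##
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,FIN -j DROP
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,RST -j DROP

##################
## egress rules ##
##################
##
## since we allow arbitrary outbound connections (OUTPUT policy ACCEPT)
## we need to take a negative model with this chain: dh-whitelist-out
## short-circuits trusted destinations, then dh-ephemeral-out applies
## the runtime drops from firewall.pl.
##
-A OUTPUT -o eth1 -j dh-whitelist-out
-A OUTPUT -o eth1 -j dh-ephemeral-out

##
## DH-wide whitelists
## inbound whitelists on the public interface are necessary largely to
## handle Machine->Rsync calls (our current implementation uses rsync in
## daemon mode listening on a random high port, on the public interface).
##
## these are plain source/destination address matches with no connection
## tracking, so on eth1 they trust any packet that claims a source inside
## these prefixes. That is only as strong as upstream ingress filtering of
## spoofed 2607:F298::/32 and fc00::/7 sources on the public interface --
## NOTE(review): confirm the upstream routers drop such packets.
##
-A dh-whitelist-out -d ::1/128 -j ACCEPT
-A dh-whitelist-out -d 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-out -d fc00::/7 -j ACCEPT
-A dh-whitelist-in -s ::1/128 -j ACCEPT
-A dh-whitelist-in -s 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-in -s fc00::/7 -j ACCEPT
## NOTE(review): ip6tables-restore requires a COMMIT line to close the
## *filter table; make sure one follows these rules.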