[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPChains (Lokkit / gfcc concerns and masquerading)

I've been looking at Lokkit with a view to creating a quick and
easy masquerading setup.

I have a few concerns / issues with Lokkit / gfcc.

1  Lokkit's secure config fails if you have a local DNS server acting
   as a DNS cache. It put in a rule that only accepts DNS requests from
   the server specified in /etc/resolv.conf - so any replies to request
   sent out by the local DNS server fail. 

   This is how I have my system setup - not certain if it's an issue
   with a standard Indy install? How does Indy setup DNS normally?

2  Lokkit doesn't appear to do anything regarding stopping spoofing
   of IP addresses - it's very easy to firewall out packets from
   obviously spoofed addresses - i.e. the reserved network addresses
   and the addresses of the local network. The local network is
   probably the most important since otherwise if someone who sent
   a packet to the machine, spoofing the source address as a 
   machine on your local network, the replies to that would get
   sent to the local machine. This is not very dangerous but it
   is fairly easy to prevent.

3  Lokkit assumes we trust the local network - as far as Indy is
   concerned this is probably a reasonable assumption. Just as long
   as everybody is aware of this.

4  Lokkit doesn't allow masquerading. This was the reason I started
   looking at this in the first place.

5  gfcc can read the current config from a running system, modify them,
   save as a ruleset to be applied and apply changes to a running system
   but there's seems to be no way of making those changes stick when
   the machine reboots.

What I propose to do

Modify Lokkit and/or replace with an Independence Liberator with similar
functionality (Where do I find information on creating a Liberator?)
to improve handling of DNS and spoofing. At the same time add in the
option to enable masquerading from local network to outside world.
Write configuration to a file.

Create a new firewall startup script to load configured firewall
rules at startup. If masquerading is configured then enable ip
forwarding (required for masquerade to work) and load all available
masquerading modules - eventually it would be nice to allow the
user to configure the masquerading modules to be loaded.

Either use the system.rule file created by gfcc as the config file
for the above script and create this file from Lokkit / the
liberator or patch gfcc so that it saves a configuration to
another file. Personally, I prefer the second option since I
believe the system firewall configuration file should be stored 
under /etc/sysconfig and gfcc stores it to whereever it's
GFCC_HOME is setup to - but it means our version of gfcc would
be Indy specific. Anyone have any problems with this?