June 12, 2003

Creating New Set of Firewall Rules

I'm going through the process of creating a new set of firewall rules for our machines. The first reason is that we've got a new machine that needs its firewall configured; the second is that on existing machines we've been experiencing a traffic bottleneck at the firewall. Seems like a good time to start from scratch and make a new set of rules (the previous set had been created before I got here).

Been studying strategies in O'Reilly's Building Internet Firewalls and scouring documentation on best practices. In general, the firewall config is simple, each machine can accept and send out traffic on certain ports, depending on the services running on that machine. We have two private networks (one for MySQL data and the other for network jumpstart), which don't pose a huge risk.

I have fiddled with ipchains a bit on Linux, but never gotten as deep as I've gotten into ipf, which I think offers a really nice set of functionality. My approach is default deny (is there any other sane approach?), listing any acceptable traffic followed by a statement to log and drop other packets.

ipfstat was very helpful, even critical. It allowed me to analyze the filtering on a live machine and order the rules by priority, so that I could pull the rules which were matched more often to the top, speeding up the packet approval process.

To find stats on rule matching:
outbound traffic matches: sudo ipfstat -oh
inbound traffic rules: sudo ipfstat -ih
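As an added illustration of the reordering step described above (not part of the original post), the following script takes a constructed sample of `ipfstat -ih` output and emits the pass rules most-hit first while keeping the logged default-deny rule last. It assumes the hit count precedes each rule in the output; the interface names hme0/hme1 and the addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of `ipfstat -ih` output: the hit count, then the rule
# (format assumed; interface names hme0/hme1 and the 192.0.2.0/24 and
# 10.0.1.0/24 networks are placeholders, not real configuration).
SAMPLE_IPFSTAT_IH='87 pass in quick on hme0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state
1204 pass in quick on hme0 proto tcp from any to any port = 80 flags S keep state
9631 pass in quick on lo0 all
512 pass in quick on hme1 proto tcp from 10.0.1.0/24 to any port = 3306 flags S keep state
36 block in log all'

# Emit the pass rules most-hit first, then the block rules in their original
# order, so the default-deny "block in log all" stays at the bottom.
# Reordering the pass rules among themselves cannot change which packets are
# accepted, only how many rules are evaluated, because each one is "quick" and
# none of them is a block; interleaved block rules could NOT be shuffled this way.
order_by_hits() {
  printf '%s\n' "$1" | awk '$2 == "pass"' | sort -k1,1nr | cut -d' ' -f2-
  printf '%s\n' "$1" | awk '$2 == "block"' | cut -d' ' -f2-
}

# Sum the packets that fell through to a logged block rule; a non-zero value
# is the cue to check the log for legitimate traffic the ruleset is dropping.
dropped_by_default() {
  printf '%s\n' "$1" | awk '$2 == "block" && $4 == "log" { n += $1 } END { print n + 0 }'
}

order_by_hits "$SAMPLE_IPFSTAT_IH"
dropped_by_default "$SAMPLE_IPFSTAT_IH"
```

On a live system the sample variable would be replaced by the output of `sudo ipfstat -ih`; the reordered list is a suggestion to review, not something to load unchecked.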

Will see over the next few weeks if the priority I set on the rules matches usage. Will be watching the logs to make sure I haven't shut down some unsuspecting packet; the machine isn't live for another week, so I have some time to tweak.

I'm not allowing ICMP packets (ping, traceroute), but I'm still deliberating on that. I've read several docs that say to turn it off, but many of the examples I've seen have it on. Ping is nice, so is traceroute, but is it important to allow those packets considering how little use and benefit comes from them?

