Re: [DNG] Recommended location for iptables rules
On Tue, 6 Dec 2016 04:40:58 -0600 hal wrote:
> KatolaZ wrote on 12/05/2016 04:14 PM:
> >
> > Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> > (different possible sets of) iptables rules.
> >
> I would respectfully disagree here only because I've come to
> appreciate having the bulk of my configurable system knobs
> under /etc/.

I agree with Roland that iptables rules should be somewhere in the /etc tree. If iptables writes out state files, those can be in /var, but not admin-configured rules.

SteveT

Steve Litt
November 2016 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Recommended location for iptables rules
On Tue, Dec 06, 2016 at 04:40:58AM -0600, hal wrote:
> KatolaZ wrote on 12/05/2016 04:14 PM:
> >
> > Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> > (different possible sets of) iptables rules.
> >
> I would respectfully disagree here only because I've come to appreciate
> having the bulk of my configurable system knobs under /etc/.

And I would respectfully disagree with your disagreement, since the "configuration" files for iptables are not configuration files at all, rather "state" files, hence they should not be stored in /etc/ but in /var/lib/iptables :)

But we can continue discussing forever here, and get nowhere else :D

For what matters, put the default wherever you want, but please do not write that in stone, and do not *force* people to either like it or die. I have never been able to use ifupdown successfully, so whatever you want to auto-do during ifup/ifdown will be useless on my machines, where other scripts do what I need the way I need it to be done.

My2Cents

KatolaZ

--
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab ]
[ "+.   katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @)    http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@)   http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
Re: [DNG] Recommended location for iptables rules
On Tue, 6 Dec 2016 04:40:58 -0600 hal wrote:
> KatolaZ wrote on 12/05/2016 04:14 PM:
> >
> > Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> > (different possible sets of) iptables rules.
> >
> I would respectfully disagree here only because I've come to
> appreciate having the bulk of my configurable system knobs
> under /etc/.

How about symlinking one to the other?

Rowland
Re: [DNG] Recommended location for iptables rules
KatolaZ wrote on 12/05/2016 04:14 PM:
>
> Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> (different possible sets of) iptables rules.
>

I would respectfully disagree here only because I've come to appreciate having the bulk of my configurable system knobs under /etc/.
Re: [DNG] Recommended location for iptables rules
Lars Noodén wrote on 12/05/2016 02:09 PM:
> On 12/05/2016 09:59 PM, dev wrote:
>
>> Perhaps /etc/iptables/rules.v4 and /etc/iptables/rules.v6 make
>> the most sense.
>
> What do you see as the advantage? I'm interested in hearing the
> rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
> and iptables-persistent are conflicting and unlikely to be resolved
> upstream in the immediate future.

I did not know about iptables-(apply|persistent) until yesterday but it makes the most sense to me anyway that /etc/iptables would be the place to put all things "iptables*". Putting them in /etc/network just seems odd if /etc/iptables/ already exists. Also, iptables-apply is a shell script which could be changed easily by anyone wishing to store its configuration under /etc/iptables/ as well.
Re: [DNG] Recommended location for iptables rules
On 06/12/16 21:55, Klaus Ethgen wrote:
> Hi folks,
>
> On Tue, 6 Dec 2016 at 0:07, Daniel Reurich wrote:
>> On 06/12/16 05:50, Lars Noodén wrote:
>>> Where should we be recommending the storage of iptables rules in Devuan
>>> Jessie?
>
>> There should not be a default location. It should be left to each
>> firewall application to define. This is particularly important as
>> iptables has a competitor in nftables and likely to be deprecated at
>> some point so we can't guarantee into the future that iptables will
>> always exist.
>
> Well, I think, there should be some advice.
>
> Historically I use /var/lib/iptables. But that is only great when using
> dynamic iptables. These days I do them manually so /etc/something
> might be better.

Again the problem is that in order for this to work there has to be a service or a hook in /etc/network/if-*.d that consistently loads them from that location, and all firewall tools must use that location for placement and management of the iptables rules. This is clearly application space and not a core OS requirement. Regardless of the use of the system, iptables rules are optional and not required for normal operation and thus should be set up and managed by an application of the user's choice. This is why I believe there should be no "default" location for them.

Personally I use a subdirectory in /etc for rules, as they are configuration data and not state data (the state being kept in the kernel).

FWIW all packages that manage iptables rules should set a Provides and Replaces to "iptables-management" so that users can't install 2 at the same time and installing one removes and replaces any other application that does this. This is the same process by which MTAs are managed using the Provides and Replaces "mail-transport-agent" to ensure only one MTA is installed at any given time.

>
>> Generally a well setup Linux system has no network connectable services
>> running that aren't intended to be, in which case it's relatively
>> resistant to hacking attempts. This means firewall in a well secured
>> network is generally not necessary or desirable. The only instance I'd
>> consider a workstation firewall is a laptop connecting to untrusted
>> networks regularly.
>
> Well, except avahi, cups, samba, ntp, rpcbind and some other badly
> designed tools that default listen on 0.0.0.0 and that are pulled in
> with a common linux desktop installation.

I'd expect in reality these listen to IP address(es) of the host and in some cases the broadcast address(es). That's expected and reasonable behaviour for those daemons for service discovery and reasonable discretion is used in handling the inbound traffic appropriately.

D

--
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722
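Whether the daemons Klaus lists are bound to 0.0.0.0 or, as Daniel expects, to the host's own addresses is something each host can answer for itself. The script below is an added example for this editor's benefit, not code from either poster: it parses the output of "ss -H -lntup" from iproute2 (-H drops the header, -p needs root to show process names) and prints every listener bound to a wildcard address, where a new interface or a laptop on an untrusted network would expose it. The ss output embedded in it is a constructed sample, not a capture from any real host.

```sh
#!/bin/sh
# Added example, not from the thread: report listening sockets bound to a
# wildcard address (0.0.0.0, * or [::]) rather than to a specific host
# address.  Input is "ss -H -lntup" output on stdin; the sample below is
# constructed for the demonstration.

# Print "proto port process" for every wildcard listener.  In ss output the
# local address is field 5; with -p the process column is field 7 and looks
# like users:(("sshd",pid=611,fd=3)).  Lines without an addr:port in field 5
# (headers, junk) are ignored rather than mis-parsed.
wildcard_listeners() {
    awk '
    NF >= 5 && match($5, /:[0-9*]+$/) {
        addr = substr($5, 1, RSTART - 1)
        port = substr($5, RSTART + 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            name = "-"
            if (match($7, /"[^"]+"/)) name = substr($7, RSTART + 1, RLENGTH - 2)
            printf "%s %s %s\n", $1, port, name
        }
    }'
}

# Constructed sample in "ss -H -lntup" layout.  Only sshd, rpcbind and
# avahi-daemon are wildcard-bound here; cupsd is on loopback and ntpd on a
# single host address.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=702,fd=7))
tcp   LISTEN 0      128             [::]:111          [::]:*    users:(("rpcbind",pid=401,fd=5))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=520,fd=12))
udp   UNCONN 0      0       192.168.1.10:123       0.0.0.0:*    users:(("ntpd",pid=640,fd=18))
EOF
}

# On a live host:  ss -H -lntup | wildcard_listeners
# Demonstration on the constructed sample:
sample_ss_output | wildcard_listeners
```

Two things worth remembering when reading the result: a [::] listener also accepts IPv4 connections (as v4-mapped addresses) unless net.ipv6.bindv6only is set, so it is a wildcard for both families; and a daemon bound to a specific address at boot will not be listening on an address that is added later, which is the difference between the two positions in the thread for a laptop that changes networks.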
Re: [DNG] Recommended location for iptables rules
Hi folks,

On Tue, 6 Dec 2016 at 0:07, Daniel Reurich wrote:
> On 06/12/16 05:50, Lars Noodén wrote:
> > Where should we be recommending the storage of iptables rules in Devuan
> > Jessie?
>
> There should not be a default location. It should be left to each
> firewall application to define. This is particularly important as
> iptables has a competitor in nftables and likely to be deprecated at
> some point so we can't guarantee into the future that iptables will
> always exist.

Well, I think, there should be some advice.

Historically I use /var/lib/iptables. But that is only great when using dynamic iptables. These days I do them manually so /etc/something might be better.

> Generally a well setup Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts. This means firewall in a well secured
> network is generally not necessary or desirable. The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.

Well, except avahi, cups, samba, ntp, rpcbind and some other badly designed tools that default listen on 0.0.0.0 and that are pulled in with a common linux desktop installation.

Regards
   Klaus

--
Klaus Ethgen                                   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Re: [DNG] Recommended location for iptables rules
On Tue, Dec 06, 2016 at 12:07:25PM +1300, Daniel Reurich wrote:

[cut]

> I'm probably getting a little off topic here, but IMHO, MS Windows needs
> a firewall because it has so many leaky hidden services running on the
> host that should never be exposed to even local networks that make it
> extremely vulnerable, so it essentially needs to be enclosed in a
> Faraday cage with a few pinholes for the necessary inbound services.
>
> Generally a well setup Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts. This means firewall in a well secured
> network is generally not necessary or desirable. The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.

Hi Dan,

I partially agree with your analysis, but you know better than me that in many non-desktop environments (which are actually the large majority of the use cases for Linux) iptables does much more than filtering ports. I agree that if it was just for "firewalling" in the Windows sense, then iptables would have been pretty useless in a unix environment, but indeed iptables is the most high-level(!) packet manager available to a sysadmin.

As a consequence, it might (but it also might not) be sensible for a distribution to propose a default location for the *state* *files* related to iptables (they are not configuration files, as I tried to explain before). /var/lib/iptables respects the rule of least surprise: since all the state files of daemons/services/utilities in Debian-like systems are in /var/lib/*/, it would be sensible to keep iptables' state files there as well.

My2Cents

KatolaZ

--
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab ]
[ "+.   katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @)    http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@)   http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
Re: [DNG] Recommended location for iptables rules
On 06/12/2016 08:59, Lars Noodén wrote:
> On 12/06/2016 12:14 AM, KatolaZ wrote:
>> ...
>> The old Debian standard used to be /var/lib/iptables/, and I don't
>> know when this behaviour changed (especially because I never changed
>> it, despite the choices made by DDs).
>> ...
>
> Thanks. That seems to fit with hier(7) too. So I will go with that.
>
> The recent Debian documentation also contributed to the confusion. e.g.
>
> https://wiki.debian.org/iptables
> https://wiki.debian.org/DebianFirewall
>
> Along those lines, should we recommend that iptables rules be loaded via
> init or via some script in /etc/network/if-pre-up.d/ connected to the
> interface? I realize /etc/ has to be on the same file system as / but
> it seems awkward to have executables there anyway.

Sorry to go a little off-topic, but /etc is there for proper sorting of files, not by the necessity or possibility to mount it on a different filesystem, as opposed to /usr. If /etc was on a different filesystem, it should be mounted by the initramfs script, because it contains data essential to the system, first of all the init scripts. Therefore I think you can be assured /etc will never be a mountpoint.

Didier
Re: [DNG] Recommended location for iptables rules
On 12/06/2016 12:14 AM, KatolaZ wrote:
> ...
> The old Debian standard used to be /var/lib/iptables/, and I
> don't know when this behaviour changed (especially because I never
> changed it, despite the choices made by DDs).
> ...

Thanks. That seems to fit with hier(7) too. So I will go with that.

The recent Debian documentation also contributed to the confusion. e.g.

https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall

Along those lines, should we recommend that iptables rules be loaded via init or via some script in /etc/network/if-pre-up.d/ connected to the interface? I realize /etc/ has to be on the same file system as / but it seems awkward to have executables there anyway.

Regards
Lars
Re: [DNG] Recommended location for iptables rules
On 12/06/2016 01:07 AM, Daniel Reurich wrote:
> ...
> There is a processing cost to iptables and to be honest whilst
> iptables is fantastic at a border gateway for filtering out malicious
> traffic, it may not be either necessary or desirable on hosts inside
> the network.
> ...

I agree. Though for many reasons, real or perceived, especially those you pointed out, we'll need to have the official guide mention "firewalls".

Regards
Lars
Re: [DNG] Recommended location for iptables rules
On 06/12/16 05:50, Lars Noodén wrote:
> Where should we be recommending the storage of iptables rules in Devuan
> Jessie?

There should not be a default location. It should be left to each firewall application to define. This is particularly important as iptables has a competitor in nftables and likely to be deprecated at some point so we can't guarantee into the future that iptables will always exist.

There is a processing cost to iptables and to be honest whilst iptables is fantastic at a border gateway for filtering out malicious traffic, it may not be either necessary or desirable on hosts inside the network.

I'm probably getting a little off topic here, but IMHO, MS Windows needs a firewall because it has so many leaky hidden services running on the host that should never be exposed to even local networks that make it extremely vulnerable, so it essentially needs to be enclosed in a Faraday cage with a few pinholes for the necessary inbound services.

Generally a well setup Linux system has no network connectable services running that aren't intended to be, in which case it's relatively resistant to hacking attempts. This means firewall in a well secured network is generally not necessary or desirable. The only instance I'd consider a workstation firewall is a laptop connecting to untrusted networks regularly.

Of course some Linux distributions push firewalling with the same fervor as Microsoft and their "security suite" leeches. This is because the added complexity creates more need for hand holding and thus the opportunity to derive revenue and also to hide the fact that their sloppy installers install and run poorly configured services by default on systems that don't need them.

--
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722
Re: [DNG] Recommended location for iptables rules
On Mon, Dec 05, 2016 at 10:09:38PM +0200, Lars Noodén wrote:

[cut]

> What do you see as the advantage? I'm interested in hearing the
> rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
> and iptables-persistent are conflicting and unlikely to be resolved
> upstream in the immediate future.

The old Debian standard used to be /var/lib/iptables/, and I don't know when this behaviour changed (especially because I never changed it, despite the choices made by DDs). It might look somehow weird, but it actually made a lot of sense: iptables rules define the current state of iptables, and most of the directories in /var/lib/* are indeed containing state information of daemons, services, and simple utilities (think for instance of /var/lib/urandom/random-seed).

I know that in many situations firewall rules can be considered as a "static" set of parameters, but if you also consider that:

- in large-scale environments iptables rules can be (and normally are) changed dynamically, e.g. by an intrusion detection system which can reset the DROP policy to specific classes of addresses, or by an external load-balancing daemon which can decide to re-route traffic to other working nodes according to some external rules;

- the normal routine in firewall testing is to load/dump different configurations until everything works as you want;

- usually the same server can (or should, or must) have several possible alternative sets of rules;

then you would agree that there is nothing written in stone when it comes to firewall rules (read: nothing to be necessarily kept in /etc/*/). Hence, /var/lib/iptables/ seems indeed the perfect place to keep (different possible sets of) iptables rules.

My2Cents

KatolaZ

--
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab ]
[ "+.   katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @)    http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@)   http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
Re: [DNG] Recommended location for iptables rules
On 12/05/2016 09:59 PM, dev wrote:
>
>
> On 12/05/2016 10:50 AM, Lars Noodén wrote:
>> Because iptables-apply is there by default, I'm leaning a bit
>> towards recommending /etc/network/iptables.up.rules as the
>> location over /etc/iptables/rules.v4
>
>
> Do you still need to consider some users may need ip6tables rules
> also?

Yes. However, it seems to be established practice that IPv6 rules more or less mirror the IPv4 rules. So it seems to be less pressing than where to put the iptables rules in general.

> Perhaps /etc/iptables/rules.v4 and /etc/iptables/rules.v6 make
> the most sense.

What do you see as the advantage? I'm interested in hearing the rationale for either /etc/iptables/ or /etc/network/ since iptables-apply and iptables-persistent are conflicting and unlikely to be resolved upstream in the immediate future.

Regards,
Lars
Re: [DNG] Recommended location for iptables rules
On 12/05/2016 10:50 AM, Lars Noodén wrote:
> Because iptables-apply is there by default, I'm leaning a bit towards
> recommending /etc/network/iptables.up.rules as the location over
> /etc/iptables/rules.v4

Do you still need to consider some users may need ip6tables rules also? Perhaps /etc/iptables/rules.v4 and /etc/iptables/rules.v6 make the most sense.
Re: [DNG] Recommended location for iptables rules
On Mon, Dec 05, 2016 at 06:50:15PM +0200, Lars Noodén wrote:
> Where should we be recommending the storage of iptables rules in Devuan
> Jessie?

While this doesn't exactly answer your question, I simply have a script in /usr/local/etc called firewall.sh which runs all the iptables rules that I want to run. I invoke that script from /etc/rc.local, which runs it after the interfaces come up, but that doesn't bother me. I could also have run it from /etc/init.d which I have done in the past, or from /etc/network/if-*.d, or from the iface definition itself. I find this easier than iptables save/restore/list. While this might not be the recommended way to do things, it works for me, and does what I want/need it to do.

Greg

--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.
--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org
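A hand-written firewall script run from rc.local or by hand has the failure mode that iptables-apply exists to guard against: a rule that drops the very SSH session the rules are being applied over. The function below is an added example, not Greg's script and not the iptables-apply code: it saves the running ruleset with iptables-save, loads the new one with iptables-restore, and starts a detached watchdog that puts the old set back after a timeout unless the admin, still able to log in, cancels it. It assumes the new rules are in iptables-save format (a firewall.sh of iptables commands can be captured into that format once with iptables-save); the save and restore commands are variables only so the logic can be exercised without root, and default to the real tools.

```sh
#!/bin/sh
# Added example, not from the thread: "apply, then revert automatically
# unless confirmed", the safety net iptables-apply provides, as two
# functions a firewall script can source.  IPTABLES_SAVE/IPTABLES_RESTORE
# are overridable so the control flow can be tested without root.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# apply_with_rollback RULESFILE SECONDS
# Saves the running ruleset to a private temp file (mktemp creates it 0600),
# loads RULESFILE, then starts a detached watchdog that restores the saved
# set after SECONDS.  Sets ROLLBACK_PID and ROLLBACK_SAVED for confirm_rules.
# iptables-restore parses the whole file before committing, so a bad file
# fails here with the old rules still in place and no watchdog is started.
apply_with_rollback() {
    rules="$1"; seconds="$2"
    [ -r "$rules" ] || { echo "apply: cannot read $rules" >&2; return 1; }
    ROLLBACK_SAVED=$(mktemp "${TMPDIR:-/tmp}/iptables-saved.XXXXXX") || return 1
    "$IPTABLES_SAVE" > "$ROLLBACK_SAVED" || { rm -f "$ROLLBACK_SAVED"; return 1; }
    if ! "$IPTABLES_RESTORE" < "$rules"; then
        rm -f "$ROLLBACK_SAVED"
        return 1
    fi
    # stdout/stderr closed so a caller using $(...) is not held open by it.
    (
        sleep "$seconds"
        "$IPTABLES_RESTORE" < "$ROLLBACK_SAVED"
        rm -f "$ROLLBACK_SAVED"
    ) >/dev/null 2>&1 &
    ROLLBACK_PID=$!
}

# confirm_rules: the admin still has a working session; keep the new rules.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null
    rm -f "$ROLLBACK_SAVED"
}

# Interactive use over SSH, for instance:
#   . ./this_file
#   apply_with_rollback /etc/iptables/rules.v4 60   # hypothetical path
#   (open a second SSH session; if it works:)  confirm_rules
```

If the second session cannot connect, do nothing: the watchdog reverts on its own and the first session, if it was cut, comes back once the old rules are in place. Killing the watchdog leaves an orphaned sleep behind for the remainder of the timeout, which is harmless.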
[DNG] Recommended location for iptables rules
Where should we be recommending the storage of iptables rules in Devuan Jessie?

I notice that iptables-apply looks for rules in /etc/network/iptables.up.rules while iptables-persistent looks for rules in /etc/iptables/rules.v4 instead. The former utility is installed by default as part of the iptables package itself, the latter is not. Neither file exists on a plain vanilla installation.

If one installs iptables-persistent, then iptables-apply has to be manually pointed at the right file every time it is used. If iptables-persistent is not used, then a simple script has to be manually added to /etc/network/if-pre-up.d/ in order to enable iptables on start up.

Because iptables-apply is there by default, I'm leaning a bit towards recommending /etc/network/iptables.up.rules as the location over /etc/iptables/rules.v4

Thoughts?

Regards,
Lars

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
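The "simple script in /etc/network/if-pre-up.d/" the post mentions, written out as an added example rather than anything from Devuan, iptables-persistent or the thread. It assumes the /etc/iptables/rules.v4 location (the other candidate works the same way) and a saved ruleset in iptables-save format; the default-deny ruleset it carries is a constructed sample, not a recommendation for any particular host. ifupdown runs these hooks with MODE=start on ifup and MODE=stop on ifdown, so the script only acts in the start phase and does nothing when run directly.

```sh
#!/bin/sh
# Added example, not from Devuan or the thread: a hook for
# /etc/network/if-pre-up.d/ that loads a saved ruleset with iptables-restore
# before an interface comes up, and fails closed if the file cannot be
# trusted.  Path and sample ruleset are assumptions.

RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"
# Overridable so the loader can be dry-run without root, e.g. RESTORE4=cat.
RESTORE4="${RESTORE4:-iptables-restore}"

# Constructed sample: default-deny INPUT, loopback, established traffic,
# SSH and ICMP allowed in.  Used as the fallback when the saved file is bad.
default_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Refuse a missing file, a file that someone other than root can write (it is
# fed to a root process at every boot), or a truncated save with no COMMIT.
check_rules_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such rules file" >&2; return 1; }
    if [ -n "$(find "$f" -perm -o+w)" ]; then
        echo "$f: world-writable, refusing to load" >&2
        return 1
    fi
    if ! grep -q '^COMMIT$' "$f"; then
        echo "$f: no COMMIT line, looks truncated" >&2
        return 1
    fi
}

# load_rules FILE: iptables-restore replaces the whole table and parses the
# file before committing, so a syntax error leaves the old rules untouched.
load_rules() {
    check_rules_file "$1" || return 1
    "$RESTORE4" < "$1"
}

# Fail closed: rather than bring the interface up unfiltered, load the
# default-deny sample so only SSH remains reachable.
fail_closed() {
    default_rules_v4 | "$RESTORE4"
}

if [ "${MODE:-}" = start ]; then
    load_rules "$RULES_V4" || fail_closed
fi
```

Install it root-owned and executable under a name without a dot (run-parts skips names like iptables.sh), for instance /etc/network/if-pre-up.d/iptables. It runs once per interface brought up, including lo, and each run reloads the complete ruleset, which is idempotent; guard on "$IFACE" if a single run is wanted. A non-zero exit from a pre-up hook makes ifup abort that interface, so a fail_closed that itself fails keeps the interface down.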