Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread KatolaZ
On Tue, Dec 06, 2016 at 04:40:58AM -0600, hal wrote:
> KatolaZ wrote on 12/05/2016 04:14 PM:
> > 
> > Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> > (different possible sets of) iptables rules.
> > 
> 
> I would respectfully disagree here only because I've come to appreciate
> having the bulk of my configurable system knobs under /etc/.

And I would respectfully disagree with your disagreement, since the
"configuration" files for iptables are not configuration files at all,
rather "state" files, hence they should not be stored in /etc/ but in
/var/lib/iptables :) But we can continue discussing forever here, and
get nowhere else :D

For what matters, put the default wherever you want, but please do not
write that in stone, and do not *force* people to either like it or
die. I have never been able to use ifupdown successfully, so whatever
you want to auto-do during ifup/ifdown will be useless on my machines,
where other scripts do what I need the way I need it to be done. 

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread hal
KatolaZ wrote on 12/05/2016 04:14 PM:
> 
> Hence, /var/lib/iptables/ seems indeed the perfect place to keep
> (different possible sets of) iptables rules.
> 

I would respectfully disagree here only because I've come to appreciate
having the bulk of my configurable system knobs under /etc/.


Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread hal
Lars Noodén wrote on 12/05/2016 02:09 PM:
> On 12/05/2016 09:59 PM, dev wrote:

> 
>> Perhaps /etc/iptables/rules.v4 and /etc/iptables/rules.v6 make
>> the most sense.
> 
> What do you see as the advantage?  I'm interested in hearing the
> rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
> and iptables-persistent are conflicting and unlikely to be resolved
> upstream in the immediate future.

I did not know about iptables-(apply|persistent) until yesterday but it makes
the most sense to me anyway that /etc/iptables would be the place to put all
things "iptables*". Putting them in /etc/network just seems odd if
/etc/iptables/ already exists.

Also, iptables-apply is a shell script which could be changed easily by anyone
wishing to store its configuration under /etc/iptables/ as well.



Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread Daniel Reurich
On 06/12/16 21:55, Klaus Ethgen wrote:
> Hi folks,
> 
> On Tue, 6 Dec 2016 at 0:07, Daniel Reurich wrote:
>> On 06/12/16 05:50, Lars Noodén wrote:
>>> Where should we be recommending the storage of iptables rules in Devuan
>>> Jessie?
> 
>> There should not be a default location.  It should be left to each
>> firewall application to define.  This is particularly important as
>> iptables has a competitor in nftables and likely to be deprecated at
>> some point so we can't guarantee into the future that iptables will
>> always exist.
> 
> Well, I think, there should be an advice.
> 
> Historically I use /var/lib/iptables. But that is only great when using
> dynamic iptables. Present days I do them manually so /etc/something
> might be better.

Again the problem is that in order for this to work there has to be a
service or a hook in /etc/network/if-*.d that consistently loads them
from that location, and all firewall tools must use that location
for placement and management of the iptables rules.  This is clearly
application space and not a core OS requirement.  Regardless of the use
of the system, iptables rules are optional and not required for normal
operation and thus should be set up and managed by an application of the
user's choice.  This is why I believe there should be no "default"
location for them.

Personally I use a subdirectory in /etc for rules, as they are
configuration data and not state data (the state being kept in the kernel).

FWIW all packages that manage iptables rules should set a Provides and
Replaces to "iptables-management" so that users can't install 2 at the
same time and installing one removes and replaces any other application
that does this.  This is the same process by which MTAs are managed using
the Provides and Replaces "mail-transport-agent" to ensure only one MTA
is installed at any given time.

> 
>> Generally a well setup Linux system has no network connectable services
>> running that aren't intended to be, in which case it's relatively
>> resistant to hacking attempts.  This means firewall in a well secured
>> network is generally not necessary or desirable.  The only instance I'd
>> consider a workstation firewall is a laptop connecting to untrusted
>> networks regularly.
> 
> Well, except avahi, cups, samba, ntp, rpcbind and some other badly
> designed tools that listen on 0.0.0.0 by default and that are pulled in
> with a common linux desktop installation.

I'd expect in reality these listen to IP address(es) of the host and in
some cases the broadcast address(es).  That's expected and reasonable
behaviour for those daemons for service discovery and reasonable
discretion is used in handling the inbound traffic appropriately.

D

-- 
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722





Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread Klaus Ethgen

Hi folks,

On Tue, 6 Dec 2016 at 0:07, Daniel Reurich wrote:
> On 06/12/16 05:50, Lars Noodén wrote:
> > Where should we be recommending the storage of iptables rules in Devuan
> > Jessie?
> 
> There should not be a default location.  It should be left to each
> firewall application to define.  This is particularly important as
> iptables has a competitor in nftables and likely to be deprecated at
> some point so we can't guarantee into the future that iptables will
> always exist.

Well, I think, there should be an advice.

Historically I use /var/lib/iptables. But that is only great when using
dynamic iptables. Present days I do them manually so /etc/something
might be better.

> Generally a well setup Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts.  This means firewall in a well secured
> network is generally not necessary or desirable.  The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.

Well, except avahi, cups, samba, ntp, rpcbind and some other badly
designed tools that listen on 0.0.0.0 by default and that are pulled in
with a common linux desktop installation.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16  Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread KatolaZ
On Tue, Dec 06, 2016 at 12:07:25PM +1300, Daniel Reurich wrote:

[cut]

> 
> I'm probably getting a little off topic here, but IMHO, MS Windows needs
> a firewall because it has so many leaky hidden services running on the
> host that should never be exposed to even local networks that make it
> extremely vulnerable, so it essentially needs to be enclosed in a
> Faraday cage with a few pinholes for the necessary inbound services.
> 
> Generally a well setup Linux system has no network connectable services
> running that aren't intended to be, in which case it's relatively
> resistant to hacking attempts.  This means firewall in a well secured
> network is generally not necessary or desirable.  The only instance I'd
> consider a workstation firewall is a laptop connecting to untrusted
> networks regularly.
>

Hi Dan,

I partially agree with your analysis, but you know better than me that
in many non-desktop environments (which are actually the large
majority of the use cases for Linux) iptables does much more than
filtering ports. I agree that if it was just for "firewalling" in the
Windows sense, then iptables would have been pretty useless in a
Unix environment, but indeed iptables is the most high-level(!) packet
manager available to a sysadmin.

As a consequence, it might (but it also might not) be sensible for a
distribution to propose a default location for the *state* *files*
related to iptables (they are not configuration files, as I tried to
explain before). /var/lib/iptables respects the rule of least
surprise: since all the state files of daemons/services/utilities in
Debian-like systems are in /var/lib/*/, it would be sensible to keep
iptables' state files there as well.

My2Cents

KatolaZ


-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread Didier Kryn

On 06/12/2016 08:59, Lars Noodén wrote:

> On 12/06/2016 12:14 AM, KatolaZ wrote:
>> ...
>> The old Debian standard used to be /var/lib/iptables/, and I
>> don't know when this behaviour changed (especially because I never
>> changed it, despite the choices made by DDs). ...
>
> Thanks.  That seems to fit with hier(7) too.  So I will go with that.
>
> The recent Debian documentation also contributed to the confusion.  e.g.
>  https://wiki.debian.org/iptables
>  https://wiki.debian.org/DebianFirewall
>
> Along those lines, should we recommend that iptables rules be loaded via
> init or via some script in /etc/network/if-pre-up.d/ connected to the
> interface?  I realize /etc/ has to be on the same file system as / but
> it seems awkward to have executables there anyway.



Sorry to go a little off-topic, but /etc is there for proper
sorting of files, not by the necessity or possibility to mount it on a
different filesystem, as opposed to /usr. If /etc was on a different
filesystem, it should be mounted by the initramfs script, because it
contains data essential to the system, first of all the init scripts.
Therefore I think you can be assured /etc will never be a mountpoint.


Didier



Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread Lars Noodén
On 12/06/2016 12:14 AM, KatolaZ wrote:
> ... 
> The old Debian standard used to be /var/lib/iptables/, and I
> don't know when this behaviour changed (especially because I never
> changed it, despite the choices made by DDs). ...

Thanks.  That seems to fit with hier(7) too.  So I will go with that.

The recent Debian documentation also contributed to the confusion.  e.g.
https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall

Along those lines, should we recommend that iptables rules be loaded via
init or via some script in /etc/network/if-pre-up.d/ connected to the
interface?  I realize /etc/ has to be on the same file system as / but
it seems awkward to have executables there anyway.

Regards
Lars
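A loader that could sit behind either of the two options Lars raises (an init script or an /etc/network/if-pre-up.d/ hook), added here as an example and not code from the thread or from Devuan: it checks that an iptables-save style file is well-formed before handing it to iptables-restore, so a truncated or mistyped rules file fails loudly instead of leaving the host half-configured. The check itself, the rules paths and the two sample files are constructed for the example.

```shell
# Added example, not code from the thread: sanity-check an iptables-save
# style rules file before iptables-restore loads it. Paths/contents constructed.
# Return 0 if every "*table" block is closed by COMMIT, table names are known,
# ":CHAIN POLICY" lines use ACCEPT/DROP (or "-" for user chains), and only
# rule lines appear inside a block; problems are printed with line numbers.
check_rules_file() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ {
            if (in_table) { print "nested table at line " NR; bad = 1 }
            t = substr($1, 2)
            if (t !~ /^(filter|nat|mangle|raw|security)$/) {
                print "unknown table " t " at line " NR; bad = 1
            }
            in_table = 1; next
        }
        /^COMMIT$/ {
            if (!in_table) { print "COMMIT outside a table at line " NR; bad = 1 }
            in_table = 0; next
        }
        !in_table { print "line " NR " outside a table block"; bad = 1; next }
        /^:/ {
            if ($2 !~ /^(ACCEPT|DROP|-)$/) { print "bad policy at line " NR; bad = 1 }
            next
        }
        /^-[AIDRNXPFZ] / { next }
        { print "unexpected line " NR ": " $0; bad = 1 }
        END { if (in_table) { print "missing final COMMIT"; bad = 1 }; exit bad }
    ' "$1"
}
# Dry-run the file through iptables-restore itself (-t/--test parses without
# committing), then apply it atomically. Needs root and iptables installed.
load_rules() {
    check_rules_file "$1" || return 1
    command -v iptables-restore >/dev/null 2>&1 || return 1
    iptables-restore --test < "$1" && iptables-restore < "$1"
}
# Constructed samples: a valid minimal filter table, and one with a typo in
# the policy and no COMMIT.
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DORP [0:0]
-A INPUT -i lo -j ACCEPT
EOF
```

Calling `load_rules /etc/iptables/rules.v4` (or whatever path the distribution settles on) from the hook or init script gives the same behaviour from either location.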


Re: [DNG] Recommended location for iptables rules

2016-12-06 Thread Lars Noodén
On 12/06/2016 01:07 AM, Daniel Reurich wrote:
> ...
> There is a processing cost to iptables and to be honest whilst
> iptables is fantastic at border gateway for filtering out malicious
> traffic, it may not be either necessary or desirable on hosts inside
> the network.
> ...

I agree.  Though for many reasons, real or perceived, especially those
you pointed out, we'll need to have the official guide mention
"firewalls".

Regards
Lars



Re: [DNG] Recommended location for iptables rules

2016-12-05 Thread Daniel Reurich
On 06/12/16 05:50, Lars Noodén wrote:
> Where should we be recommending the storage of iptables rules in Devuan
> Jessie?

There should not be a default location.  It should be left to each
firewall application to define.  This is particularly important as
iptables has a competitor in nftables and likely to be deprecated at
some point so we can't guarantee into the future that iptables will
always exist.

There is a processing cost to iptables and to be honest whilst iptables
is fantastic at border gateway for filtering out malicious traffic, it
may not be either necessary or desirable on hosts inside the network.

I'm probably getting a little off topic here, but IMHO, MS Windows needs
a firewall because it has so many leaky hidden services running on the
host that should never be exposed to even local networks that make it
extremely vulnerable, so it essentially needs to be enclosed in a
Faraday cage with a few pinholes for the necessary inbound services.

Generally a well setup Linux system has no network connectable services
running that aren't intended to be, in which case it's relatively
resistant to hacking attempts.  This means firewall in a well secured
network is generally not necessary or desirable.  The only instance I'd
consider a workstation firewall is a laptop connecting to untrusted
networks regularly.

Of course some Linux distributions push firewalling with the same fervor
as Microsoft and their "security suite" leeches.  This is because the
added complexity creates more need for hand holding and thus the
opportunity to derive revenue and also to hide the fact that their
sloppy installers install and run poorly configured services by default
on systems that don't need them.


-- 
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722





Re: [DNG] Recommended location for iptables rules

2016-12-05 Thread KatolaZ
On Mon, Dec 05, 2016 at 10:09:38PM +0200, Lars Noodén wrote:

[cut]

> 
> What do you see as the advantage?  I'm interested in hearing the
> rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
> and iptables-persistent are conflicting and unlikely to be resolved
> upstream in the immediate future.
> 

The old Debian standard used to be /var/lib/iptables/, and I don't
know when this behaviour changed (especially because I never changed
it, despite the choices made by DDs). It might look somehow weird, but
it actually made a lot of sense: iptables rules define the current
state of iptables, and most of the directories in /var/lib/* are
indeed containing state information of daemons, services, and simple
utilities (think for instance of /var/lib/urandom/random-seed).

I know that in many situations firewall rules can be considered as a
"static" set of parameters, but if you also consider that:

  - in large-scale environments iptables rules can be (and normally
  are) changed dynamically, e.g. by an intrusion detection system
  which can reset the DROP policy to specific classes of addresses, or
  by an external load-balancing daemon which can decide to re-route
  traffic to other working nodes according to some external rules;

  - the normal routine in firewall testing is to load/dump different
  configurations until everything works as you want;

  - usually the same server can (or should, or must) have several
  possible alternative sets of rules;

then you would agree that there is nothing written in stone when it
comes to firewall rules (read: nothing to be necessarily kept in
/etc/*/).

Hence, /var/lib/iptables/ seems indeed the perfect place to keep
(different possible sets of) iptables rules.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


Re: [DNG] Recommended location for iptables rules

2016-12-05 Thread Lars Noodén
On 12/05/2016 09:59 PM, dev wrote:
> 
> 
> On 12/05/2016 10:50 AM, Lars Noodén wrote:
>> Because iptables-apply is there by default, I'm leaning a bit
>> towards recommending  /etc/network/iptables.up.rules as the
>> location over /etc/iptables/rules.v4
> 
> 
> Do you still need to consider some users may need ip6tables rules
> also? 

Yes.  However, it seems to be established practice that IPv6 rules more
or less mirror the IPv4 rules.  So it seems to be less pressing than
where to put the iptables rules in general.

> Perhaps /etc/iptables/rules.v4 and /etc/iptables/rules.v6 make
> the most sense.

What do you see as the advantage?  I'm interested in hearing the
rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
and iptables-persistent are conflicting and unlikely to be resolved
upstream in the immediate future.

Regards,
Lars

