Resolved
0 votes
I've been looking at the new way of generating firewall block rules for IPS/snortsam and I've also been looking at the Emerging Threats iptables block lists and I've come up with an idea to massively simplify the firewall rules generated by /etc/clearos/firewall.d/10-intrusion-prevention.

Looking at the current method it generates a source and destination rule for the FORWARD chain, a source rule for the INPUT chain and destination rule for the OUTPUT chain for each WAN interface. This means one IP generates 4 rules per WAN interface.

Thinking about it, if you just block the source IP there is no need to block the destination IP. No inbound traffic will pass and no outbound traffic will get a reply. This removes half the rules.

Now if you are just blocking by source IP you don't care if the interface is LAN or External. If it is a LAN interface you'll never get a match as the source IP will never be on your LAN. This removes all interface specific stuff so now we are down to 2 rules per IP.

Then if you use the method used by Emerging Threats and change /etc/clearos/firewall.d/10-intrusion-prevention to:
#!/bin/sh
# One IPS chain hooked into FORWARD and INPUT; a single DROP per blocked source IP
/sbin/iptables -N IPS
/sbin/iptables -I FORWARD -j IPS
/sbin/iptables -I INPUT -j IPS

# UTC (current time in epoch seconds) is assumed to be exported by the
# surrounding ClearOS script; set it here if it is not
UTC=${UTC:-$(date +%s)}; export UTC

# Source IPs whose snortsam block (start $6 + duration $7) has not yet expired
IPS=`snortsam-state -qd, 2>/dev/null | awk -F, '$6+$7 > ENVIRON["UTC"] { print $2 }'`

for IP in $IPS; do
/sbin/iptables -I IPS -s "$IP" -j DROP
done
With this you get all your IPS rules in a single place and only a single rule per IP. It makes it much easier to work out where the rules have come from and makes any iptables listing much smaller.
Tuesday, February 04 2014, 08:43 PM
Responses (1)
  • Accepted Answer

    Tuesday, February 04 2014, 10:11 PM
    Resolved
    0 votes
    .........mmmm

    Might not be such good idea. New blocks still go to the original chains. Also I don't know how the unblocking mechanism would work.
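Added example, not code from the post or from ClearOS: a POSIX shell script that turns snortsam-state output into the single-chain rule set the original post proposes, and also emits the matching removals the reply asks about once a block expires. It assumes the column layout the post's awk relies on (field 2 = blocked IP, field 6 = block start in epoch seconds, field 7 = duration in seconds) and uses constructed sample lines instead of a live snortsam.

```shell
#!/bin/sh
# Added example, not ClearOS code. Assumes the column layout the post's awk
# relies on: field 2 = blocked IP, 6 = block start (epoch s), 7 = duration (s).
IPTABLES=${IPTABLES:-/sbin/iptables}

# Constructed sample of `snortsam-state -qd,` output (not real data). The same
# IP can appear several times, once per triggering signature.
SAMPLE_STATE='1,203.0.113.5,0,0,2000001,1391540000,3600
2,203.0.113.5,0,0,2000002,1391541000,3600
3,198.51.100.7,0,0,2000003,1391542900,600
4,192.0.2.44,0,0,2000004,1391530000,3600'

# Print each source IP once, judged by the latest expiry seen for it, so a
# duplicate entry never produces a duplicate rule or a premature unblock.
# Usage: _ips_by_expiry NOW active|expired < state
_ips_by_expiry() {
  awk -F, -v now="$1" -v want="$2" '
    { e = $6 + $7; if (e > expiry[$2]) expiry[$2] = e }
    END { for (ip in expiry)
            if ((want == "active") == (expiry[ip] > now)) print ip }' | sort
}
ips_active_sources()  { _ips_by_expiry "$1" active; }
ips_expired_sources() { _ips_by_expiry "$1" expired; }

# Emit the rules the post proposes: one IPS chain, one DROP per live source.
# Usage: ips_rules NOW < state
ips_rules() {
  state=$(cat)
  echo "$IPTABLES -N IPS"
  echo "$IPTABLES -I FORWARD -j IPS"
  echo "$IPTABLES -I INPUT -j IPS"
  printf '%s\n' "$state" | ips_active_sources "$1" |
    while read -r ip; do echo "$IPTABLES -I IPS -s $ip -j DROP"; done
}

# Emit the matching removals for blocks that have run out, so the chain does
# not keep growing. Usage: ips_unblock_rules NOW < state
ips_unblock_rules() {
  ips_expired_sources "$1" |
    while read -r ip; do echo "$IPTABLES -D IPS -s $ip -j DROP"; done
}

# Stand-alone demo: print both rule sets for the sample at a fixed "now".
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_STATE" | ips_rules 1391543000
  printf '%s\n' "$SAMPLE_STATE" | ips_unblock_rules 1391543000
fi
```

Run with `--demo` to see the generated commands; pipe the real `snortsam-state -qd,` output into `ips_rules "$(date +%s)"` instead of the sample to apply it to a live state file.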