I've been looking at the new way of generating firewall block rules for IPS/snortsam and I've also been looking at the Emerging Threats iptables block lists and I've come up with an idea to massively simplify the firewall rules generated by /etc/clearos/firewall.d/10-intrusion-prevention.
Looking at the current method it generates a source and destination rule for the FORWARD chain, a source rule for the INPUT chain and destination rule for the OUTPUT chain for each WAN interface. This means one IP generates 4 rules per WAN interface.
Thinking about it, if you just block the source IP there is no need to block the destination IP. No inbound traffic will pass and no outbound traffic will get a reply. This removes half the rules.
Now if you are just blocking by source IP you don't care if the interface is LAN or External. If it is a LAN interface you'll never get a match as the source IP will never be on your LAN. This removes all interface specific stuff so now we are down to 2 rules per IP.
Then if you use the method used from Emerging Threats and change /etc/clearos/firewall.d/10-intrusion-prevention to:
# UTC must hold the current epoch time for the awk expiry test below; set it here
# if the surrounding firewall.d scripts do not already provide it (assumed)
: "${UTC:=$(date +%s)}"; export UTC
# One chain for every IPS block, hooked into both FORWARD and INPUT
/sbin/iptables -N IPS
/sbin/iptables -I FORWARD -j IPS
/sbin/iptables -I INPUT -j IPS
# Active blocks from snortsam (comma-delimited): keep entries whose block time ($6)
# plus duration ($7) is still in the future, and print the blocked IP ($2)
IPS=$(snortsam-state -qd, 2>/dev/null | awk -F, '$6+$7 > ENVIRON["UTC"] { print $2 }')
for IP in $IPS; do
    /sbin/iptables -I IPS -s "$IP" -j DROP
done
With this you get all your IPS rules in a single place and only a single rule per IP. It makes it much easier to work out where the rules have come from and makes any iptables listing much smaller.