On Thu, Dec 15, 2016 at 9:48 AM, Stephen Satchell <[email protected]> wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1370963
>
> Just a reminder that I have a feature request outstanding with Red Hat
> to add support for BCP38, as well as measures for certain protocol-based
> amplification reflection attacks. My intent for making the suggestion
> is to stiffen firewalld(8) in Red Hat Enterprise and clones,
> particularly when an RHEL-based box is used as an edge router or
> firewall box.
>
> I've looked at firewalld, and it would be easy to add *some* of BCP38
> into it rather quickly...assuming that the developers step up to the
> plate. There are parts of BCP38 that won't be so easy to do, given the
> architecture of the package.
>
> In my spare time, by the way, I'm working on a BCP-compliant firewall
> generator for IPTABLES. Spare time? Well, that *is* a bit of a laugh...

Given some quick time with definition making:

https://github.com/google/capirca does this pretty easily, for example:

def/NETWORK.net - content:

MYNETS = 192.0.24.0/24
MYWEB = 192.0.24.2/32
STEPHEN_HOME = 198.16.0.23/32

def/SERVICES.svc - content:

HTTP = tcp/80
HTTPS = tcp/443
SQUID = tcp/3128
APACHE_PROXY = tcp/8080
PROXY = SQUID APACHE_PROXY

office/pol/fw.pol - content:

header {
  comment:: "My firewall policy"
  target:: iptables OUTPUT DROP nostate
}

term permit-web-stephen {
  comment:: "Permit stephen to my web, really FROM my web to stephen"
  destination-address:: STEPHEN_HOME
  source-address:: MYWEB
  protocol:: tcp
  destination-port:: HTTP HTTPS PROXY
  action:: permit
}

term bcp-38-only {
  comment:: "Permit only mynets outbound"
  source-address:: MYNETS
  action:: accept
}

term default-deny {
  comment:: "All other traffic dies"
  action:: deny
}

Run the acl generation (aclgen.py) and ... out pops iptables to do what you want.

A simple matter of script/software makes this even simpler for iptables operators across many flavors of topology.

-chris

(note: I am not just a user of this solution, I'm also a contributor)
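To show what the definition expansion and the resulting iptables chain actually do for the BCP38 case, here is an added, self-contained example; it is not capirca's code and not part of the thread. It parses the three definition files from the post (embedded inline as constructed strings), expands nested service tokens such as PROXY -> SQUID APACHE_PROXY, renders one iptables rule per source/destination/service combination, and then walks the terms first-match, the way iptables walks a chain, for a few constructed packets. The policy is held as plain dicts rather than capirca's .pol grammar, and actions are written directly as the iptables targets ACCEPT and DROP; the `-m comment --comment <term>` match is used to carry the term name into the ruleset. All of that is this example's own choice, not capirca's output format.

```python
import ipaddress

# Constructed copies of the post's definition files (assumption: same names
# and values as in the thread; these are not capirca's own files).
NETWORKS_TXT = """MYNETS = 192.0.24.0/24
MYWEB = 192.0.24.2/32
STEPHEN_HOME = 198.16.0.23/32
"""
SERVICES_TXT = """HTTP = tcp/80
HTTPS = tcp/443
SQUID = tcp/3128
APACHE_PROXY = tcp/8080
PROXY = SQUID APACHE_PROXY
"""
# The three terms from the post as plain dicts (this example's own shape,
# not capirca's .pol grammar). Actions are already iptables target names.
POLICY = [
    {"name": "permit-web-stephen", "src": "MYWEB", "dst": "STEPHEN_HOME",
     "dports": ["HTTP", "HTTPS", "PROXY"], "action": "ACCEPT"},
    {"name": "bcp-38-only", "src": "MYNETS", "action": "ACCEPT"},
    {"name": "default-deny", "action": "DROP"},
]

def parse_defs(text):
    """Parse 'NAME = tok tok ...' lines into {NAME: [tokens]}; '#' starts a comment."""
    defs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        defs[name.strip()] = value.split()
    return defs

def load_defs():
    return parse_defs(NETWORKS_TXT), parse_defs(SERVICES_TXT)

def expand(name, defs, seen=()):
    """Recursively replace tokens that are themselves definitions; refuse cycles."""
    if name in seen:
        raise ValueError(f"definition cycle at {name}")
    leaves = []
    for tok in defs[name]:
        if tok in defs:
            leaves.extend(expand(tok, defs, seen + (name,)))
        else:
            leaves.append(tok)
    return leaves

def networks(name, defs):
    return [ipaddress.ip_network(t) for t in expand(name, defs)]

def services(name, defs):
    """Expand a service token into (proto, port) pairs, e.g. PROXY -> tcp/3128, tcp/8080."""
    return [(p.split("/")[0], int(p.split("/")[1])) for p in expand(name, defs)]

def render_iptables(policy, nets, svcs, chain="OUTPUT"):
    """Emit iptables-restore style lines: chain policy first, then one rule per combination."""
    lines = [f"-P {chain} DROP"]
    for term in policy:
        srcs = networks(term["src"], nets) if "src" in term else [None]
        dsts = networks(term["dst"], nets) if "dst" in term else [None]
        ports = [p for n in term.get("dports", []) for p in services(n, svcs)] or [None]
        for s in srcs:
            for d in dsts:
                for svc in ports:
                    rule = f"-A {chain}"
                    if s is not None:
                        rule += f" -s {s}"
                    if d is not None:
                        rule += f" -d {d}"
                    if svc is not None:
                        rule += f" -p {svc[0]} --dport {svc[1]}"
                    lines.append(rule + f" -m comment --comment {term['name']} -j {term['action']}")
    return lines

def evaluate(policy, nets, svcs, src, dst, proto=None, dport=None):
    """First-match walk of the terms in order, as iptables walks a chain.
    Returns (term name, action); the chain's DROP policy applies if nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in policy:
        if "src" in term and not any(src_ip in n for n in networks(term["src"], nets)):
            continue
        if "dst" in term and not any(dst_ip in n for n in networks(term["dst"], nets)):
            continue
        if "dports" in term:
            allowed = {p for n in term["dports"] for p in services(n, svcs)}
            if (proto, dport) not in allowed:
                continue
        return term["name"], term["action"]
    return "chain-policy", "DROP"

if __name__ == "__main__":
    nets, svcs = load_defs()
    print("\n".join(render_iptables(POLICY, nets, svcs)))
    # A packet leaving with a source outside MYNETS is exactly what BCP38 drops at the edge.
    print(evaluate(POLICY, nets, svcs, "10.9.9.9", "203.0.113.5", "udp", 53))
```

The bcp-38-only term is the whole of BCP38 egress filtering in one rule: anything whose source address is not one of your own prefixes never leaves. One thing to keep in mind when reusing the post's header on a box that routes for others: an iptables OUTPUT chain only sees packets the host itself generates, so on an edge router the same terms also need to be generated for the FORWARD chain, or spoofed packets from the inside LAN will pass straight through.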

