Post AV9dpbFqKt1nnofU0G by adam@hax0rbana.social
 (DIR) Post #AV9dpbFqKt1nnofU0G by adam@hax0rbana.social
       2023-04-29T19:56:32Z
       
       0 likes, 0 repeats
       
       Is there really no #Linux #firewall that can allow or block FQDNs or domains? iptables doesn't do it, and #ufw is just a frontend for #iptables. What else is out there for #Debian based machines?

       For context: I've been around Linux since the days of ipchains. I know the #OSI model and run my own #DNS servers (primary, secondary, and resolving/caching) so there's no need to explain why this feature is non-trivial to implement.

       Most other OSes have this feature and it's pretty reasonable to want.
       
 (DIR) Post #AV9fg1iVIL5It0dXZQ by frehi@fosstodon.org
       2023-04-29T20:17:10Z
       
       0 likes, 0 repeats
       
       @adam It's possible to use hostnames with #shorewall. However, resolving only happens at firewall initialization time, so if DNS changes later on, it will not take this into account, which also makes it unusable for services which are distributed on cloud services. And if DNS resolving does not work at initialization time, the firewall will fail to load. So in practice it's not really usable.
       
 (DIR) Post #AV9g8hGIQOyfqP77S4 by jtk@infosec.exchange
       2023-04-29T20:22:23Z
       
       0 likes, 0 repeats
       
       @adam If it is outbound traffic from the system to a domain you want to block, you might take a look at running a full resolver on the system and utilizing RPZ. Inbound I'm not sure what if anything people do, but I can imagine it being fraught with problems to implement safely and effectively. In either case, beware of shared fate between passing traffic and DNS availability. https://www.dnsrpz.info/
       
 (DIR) Post #AV9h2wRt9BAHA8M78a by AMS@infosec.exchange
       2023-04-29T20:32:34Z
       
       0 likes, 0 repeats
       
       @adam I did it with shorewall and a cronjob to keep the dns-IP mappings up to date.
       
 (DIR) Post #AV9u8eUS822obebm8O by adam@hax0rbana.social
       2023-04-29T22:59:17Z
       
       0 likes, 0 repeats
       
       @frehi That's at least closer.

       I was wondering if `pf` could handle an allow list of a single FQDN and it turns out it can, but it does it in the same way shorewall does: by looking up the IP address(es) at the time the rule is added.

       That worked reasonably well in the 1900s, but less so nowadays, sadly.
       
 (DIR) Post #AV9uakcUvpXtj3lnWa by adam@hax0rbana.social
       2023-04-29T23:04:23Z
       
       0 likes, 0 repeats
       
       @jtk If doing a block list for outbound, I could just use `/etc/hosts` to send it to 127.1.2.3 or something.

       I'd want to do an allow list, which I could do at the DNS layer, but if the firewall isn't involved too, then it'll miss outbound requests directly to IP addresses.

       It'd be possible to set up something to dynamically add firewall rules for IPs in DNS replies that are only valid for the TTL, but at that point I'm writing new software. Seems like someone should have beat me to doing that! 😛
       
 (DIR) Post #AV9umI72kNosmqYmu0 by adam@hax0rbana.social
       2023-04-29T23:06:28Z
       
       0 likes, 0 repeats
       
       @AMS It's cool that shorewall does the resolution and grabs and adds all of the IP addresses that are returned. It's not sufficient for my use case, but maybe slightly better than what I'm doing now.
       
 (DIR) Post #AV9wwfC3zGyBAvyvrM by jtk@infosec.exchange
       2023-04-29T23:30:42Z
       
       0 likes, 0 repeats
       
       @adam I might not be interpreting your response correctly, but in case it wasn't obvious from the link I included, RPZ will be able to act on the responses.
       
 (DIR) Post #AV9zpOhlC3Sbs72DC4 by mmezo@fosstodon.org
       2023-04-30T00:03:00Z
       
       0 likes, 0 repeats
       
       @adam You can use ipsets in firewall rules. These are dynamic and you could use scripts to update them regularly. I have never used them, but apparently there are quite a few scripts for automating this. A quick search found firehol for example.
       
 (DIR) Post #AVAZV85qqEC8uVwDFA by pmevzek@framapiaf.org
       2023-04-30T06:42:43Z
       
       0 likes, 0 repeats
       
       @adam This sounds like bind (or other nameservers) RPZ feature, aka a DNS firewall. Which of course is useless in case of clients configuring DoH/DoT towards other endpoints, but if that is so, no OS firewall would be able to block any of that traffic either, besides trivial destination IPs filtering.
       
 (DIR) Post #AVBV6g3RETf2LBr0VM by adam@hax0rbana.social
       2023-04-30T17:28:14Z
       
       0 likes, 0 repeats
       
       @jtk When you say "act on the responses" do you mean just manipulate DNS traffic, or can it actually cause an iptables rule to be added or removed?

       I read section 6.9 of https://bind9.readthedocs.io/en/v9.18.13/chapter6.html and it looks like it's the former unless I am missing something.

       I am also struggling to see how one could use this to make an allow list. It looks like everything is for blocking specific hostnames or domains (hostnames with wildcards).
       
 (DIR) Post #AVBVeHhAJ27YdbSe7U by jtk@infosec.exchange
       2023-04-30T17:34:18Z
       
       0 likes, 0 repeats
       
       @adam RPZ won't natively interface with iptables.  It is a "DNS firewall", not a packet filter. You can however configure RPZ to react based on something about a query name or in the response to a query (e.g., IP address in the rdata of the answer).
       
 (DIR) Post #AVBVjruF6OAWOMEyXY by adam@hax0rbana.social
       2023-04-30T17:35:20Z
       
       0 likes, 0 repeats
       
       @pmevzek I saw a huge financial institution's solution for this. They blocked basically everything with an IP firewall and then would only open up IPs that were in a DNS response that were on an approved list (IIRC they also used DNSSEC).

       It blocked (and even alerted on) traffic going directly to IP addresses and caught DoH based on this same mechanism.

       I didn't see the implementation, but it was described to me and I was tasked with trying to bypass it. It was actually really solid.
       
 (DIR) Post #AVBW6ej6GnpsAytWqW by adam@hax0rbana.social
       2023-04-30T17:39:26Z
       
       0 likes, 0 repeats
       
       @pmevzek There were some loopholes for allowing the use of captive portals, which are likely fixed now by the means of "well then they'll just be offline if there's a captive portal!" Very impressive response, and it came from the very top of the organization.

       But I also know that they have a huge security budget and put together a lot of that themselves.

       I'd give them credit by name for a job well done if I was legally allowed to do so. I feel they deserve recognition for a job well done.
       
 (DIR) Post #AVBZBbKecJo8xXVfuK by adam@hax0rbana.social
       2023-04-30T18:13:55Z
       
       0 likes, 0 repeats
       
       @jtk If only it could just react by running a shell script, it'd be perfect.

       Even as it is, as long as you only want to block a list of specific destinations, it's better than nothing.
       
 (DIR) Post #AVBacJhWNS6S3AVb8q by adam@hax0rbana.social
       2023-04-30T18:29:58Z
       
       0 likes, 0 repeats
       
       @mmezo I see firehol accepts hostnames, but the documentation doesn't describe when or how often name resolution is done.

       Presumably it's only once at the time the rule is added. They'd be talking about it more if it did more than that.

       But an ipset does look like a reasonable feature to leverage if I do decide to roll my own solution. The RedHat docs on the feature have some nice, simple examples of usage.

       Stashing this link for later: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_iptables
       
 (DIR) Post #AVBws26jkpph6uCbeS by mmezo@fosstodon.org
       2023-04-30T22:39:19Z
       
       0 likes, 0 repeats
       
       @adam Yes, it is only resolved when the host is added, but you can change it (add or remove hosts) dynamically. You can even create another ipset and swap it "atomically" if needed. Together with a cron update, it could be an option.
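       The two ideas above (adam's "rules that are only valid for the TTL" and mmezo's "build a second ipset and swap it atomically") fit together in one small generator. What follows is an added example written for this thread; it is not code from any poster, nor from shorewall, firehol or Red Hat. The set names `allowlist4`/`allowlist6`, the timeout floor and cap, and the sample DNS answers are all assumptions: the answers are constructed inline so the script runs offline, and in a real deployment they would come from the resolver's responses (the step jtk and pmevzek describe, e.g. via `dnsdist` or a stub resolver). The output is meant to be fed to `ipset restore`; the matching iptables rules are printed alongside so the set is actually enforced on outbound traffic.

```python
"""
Mirror a list of FQDNs into ipsets whose entries expire with the DNS TTL,
built in a temporary set and swapped into place atomically.

Example written for this thread (not from any poster or named tool).
Assumed set names: allowlist4 / allowlist6. DNS answers below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# One resolved record is (rdata, ttl_seconds); a resolver would produce these.
Resolved = Dict[str, List[Tuple[str, int]]]

# Constructed sample answers (not real lookups), including one garbage record.
SAMPLE_ANSWERS: Resolved = {
    "updates.example.com": [("192.0.2.10", 300), ("192.0.2.11", 300)],
    "mirror.example.net":  [("198.51.100.7", 60), ("2001:db8::7", 60)],
    "bogus.example.org":   [("not-an-ip", 300)],
}

MIN_TIMEOUT = 30    # assumed floor: a TTL of 0 must not create an entry that dies at once
MAX_TIMEOUT = 3600  # assumed cap: a huge TTL must not pin a stale IP for days


def clamp_timeout(ttl: int) -> int:
    """Bound a DNS TTL to the window we are willing to trust an IP for."""
    return max(MIN_TIMEOUT, min(MAX_TIMEOUT, ttl))


def partition(answers: Resolved) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Return sorted, de-duplicated (ip, timeout) lists for IPv4 and IPv6.

    Invalid rdata is dropped rather than passed to ipset, so one bad answer
    cannot abort the whole restore and leave the live set untouched."""
    v4, v6 = set(), set()
    for _name, records in answers.items():
        for rdata, ttl in records:
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            entry = (str(ip), clamp_timeout(ttl))
            (v6 if ip.version == 6 else v4).add(entry)
    return sorted(v4), sorted(v6)


def render_restore(answers: Resolved, setname: str = "allowlist") -> str:
    """Emit stdin for `ipset restore -exist`.

    Pattern: create the live set if missing, fill a fresh temp set, `swap`
    the two (the kernel exchanges them in one step, so rules referencing the
    live set never see an empty set), then destroy the now-stale temp set.
    Sets being swapped must have the same type and family, hence one pair
    per address family. Per-entry `timeout` overrides the set default."""
    v4, v6 = partition(answers)
    lines = []
    for family, suffix, entries in (("inet", "4", v4), ("inet6", "6", v6)):
        live, tmp = f"{setname}{suffix}", f"{setname}{suffix}_tmp"
        lines.append(f"create {live} hash:ip family {family} timeout {MAX_TIMEOUT}")
        lines.append(f"create {tmp} hash:ip family {family} timeout {MAX_TIMEOUT}")
        for ip, timeout in entries:
            lines.append(f"add {tmp} {ip} timeout {timeout}")
        lines.append(f"swap {tmp} {live}")
        lines.append(f"destroy {tmp}")
    return "\n".join(lines) + "\n"


def render_iptables(setname: str = "allowlist") -> List[str]:
    """Rules that only let NEW outbound connections reach set members.

    Matching on NEW (not every packet) means an entry expiring mid-session
    does not cut an established flow; DNS to the local resolver must be
    allowed separately or the allow list can never be refreshed."""
    return [
        f"iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A OUTPUT -m conntrack --ctstate NEW -m set --match-set {setname}4 dst -j ACCEPT",
        f"iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix 'allowlist-miss: '",
        f"iptables -A OUTPUT -m conntrack --ctstate NEW -j DROP",
        f"ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"ip6tables -A OUTPUT -m conntrack --ctstate NEW -m set --match-set {setname}6 dst -j ACCEPT",
        f"ip6tables -A OUTPUT -m conntrack --ctstate NEW -j DROP",
    ]


if __name__ == "__main__":
    # Pipe this into: ipset restore -exist
    print(render_restore(SAMPLE_ANSWERS), end="")
    print("# iptables rules (apply once, after the sets exist):")
    for rule in render_iptables():
        print("# " + rule)
```

       Run from cron (or from a hook on the resolver) at an interval shorter than `MIN_TIMEOUT`, the live set tracks what DNS currently says, and anything that never appeared in a DNS answer, including a direct-to-IP connection or a DoH endpoint the client picked on its own, is not in the set and is logged and dropped. The same shared-fate caveat jtk raised applies: if the resolver stops answering, entries expire and the host goes dark rather than open, which is the fail-closed behaviour adam describes the financial institution choosing.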
       
 (DIR) Post #AVDZMv4Xx6h3gTIChc by pmevzek@framapiaf.org
       2023-05-01T17:25:21Z
       
       0 likes, 0 repeats
       
       @adam If you control the clients and the DNS server they use, then it is "easy". If on the contrary the clients can choose whatever DoH/DoT endpoint they want, then any filtering is moot.
       
 (DIR) Post #AVDZjBjMhJJfih0Huy by pmevzek@framapiaf.org
       2023-05-01T17:29:25Z
       
       0 likes, 0 repeats
       
       @adam I don't know if there is an open source solution packaging all of that, but it does not seem hard: any good DNS server can be extended to record the IPs it sees (see `dnsdist`) and then add them to the network firewall. But it still makes little sense for any resource behind a heavy CDN or any case of frontrunning. And it makes sense only in a very tightly controlled network with clients completely remotely enforced with company policies.