Friday, December 28, 2007

Accessing Services behind packet filtered firewall

This article details the workaround I use to get past several technical hurdles in implementing a firewall / Snort setup for my home network. The goal was to use a firewall based on Linux or BSD that was "appliance" in nature and did not require a lot of brain power to run. I would rather use that power to solve other problems.

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation.

Problem #1: Using DSL with PPPoE, I needed a way that I could deploy Snort on the "naked" internet to see traffic before it hit the firewall ruleset, without trying to delve in dissecting PPPoE traffic.
Problem #2: Need a firewall with a minimum of 3 interfaces, WAN, LAN and DMZ.
Problem #3: I would like to be able to host a web server in the DMZ and access it from inside the network using its public URL. (See Packet Filter Problem below.) This problem shows up with a variety of firewalls on various platforms.

The solution does involve a kludge, but it works and satisfies the above requirements. To solve Problem #1, I decided to deploy a Linksys router to handle the PPPoE negotiation. Set the Linksys to be a gateway, with no DHCP, and assign a host (your firewall) as the DMZ host (Linksys terminology). In essence this makes the Linksys a bridge from PPPoE to Ethernet.

The host that you put in the Linksys DMZ configuration should be the WAN interface of the firewall; in this case I chose to run m0n0wall (Problem #2 solved). Configure m0n0wall's WAN interface as static, for example 192.168.0.2. The LAN interface on the Linksys should be set to 192.168.0.1, so you now have a private network between the Linksys and the external WAN interface on the firewall.

With this "private LAN" between the Linksys and your firewall, your firewall now sees all traffic from the "internet". If you put a hub in between the Linksys and the firewall, you can use another port for Snort and it will see all traffic outside the firewall. This configuration is good for building a honeypot architecture. NOTE: You could skip the hub and deploy an Ethernet tap for Snort to achieve the same functionality.

A little more about why I did this. In order for the firewall rules to process requests (and hence for you to be able to surf your own website via its URL), the packets must originate from outside the firewall. By putting the Linksys router upstream, you force all packets to go out to the Linksys; they then come back in through the WAN interface and look as if the request actually came from outside the network.



Continue with the rest of the configuration:

Now connect the LAN (192.168.1.0/24) interface to a small hub, and then cascade that hub to a switch, which is where all of your servers are connected. This will allow you to again plug Snort into the LAN via the hub and see all of the traffic that is inside the firewall, which is good for verifying that rulesets are behaving as expected. (Again, you could use an Ethernet tap instead of the hub.)

Solving Problem #3: Configure the DMZ on the m0n0wall (192.168.2.0/24) and set up your web server. If you do not have a static IP, I recommend using DNSexit's service to register your IP in DNS so the rest of the world can see your website, send you email or whatever.

Configure m0n0wall with the NAT rules to allow port 80 traffic in to your DMZ web server and you should be in business. If you choose to also put a hub on the DMZ, you can then use Snort to watch raw traffic at each point on your network and possibly even capture some of the packets that the script kiddies and robots launch at your website.

If there is sufficient interest I would be happy to post a simple drawing of this setup and maybe some screen shots of the m0n0wall and Linksys configs. I would appreciate your feedback on whether or not this was helpful or just a waste of typing.



email: paul dot pescitelli at gmail dot com


Packet Filter Problem:
Taken from the m0n0wall FAQ - http://doc.m0n0.ch/handbook-single/#id2610631

It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.

A Solution for m0n0wall: If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address. Note: This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.
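To make the DNS-override workaround concrete, here is an added example (not from the post or from m0n0wall) that models the split-horizon behaviour the forwarder provides: clients on the LAN or DMZ get the server's private address, everyone else gets the public one. It also checks that each override actually points into a firewall-local subnet, and scans constructed DNS log tuples for local clients that still received the public address (the sign that they are not using the firewall as their DNS server and will hit the hairpin problem). The hostname, public IP, and server address are placeholders; the subnets follow the post.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed addressing following the post: LAN 192.168.1.0/24, DMZ 192.168.2.0/24.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("192.168.2.0/24")]
# Placeholder public record (what external clients and the real DNS return).
PUBLIC_RECORDS: Dict[str, str] = {"www.example.net": "203.0.113.10"}
# Forwarder override: the web server's DMZ address (placeholder).
DMZ_OVERRIDES: Dict[str, str] = {"www.example.net": "192.168.2.10"}


def is_local(client_ip: str) -> bool:
    """True if the querying client sits on a network behind the firewall."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def validate_overrides(overrides: Dict[str, str],
                       networks: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Return overrides whose target is NOT in a firewall-local subnet.
    Such an entry would send inside clients to an address the NAT rule cannot reach."""
    bad = {}
    for name, ip in overrides.items():
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            bad[name] = ip
    return bad


def resolve(name: str, client_ip: str):
    """Split-horizon answer: private address for local clients, public otherwise."""
    if is_local(client_ip) and name in DMZ_OVERRIDES:
        return DMZ_OVERRIDES[name]
    return PUBLIC_RECORDS.get(name)


# Constructed DNS log entries: (client_ip, queried_name, answer_returned).
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("192.168.1.50", "www.example.net", "192.168.2.10"),   # LAN client, override applied
    ("192.168.1.77", "www.example.net", "203.0.113.10"),   # LAN client using another resolver
    ("198.51.100.7", "www.example.net", "203.0.113.10"),   # external client, correct
]


def find_misdirected_clients(log: List[Tuple[str, str, str]]) -> List[str]:
    """Local clients that got the public IP for an overridden name: they bypass
    the forwarder and will be unable to reach the server via its URL."""
    return [client for client, name, answer in log
            if is_local(client) and name in DMZ_OVERRIDES
            and answer == PUBLIC_RECORDS.get(name)]
```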
