dataswamp.org/1/~solene/article-writing-firewall-rules

  URI:

       Title: Getting started to write firewall rules
       Author: Solène
       Date: 07 December 2024
       Tags: network security
       Description: In this blog post, you will learn how to get started to
       write firewall rules
       
       # Introduction
       
       This blog post is about designing firewall rules, not focusing on a
       specific operating system.
       
       The idea came after I made a mistake on my test network where I exposed
       LAN services to the Internet after setting up a VPN with a static IPv4
       on it due to too simplistic firewall rules.  While discussing this
       topic on Mastodon, some mentioned they never know where to start when
       writing firewall rules.
       
       # Firewall rules ordering
       
       Firewall rules are evaluated one by one, and the evaluation order
       matters.
       
       Some firewall use a "first match" type, where the first rule matching a
       packet is the rule that is applied.  Other firewalls are of type "last
       match", where the last matching rule is the one applied.
       
       # Block everything
       
       The first step when writing firewall rules is to block all incoming and
       outgoing traffic.
       
       There is no other way to correctly configure a firewall, if you plan to
       block all services you want to restrict and let the default allow rule
       do its job, you are doing it wrong.
       
       # Identify flows to open
       
       As all flows should be blocked by default, you have to list what should
       go through the firewall, inbound and outbound.
       
       In most cases, you will want to allow outbound traffic, except if you
       have a specific environment on which you want to only allow outgoing
       traffic to a certain IP / port.
       
       For inbound traffic, if you do not host any services, there are nothing
       to open.  Otherwise, make a list of TCP, UDP, or any other ports that
       should be reachable, and who should be allowed to reach it.
       
       # Write the rules
       
       When writing your rules, whether they are inbound or outbound, be
       explicit whenever possible about this:
       
       * restrict to a network interface
       * restrict the source addresses (maybe a peer, a LAN, or anyone?)
       * restrict to required ports only
       
       Eventually, in some situations you may want to filter by source and
       destination port at the same time.  This is usually useful when you
       have two servers communicating over a protocol enforcing both ports.
       
       This is actually where I failed and exposed my LAN minecraft server to
       the wild.  After setting up a VPN with a static IPv4 address, I only
       had a "allow tcp/25565" rule on my firewall as I was relying on my ISP
       router to not forward traffic.  This rule was not effective once the
       traffic was received from the VPN, although it would have been
       filtrated when using a given network interface or a source network.
       
       If you want to restrict the access of a critical service to a some user
       (1 or more), but that they do not have a static IP address, you should
       consider using a VPN for this service and restrict the access to the
       VPN interface only.
       
       # Write comments and keep track of changes
       
       Firewall rules will evolve over time, you may want to write for your
       future you why you added this or that rule.  Ideally, use a version
       control system on the firewall rules file, so you can easily revert
       changes or track history to understand a change.
       
       # Do not lock yourself out
       
       When applying the firewall rules the first time, you may have made a
       mistake and if it is on remote equipment with no (or complicated)
       physical access, it is important to prepare an escape.
       
       There are different methods, the most simple is to run a command in a
       second terminal that sleeps for 30 seconds before resetting the
       firewall to a known state, you have to run this command just before
       loading the new rules.  So if you are locked out after applying, just
       wait 30 seconds to fix the rules.
       
       # Add statistics and logging
       
       If you want to monitor your firewall, consider adding counters to
       rules, it will tell you how many times it was evaluated/matched and how
       many packets and traffic went through.  With nftables on Linux they are
       named "counters", whereas OpenBSD packet filter names this "label".
       
       It is also possible to log packets matching a rule, this can be useful
       to debug an issue on the firewall, or if you want to receive alerts in
       your logs when a rule is triggered.
       
       # Conclusion
       
       Writing firewall rules is not a hard task once you identified all
       flows.
       
       While companies have to maintain flow tables, I do not think it can be
       useful for a personal network (your mileage may vary).