[Dshield] distributing internal block lists

Cef cef at optus.net
Sat Jan 8 06:26:24 GMT 2005


On Sat, 8 Jan 2005 09:18, David Cary Hart wrote:
> On Fri, 2005-01-07 at 12:06 -0500, Johannes B. Ullrich wrote:
> > Time for me to ask a question:
> >
> > What systems do people use to distribute block lists to internal
> > firewalls?
>
> I'm no firewall expert (to say the least). Wouldn't it make sense,
> though, to try to figure out how to serve one common IPTables chain to
> several machines?

This makes sense. A few things to remember though:

 1. You need to make sure that the machine can load its standard tables at 
boot, or whenever the admin of the box wishes to, from the box itself. You 
don't want the default rules to wipe out your changes and then have to push 
them down again. Store the rules for the blocking chain in a separate script 
file, but when you load your normal rules, you need to remember to call this 
script.
 2. When you push down a new blocking chain, you want to reload the chain 
only, and not the whole set of rules. IPTables supports deleting the contents 
of the chain (-F), but you don't want to delete the chain itself (-X) as it 
won't work while any other rule references the chain. This means you'll have 
to create the blocking chain in your normal iptables scripts.
 3. For least privileges, you could set it up so that the user you use to push 
down the script (or the file the script reads its details from) has sudo 
privileges to just run the reload script. You can then do all this via a 
shell (whether local or ssh) while avoiding most privilege issues.
 4. It would be better if the blocking chain details are loaded from a file 
and are not an actual script. This cuts down on the chance that someone can 
do damage by somehow getting in and changing the script. Of course, you then 
need to worry about parts of the file being interpreted by the script when it 
runs, but that's not that hard to do.

I don't know of anything out there that does this sort of stuff, but it 
shouldn't be too hard to script something up.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
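The four points above, worked through as one added example (not code from the original post or from anyone on the list): a POSIX sh reload script that flushes a dedicated block chain and refills it from a plain data file, never evaluating the file as shell. The chain name `BLOCKLIST`, the paths `/usr/local/sbin/reload-blocklist.sh` and `/etc/firewall/blocklist.txt`, and the `deploy` user in the sudoers comment are all assumptions chosen for the example; the sample block list is constructed inline.

```shell
#!/bin/sh
# reload-blocklist.sh: refill a dedicated iptables block chain from a data file.
# Added example, not from the original post. Assumes the normal firewall
# script already created and referenced the chain, e.g.
#   iptables -N BLOCKLIST
#   iptables -I INPUT 1 -j BLOCKLIST
# so this script only ever flushes (-F) the chain; it never deletes it (-X),
# which would fail while INPUT still references it.
# Assumed sudoers line restricting the push user to exactly this command:
#   deploy ALL=(root) NOPASSWD: /usr/local/sbin/reload-blocklist.sh --apply /etc/firewall/blocklist.txt

BLOCK_CHAIN="${BLOCK_CHAIN:-BLOCKLIST}"

# Stand-in for iptables when previewing: prints the command instead of running it.
preview() { printf 'iptables %s\n' "$*"; }

# Return 0 if $1 is an IPv4 address or CIDR (a.b.c.d or a.b.c.d/n), else 1.
# Anything that fails this check is skipped, so a corrupted or tampered data
# file cannot inject options or shell into the reload.
valid_cidr() {
    addr="${1%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case "$addr" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    (
        IFS=.
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the valid entries of the data file, one per line. Comments (#) and
# whitespace are stripped; invalid entries are reported on stderr and skipped.
build_rules() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$file"
}

# Flush only the block chain (point 2), then append one DROP rule per entry.
# The rest of the ruleset is untouched, so a reload is cheap and safe to repeat.
reload_chain() {
    "$IPTABLES" -F "$BLOCK_CHAIN" || return 1
    build_rules "$1" | while IFS= read -r entry; do
        "$IPTABLES" -A "$BLOCK_CHAIN" -s "$entry" -j DROP
    done
}

# Constructed sample data file for the preview (not from the post).
SAMPLE_FILE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# block list: one IPv4 address or CIDR per line
192.0.2.10
198.51.100.0/24      # trailing comments are fine
203.0.113.300        # bad octet: skipped, never applied
10.0.0.1/40          # bad prefix length: skipped
not-an-address       # skipped
EOF

# "--apply FILE" runs iptables for real (via the sudo-restricted command above);
# with no arguments the script only previews the commands against the sample.
case "${1:-}" in
    --apply) IPTABLES=iptables; LIST_FILE="${2:?data file required}" ;;
    *)       IPTABLES=preview;  LIST_FILE="$SAMPLE_FILE" ;;
esac
reload_chain "$LIST_FILE"
```

Run without arguments to see the flush followed by one append per valid entry; the two invalid lines produce a warning on stderr and nothing in the chain. The normal boot-time firewall script (point 1) creates `BLOCKLIST`, jumps to it from `INPUT`, and then calls this script with `--apply`, so a full rule reload and a pushed-down update both end in the same state.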