[Dshield] distributing internal block lists
cef at optus.net
Sat Jan 8 06:26:24 GMT 2005
On Sat, 8 Jan 2005 09:18, David Cary Hart wrote:
> On Fri, 2005-01-07 at 12:06 -0500, Johannes B. Ullrich wrote:
> > Time for me to ask a question:
> > What systems do people use to distribute block lists to internal
> > firewalls?
> I'm no firewall expert (to say the least). Wouldn't it make sense,
> though, to try to figure out how to serve one common IPTables chain to
> several machines?
This makes sense. A few things to remember though:

1. You need to make sure that the machine can load its standard tables at
boot, or whenever the admin of the box wishes to, from the box itself. You
don't want the default rules to wipe out your changes and then have to push
them down again. Store the rules for the blocking chain in a separate script
file, but when you load your normal rules, you need to remember to call this

2. When you push down a new blocking chain, you want to reload the chain
only, and not the whole set of rules. IPTables supports deleting the contents
of the chain (-F), but you don't want to delete the chain itself (-X) as it
won't work while any other rule references the chain. This means you'll have
to create the blocking chain in your normal iptables scripts.

3. For least privileges, you could set it up so that the user you use to push
down the script (or the file the script reads its details from) has sudo
privileges to just run the reload script. You can then do all this via a
shell (whether local or ssh) while avoiding most privilege issues.

4. It would be better if the blocking chain details are loaded from a file
and are not an actual script. This cuts down on the chance that someone can
do damage by somehow getting in and changing the script. Of course, you then
need to worry about parts of the file being interpreted by the script when it
runs, but that's not that hard to do.

I don't know of anything out there that does this sort of stuff, but it
shouldn't be too hard to script something up.
Stuart Young - aka Cefiar - cef at optus.net
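A sketch of the reload script the message describes, added here as an example; it is not part of the original post and not something DShield or the list members ship. It follows the four points above: the chain is created once by the normal boot-time rules (init), a reload only flushes it with -F and refills it, the chain is never removed with -X, and the block list is a plain text file of addresses that is validated line by line rather than executed. The chain name BLOCKLIST, the file path /etc/firewall/blocklist.txt, the DRY_RUN switch, the pushuser account and the sudoers line are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): reload a dedicated iptables
# blocking chain from a plain text list. Chain name, paths and the DRY_RUN
# switch are assumptions made for this example.

BLOCK_CHAIN="${BLOCK_CHAIN:-BLOCKLIST}"
BLOCK_FILE="${BLOCK_FILE:-/etc/firewall/blocklist.txt}"   # assumed path
IPTABLES="${IPTABLES:-iptables}"

# Execute a command, or only print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only an IPv4 address or CIDR block. The list is data, not a script,
# so anything that is not an address (an iptables option, shell text, an
# out-of-range octet) is rejected instead of being handed to iptables.
valid_ipv4_cidr() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; plen=${entry##*/} ;;
        *)   addr=$entry; plen=32 ;;
    esac
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$plen" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Belongs in the normal boot-time rule script: create the chain once and
# reference it from INPUT. Reloads below only touch the chain's contents.
ensure_block_chain() {
    run "$IPTABLES" -N "$BLOCK_CHAIN" || true   # -N fails harmlessly if it exists
    run "$IPTABLES" -I INPUT 1 -j "$BLOCK_CHAIN"
}

# Rebuild the chain from the list file: flush its contents (-F), then append
# one DROP rule per valid entry. Never -X the chain: the INPUT rule above
# references it, and the jump would have to be recreated as well.
# Returns non-zero if any line was rejected, so the pushing side notices.
reload_block_chain() {
    file=${1:-$BLOCK_FILE}
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 2; }
    bad=0
    run "$IPTABLES" -F "$BLOCK_CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')    # and whitespace
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            run "$IPTABLES" -A "$BLOCK_CHAIN" -s "$line" -j DROP
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# The account that pushes lists needs root only for this script, e.g. an
# assumed sudoers line (account name and install path are assumptions):
#   pushuser ALL=(root) NOPASSWD: /usr/local/sbin/reload-blockchain reload
case "${1:-}" in
    init)   ensure_block_chain ;;
    reload) reload_block_chain "${2:-$BLOCK_FILE}" ;;
esac
```

Usage would be `reload-blockchain init` from the boot-time rule script and `sudo reload-blockchain reload /path/to/list` from the push account; `DRY_RUN=1 reload-blockchain reload list.txt` prints the iptables commands it would run, which is a convenient way to check a list before pushing it.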