NICE: Foolish Firewall Configurations


Setting Rules on Network Firewall

Goal: Network firewall only allows external HTTP and HTTPS traffic to Prod-Joomla

Connecting to the network firewall, we can see it is running pfSense, which is typically configured through its web interface.

To access this, we will remote into the Security-Desk and navigate to the firewall's IP address in the browser.

Navigating to the Firewall | NAT section of pfSense, we can begin creating the rules.

To create a rule to direct HTTP traffic

  • In the rule configuration screen
    • Set the source port range.
    • Set the destination port range to HTTP.
    • Set the destination IP to the firewall’s IP.

Repeat these steps for the HTTPS rule. Apply the configuration changes.


Setting Prod-Joomla firewall rules

Goal: Prod-Joomla only has HTTP, HTTPS, and SSH available via host firewall

Running iptables -L to list the existing rules returns an error message stating command not found.

iptables can be installed using apt with the command

  • sudo apt update && sudo apt install iptables

Once installed, we’ll add two rules to allow the desired traffic, and one rule to deny nonmatching traffic.

  • The following command creates an allow rule for traffic destined to port 22 (SSH)
    • sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  • To open the HTTP and HTTPS ports, we can use an additional modifier to list multiple ports in a single command.
    • sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  • Lastly, to deny all other traffic, enter the following command:
    • sudo iptables -A INPUT -j DROP

Setting Database firewall rules

Goal: Database only has MySQL available via host firewall

In the Windows Server Manager screen, open the Windows Firewall with Advanced Security tool from the Tools dropdown menu.

Enable each of the firewall domains on the main screen.

  • Click the Windows Firewall Properties button
    • Enable the firewall within each domain’s tab.

The default settings will block any non-matching connections.

To create a new firewall rule

  • Right-click Inbound Rules and select New Rule.
  • Click through the wizard, setting the rule to apply to port 3306 and to allow the connection.

Setting FileShare firewall rules

Goal: Fileshare only has SFTP and Samba available via host firewall

Running iptables -L to list the existing rules returns an error message stating command not found.

iptables can be installed using apt with the command

  • sudo apt update && sudo apt install iptables

Once installed, we’ll add two rules to allow the desired traffic, and one rule to deny nonmatching traffic.

  • The following command creates an allow rule for traffic destined to port 22 (SSH/SFTP)
    • sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  • To open the Samba ports, we can use an additional modifier to list multiple ports in a single command.
    • sudo iptables -A INPUT -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
  • Lastly, to deny all other traffic, enter the following command:
    • sudo iptables -A INPUT -j DROP

Note: It may be worth double-checking the SSH config file to ensure it contains the line required to enable SFTP.

  • Check the contents of /etc/ssh/sshd_config for the following line:
    • Subsystem sftp /usr/lib/openssh/sftp-server
  • Uncomment or append the line to the file if needed.
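The script below is an added example, not part of the original walkthrough or the NICE challenge materials. It covers the iptables steps for both Prod-Joomla and FileShare and the SFTP subsystem check from the note: it prints the iptables commands for a host role as a dry run so they can be reviewed before being applied, and it tests whether sshd_config has an active Subsystem sftp line. The role names ("joomla", "fileshare") and the script filename are assumptions of this example; the port lists come from the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough. It turns the two
# iptables procedures above into a reviewable dry run: gen_iptables_rules
# prints the commands for a host role instead of running them, and
# check_sftp_subsystem performs the sshd_config check from the note.
# The role names ("joomla", "fileshare") are this script's own invention.

# Port list per role, taken from the walkthrough: SSH first, then the
# service ports. The fileshare list keeps the page's TCP-only Samba ports.
ports_for_role() {
    case "$1" in
        joomla)    echo "22 80,443" ;;
        fileshare) echo "22 137,138,139,445" ;;
        *)         echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print the iptables commands for a role. Two rules not on the original page
# are emitted before the page's rules: accept loopback traffic and accept
# replies to connections the host itself opened (ESTABLISHED,RELATED).
# Without them the final "-j DROP" also discards DNS answers and apt
# downloads, which is the most common way this ruleset breaks a host.
gen_iptables_rules() {
    spec=$(ports_for_role "$1") || return 1
    ssh_port=${spec%% *}      # text before the first space
    svc_ports=${spec#* }      # text after the first space
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $svc_ports -j ACCEPT"
    echo "iptables -A INPUT -j DROP"
}

# Return 0 when sshd_config (default path from the page) has an active,
# uncommented "Subsystem sftp ..." line, non-zero otherwise. A "#Subsystem"
# line does not count, which is exactly the case the note warns about.
check_sftp_subsystem() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+[^[:space:]]' "$cfg"
}

# Usage: sh firewall-rules.sh fileshare              (review the output)
#        sh firewall-rules.sh fileshare | sudo sh    (apply it)
if [ "$#" -gt 0 ]; then
    gen_iptables_rules "$1"
fi
```

Two points worth keeping in mind when applying the output: rules added with iptables -A live only in the running kernel and are lost at reboot unless saved (on Debian and Ubuntu the iptables-persistent package does this), and an edit to sshd_config only takes effect after the SSH service is restarted.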