Centralized database for firewall

Hi All,

Can anyone suggest an idea for a centralized database for firewalls (pf, ipf, ipfw)? My requirement is that if we add one IP to the database for blocking, that IP should be blocked on all servers. Can anyone suggest an idea for this?
 
Are you running a packet filter on a central firewall box (preferred)? Or are you running separate packet filters on each individual server?
 
Hi,

Thanks for your reply. I am running separate firewalls on individual servers. That includes pf, ipf and ipfw. Is it possible to have a centralized system for the firewalls, so that if we add one IP to block in a database (just a case) it is blocked on all servers? Manually adding each IP on all servers is quite difficult since I need to add IPs frequently. Could you please suggest an idea?

Thanks
 
If they aren't even the same firewall, each will need scripts to add IP addresses to the shared database and query the database to update the local rules. Adding a single firewall in front of all of them is easier.
 
Thanks for your valuable reply.

That's a good one. For adding a single firewall in front of all of them, a gateway is required, right? But my servers are individual servers. If I am migrating all servers to a single firewall like pf, ipf or ipfw, is there any way to fetch rules directly from a database?

Any reply is appreciated.

Thanks
 
pralive said:
If i am migrating all servers to a single firewall like pf,ipf or ipfw, is there any way to fetch rules directly from database?
No, that's not possible. You would have to script something yourself.
 
Puppet would let you distribute the same config-file to all servers.

If you require a solution which dynamically adds ips to some form of blacklist, you would then have to update this config-file from each of the hosts. It should not be impossible, but I do not believe it is the best solution.

I would go with the firewall-in-front solution.

EDIT: you might be able to create a bastard son of CARP and pfsync to achieve something like this.
 
Also have a look at PFS here, a dump/restore tool for PF. You will just have to use a simple script to automatically distribute your modifications:
  • validate new rule
  • make the rules modification you want in PF
  • test good working of new rules
  • dump rules
  • send the dump to all other firewalls
  • make other firewalls load new rules replacing old ones
But take care with this: any mistake will be immediately distributed to all firewalls!
 
This can be done with:
/sbin/pf
net/rsync
1. Create a template layout, use PF with tables loaded from files

A very short example:
/etc/pf.conf:
Code:
table <me> { self }
# the files on /etc/pf/global table will be synchronized by rsync
table <system_admins> file "/etc/pf/global/system_admins" persist
table <squid_clients> file "/etc/pf/local/squid_clients" persist
table <blacklist> file "/etc/pf/global/blacklist" persist

...
block in log all
block in quick inet from <blacklist> to any
block out quick inet from any to <blacklist>
pass in inet proto tcp from <system_admins> to <me>
pass in on $int_if inet proto tcp from <squid_clients> to <me> port = 3128 keep state

2. Create a repository containing the 'master copy' of the files used for pf's tables.
Sample filesystem hierarchy:
/pf_master/global/
./system_admins
Code:
10.0.0.1
10.0.0.2
./blacklist
Code:
192.0.2.1
192.0.2.2

3. Configure an rsync server on each machine which requires replication and enable a post-xfer exec command:
Code:
post-xfer exec = /path/to/some/script/which/reloads/firewall
Sample rsync config, /usr/local/etc/rsyncd.conf
Code:
.... some lines trimmed
[firewall_cfg]
    path = /etc/pf
    comment = PF Configuration
    auth users = pfsync
    secrets file = /usr/local/etc/etc/rsyncd.secrets
    read only = false
    write only = false
    list = false
    transfer logging = true
    uid = 0
    gid = 0
    post-xfer exec = /etc/rc.d/pf reload

4. The script which is executed on the management station after changes to the master repository.
The complete file list is stored on /pf_master/file_list.txt:
Code:
global/system_admins
global/blacklist
global/some_other_file

The script
Code:
#!/bin/sh
TARGET_IP="10.x.x.1"
TARGET_NAME="target_name"
export RSYNC_PASSWORD=some_rsync_password

LOG_FILE="/var/log/pf/sync_${TARGET_NAME}_${TARGET_IP}.log"
SRC_DIR="/pf_master"

#set -x

# Replica ACL out
/usr/local/bin/rsync -rtz --no-owner --chmod=Fug+rw,Fo-rx,Dug+rwx,Do-rx \
    --files-from=${SRC_DIR}/file_list.txt \
    --log-file ${LOG_FILE} --log-file-format="%o %f %l" \
    -4 ${SRC_DIR} rsync://pfsync@${TARGET_IP}/firewall_cfg

Of course, this can be improved.
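As an added example (not code from this thread or from PFS), the script below ties the validate / change / test / distribute checklist from the PFS post to the rsync layout of this post: it adds one IP to the master <blacklist> file, rejects anything that is not an IPv4 address or CIDR, parse-checks the table file with pfctl -n before pushing, and then runs the same rsync call against every firewall. It assumes a targets.txt file with one "name ip" line per firewall and that RSYNC_PASSWORD is exported in the environment instead of being written into the script.

```shell
#!/bin/sh
# Added example (not the thread's code): add one IP to the shared pf <blacklist>
# file, parse-check it, then push /pf_master to every firewall with the post's
# rsync call. Assumed: targets.txt holds "name ip" lines; RSYNC_PASSWORD is
# exported in the environment, not written into the script.
SRC_DIR="${SRC_DIR:-/pf_master}"
BLACKLIST="${BLACKLIST:-$SRC_DIR/global/blacklist}"
TARGETS_FILE="${TARGETS_FILE:-$SRC_DIR/targets.txt}"
# Accept only a dotted-quad IPv4, optionally with a /0-/32 prefix: whatever
# enters this file is loaded by every firewall on the next sync.
validate_ip() {
    ip="${1%/*}"
    case "$1" in */*) pfx="${1#*/}"
        [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1 ;; esac
    oldIFS=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}
# Append the entry once; a duplicate is not an error.
add_to_blacklist() {
    validate_ip "$1" || { echo "rejected: $1" >&2; return 1; }
    touch "$BLACKLIST"
    grep -qxF "$1" "$BLACKLIST" || printf '%s\n' "$1" >> "$BLACKLIST"
}
# Parse the table file with pfctl -n (no load) before distributing it;
# a bad file would otherwise reach every firewall at once.
check_table_file() {
    command -v pfctl >/dev/null 2>&1 || return 0   # no pf here: skip the check
    tmp=$(mktemp) || return 1
    printf 'table <blacklist> persist file "%s"\n' "$BLACKLIST" > "$tmp"
    pfctl -nf "$tmp"; rc=$?; rm -f "$tmp"; return "$rc"
}
# Push to each target with the post's rsync options; rsyncd's post-xfer
# exec reloads pf on the receiving side.
distribute() {
    while read -r name ip; do
        [ -n "$ip" ] || continue
        /usr/local/bin/rsync -rtz --no-owner --chmod=Fug+rw,Fo-rx,Dug+rwx,Do-rx \
            --files-from="$SRC_DIR/file_list.txt" --log-file-format="%o %f %l" \
            --log-file "/var/log/pf/sync_${name}_${ip}.log" -4 "$SRC_DIR" \
            "rsync://pfsync@${ip}/firewall_cfg" || echo "push to $name failed" >&2
    done < "$TARGETS_FILE"
}
if [ $# -eq 1 ]; then add_to_blacklist "$1" && check_table_file && distribute; fi
```

Run it as `sh add_block.sh 192.0.2.3` on the management station; the push stops at the first failed step, so a rejected or unparsable entry never leaves the master repository.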
 
I dunno why not. Shouldn't be too terribly difficult to roll your own if need be. I imagine level of difficulty differs with the firewall chosen. IPFW appears to be shell script commands. I use a simple text file for something similar.
Code:
...
# IPs i want to block
exec < /path/rc.ipfw_blocked_ip.txt
while read ip
do
        $ipfw -q table 2 add $ip
done
...

Being shell, I don't see why you couldn't use perl to fetch from a RDBM if that level of complexity were needed.
 