# Any benefit to running a firewall when I'm already behind one?



## osx-addict (Feb 27, 2009)

Hi all..

I'm about to install FreeBSD 7.1 on an older Proliant server (Compaq) that sits behind a NAT'd Cisco router that only has ports 25/80/993 open (smtp,web,imaps).. Today I'm  running Fedora Core 6 and have been for the last 2-3 years w/o too much trouble.. Anyway, if all of my services in the new installation are running inside of jails (e.g. mail server, apache, courier imap,etc) and all of those are still behind a Cisco router with recent IOS software, is there really any reason to have one of the s/w firewalls installed as well?

My server was recently hacked care of a buggy PHP script I had lying around (since removed) and was able to gain access to my server.. He opened some extra ports on the s/w based firewall but nothing worked since the Cisco router was blocking things.  I suppose the s/w firewall could keep outgoing connections from occuring?  Anyway, just thought I'd ask before I march down that path w/ FreeBSD.  Thx!


----------



## osx-addict (Feb 27, 2009)

I should note that I gather you can use a s/w firewall such as pf and related tools to weed out bad SMTP traffic that is unwanted.. Perhaps that alone might be reason enough to keep one going..


----------



## honk (Feb 28, 2009)

I think there is no simple answer to that. At least it depends on you network layout. If someone can break into one of your services again, he will reside inside of that particular jail. You should answer yourself the question what else he could do starting from that point. Could the attacker access your Cisco? The Cisco should be managed out-of-band and block any telnet/ssh/http/snmp on the interface which points to the jails. Is it possible to reach other ports/services on your server (starting from one of the jails) which you did not expose to the internet by your NATing Cisco? For example trying to reach the sshd of other jails (I avoid running sshd in each of my jails where possible) or the host-system. Also what else is within this network? Are there other servers running which could be attacked or might be used as source of an attack to your FreeBSD server? Personally I would configure a restrictive PF/IPF/IPFW on that box, because also user root within the jail would not be able to alter the ruleset of the host-system. This is the way I would try to prevent any outgoing connections just to make it harder to look for other targets within the net (of course if there are other systems in the net, then they should protect itself).

cheers,
honk


----------



## osx-addict (Feb 28, 2009)

Honk.. 

Thanks for the reply.. In my case they can't access the Cisco router -- I've got ssh/telnet access disabled -- only allowed via hard-serial console use with is currently unplugged (dumb luck on my end).

I'll ensure that no sshd is running in any jails and if I read your post correctly, you're suggesting that I install PF/IPF/IPFW outside on the host system.. (not in any jail)

I've currently got no other servers running but may have one or two MAC's behind the same Cisco firewall that only get used at night for doing homework, games,etc.  For now, everything is on the one server...

I'd personally love to find a way to have my personal files on an encrypted partition that is mounted from within a special jail AND not mounted by the host system -- that way if someone breaks out of 1 jail and somehow get into the host system (hopefully not) then at least they'll have a harder time getting access to my personal files if they don't know the encryption key.


----------



## honk (Feb 28, 2009)

osx-addict said:
			
		

> In my case they can't access the Cisco router -- I've got ssh/telnet access disabled -- only allowed via hard-serial console use with is currently unplugged (dumb luck on my end).



Perfect. Snmp is disabled also?



			
				osx-addict said:
			
		

> you're suggesting that I install PF/IPF/IPFW outside on the host system.. (not in any jail)



Exactly, it only works on the host system.



			
				osx-addict said:
			
		

> I've currently got no other servers running but may have one or two MAC's behind the same Cisco firewall that only get used at night for doing homework, games,etc.  For now, everything is on the one server...



Don't know what Cisco you are using, maybe another idea is to implement different Vlans, one (or multiple) for the DMZ where the jail(s) reside and one for your internal network (where your server will get an internal interface and will be accessible with ssh, nfs, smb... from your Apple boxes. You could implement this using one trunk between your server and the Cisco and isolate the DMZ(s) with ACL's on the Cisco. 



			
				osx-addict said:
			
		

> that way if someone breaks out of 1 jail and somehow get into the host system (hopefully not) then at least they'll have a harder time getting access to my personal files if they don't know the encryption key.



Forget it, if someone can break out of one jail, your game is over (don't think about it, instead keep your webservices free from vulnerable software). From the host system you can always access the content of all jails. And if you think about using encrypted partitions with geli or something else, this would only help as long as your server is no running. Also your key will reside in RAM on the server (e.g. /dev/mem). The only way would be to store encrypted files on your server and download it to your MAC where you have to decrypt it locally. That way an intruder would only see useless bits and bytes on your server.


----------



## vivek (Mar 2, 2009)

Yes, I will configure pf firewall. PF offers other benefits like syn proxy and ftp-proxy. You can also drop traffic from Windows 9x box to port 25 and so on. It offers lots of benefits to secure server further. At my work we have Cisco pix firewall (built into switchs itself) and we still run pf or iptables for each server. 

Please note that firewall will not magically protect any server. You also need to define security policy (like deny all and open required ports), use strong password, enable password aging, file level protections / acls, proper apache config, avoid information leaks, apply all freebsd patches, upgrade all ports in timely manner, upgrade php / perl scripts, monitor log files using automated tools (or use your own scripts), IPS and so on.


----------



## osx-addict (Mar 2, 2009)

Thanks guys..  I was able to get my machine up and running (had to use a 2nd CD-rom drive -- the original one refused to work anymore).  Anyway, FreeBSD is now installed and humming along nicely.  I started working towards installing a jail for Sendmail initially and found I had to rebuild the world to make ezJail happy which took ~4+ hours on this machine (when rebuilding stuff in /usr/ports can you do stuff like 'make -j3 install' instead of 'make install'?  I've got a quad Xeon CPU's and it would have sped things up considerably to use several CPU's instead of 1).

Anyway, in the end I was not comfortable with the whole jail setup & usage thing so I bit the bullet and just setup Sendmail to use the host environment (including SpamAssassin, ClamAV, Milter,Cyrus-IMAP+SASL) for now.. Anyway, when I've got more time in the coming weeks I'll revisit the relocation of these things into the jails.. 

I will however plop Apache into a jail from the get-go.  Initially it will be serving static files and working as a reverse application proxy so PHP will initially be disabled,etc.

As for some of the questions above :

1) SNMP is disabled (if I recall)
2) My router is a Cisco 1841 ISR router with VLAN support if I recall
3) I'll ditch the idea of encrypted filesystems.. I'll just make sure everything else is locked up very tight.
4) I'll eventually try to get all services in their own jails -- Sendmail+imaps, Apache

Should helpers such as Postgres be in their own jails too?  Ultimately PSQL will be pinged by a web-application that will reside in another jail.. Not sure if there's any big security thread there or not.. Perhaps be on the safe side..


----------



## mk (Mar 2, 2009)

> (when rebuilding stuff in /usr/ports can you do stuff like 'make -j3 install' instead of 'make install'? I've got a quad Xeon CPU's and it would have sped things up considerably to use several CPU's instead of 1).


yes, but is not advisable - currently there is no mechanism to guarantee that you will not begin building of dependency currently building by another instance of the shell. 
if that happen the build fails


----------



## osx-addict (Mar 2, 2009)

mk said:
			
		

> yes, but is not advisable - currently there is no mechanism to guarantee that you will not begin building of dependency currently building by another instance of the shell.
> if that happen the build fails



That's what I was afraid of.. I figured I'd play it safe and just
be patient.. Thx!


----------



## honk (Mar 2, 2009)

Hey the jail thing is quite easy. Go on with downloading a base package, create a directory for your jail, set environment variable $DESTDIR to your new jail directory, run install.sh, create an alias ip-address and issue "jail /the/jail/directory jailhostname 1.2.3.4 /bin/sh". 

Then you get a first impression quickly, without spending hours of compilation (in short: replace the make word thing in the manpage with a standard base installation). If you want to make your life easier, have a look at ezjail later. You definitely want the read something about the devfs rules and the sysctl variables!!! E.g. you don't want to have access to /dev/bpf from a jail (prevent sniffing network traffic).

The decision if the PostgreSQL could be in the same jail as the webserver depends on the content of the database. I would separate it, if it contains data which is not intended for all of the webapp-users (means different privilege levels or one PostgreSQL for internal and external purposes).

Wherever your journey will go, I highly recommend to make some documentation on paper as soon as you start to install. Having one physical server running multiple jails with multiple applications, things get complicated soon. Keep it simple and stupid. I reinstalled my homesetup multiple times at the point where I forget most things I did weeks before, because it was to complicated for me to get all the details again (mounts from here to there; which directories where shared between which jails; the communication flow between the jails and the filters between them...). And think about the Vlan idea with your Cisco, at least I would do one external DMZ Vlan and one internal Vlan. Have fun!


----------



## osx-addict (Mar 3, 2009)

Thanks Honk!

I'll try that out.. In this case for Postgres, the data is almost exclusively for the web-app.. I may opt to put something in there that isn't, later.. I think for simplicity of separation I'll put it in its own jail -- As long as the other jails can talk to it via sockets I should be OK.

As for the jails.. I'll try your suggestion.. Sounds easy and almost painless.

I've still got to figure out the big picture in my head and whether its worthwhile to do that 'make world' thingie (e.g. does it buy me anything -- can I do without?  It took up a bit over 2G in space -- not an issue today but...).  I need to read up on the benefits of rebuilding the kernel to reduce the 'fluff' that isn't needed, the steps to follow,etc.  I used to do that for Linux so it can't be any worse than Linux is..


----------



## honk (Mar 3, 2009)

Building an own kernel for FreeBSD is pretty simple (documentation in handbook is excellent for this). You can't compare that task with Linux distros, you see it when you open the Kernel config file (much smaller). I do it on every machine, I start with GENERIC and omit all the drivers for devices I will never have, and add some things (like firewall modules...). This task takes round about an half hour on my hardware (you can comment out debug symbols). But don't expect wonders, you probably won't feel a significant advantage in performance. This why there are also a lot of users out there which don't do this if not needed. But so far I had no reason for a "make world" to use jails (if there are any, someone should tell me/us), so I propose you start without it. You will recognize it, when there are requirements for that.


----------



## osx-addict (Mar 3, 2009)

Thanks for the info Honk.. One question I've got regarding jails.. If I want to remove a jail, I can't just do an "rm -rf" on it (assuming its not running).. That removes most files but one apparently non-empty directory remains that I can't remove.. I've rebooted and it still exists.. I don't see why FreeBSD won't let me remove it (even as root).. Any ideas?  Sorry for being OT.


----------



## SirDice (Mar 3, 2009)

osx-addict said:
			
		

> Thanks for the info Honk.. One question I've got regarding jails.. If I want to remove a jail, I can't just do an "rm -rf" on it (assuming its not running).. That removes most files but one apparently non-empty directory remains that I can't remove.. I've rebooted and it still exists.. I don't see why FreeBSD won't let me remove it (even as root).. Any ideas?  Sorry for being OT.



Some files/directories have system flags set. A *chflags -R nosch <jailroot>* should take care of that. After that you should be able to remove them using rm.


----------



## vivek (Jun 4, 2009)

SirDice said:
			
		

> Some files/directories have system flags set. A *chflags -R nosch <jailroot>* should take care of that. After that you should be able to remove them using rm.



Should be

```
chflags -R noschg <jailroot>
```


----------

