BCP38 and Red Hat

Christopher Morrow morrowc.lists at gmail.com
Thu Dec 15 15:54:44 UTC 2016


On Thu, Dec 15, 2016 at 9:48 AM, Stephen Satchell <list at satchell.net> wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=1370963
>
> Just a reminder that I have a feature request outstanding with Red Hat
> to add support for BCP38, as well as measures for certain protocol-based
> amplification reflection attacks.  My intent for making the suggestion
> is to stiffen firewalld(8) in Red Hat Enterprise and clones,
> particularly when an RHEL-based box is used as an edge router or
> firewall box.
>
> I've looked at firewalld, and it would be easy to add *some* of BCP38
> into it rather quickly...assuming that the developers step up to the
> plate.  There are parts of BCP38 that won't be so easy to do, given the
> architecture of the package.
>
> In my spare time, by the way, I'm working on a BCP-compliant firewall
> generator for IPTABLES.  Spare time?  Well, that *is* a bit of a laugh...
>

Given some quick time with definition making:
  https://github.com/google/capirca

does this pretty easily, for example:
def/NETWORK.net - content:
  MYNETS = 192.0.24.0/24
  MYWEB = 192.0.24.2/32
  STEPHEN_HOME = 198.16.0.23/32

def/SERVICES.svc - content:
  HTTP = tcp/80
  HTTPS = tcp/443
  SQUID = tcp/3128
  APACHE_PROXY = tcp/8080
  PROXY = SQUID APACHE_PROXY

office/pol/fw.pol - content:
  header {
    comment:: "My firewall policy"
    target:: iptables OUTPUT DROP nostate
  }
  term permit-web-stephen {
    comment:: "Permit stephen to my web, really FROM my web to stephen"
    destination-address:: STEPHEN_HOME
    source-address:: MYWEB
    protocol:: tcp
    destination-port:: HTTP HTTPS PROXY
    action:: accept
  }
  term bcp-38-only {
    comment:: "Permit only mynets outbound"
    source-address:: MYNETS
    action:: accept
  }
  term default-deny {
    comment:: "All other traffic dies"
    action:: deny
  }


Run the ACL generation (aclgen.py) and ... out pops iptables to do what you
want.
A simple matter of script/software makes this even simpler for iptables
operators across many flavors of topology.

-chris
(note: I am not just a user of this solution I'm also a contributor)
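The following is an added example, not part of Chris's message and not capirca's output: a small POSIX shell generator that emits, in iptables-restore format, the egress half of BCP38 that the `bcp-38-only` term above expresses (only packets whose source address lies inside our own prefixes may leave towards the upstream). It reuses the MYNETS prefix from the post; the interface name `eth1`, the chain name `BCP38_EGRESS` and the log prefix are assumptions. It goes slightly beyond the posted policy in two ways a practitioner would want: it hooks the check into FORWARD as well as OUTPUT, since a router's OUTPUT chain only sees locally generated packets, and it logs a rate-limited sample of dropped spoofed packets so an infected host inside the prefix can be found.

```shell
#!/bin/sh
# Added example (not from the original post, not capirca output): emit an
# iptables-restore fragment implementing BCP38 egress filtering.
# Assumptions: the upstream-facing interface is passed as the first argument
# (eth1 in the demo below is made up); prefixes come from MYNETS in the post.

emit() { printf '%s\n' "$*"; }

# Syntax check for dotted-quad/prefix-length arguments.  A typo must fail loudly
# rather than silently produce a rule that matches nothing (or everything).
valid_cidr() {
  case $1 in
    *[!0-9./]*|*/|/*|*/*/*) return 1 ;;
    */[0-9]|*/[12][0-9]|*/3[0-2]) return 0 ;;
    *) return 1 ;;
  esac
}

# gen_bcp38_egress UPSTREAM_IF PREFIX [PREFIX ...]
# Prints a *filter table fragment for iptables-restore; returns 1 on bad input.
gen_bcp38_egress() {
  upif=$1; shift
  [ -n "$upif" ] && [ $# -gt 0 ] || return 1
  for net in "$@"; do
    valid_cidr "$net" || { echo "bad prefix: $net" >&2; return 1; }
  done
  emit '*filter'
  emit ':BCP38_EGRESS - [0:0]'
  # Packets sourced from our own prefixes are legitimate: hand them back to
  # the calling chain, where the normal policy applies.
  for net in "$@"; do
    emit "-A BCP38_EGRESS -s $net -j RETURN"
  done
  # Anything else carries a source address we are not authorised to originate:
  # log a rate-limited sample (so a flood cannot fill the disk) and drop it.
  emit '-A BCP38_EGRESS -m limit --limit 5/min -j LOG --log-prefix "BCP38 spoof: "'
  emit '-A BCP38_EGRESS -j DROP'
  # A router mostly forwards traffic; OUTPUT only sees locally generated
  # packets, so the check is attached to both chains on the upstream interface.
  emit "-A FORWARD -o $upif -j BCP38_EGRESS"
  emit "-A OUTPUT -o $upif -j BCP38_EGRESS"
  emit 'COMMIT'
}

# Demo with the prefix from the post; pipe into "iptables-restore --noflush"
# to load it without discarding the rules already present.
gen_bcp38_egress eth1 192.0.24.0/24
```

Because the function only prints rules, it can be run and inspected on any machine; loading them requires root and `iptables-restore` on the router itself. The `--noflush` option adds the fragment to the existing ruleset instead of replacing it, which matters when the rest of the policy (the capirca-generated part, say) is already installed.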



More information about the NANOG mailing list