Firewall Configuration Reference
Sympl contains an easy to use firewall system based on iptables, which protects the server by controlling inbound and outbound connections. It is built from a set of rule files together with automatically maintained whitelist and blacklist entries.
Configuration changes can be made via SSH or the serial/VNC console as the sympl user, and take effect immediately.
Basic Firewall Configuration
The default configuration for Sympl should cover the majority of use cases, and caution should be taken when making any changes in case you lock yourself out. If this happens, you can still access the server via the serial or VNC console.
The configuration of the sympl-firewall package is built from a series of files and directories in `/etc/sympl/firewall/`. Incoming connections are controlled by the files in `/etc/sympl/firewall/incoming.d/`, and outgoing connections by the files in `/etc/sympl/firewall/outgoing.d/` (outgoing traffic is not filtered by default).
These files are named in the format `index_number-service_name_or_number`, with the `index_number` controlling the order of the rules and the `service_name_or_number` being either a service name taken from `/etc/services`, a TCP/UDP port number, or one of a few special keywords.
Each of these files can either be empty, or contain a list of hostnames or IP addresses which the rule applies to, one per line.
If hostnames are used in the configuration files rather than IP addresses, they are resolved when the firewall is updated and the result is cached for up to 15 minutes. If the DNS answer changes within that period the firewall will not pick up the change, and a rule keyed on a hostname is only ever as trustworthy as the DNS answer behind it, so IP addresses should be used wherever possible.
Firewall Keywords
Sympl uses a number of keywords for non port-related rules in the `incoming.d/` and `outgoing.d/` directories.
As with normal service name rules, these files can contain target IP addresses or hostnames, one per line, to which the rule will apply; an empty file applies the rule to all sources.
| Keyword | Action |
|---|---|
| `accept` | Accepts all connections. Uses the iptables `ACCEPT` target. |
| `allow` | Alias of `accept`. |
| `whitelist` | Alias of `accept`. |
| `new` | Permits new connections. Matches the connection-tracking state `NEW` (`--state NEW`; a state match rather than a target). |
| `established` | Permits traffic belonging to connections which are already established. Matches the connection-tracking state `ESTABLISHED`. |
| `related` | Accepts new connections associated with existing connections, such as ICMP error replies and FTP data transfers. Matches the connection-tracking state `RELATED`. |
| `reject` | Rejects all connections. Uses the iptables `REJECT` target, which answers with an ICMP 'port unreachable' message (the generated rule's default) or a TCP reset rather than dropping silently. |
| `blacklist` | Alias of `reject`. |
| `drop` | Drops all traffic without any reply. Uses the iptables `DROP` target. |
| `ping` | Permits ICMP echo-request, echo-reply and time-exceeded (ttl-exceeded) traffic, ICMP types 8, 0 and 11, which allows the server to respond to pings and show up in traceroutes. |
| `icmp` | Permits all ICMP traffic. Applies to IPv4 only. |
| `icmpv6` | Permits all ICMPv6 traffic. Applies to IPv6 only. |
| `essential-icmpv6` | Accepts the ICMPv6 traffic required for IPv6 to operate: destination-unreachable, packet-too-big, parameter-problem, router-solicitation, router-advertisement, neighbour-solicitation and neighbour-advertisement. If this rule is removed IPv6 will very likely cease working properly. Applies to IPv6 only. |
| `dns` | Accepts TCP and UDP packets from source port 53 to high-numbered unprivileged ports. Designed to allow replies to DNS queries, but may be removed in favour of the connection-tracking rules (`established` and `related`), which are the safer choice since a source port of 53 can be set by any sender. Applies to incoming connections only. |
| `ftp` | Permits connections on both port 20 (ftp-data) and port 21 (ftp-control). |
| `collector` | Permits TCP connections on port 1919. |
| `imager` | Permits TCP connections on port 5000. |
Detailed definitions for these rules are contained in `/usr/share/sympl/firewall/rule.d/`, and new rules can be created in `/usr/share/sympl/firewall/rule.d/` if desired.
Firewall Example
Here is an example of a basic firewall configuration for incoming traffic in Sympl. The files below all reside in `/etc/sympl/firewall/incoming.d/`.

| File | Contents | Result |
|---|---|---|
| `00-established` | empty | Accepts packets from any already established connection. |
| `00-related` | empty | Accepts packets related to any already established traffic. |
| `05-essential-icmpv6` | empty | Allows the ICMPv6 traffic required for IPv6 to function. |
| `05-ping` | `10.11.12.13` | Allows ICMP ping traffic, but only from the IPv4 address 10.11.12.13. IPv6 traffic is not allowed by this rule. |
| `07-ssh` | `10.11.12.13` and `2001:0db8:85a3::/64`, one per line | Allows connections to port 22 (SSH) from the IPv4 address 10.11.12.13 and from the IPv6 range 2001:0db8:85a3::/64. |
| `10-http` | empty | Allows traffic to port 80 (HTTP) from anywhere. |
| `10-https` | empty | Allows traffic to port 443 (HTTPS) from anywhere. |
| `100-pop3` | empty | Allows traffic to port 110 (POP3) from anywhere. Note that this file is processed at this point, before `20-25`, because filenames are sorted as text rather than numerically. |
| `20-25` | `172.16.17.0/24` | Allows connections to port 25 (SMTP) from the 172.16.17.0/24 range only. |
| `99-reject` | empty | Rejects any other traffic. |
You can view the generated incoming firewall rules in use by iptables with `sudo iptables -L INPUT -vn`, which for the above looks like this:

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   16  1024 whitelist  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 blacklist  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
    0     0 ACCEPT     icmp --  *      *       10.11.12.13          0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       10.11.12.13          0.0.0.0/0            icmp type 0
    0     0 ACCEPT     icmp --  *      *       10.11.12.13          0.0.0.0/0            icmp type 11
    0     0 ACCEPT     tcp  --  *      *       10.11.12.13          0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       10.11.12.13          0.0.0.0/0            udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:110
    0     0 ACCEPT     tcp  --  *      *       172.16.17.0/24       0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       172.16.17.0/24       0.0.0.0/0            udp dpt:25
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
```

Two things in this listing are worth noting. The chain policy is `ACCEPT`, so the default-deny comes entirely from the final `REJECT` rule generated by `99-reject`; without that file, anything not matched by an earlier rule is allowed. Each service or port rule also opens both TCP and UDP (`tcp dpt:22` and `udp dpt:22`), not only the protocol the service actually uses.

The IPv6 address from `07-ssh` does not appear here because IPv6 rules are held by the separate `ip6tables` tool; view them with `sudo ip6tables -L INPUT -vn`.
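A pre-flight check for an `incoming.d/` directory, as an added example that is not part of sympl-firewall: it applies the rules described above (text-sorted filenames, `index_number-service` names, one source per line) to a mapping of filenames to contents and reports the things that bite in practice: a numeric prefix that sorts somewhere other than where you expect, a missing terminal reject on a chain whose policy is `ACCEPT`, hostnames that depend on cached DNS answers, and rules that list only IPv4 sources. The keyword list comes from the table above, the small `SERVICES` table stands in for `/etc/services` so the check runs offline, `EXAMPLE` reproduces the example table, and all function names are this example's own.

```python
# Added example, not part of sympl-firewall: lint an incoming.d/ directory
# before reloading the firewall (and before you risk locking yourself out).
import ipaddress
import re

# Keywords from the table above; SERVICES stands in for /etc/services offline.
KEYWORDS = {"accept", "allow", "whitelist", "new", "established", "related",
            "reject", "blacklist", "drop", "ping", "icmp", "icmpv6",
            "essential-icmpv6", "dns", "ftp", "collector", "imager",
            "syn-ack-flood-protection"}
SERVICES = {"ssh": 22, "http": 80, "https": 443, "pop3": 110, "smtp": 25}
NAME_RE = re.compile(r"^(\d+)-([A-Za-z0-9.-]+)$")

# The example configuration from the table above, as {filename: contents}.
EXAMPLE = {
    "00-established": "", "00-related": "", "05-essential-icmpv6": "",
    "05-ping": "10.11.12.13\n", "07-ssh": "10.11.12.13\n2001:0db8:85a3::/64\n",
    "10-http": "", "10-https": "", "100-pop3": "", "20-25": "172.16.17.0/24\n",
    "99-reject": "",
}


def parse_rule(name, contents):
    """One incoming.d file -> (index, target, v4 sources, v6 sources, hostnames)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name}: not in index_number-service form")
    index, target = int(m.group(1)), m.group(2)
    if not (target in KEYWORDS or target in SERVICES or target.isdigit()):
        raise ValueError(f"{name}: unknown service or keyword {target!r}")
    v4, v6, hosts = [], [], []
    for line in contents.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = (ipaddress.ip_network(line, strict=False) if "/" in line
                   else ipaddress.ip_address(line))
        except ValueError:
            hosts.append(line)          # a hostname: resolved at reload, cached 15 min
            continue
        (v4 if obj.version == 4 else v6).append(str(obj))
    return index, target, v4, v6, hosts


def applied_order(files):
    """Filenames in the order the rules are generated: sorted as text, not numbers."""
    return sorted(files)


def lint_incoming(files):
    """Warnings for a {filename: contents} mapping of an incoming.d/ directory."""
    rules = {name: parse_rule(name, files[name]) for name in files}   # raises on bad names
    order = applied_order(files)
    numeric = sorted(files, key=lambda n: (rules[n][0], n))
    warnings = []
    if order != numeric:
        warnings.append("text sort order differs from numeric order: " + " ".join(order))
    terminal = [n for n in order if rules[n][1] in ("reject", "drop")]
    if not terminal:
        warnings.append("no reject/drop file: the INPUT chain policy is ACCEPT, so "
                        "anything not matched by a rule is allowed")
    elif terminal[-1] != order[-1]:
        warnings.append(f"{terminal[-1]} is not the last file; rules after it never match")
    for name in order:
        _, target, v4, v6, hosts = rules[name]
        for host in hosts:
            warnings.append(f"{name}: {host!r} is a hostname; the DNS answer is cached "
                            "for up to 15 minutes, prefer an IP address")
        if v4 and not v6:
            warnings.append(f"{name}: only IPv4 sources listed, so this rule "
                            "applies to IPv4 clients only")
    return warnings


if __name__ == "__main__":
    for line in lint_incoming(EXAMPLE):
        print("warning:", line)
```

Run against the example table it reports the `100-pop3` ordering surprise and the IPv4-only `05-ping` and `20-25` rules; drop `99-reject` from the mapping and it reports that the chain is wide open.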
Custom Firewall Additions
While the Sympl firewall configuration should cover most day-to-day firewall administration, sometimes more complex custom changes are needed, such as when the server is running something like Docker which configures the firewall itself.
In these instances, scripts can be placed in `/etc/sympl/firewall/local.d/`. They are run once the generated firewall rules have been loaded, and can adjust the rules using `iptables` and/or `ip6tables`.
These scripts must be named in run-parts format (run-parts accepts only ASCII letters, digits, underscores and hyphens in the name, so a script with a `.sh` suffix is ignored) and be marked executable. All scripts in `local.d/` must exit with a zero status on success; any other exit status is treated as a failure and reverts the changes.
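A `local.d/` script as an added example, not one shipped with Sympl: it adds something the address-based `incoming.d/` files cannot express, an interface match accepting traffic arriving on a container bridge, and does so idempotently by probing with `iptables -C` before inserting. It is written in Python, though any run-parts executable will do and a shell script works equally; the filename `10-container-bridge`, the bridge name `docker0` and the decision to accept everything from that bridge are this example's assumptions. The rule is inserted at position 1 of `INPUT` because the generated chain ends in `REJECT`, so an appended rule would never be reached. Run it with `--dry-run` to see the commands without touching the firewall.

```python
#!/usr/bin/env python3
# Added example, not part of sympl-firewall. Assumed location:
#   /etc/sympl/firewall/local.d/10-container-bridge
# run-parts accepts only letters, digits, '-' and '_' in the name, so no '.py'.
import subprocess
import sys

BRIDGE = "docker0"   # assumption: the default Docker bridge interface name

# (tool, chain + rule spec). Interface matches cannot be expressed with the
# address-based incoming.d/ files, which is why this lives in local.d/.
RULES = [
    ("iptables",  ["INPUT", "-i", BRIDGE, "-j", "ACCEPT"]),
    ("ip6tables", ["INPUT", "-i", BRIDGE, "-j", "ACCEPT"]),
]


class DryRun:
    """Stand-in for subprocess.run: records every command and answers each
    `-C` probe as 'rule absent' (or 'present'), so the plan is visible without root."""

    def __init__(self, present=False):
        self.present = present
        self.commands = []

    def __call__(self, cmd, **kwargs):
        self.commands.append(cmd)
        absent_probe = cmd[1] == "-C" and not self.present
        return subprocess.CompletedProcess(cmd, 1 if absent_probe else 0)


def plan(tool, rule, run=subprocess.run):
    """Commands needed so that `rule` exists exactly once in its chain."""
    probe = run([tool, "-C", *rule], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if probe.returncode == 0:
        return []                       # already present; reruns stay idempotent
    chain, spec = rule[0], rule[1:]
    # Insert at position 1: the generated INPUT chain ends in REJECT, so a rule
    # appended with -A would sit after it and never match.
    return [[tool, "-I", chain, "1", *spec]]


def apply_rules(rules=RULES, run=subprocess.run):
    """Apply every rule and return the commands executed; any failure raises."""
    executed = []
    for tool, rule in rules:
        for cmd in plan(tool, rule, run=run):
            run(cmd, check=True)        # non-zero exit raises CalledProcessError
            executed.append(cmd)
    return executed


if __name__ == "__main__":
    runner = DryRun() if "--dry-run" in sys.argv else subprocess.run
    try:
        for cmd in apply_rules(run=runner):
            print("applied:", " ".join(cmd))
    except (subprocess.CalledProcessError, OSError) as exc:
        # A non-zero exit is what tells sympl-firewall to treat this reload as
        # failed and revert its changes, so report the error and exit 1.
        print(f"local firewall rule failed: {exc}", file=sys.stderr)
        sys.exit(1)
```

Because `set -e` style behaviour is what sympl-firewall relies on to detect a failed script, the error path deliberately exits non-zero instead of continuing with the remaining rules.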
Blocking and Allowing Hosts and Networks
Sympl supports both automatically blacklisting abusive hosts and allowing known-good hosts through a whitelist.
Blacklisting
The `sympl-firewall-blacklist` task runs every 15 minutes and scans the server's log files for abusive behaviour from hosts on the internet; hosts found abusing the server are blocked for 2 days.
Malicious activity is defined as 25 failed logins to:
- SSH
- FTP
- SMTP
- POP3/IMAP/Sieve
The definitions of abusive behaviour are stored in `/etc/sympl/firewall/patterns.d/`; each definition names the log file to scan, the ports to block, and the patterns to match against, with the tag `__IP__` marking the source of the abuse.
Any IPv6 address automatically matched results in the enclosing /112 network being blocked, as this is the smallest recommended assignment of addresses.
Automatically blocked IP addresses have names ending in `.auto` and are blocked for 2 days. Manual block rules can be added to the blacklist by creating a file in `/etc/sympl/firewall/blacklist.d/` named after the IP address, for example `/etc/sympl/firewall/blacklist.d/10.11.12.13`.
To block an IP range, create a file named with the range in CIDR notation, with the slash (`/`) character replaced by a pipe character (`|`), since a slash cannot appear in a filename.
For example, to block the IP range 172.31.65.0/24, you would run `touch '/etc/sympl/firewall/blacklist.d/172.31.65.0|24'`, using the quotes to stop the shell from treating the pipe character as a command separator.
Files can be empty or contain the text `all`, either of which blocks all traffic from that source, or contain a list of ports to block, one per line.
To fully disable the blacklist, both automatic and manual entries, create the file `/etc/sympl/firewall/blacklist.d/disabled`.
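The detection and naming steps described above, as an added example that is not part of sympl-firewall: a pattern in the page's style (a regular expression with `__IP__` marking the source) is run over constructed sshd log lines, sources reaching the 25-failure threshold are named the way `blacklist.d/` entries are named (the address for IPv4, the enclosing `/112` with `/` written as `|` for IPv6), and empty `.auto` files are created unless the `disabled` marker exists. The log lines, `SSH_PATTERN` and the function names are this example's own, and the real `patterns.d/` file syntax is not reproduced.

```python
# Added example, not part of sympl-firewall: the blacklist detection step run
# over constructed log lines, producing blacklist.d/ entry names.
import ipaddress
import pathlib
import re
from collections import Counter

# Constructed sshd auth log lines (OpenSSH's "Failed password ... ssh2" wording):
# 203.0.113.7 fails 30 times, 198.51.100.9 three times, an IPv6 host exactly
# 25 times, and one successful login is included to show that it is ignored.
SAMPLE_LOG = (
    [f"Mar  1 10:00:{i:02d} host sshd[1234]: Failed password for root from 203.0.113.7 port 5{i:03d} ssh2" for i in range(30)]
    + [f"Mar  1 10:01:{i:02d} host sshd[1235]: Failed password for invalid user admin from 198.51.100.9 port 4{i:03d} ssh2" for i in range(3)]
    + [f"Mar  1 10:02:{i:02d} host sshd[1236]: Failed password for root from 2001:db8::1:abcd port 6{i:03d} ssh2" for i in range(25)]
    + ["Mar  1 10:03:00 host sshd[1237]: Accepted publickey for sympl from 203.0.113.7 port 50000 ssh2"]
)

# A pattern in the style the page describes: a regular expression in which
# __IP__ marks the abusing source (this example's own pattern).
SSH_PATTERN = r"sshd\[\d+\]: Failed password for .* from __IP__ port \d+ ssh2"
IP_GROUP = r"(?P<ip>[0-9A-Fa-f:.]+)"


def compile_pattern(pattern):
    """Swap the __IP__ placeholder for a group capturing an IPv4 or IPv6 address."""
    return re.compile(pattern.replace("__IP__", IP_GROUP))


def count_failures(lines, pattern):
    """Number of matching log lines per source address."""
    regex = compile_pattern(pattern)
    hits = Counter()
    for line in lines:
        m = regex.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def block_entry(ip):
    """blacklist.d/ name for a source: the address itself for IPv4, the enclosing
    /112 for IPv6, with '/' written as '|' because '/' cannot appear in a filename."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    net = ipaddress.ip_network(f"{addr}/112", strict=False)
    return str(net).replace("/", "|")


def offenders(lines, pattern, threshold=25):
    """{blacklist entry: failures} for every source reaching the threshold."""
    result = Counter()
    for ip, n in count_failures(lines, pattern).items():
        if n >= threshold:
            result[block_entry(ip)] += n    # IPv6 hosts in one /112 share an entry
    return dict(result)


def write_entries(directory, entries):
    """Create empty '<entry>.auto' files (an empty file blocks all ports). A
    'disabled' marker in the directory switches the whole blacklist off."""
    d = pathlib.Path(directory)
    if (d / "disabled").exists():
        return []
    created = []
    for name in entries:
        path = d / f"{name}.auto"
        path.touch()
        created.append(path)
    return created


if __name__ == "__main__":
    for entry, n in offenders(SAMPLE_LOG, SSH_PATTERN).items():
        print(f"{entry}.auto  ({n} failed logins)")
```

Note that the IPv6 offender produces `2001:db8::1:0|112.auto`, not a per-host entry, matching the /112 rule above; the threshold is applied per source before addresses are collapsed into their /112.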
Whitelisting
Similar to the blacklist, the `sympl-firewall-whitelist` task runs once per hour and checks for IPs which successfully connected via SSH or SFTP; these are automatically allowed access to SSH for 7 days, even if the IP address is blacklisted for other reasons. Note that this also means a successful login from a compromised account exempts that address from the blacklist for the following week.
The whitelist has only one source to match: the IP addresses of successful logins recorded in `/var/log/wtmp`. Both IPv4 and IPv6 addresses are whitelisted, with the files named after the IP address.
To add manual rules, add them in the same format as the blacklist, in `/etc/sympl/firewall/whitelist.d/`.
To fully disable the whitelist, both automatic and manual entries, create the file `/etc/sympl/firewall/whitelist.d/disabled`.
SYN Flood Protection
Sympl includes some basic protection against SYN floods, an attack which attempts to open large numbers of half-open connections on the server's ports, consuming resources until the server is unable to serve any content.
This can be enabled by creating the file `/etc/sympl/firewall/incoming.d/00-syn-ack-flood-protection`.
Disabling the Firewall
To prevent firewall updates, create the file `/etc/sympl/firewall/disabled` (not to be confused with `blacklist.d/disabled`, which only stops the blacklist). This disables updates but does not clear the firewall rules currently loaded.
To clear all firewall rules, and allow all hosts to access all publicly visible services (not recommended!), run `sudo sympl-firewall flush`.
Configuration Reference
| File or Directory | Used For |
|---|---|
| `/etc/sympl/firewall/` | Contains the firewall configuration. |
| `/etc/sympl/firewall/incoming.d/` | Contains rules for incoming traffic. |
| `/etc/sympl/firewall/outgoing.d/` | Contains rules for outgoing traffic. |
| `/etc/sympl/firewall/disabled` | Disables all updates for sympl-firewall. |
| `/etc/sympl/firewall/blacklist.d/` | Contains automatic and manual blacklist rules. |
| `/etc/sympl/firewall/blacklist.d/disabled` | Fully disables the blacklist, both automatic and manual entries. |
| `/etc/sympl/firewall/patterns.d/` | Contains patterns matched to detect abusive hosts. |
| `/etc/sympl/firewall/whitelist.d/` | Contains automatic and manual whitelist rules. |
| `/etc/sympl/firewall/whitelist.d/disabled` | Fully disables the whitelist, both automatic and manual entries. |
| `/etc/sympl/firewall/local.d/` | Contains scripts run after the firewall is updated. |
See also Configuration Reference for other configuration files.