Steve,
On Fri, 24 May 2002, Steve Herber wrote:
> I looked at the 1.3 whitelist documentation and realized that the ops
> example, while interesting in and of itself, did not do what I think a
> whitelist does. Back to symmetry, if a blacklist is a list of sites not
> allowed to connect in through the firewall, maybe to a web server, for
> example, then a whitelist should be a list of machines that are allowed to
> access a service or services, again, say a web server.
>

But that's not the concept of a black list in Shorewall. In Shorewall,
hosts on the blacklist can't do ANYTHING on your firewall or network; they
can't even 'ping'. So if that's what a black list is, and if a white list
is the complement of a black list, then a host on the white list can access
any service on any host in your network, including any open port on the
CEO's PC.

> This just reminded me of NIS/YP netgroups where I can define a netgroup
> as a list of hosts and then add that list to an NFS export access list.
> I can control who can use the NFS mount point just by changing the
> netgroup membership.
>
> The ops example enables access based upon a subnet. How could it be changed
> to allow a list of "white" hosts?
>
> Ok, so I just read the documentation for the hosts file. You were right,
> most people don't need to use it.
>
> So could you add something like this to the whitelist example:
>
> ops eth2:10.10.10.0/24 routestopped
> ops eth1:1.2.3.4
> ops eth1:5.6.7.8
>
> along with a note to specifically say "move your old whitelist hosts into
> the host file using this format"
>

I don't want any reference to the 'old whitelist hosts' because the whole
notion of the whitelist that I released in 1.2.13 was a bad idea. Paul
Gear tried to tell me but my ego wouldn't let me listen. Thankfully
the whitelist is only available on a single release and the documentation
on my web site now urges "Don't Use It!!!".

> Just to really push this, why don't you get rid of the blacklist file
> and just create a zone called bad and put the entries in the host file
> like the whitelist? If you are going to get rid of the whitelist file,
> get rid of the blacklist file and have one way to do both.
>

When you are under attack from a rogue host, you want to be able to do
something quickly; even if that host has established connections to
services in your network, you want to cut it off. That's what an entry in
the black list does.

In contrast, when has someone run into your office screaming that IP
1.2.3.4 simply has to have access to every service in the world including
the CEO's email (or in your case, the University President's email) or the
end of the world is at hand? -- just because a feature is worthwhile
doesn't mean that the reflexive feature is equally desirable. The
whitelist that I unwisely included in 1.2.13 is a case in point.

Additionally, there are aspects of Netfilter that make the notion of a
white list ambiguous. Redirection and port forwarding rules are actually
two rules, one that rewrites IP headers and one that allows the modified
packets through the firewall. Should whitelisted hosts that match a
redirection or port forwarding rule obey these rules if they match? Is that
what you really want? Take another look at the 'ops' example...

In summary:

a) The notion of a black list is well-defined. If you put a host on a
black list, then it can't do anything to you.

b) The notion of a white list is ill-defined and possibly dangerous; as
such, it has no place in Shorewall and the 'ops' example is as close as
I'm going to get to such a concept.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net