adm6: ip6tables, pf.conf, ipf mit python in deutsch

adm6: ip6tables, pf.conf, ipf mit python

Johannes Hubertz

hubertz-it-consulting GmbH

OpenChaos@C4 , 24. 2. 2011

Johannes Hubertz (hubertz-it-consulting GmbH) adm6: ip6tables, pf.conf, ipf mit python OpenChaos@C4 , 24. 2. 2011 1 / 53

Was zu zeigen ist

Vorstellung – Wer zeigt hier was?
Motivation – Warum das alles?
Konzept – Wie könnte es funktionieren?
Geräte – Informationen und deren Nutzen
Deﬁnitionen – Netze und Hosts
Filter-Regeln in der Sicht des Administrators
Filter-Regeln als generiertes Kreuzprodukt


Vorstellung: Johannes Hubertz

1954 in Köln-Lindenthal geboren
1973 Studium der Elektrotechnik, RWTH und FH Aachen
1980 Anstellung bei der Bull AG
1981 HW-Reparatur, ASM80, PLM80, Xenix, bourne-shell, C
1994 Erstkontakt mit IPv4
1996 Xlink, root@www.bundestag.de, . . .
1997 X.509 mit SSLeay, ipfwadm mit shell-scripts
1998 „Ins Allerheiligste“, iX 1/1998, Heise Verlag
1999 IT-Security Mgr. Bull D-A-CH
2002 Start der Entwicklung von http://sspe.sourceforge.net
2005 Gründung der hubertz-it-consulting GmbH

seit 1973 Bundesanstalt Technisches Hilfswerk in Köln-Porz
seit 2001 Segeln, am liebsten auf Salzwasser


Vorstellung: hubertz-it-consulting GmbH

Erkenntnisse aus dem Berufsleben
Bellovin and Cheswick: Firewalls and Internet Security, 1994
Fazit: Keep it simple!
Oder mit Einstein: So einfach wie möglich, aber nicht einfacher!

Etwas Erfahrung war Voraussetzung
Gründung am 8. August 2005, Sitz in Köln
Geschäftsinhalt: Dienstleistungen im Umfeld der IT-Sicherheit
Logo: Johannes Hubertz Certificate Authority als ASCII-Bitmuster
Diese Bits finden sich in einigen 104 X.509 Anwenderzertifikaten bei der
Kundschaft in der Seriennummer wieder
Wir sind käuflich ;-)


IPv6 filtern, warum das denn?

IPv6 . . .
ist genauso sicher wie IPv4
ist genauso unsicher wie IPv4
bietet keinen fragwürdigen Schutz durch NAT
ist immer Ende zu Ende Kommunikation
wird genutzt, machmal sogar, ohne dass man es bemerkt
bietet die gleichen Applikationen und Schwachstellen wie IPv4

Ergo wollen wir keinen ungefilterten Verkehr in unserem Netz!


IPv6 filtern, wo denn?

Wir filtern auf der Firewall, da ist alles sicher!
Wir filtern auf der Firewall und auf den Routern, da ist alles sicher!
auf der Firewall, auf den Routern, auf den Servern, da ist alles sicher!
Wirklich sicher?
Warum nicht auf jedem Gerät?
Zuviel Aufwand? Mit Sicherheit nicht, wenn die Geräte
über eine sichere Methode verfügen, Kommunikation zu betreiben
über eine sichere Methode verfügen, Konfiguration zu bearbeiten
administrativ zu einem Hoheitsbereich gehören

Wir bevorzugen es, auf jedem Gerät zu filtern. . . wirklich! . . .

überall!

IPv6 ﬁltern, womit denn?

system filter command
Linux NetFilter ip6tables
OpenBSD pf pf, pf.conf, rc.local
Free- u. NetBSD ipf ipf
OpenSolaris ipf ipf
? Other ? ??? ???


Ich hatte mal einen Traum . . .

Wer Visionen hat, soll zum Arzt gehen (Helmut Schmidt)

Deﬁnitionen in einfachen ASCII-Dateien: (Name, Adresse, Kommentar)
Firewallregeln in einfachen ASCII-Dateien:
(source, destination, protocol, port, action, comment)
Erledigt für IPv4: http://sspe.sourceforge.net
implementiert in Shell und Perl, etwas schwierig für Einsteiger
bei mehreren Kunden erfolgreich im Einsatz
keinerlei externe Resonanz seit 2003 außer einer Email,
jedoch weiterhin regelmäßig Downloads bei sf.net


Ich hatte noch einen Traum . . .

IPv6 ist ja noch gar nicht verbreitet
Da ist noch viel zu tun, laßt uns Geduld haben,
irgendwer wirds schon machen. . .

So nicht!

IPv6 ist schon implementiert, es funktioniert
und läßt sich heute schon nutzen und ﬁltern!

Aber wie?


notwendige Voraussetzungen (Auswahl)

eine globale Konﬁguration für alles: ~/.adm6.conf

Strukturen für Informationen: Verzeichnisbaum: ~/adm6/. . .

gesammelte Informationen über Geräte: Name, OS-Name, Adresse,
Routingtabelle, etc.: ~/adm6/desc/name/

Vollständige Liste der Adressen aller Datenverkehrsteilnehmer:
hostnet6

Vollständige Liste der erlaubten Verkehrsbeziehungen:
“source destination protocol port action“ : rules


Datei- und Verzeichnisstrukturen

.adm6.conf adm6/desc/sfd/interfaces
adm6 adm6/desc/sfd/routes

adm6/bin/ adm6/desc/r-ex/00-rules.admin
adm6/desc/ adm6/desc/r-ex/hostnet6
adm6/etc/ adm6/desc/r-ex/interfaces
adm6/desc/r-ex/routes
adm6/desc/adm6/
adm6/desc/ns/ adm6/desc/obi-lan/00-rules.admin
adm6/desc/sfd/ adm6/desc/obi-lan/mangle-startup
adm6/desc/r-ex/ adm6/desc/obi-lan/mangle-endup
adm6/desc/obi-lan/ adm6/desc/obi-lan/hostnet6
adm6/desc/obi-lan/interfaces
adm6/desc/ns/00-rules.admin adm6/desc/obi-lan/routes
adm6/desc/ns/mangle-startup
adm6/desc/ns/mangle-endup adm6/etc/00-rules.admin
adm6/desc/ns/hostnet6 adm6/etc/Debian-footer
adm6/desc/ns/interfaces adm6/etc/Debian-header
adm6/desc/ns/routes adm6/etc/hostnet6
adm6/etc/OpenBSD-footer
adm6/desc/sfd/00-rules.admin adm6/etc/OpenBSD-header
adm6/desc/sfd/hostnet6


File: ~/.adm6.conf

# global adm6 system configuration 1
2
[global] 3
version = 0.1 4
timestamp = 2010-07-13 5
home = /home/hans/adm6/ 6
devices = r-ex, ns, obi-wan 7
software = [’Debian’, ’OpenBSD’, ’OpenSolaris’] 8
9
[device#r-ex] 10
desc = external router via ISP to the world 11
os = Debian GNU/Linux, Lenny 12
ip = 2001:db8:f002:1::1 13
fwd = 1 14
active = 1 15
16
[device#ns] 17
desc = company dns server 18
os = Debian GNU/Linux, Lenny 19
ip = 2001:db8:f002:1::23 20
fwd = 0 21
active = 1 22
23
[device#obi-wan] 24
desc = gif-tunnel from company to home 25
os = OpenBSD 4.5 26
ip = 2001:db8:f002:1::2 27
fwd = 0 28
active = 1 29


class Adm6ConfigParser config-file
import os 1 def get_version(self): 34
from ConfigParser import ConfigParser 2 return self.cf.get(’global’, ’version’).strip() 35
3 36
"""ugly: module wide variable cfg_file""" 4 def get_devices(self): 37
cfg_file = "adm6.conf" 5 """give list of all devices named in global section""" 38
6 return self.cf.get(’global’, ’devices’, False, {}) 39
7 40
class Adm6ConfigParser(ConfigParser): 8 def get_software(self): 41
"""Read global config from configfile: cfg_file.""" 9 """give a list of all os-software named in global 42
10 section"""
def __init__(self): 11 return self.cf.get(’global’, ’software’, False, {}) 43
self.cf = ConfigParser() 12 44
self.filename = os.path.expanduser(’~/.’+cfg_file) 13 def get_device_home(self, device): 45
self.cf.read([self.filename]) 14 """give directory of device as full pathname""" 46
15 pat = self.get_adm6_home() 47
def get_adm6_home(self): 16 pat = pat.strip() +’desc/’ + device.strip() 48
return self.cf.get(’global’, ’home’, False, {}) 17 return pat 49
18 50
def get_adm6_debuglevel(self): 19 def get_desc(self, device): 51
"""get applicationwide debuglevel""" 20 """give description of named device""" 52
level = int(self.cf.get(’global’, ’debuglevel’, False, 21 section = "device#" + device.strip() 53
{})) return self.cf.get(section, ’desc’).strip() 54
return level 22 55
23 def get_os(self, device): 56
def get_apply(self, device): 24 """give OS-String of named device""" 57
"""give back applyflag (missing flag means true!)""" 25 section = "device#" + device.strip() 58
section = "device#" + device.strip() 26 return self.cf.get(section, ’os’).strip() 59
value = False 27 60
try: 28 def show_cf(self): 61
return self.cf.getboolean(section, ’active’) 29 """show complete content as dict of dicts""" 62
except: 30 for section in self.cf.sections(): 63
return False 31 print section, self.cf.items(section) 64
return value 32
33


hostnet6.py


hostnet6 – deﬁnitions of hosts, networks and groups
# hostnet6 part of adm6 # hosts, networks and groups
# name CIDR address # comment
# #
any 2000::/3 # anybody outside and inside
# #
admin 2001:db8:f002:1::23/128 # 1st adminstrators workstation
admin 2001:db8:f002:3::23/128 # 2nd adminstrators workstation
#
ns 2001:db8:f002:1::53/128 # 1st domain name server
ns 2001:db8:f002:2::53/128 # 2nd domain name server
ns 2001:db8:f002:3::53/128 # 3rd domain name server
www 2001:db8:f002:3::80/128 # internet web server
intra 2001:db8:f002:1::443/128 # intranet web server
#
office-cgn 2001:db8:f002:2::/64 # office cologne
office-muc 2001:db8:f002:3::/64 # office munich
office-bln 2001:db8:f002:7::/64 # office berlin
#
fw-i 2001:db8:f002:2::1/128 # firewall internal view
fw-e 2001:db8:f002:1::2/128 # firewall external view
#
r-mine 2001:db8:f002::2/128 # my router to r-isp
r-mine-i 2001:db8:f002:1::1/128 # my router to r-isp
r-isp-e 2001:db8:abba::1/128 # ISP routers ISP-side
r-isp 2001:db8:f002::1/128 # ISP router to r-mine
#
ripe-net 2001:610:240:22::c100:68b/128 # ripe.net web-server
www-kame-net 2001:200:dff:fff1:216:3eff:feb1:44d7/128 # orange.kame.net
#
# EOF


HostNet6 ﬁle to be read by python

class HostNet6(IPv6Network): 1
"""Instance is content of hostnet6-file""" 2
def __init__(self,file): 3
"""read file into self.entries""" 4
self.entries = [] 5
self.append(file) 6
7
def __read_file(self,filename): 8
"""reads file using filename and fills self.entries""" 9
file1 = open(filename,’r’) 10
linenr = 0 11
for zeile in file1: 12
linenr = linenr + 1 13
line = str(zeile) 14
lefthalf = line.split(’#’) 15
try: 16
(name, address) = lefthalf.pop(0).split() 17
try: 18
ipad=IPv6Network(address) 19
if self.entries.count([name,ipad]) == 0: 20
self.entries.append([name,ipad]) 21
except: 22
print "User-Error: file:",filename 23
print "User-Error: line:",linenr 24
print "User-Error: content:",zeile 25
pass 26
finally: 27
pass 28
except: 29
pass 30
self.entries.sort(cmp=self.__mycmp__, key=None, reverse=False) 31


HostNet6 entry to be found by python

# class HostNet6(IPv6Network) continued 32
33
def get_addrs(self,name): 34
"""return list of addresses belonging to a name""" 35
addrs = [] 36
for entry in self.entries: 37
(hname,addr) = entry 38
if hname == name: 39
addrs.append(addr) 40
return addrs 41
42
def show_hostnet6(self): 43
"""show all current entries""" 44
nice_print("# hostnet6 contents:",’’) 45
number = 0 46
for entry in self.entries: 47
number = number + 1 48
(hname,addr) = entry 49
nice_print( ’# ’+str(hname),str(addr)) 50
s = "# hostnet6: %5d entries found" % number 51
nice_print(s,’’) 52
nice_print(’#’,’’) 53


device.py


device.py: Gerätespeziﬁsches

Betriebssystem
Interfaces, Adressen, Netzmasken
Routingtabellen
Angebot einzelner Dienste
Nutzung einzelner Dienste


device.py: (__init__)

class ThisDevice: 26
"""Object keeps all sampled information about a device, 27
information is read from a subdirectory in adm6/desc/ 28
interface-config (output of ifconfig) and 29
routing-table (output of ip -6 route show) and 30
filter-rules (plain ascii-filese with defs and actions) 31
might be useful for other things than generating filters""" 32
33
def __init__(self, device, confParser, hostnet): 34
self.name = device.strip() 35
self.confParser = confParser 36
self.device_os = confParser.get_os(device) 37
self.device_ip = confParser.get_ip(device) 38
print "# Device:" + str(device) + " Found IP:" + str(self.device_ip) 39
self.hn6 = hostnet 40
self.interfaces = [] 41
self.interfaces_file = confParser.get_device_home(device).strip() 42
self.interfaces_file = self.interfaces_file + ’/interfaces’ 43
self.read_interface_file() 44
self.routingtab = [] 45
self.routingtab_file = confParser.get_device_home(device).strip() 46
self.routingtab_file = self.routingtab_file + ’/routes’ 47
self.read_routingtab_file(self.device_os) 48
self.rules_path = confParser.get_device_home(device).strip() 49
self.rule_files = [] 50
self.rules = [] 51


device.py: (interface_ﬁle)

def read_interface_file(self): 53
try: 54
f = open(self.interfaces_file, ’r’) 55
while True: 56
line = f.readline() 57
if not line: 58
break 59
else: 60
pass 61
self.interface_line(line) 62
f.close() 63
except IOError, e: 64
print self.interfaces_file + ": ", e.strerror 65
return 66


device.py: (interface_line)

def interface_line(self, line): 68
"""evaluate one line of ifconfig-output store results in self.interfaces = []""" 69
nam = re.findall(’^[a-z]+[ 0-9][ :] ’, line, flags=0) 70
if nam: 71
self.int_name = nam.pop(0).strip() 72
add = [] 73
if ’Linux’ in self.device_os: 74
add = re.findall(’s*inet6 .* Scope:*’, line, flags=0) 75
if add: 76
ine = add.pop(0).split() 77
adr = ine.pop(2) 78
self.int_addr = IPv6Network(adr) 79
self.interfaces.append([self.int_name, self.int_addr]) 80
if ’OpenBSD’ in self.device_os: 81
if ’inet6’ in line: 82
if ’%’ in line: 83
(le, ri) = line.split(’%’) 84
else: 85
le = line 86
ine = le.split() 87
adr = ine.pop(1) 88
self.int_addr = IPv6Network(adr) 89
self.interfaces.append([self.int_name, self.int_addr]) 90
return 91


device.py: (read routingtable)

def read_routingtab_file(self, os): 93
"""read plain file containg output of 94
Debian: ip -6 route show 95
OpenBSD: route -n show 96
""" 97
try: 98
f = open(self.routingtab_file, ’r’) 99
while True: 100
line = f.readline() 101
if not line: 102
break 103
self.routingtab_line(line, os) 104
f.close() 105
except IOError, e: 106
print self.routingtab_file + ": ", e.strerror 107
return 108
109
def routingtab_line(self, line, os): 110
"""read a line using os-spcific version 111
""" 112
if os == "Debian GNU/Linux, Lenny": 113
self._debian_routingtab_line(line) 114
elif os == "OpenBSD 4.5": 115
self._bsd_routingtab_line(line) 116
else: 117
raise "# error: Attempt to read routingtable for unknown OS" 118
return 119


routingtable: Debian version
# ip -6 route show 1
2001:db8:23::/64 dev eth3 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 2
2001:db8:23:1::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 3
2001:db8:23:2::/64 dev sit1 metric 1024 mtu 1480 advmss 1420 hoplimit 4294967295 4
2001:db8:23:3::/64 via :: dev sit1 metric 256 mtu 1480 advmss 1420 hoplimit 4294967295 5
2001:db8:23:fa00::/56 via fe80:0:fa00::2 dev tun0 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 6
2001:db8:23:fb00::/56 via fe80:0:fb00::2 dev tun1 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 7
2001:db8:23:fc00::/56 via fe80:0:fc00::2 dev tun2 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 8
2001:db8:23:fd00::/56 via fe80:0:fd00::2 dev tun3 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 9
2001:db8:23:fe00::/56 via fe80:0:fe00::2 dev tun4 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 10
2001:db8:23:ff00::/56 via fe80:0:ff00::2 dev tun5 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 11
unreachable 2001:db8:23::/48 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295 12
2000::/3 via 2001:db8:23::1 dev eth3 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295 13
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 14
fe80::/64 via :: dev sit1 metric 256 mtu 1480 advmss 1420 hoplimit 4294967295 18
fe80::/64 dev tun0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 19
fe80:0:fa00::/64 dev tun0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 25
fe80:0:fb00::/64 dev tun1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 26
fe80:0:fc00::/64 dev tun2 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 27
fe80:0:fd00::/64 dev tun3 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 28
fe80:0:fe00::/64 dev tun4 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 29
fe80:0:ff00::/64 dev tun5 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 30
# 31


device.py: (_debian_routingtab_line)

def _debian_routingtab_line(self, line): 121
"""evaluate one line of debian ipv6 routingtable""" 122
words = line.split() 123
w1 = words.pop(0).strip() 124
if not line.find("unreachable"): 125
return 126
if not line.find("default") and line.find("via") > 0: 127
target = ’::/0’ 128
via = words.pop(1) 129
interf = words.pop(2) 130
else: 131
target = w1 132
if line.find("via") == -1: 133
via = "::/0" 135
else: 136
via = words.pop(1) 137
self.routingtab.append([IPv6Network(target), 139
IPv6Network(via), interf]) 140


routingtable: OpenBSD version
# route -n show 1
... 2
3
Internet6: 4
Destination Gateway Flags Refs Use Mtu Prio Iface 5
::/104 ::1 UGRS 0 0 - 8 lo0 6
::/96 ::1 UGRS 0 0 - 8 lo0 7
::1 ::1 UH 14 0 33204 4 lo0 8
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0 9
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0 10
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0 11
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0 12
2000::/3 2001:db8:23:5afe::2 UGS 0 65934 - 8 gif0 13
2001:db8:23:2::/64 link#1 UC 1 0 - 4 sis0 14
2001:db8:23:2::1 00:00:24:c8:cf:04 UHL 0 6 - 4 lo0 15
2001:db8:23:2:216:3eff:fe14:4b91 00:16:3e:14:4b:91 UHLc 0 12625 - 4 sis0 16
2001:db8:23:3::1 2001:db8:23:3::2 UH 0 4 - 4 gif0 17
2001:db8:23:3::2 link#6 UHL 0 6 - 4 lo0 18
2001:db8:23:5afe::1 link#6 UHL 0 12 - 4 lo0 19
2001:db8:23:5afe::2 2001:db8:23:5afe::1 UH 1 153 - 4 gif0 20
2002::/24 ::1 UGRS 0 0 - 8 lo0 21
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0 22
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0 23
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0 24
fe80::/10 ::1 UGRS 0 0 - 8 lo0 25
fe80::%sis0/64 link#1 UC 2 0 - 4 sis0 26
fe80::200:24ff:fec8:cf04%sis0 00:00:24:c8:cf:04 UHL 1 0 - 4 lo0 27
fe80::216:3eff:fe14:4b91%sis0 00:16:3e:14:4b:91 UHLc 0 10950 - 4 sis0 28
fe80::21c:25ff:fed7:c0dd%sis0 00:1c:25:d7:c0:dd UHLc 0 3502 - 4 sis0 29
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0 30
fe80::1%lo0 link#5 UHL 0 0 - 4 lo0 31
... 32
# 33


device.py: (_bsd_routingtab_line)

def _bsd_routingtab_line(self, line): 142
"""evaluate one line of OpenBSD routing-table, enter only, if useful content""" 143
zeile = line.split() 144
if len(zeile) > 0: 145
targ = zeile.pop(0) 146
if not ":" in targ: 147
return 148
try: 149
target = IPv6Network(targ) 150
except: 151
"""no IPv6 Address in column one""" 152
return 153
try: 154
hop = zeile.pop(0) 155
nhp = IPv6Network(hop.strip()) 156
nhp._prefixlen = 128 157
dev = zeile.pop(-1) 158
self.routingtab.append([target, nhp, dev]) 159
#print "APPEND:",str([target, nhp, dev]) 160
return 161
except: 162
#print " something wrong reading bsd-routingtable" 163
return 164


device.py: (do_this_rule I)
def do_this_rule(self, clone, rn, filter6, 166
rh, sr, ds, pr, po, ac, op): 167
"""build os-independant detailed rule without options, 168
which are very os-specific 169
Step 1: find IP-Addresses of Sources and Destinations, ’de-grouping’ """ 170
srcs = self.hn6.get_addrs(sr) 171
dsts = self.hn6.get_addrs(ds) 172
rule_start_text = rh 173
nice_print(rule_start_text +u’has ’+str(len(srcs))+" source(s) and " 174
+str(len(dsts))+" destination(s) in hostnet6", ’’) 175
pair = 0 176
"""Step 2: Loop over all Source and Destination pairs""" 177
for source in srcs: 178
i_am_source = self.address_is_own(source) 179
for destin in dsts: 180
pair += 1 181
i_am_destin = self.address_is_own(destin) 182
(ifs, ros) = self.look_for(rn, source) 183
(ifd, rod) = self.look_for(rn, destin) 184
"""Step 3: Which traffic is it?""" 185
if i_am_source: 186
"""Step 3a: This is outgoing traffic""" 187
nice_print(rule_start_text, 188
’ outgoing traffic!’) 189
elif i_am_destin: 190
"""Step 3b: This is incoming traffic""" 191
nice_print(rule_start_text, 192
’ incoming traffic!’) 193
else: 194
"""Step 3c: This is possibly traversing traffic""" 195
... 196


device.py: (do_this_rule II)
... 193
else: 194
"""Step 3c: This is possibly traversing traffic""" 195
if ros == rod: 196
if not ’FORCED’ in op: 197
nice_print(rule_start_text 198
+u’bypassing traffic, nothing done!’, ’’) 199
continue 200
+u’bypassing traffic but FORCED’, ’’) 202
else: 203
"""We are sure about traversing traffic now""" 204
+u’traversing traffic, action needed’, ’’) 206
"""Step 4: append appropriate filter""" 207
filter6.append([clone, rn, pair, i_am_source, i_am_destin, 208
source, destin, ifs, ros, ifd, rod, 209
pr, po, ac, op]) 210


device.py: (do_rules)
def do_rules(self, filter): 212
"""invocation: dev.do_rules(filter)""" 213
nice_print(’# begin on rules expecting interface and routing for:’, 214
self.device_os) 215
nice_print("#"*76, ’#’) 216
rn = 0 217
for rule in self.rules: 218
rn += 1 219
clone = str(rule) 220
rule_header = u’# Rule ’+str(rn)+u’: ’ 221
lstart = rule_header + "has "+str(len(rule))+" items : " 222
nice_print(lstart, ’’) 223
nice_print(u’# ’+str(rule), ’’) 224
if len(rule) > 0: 225
src = rule.pop(0) 226
dst = rule.pop(0) 228
pro = rule.pop(0) 230
prt = rule.pop(0) 232
act = rule.pop(0) 234
else: 235
nice_print(rule_header +"has insufficient parametercount", ’’) 236
nice_print(rule_header + str(rule), ’’) 237
continue 238
self.do_this_rule(clone, rn, filter, rule_header, 239
src, dst, pro, prt, act, rule) 240
nice_print("#"*76, ’#’) 241
nice_print(’# ’+self.name+u’: ready, ’+str(rn)+u’ rules found’, ’’) 242
filter.mach_output() 243


device.py (__main__)

def do_all_configured_devices(): 375
confParser = Adm6ConfigParser() 376
version = confParser.get_version() 377
confParser.print_header() 378
debuglevel = confParser.get_adm6_debuglevel() 379
#confParser.show_cf() 380
my_devices = confParser.get_devices().split(’,’) 381
for device_name in my_devices: 382
if confParser.get_apply(device_name): 383
device_os = confParser.get_os(device_name) 384
confParser.print_head(device_name) 385
path = str(confParser.get_device_home(device_name)) 386
h_path = path+’/hostnet6’ 387
hn6 = HostNet6(h_path) 388
dev = ThisDevice(device_name, confParser, hn6) 389
dev.read_rules() 390
#hn6.show_hostnet6() 391
#dev.show_interfaces() 392
#dev.show_routingtab() 393
#dev.show_rules() 394
filter6 = IP6_Filter(debuglevel, 395
path, 396
device_name, 397
device_os, 398
dev.interfaces) 399
dev.do_rules(filter6) 400
#filter6.mach_output(version) 401
print "#"*80 402
403
if __name__ == "__main__": 404
do_all_configured_devices() 405


ﬁlter6.py


rules.admin – ﬁlter rules use defs of hostnet6

# rules.admin part of adm6
#
# source destin proto port action options # comment or not
#
admin ns tcp ssh accept
admin ns udp 53 accept INSEC NOSTATE # for debug
any ns udp 53 accept NOSTATE # faster without
admin www tcp 80 accept
#
office-cgn any tcp 80 accept
office-cgn any tcp 443 accept
office-cgn office-muc ipv6 all accept
#
office-muc office-cgn ipv6 all accept
any office-cgn icmpv6 all accept
#
# EOF


class IP6_Filter (__init__)
class IP6_Filter(): 1
os = ’’ 2
me = None 3
"""Devicetype mostly independant Filter""" 4
5
def __init__(self, debuglevel, path, name, os, interfaces): 6
"""start with an empty filter""" 7
self.rules = [] 8
self.debuglevel = debuglevel 9
self.path = path 10
self.name = name 11
if ’Debian’ in os: 12
self.os = ’Debian’ 13
elif ’OpenBSD’ in os: 14
self.os = ’OpenBSD’ 15
elif ’OpenSolaris’ in os: 16
self.os = ’OpenSolaris’ 17
else: 18
print "# try to create filter object for unknown OS" 19
return 20
21
def append(self, rule): 22
"""append a rule to the creation list""" 23
#print "APPENDING to filter rule: "+str(rule) 24
self.rules.append(rule) 25
return 26


class IP6_Filter (mangle_ﬁle)
def mangle_file(self,outfile,mangleinclude): 28
mangle_filename = self.path + u’/’ + mangleinclude 29
#print "#" 30
#outfile.write("#") 31
try: 32
mang = open(mangle_filename) 33
print "# mangle-file: %s inclusion starts" % mangle_filename 34
outfile.write("# mangle-file: %s inclusion startsn" % mangle_filename) 35
for line in mang: 36
print line, 37
outfile.write(line) 38
mang.close() 39
print "# mangle-file: %s inclusion successfully ended" % mangle_filename 40
outfile.write("# mangle-file: %s inclusion successfully endedn" % mangle_filename) 41
except: 42
print "# mangle-file: %s for inclusion not foundn" % mangle_filename 43
outfile.write("# mangle-file: %s for inclusion not foundn" % mangle_filename) 44


class IP6_Filter (mach_output)
def mach_output(self): 46
"""construct header, rules and footer altogether""" 47
fname = self.path + ’/output’ 48
header_file = self.path + "/../../etc/" + str(self.os) + "-header" 49
footer_file = self.path + "/../../etc/" + str(self.os) + "-footer" 50
outfile = open(fname, ’w’) 51
head = open(header_file, ’r’) 52
header_name = u"%-25s" %(self.name) 53
date = time.localtime() 54
header_date = time.strftime("%Y-%m-%d %H:%M") 55
# beautify header, device-name, date, 56
for line in head: 57
l = line.replace(’cccccc ’, header_name) 58
line = l.replace(’dddddd ’, header_date) 59
outfile.write(line) 60
head.close() 61
# read mangle-start if present 62
self.mangle_file(outfile,u’mangle-startup’) 63
# every rule could do an output now 64
for rule in self.rules: 65
self.final_this_rule(rule, outfile) 66
# some finalization, get ready 67
# read mangle-end if present 68
self.mangle_file(outfile,u’mangle-endup’) 69
foot = open(footer_file, ’r’) 70
outfile.writelines(foot.readlines()) 71
outfile.close() 72
return 73


class IP6_Filter (ﬁnal_this_rule) I
def final_this_rule(self, rule, outfile): 75
"""do output for one pair out of rule-nr into file: outfile, 76
convert simple list-structure in rule into Rule-UserDict-Object""" 77
r = Ip6_Filter_Rule() 78
r[’debuglevel’] = self.debuglevel 79
r[’Output’] = outfile 80
r[’OS’] = self.os 81
r[’System-Name’] = self.name.strip() 82
r[’RuleText’] = rule.pop(0) # Orig. Rule Text as List 83
r[’Rule-Nr’] = rule.pop(0) 84
r[’Pair-Nr’] = rule.pop(0) 85
r[’i_am_s’] = rule.pop(0) 86
r[’i_am_d’] = rule.pop(0) 87
if ’NOIF’ in rule[-1]: 88
r[’noif’] = True 89
if ’NONEW’ in rule[-1]: 90
r[’nonew’] = True 91
if ’NOSTATE’ in rule[-1]: 92
r[’nostate’] = True 93
if ’INSEC’ in rule[-1]: 94
r[’insec’] = True 95
r[’Source’] = rule.pop(0) 96
r[’Destin’] = rule.pop(0) 97
r[’source-if’] = rule.pop(0) 98
r[’source-rn’] = rule.pop(0) 99
r[’destin-if’] = rule.pop(0) 100
r[’destin-rn’] = rule.pop(0) 101
r[’Protocol’] = rule.pop(0) 102
r[’dport’] = rule.pop(0) 103
r[’Action’] = rule.pop(0) 104
... 105


class IP6_Filter (ﬁnal_this_rule) II
... 103
r[’Action’] = rule.pop(0) 104
r[’src-multicast’] = r[’Source’].is_multicast 105
r[’src-linklocal’] = r[’Source’].is_link_local 106
r[’dst-multicast’] = r[’Destin’].is_multicast 107
r[’dst-linklocal’] = r[’Destin’].is_link_local 108
if r[’source-rn’] <> r[’destin-rn’]: 109
r[’travers’] = True 110
if r[’source-if’] <> r[’destin-if’]: 111
# source or destin doesn’t do forwarding except FORCED 113
if r[’i_am_s’]: 114
r[’travers’] = False 115
if r[’i_am_d’]: 116
r[’travers’] = False 117
# option FORCED overrides some calculations 118
if ’FORCED’ in rule[-1]: 119
r[’i_am_s’] = True 120
r[’i_am_d’] = True 121
s = "# "+’-’*76 + " #" 123
print s 124
outfile.write(s+’n’) 125
print "%s" % (r), 126
outfile.write(str(r)) 127
r.produce(outfile) 128


class IP6_Filter_Rule – I
class Ip6_Filter_Rule(UserDict): 1
"""IP6_Filter_Rule is a container with all the neccessary stuff 2
for device-type independant filter-generation. 3
It is filled by reading all the specific device-files of one device, 4
device-type is one out of (Debian, OpenBSD, OpenSolaris) 5
interfaces, routing-table, hostnet6 and all device-rules""" 6
7
def __init__(self, dict=None, **kwargs): 8
"""set initial params valid for all instances, and create a 9
DisplayList for representation of this Object""" 10
UserDict.__init__(self, dict, **kwargs) 11
self[’travers’] = False 12
self[’i_am_s’] = False 13
self[’i_am_d’] = False 14
self[’noif’] = False 15
self[’nonew’] = False 16
self[’nostate’] = False 17
self[’insec’] = False 18
self[’sport’] = u’1024:’ 19
# we cannot print a filedescriptor 20
self.NeverDisplay = [’Output’, ’debuglevel’] 21
self.DisplayList = [ 22
# meta-info 23
’Rule-Nr’, ’Pair-Nr’, ’System-Name’, ’OS’, 24
# user-given rule-info 25
’RuleText’, 26
’Source’, ’Destin’, ’Protocol’, ’sport’, ’dport’, ’Action’, 27
’nonew’, ’noif’, ’nostate’, ’insec’, 28
# caclulated info 29
’i_am_s’, ’i_am_d’, ’travers’, 30
’source-if’, ’source-rn’, ’src-linklocal’, ’src-multicast’, 31
’destin-if’, ’destin-rn’, ’dst-linklocal’, ’dst-multicast’, 32
] 33
return 34


class IP6_Filter_Rule – II
def __repr__(self): 36
"""representaion of Rule-Object for printouts""" 37
retStr = u’’ 38
if self[’debuglevel’]: 39
reprList = self.DisplayList 40
else: 41
reprList = self.CommentList 42
# sample the wellknown keys of DisplayList first 43
for key in reprList: 44
try: 45
s = u"# %-15s: %-59s #n" % (key, self[key]) 46
except: 47
continue 48
retStr += s 49
# unsorted keys at last 50
for key in dict(self): 51
s = u’’ 52
try: 53
if key in self.NeverDisplay: 54
s = u"# %-15s: %-59s #n" % (key, str(self[’key’])) 55
elif not key in self.DisplayList: 56
s = u"# %-15s: %-59s #n" % (key, self[key]) 57
except: 58
continue 59
retStr +=s 60
return retStr 61


class IP6_Filter_Rule – III
def produce(self, outfile): 63
if ’Debian’ in self[’OS’]: 64
self.produce_Debian(outfile, False) 65
elif ’OpenBSD’ in self[’OS’]: 66
self.produce_OpenBSD(outfile, False) 67
elif ’BSD’ in self[’OS’]: 68
self.produce_IPF(outfile, False) 69
elif ’OpenSolaris’ in self[’OS’]: 70
#self.produce_Debian(outfile, True) 71
self.produce_IPF(outfile, False) 72
else: 73
print "# cannot make filter commands for unknown OS" 74
return 75


ﬁlter-rules


generated output: Debian Header
#!/bin/bash 1
POLICY_D=’DROP’ 2
I6=’/sbin/ip6tables ’ 3
IP6I=’/sbin/ip6tables -A input___new ’ 4
IP6O=’/sbin/ip6tables -A output__new ’ 5
IP6F=’/sbin/ip6tables -A forward_new ’ 6
CHAINS="$CHAINS input__" 7
CHAINS="$CHAINS output_" 8
CHAINS="$CHAINS forward" 9
for chain in $CHAINS 10
do 11
/sbin/ip6tables -N ${chain}_act >/dev/null 2>/dev/null 12
/sbin/ip6tables -N ${chain}_new 13
done 14
# but ignore all the boring fault-messages 15
$I6 -P INPUT $POLICY_D 16
$I6 -P OUTPUT $POLICY_D 17
$I6 -P FORWARD $POLICY_D 18
# 19
# some things need to pass, even if you don’t like them 20
# do local and multicast on every interface 21
LOCAL="fe80::/10" 22
MCAST="ff02::/10" 23
# 24
$IP6I -p ipv6-icmp -s ${LOCAL} -d ${LOCAL} -j ACCEPT 25
$IP6O -p ipv6-icmp -s ${LOCAL} -d ${LOCAL} -j ACCEPT 26
# 27
$IP6I -p ipv6-icmp -s ${MCAST} -j ACCEPT 28
$IP6I -p ipv6-icmp -d ${MCAST} -j ACCEPT 29
$IP6O -p ipv6-icmp -s ${MCAST} -j ACCEPT 30
# all prepared now, individual mangling and rules following 31
# 32


generated output: Debian Footer I
#ICMPv6types="${ICMPv6types} destination-unreachable" 1
ICMPv6types="${ICMPv6types} echo-request" 2
ICMPv6types="${ICMPv6types} echo-reply" 3
ICMPv6types="${ICMPv6types} neighbour-solicitation" 4
ICMPv6types="${ICMPv6types} neighbour-advertisement" 5
ICMPv6types="${ICMPv6types} router-solicitation" 6
ICMPv6types="${ICMPv6types} router-advertisement" 7
for icmptype in $ICMPv6types 8
do 9
$IP6I -p ipv6-icmp --icmpv6-type $icmptype -j ACCEPT 10
$IP6O -p ipv6-icmp --icmpv6-type $icmptype -j ACCEPT 11
done 12
$IP6I -p ipv6-icmp --icmpv6-type destination-unreachable -j LOG --log-prefix "unreach: " 13
-m limit --limit 30/second --limit-burst 60 14
$IP6I -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT 15
# 16
CHAINS="" 17
CHAINS="$CHAINS input__" 18
CHAINS="$CHAINS output_" 19
CHAINS="$CHAINS forward" 20
#set -x 21
do 23
/sbin/ip6tables -E "${chain}_act" "${chain}_old" 24
/sbin/ip6tables -E "${chain}_new" "${chain}_act" 25
done 26
# 27
$I6 -F INPUT 28
$I6 -A INPUT -m rt --rt-type 0 -j LOG --log-prefix "rt-0: " -m limit --limit 3/second --limit-burst 6 29
$I6 -A INPUT -m rt --rt-type 0 -j DROP 30
$I6 -A INPUT -m rt --rt-type 2 -j LOG --log-prefix "rt-2: " -m limit --limit 3/second --limit-burst 6 31
$I6 -A INPUT -m rt --rt-type 2 -j DROP 32
$I6 -A INPUT -i lo -j ACCEPT 33
$I6 -A INPUT --jump input___act 34
# 35


generated output: Debian Footer II
# 34
$I6 -F OUTPUT 35
$I6 -A OUTPUT -o lo -j ACCEPT 36
$I6 -A OUTPUT --jump output__act 37
# 38
$I6 -F FORWARD 39
$I6 -A FORWARD -m rt --rt-type 0 -j LOG --log-prefix "rt-0: " -m limit --limit 3/second --limit-burst 6 40
$I6 -A FORWARD -m rt --rt-type 0 -j DROP 41
$I6 -A FORWARD --jump forward_act 42
# 43
do 45
/sbin/ip6tables -F "${chain}_old" 46
/sbin/ip6tables -X "${chain}_old" 47
done 48
$I6 -F logdrop 49
$I6 -X logdrop 50
$I6 -N logdrop 51
$I6 -A INPUT --jump logdrop 52
$I6 -A OUTPUT --jump logdrop 53
$I6 -A FORWARD --jump logdrop 54
$I6 -A logdrop -j LOG --log-prefix "drp: " -m limit --limit 3/second --limit-burst 6 55
$I6 -A logdrop -j DROP 56
# 57
/sbin/ip6tables-save -c >/root/last-filter 58
echo "**********************************************************************" 59
echo "**********************************************************************" 60
echo "## ##" 61
echo "## All rules applied, thanks for your patience ... ##" 62
echo "## cu ##" 63
echo "## ##" 64
echo "**********************************************************************" 65
echo "**********************************************************************" 66
# EOF 67


Endprodukt einer Regel (Version für Debian)
# ---------------------------------------------------------------------------- # 1
# Rule-Nr : 3 # 2
# Pair-Nr : 1 # 3
# System-Name : r-ex # 4
# OS : Debian # 5
# RuleText : [’any’, ’ns’, ’udp’, ’53’, ’accept’, ’NOSTATE’] # 6
# Source : 2000::/3 # 7
# Destin : 2001:db8:23:1::23/128 # 8
# Protocol : udp # 9
# sport : 1024: # 10
# dport : 53 # 11
# Action : accept # 12
# nonew : False # 13
# noif : False # 14
# nostate : True # 15
# insec : False # 16
# i_am_s : None # 17
# i_am_d : None # 18
# travers : True # 19
# source-if : eth3 # 20
# source-rn : 10 # 21
# src-linklocal : False # 22
# src-multicast : False # 23
# destin-if : eth1 # 24
# destin-rn : 1 # 25
# dst-linklocal : False # 26
# dst-multicast : False # 27
/sbin/ip6tables -A forward_new -i eth3 -s 2000::/3 -d 2001:db8:23:1::23/128 28
-p udp --sport 1024: --dport 53 -j ACCEPT 29
/sbin/ip6tables -A forward_new -o eth1 -d 2000::/3 -s 2001:db8:23:1::23/128 30
-p udp --dport 1024: --sport 53 -j ACCEPT 31


Endprodukt einer Regel (Version für OpenBSD)
# ---------------------------------------------------------------------------- # 1
# Rule-Nr : 3 # 2
# Pair-Nr : 1 # 3
# System-Name : obi-lan # 4
# OS : OpenBSD # 5
# RuleText : [’any’, ’ns’, ’udp’, ’53’, ’accept’, ’NOSTATE’] # 6
# Source : ::/0 # 7
# Destin : 2001:db8:23:1::23/128 # 8
# Protocol : udp # 9
# sport : 1024: # 10
# dport : 53 # 11
# Action : accept # 12
# nonew : False # 13
# noif : False # 14
# nostate : True # 15
# insec : False # 16
# i_am_s : None # 17
# i_am_d : None # 18
# travers : True # 19
# source-if : undef # 20
# source-rn : 17 # 21
# src-linklocal : False # 22
# src-multicast : False # 23
# destin-if : gif0 # 24
# destin-rn : 7 # 25
# dst-linklocal : False # 26
# dst-multicast : False # 27
pass in quick from ::/0 to 2001:db8:23:1::23/128 port 53 proto udp 28
pass out quick to ::/0 from 2001:db8:23:1::23/128 proto udp 29
# n o t y e t r e a d y 30


gui – a design example


hostnet6 – 1st dream of a gui


rule editor – 1st dream of a gui


Quellen und Anregungen (Auszug)

... only a few of more than 200 ...
RFC 2460 Internet Protocol, Version 6 (IPv6) Specification
RFC 2461 Neighbor Discovery for IP Version 6 (IPv6)
RFC 2462 IPv6 Stateless Address Autoconfiguration
RFC 2463 Internet Control Message Protocol for the Internet Protocol Version 6 (IPv6) Specification
RFC 2464 Transmission of IPv6 Packets over Ethernet Networks
RFC 3315 Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
RFC 3756 IPv6 Neighbor Discovery (ND) Trust Models and Threats
RFC 3775 Mobility Support in IPv6
RFC 3971 SEcure Neighbor Discovery (SEND)
RFC 3972 Cryptographically Generated Addresses (CGA)
RFC 4429 Optimistic Duplicate Address Detection (DAD) for IPv6
RFC 4443 Internet Control Message Protocol for the Internet Protocol Version 6 (IPv6) Specification
RFC 4861 Neighbor Discovery for IPv6
RFC 4890 Recommendations for Filtering ICMPv6 Messages in Firewalls
RFC 5095 Deprecation of RH0

Linux:
http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html
OpenVPN-tunnelbroker: http://blog.ghitr.com/index.php/archives/673
http://www.6net.org/publications/presentations/strauf-openvpn.pdf

Books:
IPv6 in Practice, Benedikt Stockebrand, Springer, ISBN 978-3-540-24524-7
IPv6, Sylvia Hagen, Sunny Edition, 2. Auflage, ISBN 978-3-9522842-2-2
Deploying IPv6 Networks, Ciprian Popoviciu et.al., Cisco Press, ISBN 1587052105

Tests: Security:
http://freeworld.thc.org/thc-ipv6/ http://www.wecon.net/files/48/GUUG-RT_WEST2010-SvI.pdf
http://lg.he.net/ http://seanconvery.com/ipv6.html


Jez hammer et geschaff . . .

Noch Fragen?


Ich bedanke mich für Ihre Aufmerksamkeit

hubertz-it-consulting GmbH jederzeit zu Ihren Diensten
Ihre Sicherheit ist uns wichtig!

Frohes Schaffen
Johannes Hubertz

it-consulting _at_ hubertz dot de
H-alpha ∈ { kompetenzspektrum.de }
Python es e Geföhl!

powered by L TEX 2ε
A

and PSTricks
Besonderer Dank gilt Markus | Markus ∈ { kompetenzspektrum.de }
für seine stetige Geduld, meine Python-Unkenntnis zu [lm]indern.

adm6: ip6tables, pf.conf, ipf mit python in deutsch

More Related Content

Similar to adm6: ip6tables, pf.conf, ipf mit python in deutsch (20)

More from Marc Manthey (20)

Recently uploaded (20)

adm6: ip6tables, pf.conf, ipf mit python in deutsch