Saturday, January 23, 2010

How not to set up your firewall

(This is of course an entirely hypothetical set of notes, since it's inconceivable [1] that I would make any of these errors).

For the purposes of this exercise, we assume a gateway machine, running a simple firewall, which we want to use to drop various packets on the floor - such as those from machines participating in a distributed brute-force ssh attack, for instance. We assume there are several scripts managing the blocked list. For best effect, your gateway box should be mounting a few directories via nfs from another machine.
  1. Ensure that packets between the gateway box and the file server need to traverse the blocked list first.
  2. Don't lock properly when adding new IPs to the firewall. This ensures that, under load, you can add large numbers of duplicate entries to the list.
  3. Have every packet traverse the blocked list twice.
Under smallish numbers of blocked IPs, the results aren't impressive, so, for best effect, you need to wait until there's a reasonably large attack before the effects are really noticeable. If done properly, however, at a few thousand unique entries, the network performance should slow to an absolute crawl.
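For contrast, here is an added example (not from the original post) of a small blocklist manager that avoids all three mistakes: the file server is accepted before the blocked list is consulted, the list is a hash set looked up once per packet rather than a chain of per-IP rules traversed twice, and additions are serialised and de-duplicated under a lock. The set name, paths, NFS server address and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Blocklist manager for the gateway box (added example, assumptions marked).
BLOCKLIST="${BLOCKLIST:-/var/lib/blocklist/ips}"   # one IP per line (assumed path)
LOCKDIR="${LOCKDIR:-/var/lib/blocklist/lock}"      # mkdir-based lock (assumed path)
SETNAME="${SETNAME:-blocked}"                      # assumed ipset name
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"             # placeholder address (TEST-NET-1)

# Run a firewall command, or just print it when DRY_RUN is set (no root needed).
fw() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# One-time setup. The "how not to" version appends one "-s <ip> -j DROP" rule
# per address and lets both INPUT and FORWARD walk that chain, twice.
setup_rules() {
    fw ipset create "$SETNAME" hash:ip -exist
    fw iptables -N BLOCKED
    fw iptables -A BLOCKED -m set --match-set "$SETNAME" src -j DROP
    # Mistake 1 avoided: gateway<->file-server traffic never reaches the set.
    fw iptables -I INPUT 1 -s "$NFS_SERVER" -j ACCEPT
    # Mistake 3 avoided: exactly one jump into BLOCKED from each hook.
    fw iptables -A INPUT -j BLOCKED
    fw iptables -A FORWARD -j BLOCKED
}

# Mistake 2 avoided: mkdir is atomic, so concurrent scripts serialise here and
# the "already blocked?" check happens under the lock. Returns 2 if a duplicate.
add_blocked_ip() {
    ip="$1"
    i=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        i=$((i + 1)); [ "$i" -lt 30 ] || { echo "lock timeout" >&2; return 1; }
        sleep 1
    done
    if grep -qxF "$ip" "$BLOCKLIST" 2>/dev/null; then
        rmdir "$LOCKDIR"; return 2
    fi
    echo "$ip" >> "$BLOCKLIST"
    fw ipset add "$SETNAME" "$ip" -exist   # hash set: O(1) lookup, no duplicates
    rmdir "$LOCKDIR"
}

# Number of unique addresses currently on the list.
count_blocked() {
    if [ -f "$BLOCKLIST" ]; then wc -l < "$BLOCKLIST" | tr -d ' '; else echo 0; fi
}

case "${1:-}" in
    setup) setup_rules ;;
    add)   add_blocked_ip "$2" ;;
esac
```

Run `setup` once at boot and let the attack-handling scripts call `add`; with `DRY_RUN=1` the script only prints the firewall commands it would run.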

[1] Which means exactly what I think it means.