[tech] Firewalling system ideas wanted
David Adam
zanchey at ucc.gu.uwa.edu.au
Tue May 16 10:00:39 AWST 2017
On Mon, 15 May 2017, Andrew Adamson wrote:
> This coming weekend we are basically breaking everything, so this is an
> opportunity to do it good and properly. I've been thinking about user
> friendliness of our firewall (particularly for VMs), and how things would
> ideally work versus how they currently do.
>
> At the moment, a lot of users who get a VM can't necessarily do a great
> deal with them, because firewalling of their machine is quite obfuscated
> to them (unless they are on wheel, and sometimes even then), and it's not
> always clear to them why something might not be working. I have a similar
> problem learning about mail servers with the UWA firewall - I never know
> if it's me or not. The firewall on a VM is something that a user can't
> easily inspect, change, or experiment with, because it's on murasoi which
> is wheel access only.
>
> To me, the best scenario here is that VM users can easily inspect the
> firewall rules on their machine, easily request changes, some trusted
> users can easily be given control of their machines' firewall, and the
> whole lot can be audited/checked/modified by wheel at any time.
>
> Can anyone suggest such a system? Ideally it would have some sort of nice
> interface, or proxmox integration. I know proxmox has firewall support but
> haven't had a chance to really play with it, plus it would mean splitting
> our firewall between murasoi and the cluster. Has anyone tried it before
> and have advice/comments? Advice/comments on splitting the firewall? Other
> options for a routing box? Thoughts on moving DNS onto the routing
> machine?
Old guard opinion, I guess...
I think what you're asking about is delegated firewall control, which as
far as I know doesn't exist even in high-end firewall products - I've had
a read through the Cisco FirePower 9000* and Juniper SRX manuals and all I
can see is whole-of-system roles, rather than permission to firewall
specific subnets or IP addresses.
My impression is that full virtualisation of networks with virtual
firewalls is the Enterprise Solution to this problem.
I don't think splitting the firewall is so much of a problem. Several
machines (mooneye, mussel, motsugo) already run their own firewalls as a
replacement or addition to the central firewall.
Firewalling on Proxmox does appear to require full network administration
privileges to the VM, which we don't grant users (and probably shouldn't).
I think we should probably rewrite the firewall in nftables. Linux is
still the right platform - although firewall platforms like pf(4) are
better, the wider networking infrastructure tools on Linux still seem more
diverse and well-understood.
Your question about putting the nameserver on the router is a separate
issue. From a *.ucc.asn.au perspective it will be easy, but it would also
require UWA to make some changes to keep *.ucc.gu.uwa.edu.au and the
reverse DNS zone working. Perhaps others have more of an appetite. Our DNS
records in the UWA nameservers have been semi-broken for years, and we
never did get IPv6 reverse delegation set up.
David Adam
zanchey at ucc.gu.uwa.edu.au
*: Yes.
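One way to make a central nftables firewall inspectable and auditable per VM, as an added illustration that is not part of the thread or of UCC's actual ruleset: give each VM its own named address set and its own inbound chain, and have the forward chain dispatch to them. The table name, set and chain names, interface name and 192.0.2.0/24 addresses below are constructed placeholders.

```nft
# Constructed example ruleset (not from the thread or UCC's firewall).
# Table, set, chain and interface names and all addresses are placeholders.
table inet vmfw {
    # One named set per VM so its address list can be listed on its own.
    set vm_alpha_addrs {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }
    set vm_beta_addrs {
        type ipv4_addr
        elements = { 192.0.2.20 }
    }

    # Per-VM inbound chains: everything permitted into a VM lives in its
    # own chain, so a user can read (or propose changes to) exactly one.
    chain vm_alpha_in {
        tcp dport { 22, 80, 443 } accept
        log prefix "vm_alpha drop: " counter drop
    }
    chain vm_beta_in {
        tcp dport 22 accept
        udp dport 53 accept
        log prefix "vm_beta drop: " counter drop
    }

    # Dispatch: the shared forward chain only decides which VM chain applies.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Traffic originating from the VM bridge (placeholder name) is allowed out.
        iifname "vmbr0" accept
        ip daddr @vm_alpha_addrs jump vm_alpha_in
        ip daddr @vm_beta_addrs jump vm_beta_in
    }
}
```

With this layout, `nft list chain inet vmfw vm_alpha_in` shows one VM's rules and nothing else, which is the kind of read-only view a restricted sudo wrapper could expose to a VM owner without granting wheel-level access, and `nft -c -f proposed.nft` syntax-checks a requested change before anyone with the right to apply it loads it. The per-chain `log` and `counter` entries give the VM owner a way to see which rule is dropping their traffic instead of guessing whether "it's me or not".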