[tech] Firewalling system ideas wanted

David Adam zanchey at ucc.gu.uwa.edu.au
Tue May 16 10:00:39 AWST 2017


On Mon, 15 May 2017, Andrew Adamson wrote:
> This coming weekend we are basically breaking everything, so this is an 
> opportunity to do it good and properly. I've been thinking about user 
> friendliness of our firewall (particularly for VMs), and how things would 
> ideally work versus how they currently do. 
> 
> At the moment, a lot of users who get a VM can't necessarily do a great 
> deal with them, because firewalling of their machine is quite obfuscated 
> to them (unless they are on wheel, and sometimes even then), and it's not 
> always clear to them why something might not be working. I have a similar 
> problem learning about mail servers with the UWA firewall - I never know 
> if it's me or not. The firewall on a VM is something that a user can't 
> easily inspect, change, or experiment with, because it's on murasoi which 
> is wheel access only.
> 
> To me, the best scenario here is that VM users can easily inspect the 
> firewall rules on their machine, easily request changes, some trusted 
> users can easily be given control of their machine's firewall, and the 
> whole lot can be audited/checked/modified by wheel at any time. 
> 
> Can anyone suggest such a system? Ideally it would have some sort of nice 
> interface, or proxmox integration. I know proxmox has firewall support but 
> haven't had a chance to really play with it, plus it would mean splitting 
> our firewall between murasoi and the cluster. Has anyone tried it before 
> and have advice/comments? Advice/comments on splitting the firewall? Other 
> options for a routing box? Thoughts on moving dns onto the routing 
> machine?

Old guard opinion, I guess...

I think what you're asking about is delegated firewall control, which as 
far as I know doesn't exist even in high-end firewall products - I've had 
a read through the Cisco FirePower 9000* and Juniper SRX manuals and all I 
can see is whole-of-system roles, rather than permission to firewall 
specific subnets or IP addresses.

My impression is that full virtualisation of networks with virtual 
firewalls is the Enterprise Solution to this problem.

I don't think splitting the firewall is so much of a problem. Several 
machines (mooneye, mussel, motsugo) already run their own firewalls as a 
replacement or addition to the central firewall.

Firewalling on Proxmox does appear to require full network administration 
privileges to the VM, which we don't grant users (and probably shouldn't).

I think we should probably rewrite the firewall in nftables. Linux is 
still the right platform - although firewall platforms like pf(4) are 
better, the wider networking infrastructure tools on Linux still seem more 
diverse and well-understood.

Your question about putting the nameserver on the router is a separate 
issue. From a *.ucc.asn.au perspective it will be easy, but it would also 
require UWA to make some changes to keep *.ucc.gu.uwa.edu.au and the 
reverse DNS zone working. Perhaps others have more of an appetite. Our DNS 
records in the UWA nameservers have been semi-broken for years, and we 
never did get IPv6 reverse delegation set up.

David Adam
zanchey at ucc.gu.uwa.edu.au


*: Yes.
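Added example (not from this thread or from UCC's own firewall): one way to get the delegation Andrew describes on a Linux router running nftables, following the nftables suggestion above. Wheel owns the base forward chain and the single jump that sends traffic for a VM's address into that VM's own regular chain; the VM owner can list and add rules in that chain only, through a wrapper that checks each rule against a small grammar before it reaches nft. The table name ucc_fw, the VM names, the addresses, the owner mapping and the grammar are all assumptions for the example.

```python
"""Per-VM delegated chains in an nftables ruleset (illustrative, not UCC's).

Model: wheel owns the base 'forward' chain and the jump that sends traffic
for a given VM address into that VM's own chain.  A VM owner may only add
rules to their own chain, through a wrapper that validates each rule
against a tiny grammar before it is handed to nft, so a typo or a crafted
rule cannot touch other hosts or smuggle extra nft commands.
All table/chain names, addresses and owners below are assumed for the
example.
"""
import ipaddress
import re

TABLE = "ucc_fw"                      # assumed table name

# Constructed inventory: chain name -> VM address, and user -> chain.
VMS = {"vm_alice": "192.0.2.10", "vm_bob": "192.0.2.11"}
OWNERS = {"alice": "vm_alice", "bob": "vm_bob"}

# Grammar a VM owner may use.  Anchored at both ends, so nft's ';'
# command separator and anything else outside the grammar is rejected.
#   [ip saddr <addr|cidr>] (tcp|udp) dport <port>[-<port>] (accept|drop)
RULE_RE = re.compile(
    r"^(?:ip saddr (?P<src>\S+) )?"
    r"(?P<proto>tcp|udp) dport (?P<port>\d+(?:-\d+)?) "
    r"(?P<verdict>accept|drop)$"
)


def validate_rule(rule: str) -> str:
    """Return the rule in canonical form, or raise ValueError."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"rule not in allowed grammar: {rule!r}")
    lo, _, hi = m["port"].partition("-")
    lo_p, hi_p = int(lo), int(hi) if hi else int(lo)
    if not (0 < lo_p <= hi_p < 65536):
        raise ValueError(f"bad port range: {m['port']}")
    out = ""
    if m["src"]:
        # ip_network() rejects anything that is not an address or prefix.
        out = f"ip saddr {ipaddress.ip_network(m['src'], strict=False)} "
    return out + f"{m['proto']} dport {m['port']} {m['verdict']}"


def owner_nft_argv(user: str, rule: str) -> list:
    """argv for 'nft add rule' that a privileged wrapper (setuid helper or
    sudo target) would exec on behalf of a VM owner.  Only the owner's own
    chain is reachable, and the rule has already been validated."""
    chain = OWNERS.get(user)
    if chain is None:
        raise PermissionError(f"{user} does not own a VM chain")
    return ["nft", "add", "rule", "inet", TABLE, chain, *validate_rule(rule).split()]


def render_ruleset(vms: dict, owner_rules: dict) -> str:
    """Render the whole table as nft script text (for 'nft -f')."""
    lines = [f"table inet {TABLE} {{"]
    for chain in vms:                              # per-VM regular chains
        lines.append(f"    chain {chain} {{")
        for rule in owner_rules.get(chain, []):
            lines.append(f"        {validate_rule(rule)}")
        lines.append("    }")                      # no verdict: fall through
    lines += [
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for chain, addr in vms.items():
        lines.append(f"        ip saddr {addr} accept")        # VM-originated
        lines.append(f"        ip daddr {addr} jump {chain}")  # owner's chain
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = {"vm_alice": ["tcp dport 22 accept",
                          "ip saddr 203.0.113.0/24 tcp dport 8000-8010 accept"]}
    print(render_ruleset(VMS, rules))
    print(" ".join(owner_nft_argv("alice", "udp dport 53 accept")))
```

Two points worth noting. The per-VM chain cannot affect other hosts because the only way into it is the `ip daddr <vm> jump` in the wheel-owned base chain, and a chain that ends without a verdict just falls back to that chain's `policy drop`, so the default-deny stays with wheel. Also, nft joins its argv into one command string before parsing, so it is the anchored grammar check, not the list form of the argv, that stops a rule like `tcp dport 22 accept; add chain ...` from becoming two commands; a plain sudoers wildcard on `nft add rule ... vm_alice *` would not give that protection. Owners can inspect their own rules with `nft list chain inet ucc_fw vm_alice`, which is read-only and safe to delegate directly.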

