
Firewall

Overview of firewall protection

Some of the protections are:

  • SYN cookie protection
  • disable proxy ARP
  • ignore bogus ICMP error responses
  • ignore ICMP echo requests sent to broadcast addresses
  • ICMP rate limiting
  • set the TCP FIN timeout to 30
  • deny traffic from private networks
  • block specific IPs
  • limit the number of concurrent TCP connections from a single IP
  • defend against port scans
  • defend against ping of death
  • drop invalid packets

In addition, only a very limited set of ports is open, both inbound and outbound; everything else is stealth (the host does not answer at all).

Configuring the firewall

Whenever you change any firewall configuration, deploy it by running:

ascr firewall-config

Inbound and outbound port configuration

The firewall configuration lives in the default variables of the common role; all inbound and outbound ports are defined with these values:

# Each entry is a flow mapping; 'number' is a single port or an 'a:b' range.
firewall_ports:
  in:
    - {type: 'TCP', number: '22', comment: 'ssh'}
    - {type: 'TCP', number: '80', comment: 'http'}
    - {type: 'TCP', number: '443', comment: 'https'}
    - {type: 'UDP', number: '60000:61000', comment: 'mosh'}
  out:
    - {type: 'UDP', number: '53', comment: 'unknown'}      # 53/udp is normally DNS
    - {type: 'UDP', number: '67:68', comment: 'DHCP'}
    - {type: 'UDP', number: '123', comment: 'unknown'}     # 123/udp is normally NTP
    - {type: 'UDP', number: '60000:61000', comment: 'mosh'}
    - {type: 'TCP', number: '22', comment: 'ssh'}
    - {type: 'TCP', number: '25', comment: 'smtp'}
    - {type: 'TCP', number: '80', comment: 'http'}
    - {type: 'TCP', number: '8080', comment: 'http'}
    - {type: 'TCP', number: '110', comment: 'pop3'}
    - {type: 'TCP', number: '143', comment: 'imap'}
    - {type: 'TCP', number: '220', comment: 'imap'}
    - {type: 'TCP', number: '443', comment: 'https'}
    - {type: 'TCP', number: '465', comment: 'smtp'}
    - {type: 'TCP', number: '587', comment: 'smtp'}
    - {type: 'TCP', number: '993', comment: 'imap'}
    - {type: 'TCP', number: '995', comment: 'pop3'}
    - {type: 'TCP', number: '9418', comment: 'git'}

You can override these values in your own inventory.
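The following is an added example, not code from the common role: it validates a `firewall_ports` override before deployment (protocol must be TCP or UDP, a port or `a:b` range must lie within 1 to 65535 and not be reversed) and shows how such a definition maps onto default-drop iptables rules. It assumes iptables as the backend, which the page does not state, and uses a constructed sample mirroring a few of the defaults above.

```python
"""Validate a firewall_ports definition and render default-drop iptables rules.

Added example, not part of the common role. Assumes the role's firewall_ports
structure (in/out lists of TCP/UDP entries whose 'number' is a port or an
'a:b' range) and an iptables backend, which is an assumption.
"""
import re
import shlex

PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

# Constructed sample mirroring a few of the role defaults shown above.
SAMPLE = {
    "in": [{"type": "TCP", "number": "22", "comment": "ssh"},
           {"type": "UDP", "number": "60000:61000", "comment": "mosh"}],
    "out": [{"type": "UDP", "number": "53", "comment": "unknown"},
            {"type": "TCP", "number": "443", "comment": "https"}],
}


def validate_entry(entry):
    """Return an error string for a bad entry, or None if it is acceptable."""
    if entry.get("type") not in ("TCP", "UDP"):
        return f"bad type {entry.get('type')!r}"
    m = PORT_RE.match(str(entry.get("number", "")))
    if not m:
        return f"bad port spec {entry.get('number')!r}"
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 65535:
        return f"port range {lo}:{hi} out of bounds or reversed"
    return None


def render_rules(firewall_ports):
    """Translate in/out lists into iptables rules; raise ValueError on bad entries."""
    errors = []
    for direction in ("in", "out"):
        for i, ent in enumerate(firewall_ports.get(direction, [])):
            err = validate_entry(ent)
            if err:
                errors.append(f"{direction}[{i}]: {err}")
    if errors:
        raise ValueError("; ".join(errors))
    # Default drop in both directions; replies to accepted flows are tracked by conntrack.
    rules = ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for direction, chain in (("in", "INPUT"), ("out", "OUTPUT")):
        for ent in firewall_ports.get(direction, []):  # iptables accepts 'a:b' ranges
            rules.append(f"iptables -A {chain} -p {ent['type'].lower()} --dport {ent['number']} "
                         f"-m comment --comment {shlex.quote(ent['comment'])} -j ACCEPT")
    return rules
```

Run `render_rules` over your inventory override before calling `ascr firewall-config`; a reversed range or a typo in the protocol is reported per entry instead of silently producing a rule that never matches.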