# Firewall Plan

A firewall is necessary to defend hachyderm. The plan is as follows:

# Identify Services and Ports

## Running netstat

Note: Some of the sockets are `raw` or `raw6` sockets, which allow a process to **write** arbitrary IP packets as long as it supplies the full IP header. See https://man7.org/linux/man-pages/man7/raw.7.html for more details. For raw sockets netstat prints the IP protocol number in the port position (1 = ICMP, 17 = UDP, 58 = ICMPv6).

```
netstat -lpn
tcp 0 0 10.6.6.100:2379 0.0.0.0:* LISTEN 4411/etcd
tcp 0 0 10.6.6.100:2380 0.0.0.0:* LISTEN 4411/etcd
tcp 0 0 0.0.0.0:30020 0.0.0.0:* LISTEN 5482/nginx: master
tcp 0 0 127.0.0.1:40871 0.0.0.0:* LISTEN 2214/crio
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1381/sshd: /usr/bin
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2234/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2234/nginx: master
tcp 0 0 100.116.92.92:38425 0.0.0.0:* LISTEN 2281/tailscaled
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 2407/kubelet
tcp 0 0 127.0.0.1:10249 0.0.0.0:* LISTEN 5398/kube-proxy
tcp 0 0 127.0.0.1:10257 0.0.0.0:* LISTEN 2803/kube-controlle
tcp 0 0 127.0.0.1:10259 0.0.0.0:* LISTEN 2810/kube-scheduler
tcp 0 0 127.0.0.1:9234 0.0.0.0:* LISTEN 5339/cilium-operato
tcp 0 0 127.0.0.1:9876 0.0.0.0:* LISTEN 6053/cilium-agent
tcp 0 0 127.0.0.1:9890 0.0.0.0:* LISTEN 6053/cilium-agent
tcp 0 0 127.0.0.1:9891 0.0.0.0:* LISTEN 5339/cilium-operato
tcp 0 0 127.0.0.1:2381 0.0.0.0:* LISTEN 4411/etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 4411/etcd
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 10155/puma 5.6.4 (t
tcp 0 0 127.0.0.1:4000 0.0.0.0:* LISTEN 10166/node
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1294/redis-server 1
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 10188/postgres
tcp6 0 0 :::30010 :::* LISTEN 1049074/hcio
tcp6 0 0 :::30000 :::* LISTEN 5835/nivenly
tcp6 0 0 :::4240 :::* LISTEN 6053/cilium-agent
tcp6 0 0 :::4244 :::* LISTEN 6053/cilium-agent
tcp6 0 0 :::6443 :::* LISTEN 4490/kube-apiserver
tcp6 0 0 :::22 :::* LISTEN 1381/sshd: /usr/bin
tcp6 0 0 :::80 :::* LISTEN 2234/nginx: master
tcp6 0 0 :::443 :::* LISTEN 2234/nginx: master
tcp6 0 0 :::3020 :::* LISTEN 2215/activity-relay
tcp6 0 0 :::3210 :::* LISTEN 1985318/grafana-ser
tcp6 0 0 :::9100 :::* LISTEN 2001801/prometheus-
tcp6 0 0 :::9090 :::* LISTEN 2001814/prometheus
tcp6 0 0 :::9115 :::* LISTEN 2001808/prometheus-
tcp6 0 0 :::10250 :::* LISTEN 2407/kubelet
tcp6 0 0 :::10256 :::* LISTEN 5398/kube-proxy
tcp6 0 0 ::1:6379 :::* LISTEN 1294/redis-server 1
tcp6 0 0 fd7a:115c:a1e0:ab:38425 :::* LISTEN 2281/tailscaled
tcp6 0 0 :::41053 :::* LISTEN 6053/cilium-agent
udp 0 0 0.0.0.0:41641 0.0.0.0:* 2281/tailscaled
udp 0 0 192.168.0.19:123 0.0.0.0:* 1403/ntpd
udp 0 0 100.116.92.92:123 0.0.0.0:* 1403/ntpd
udp 0 0 10.6.6.100:123 0.0.0.0:* 1403/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 1403/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 1403/ntpd
udp 0 0 0.0.0.0:8472 0.0.0.0:* -
udp6 0 0 :::41053 :::* 6053/cilium-agent
udp6 0 0 :::41641 :::* 2281/tailscaled
udp6 0 0 fe80::601a:e0ff:fe9:123 :::* 1403/ntpd
udp6 0 0 fe80::84ea:cbff:feb:123 :::* 1403/ntpd
udp6 0 0 fe80::44c1:56ff:fef:123 :::* 1403/ntpd
udp6 0 0 fe80::20ca:48ff:fed:123 :::* 1403/ntpd
udp6 0 0 fe80::10a9:bdff:fe2:123 :::* 1403/ntpd
udp6 0 0 fe80::6c80:43ff:fe1:123 :::* 1403/ntpd
udp6 0 0 fd7a:115c:a1e0:ab12:123 :::* 1403/ntpd
udp6 0 0 fe80::1f4f:4007:725:123 :::* 1403/ntpd
udp6 0 0 fe80::5ed6:56f2:f05:123 :::* 1403/ntpd
udp6 0 0 ::1:123 :::* 1403/ntpd
udp6 0 0 :::123 :::* 1403/ntpd
udp6 0 0 :::8472 :::* -
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 6053/cilium-agent
raw 214528 0 127.0.0.1:17 0.0.0.0:* 7 6053/cilium-agent
raw6 0 0 :::58 :::* 7 866/NetworkManager
<unix sockets omitted>
```

## List of Services

* Kubernetes
  * etcd
    * 10.6.6.100:2379/tcp
    * 10.6.6.100:2380/tcp
    * 127.0.0.1:2379/tcp
    * 127.0.0.1:2381/tcp
  * crio
    * 127.0.0.1:40871/tcp
  * kube-apiserver
    * :::6443/tcp6
  * kubelet
    * 127.0.0.1:10248/tcp
    * :::10250/tcp6
  * kube-proxy
    * 127.0.0.1:10249/tcp
    * :::10256/tcp6
  * kube-controller
    * 127.0.0.1:10257/tcp
  * kube-scheduler
    * 127.0.0.1:10259/tcp
  * cilium-operator
    * 127.0.0.1:9234/tcp
  * cilium-agent
    * 127.0.0.1:9876/tcp
    * 127.0.0.1:9890/tcp
    * :::4240/tcp6
    * :::4244/tcp6
    * :::41053/tcp6
    * :::41053/udp6
    * **0.0.0.0:1/raw**
    * **127.0.0.1:17/raw**
  * cilium-operator
    * 127.0.0.1:9891/tcp
* sshd
  * 0.0.0.0:22/tcp
  * :::22/tcp6
* tailscaled
  * 100.116.92.92:38425/tcp
  * fd7a:115c:a1e0:ab:38425/tcp6
  * 0.0.0.0:41641/udp
  * :::41641/udp6
* hachyderm
  * puma
    * 127.0.0.1:3000/tcp
  * redis-server
    * 127.0.0.1:6379/tcp
    * ::1:6379/tcp6
  * postgres
    * 127.0.0.1:5432/tcp
  * grafana
    * :::3210/tcp6
  * prometheus
    * :::9100/tcp6
    * :::9090/tcp6
    * :::9115/tcp6
* ntp
  * 192.168.0.19:123/udp
  * 100.116.92.92:123/udp
  * 10.6.6.100:123/udp
  * 127.0.0.1:123/udp
  * 0.0.0.0:123/udp
  * fe80::601a:e0ff:fe9:123/udp6
  * fe80::84ea:cbff:feb:123/udp6
  * fe80::44c1:56ff:fef:123/udp6
  * fe80::20ca:48ff:fed:123/udp6
  * fe80::10a9:bdff:fe2:123/udp6
  * fe80::6c80:43ff:fe1:123/udp6
  * fd7a:115c:a1e0:ab12:123/udp6
  * fe80::1f4f:4007:725:123/udp6
  * fe80::5ed6:56f2:f05:123/udp6
  * ::1:123/udp6
  * :::123/udp6
* Need additional context
  * nginx
    * Presumed to be in Kubernetes, but validate this before moving up the plan. There are two instances of nginx running, seen above as PID 5482 and PID 2234. Determine what each of these does.
    * PID 5482
      * 0.0.0.0:30020/tcp
    * PID 2234
      * 0.0.0.0:80/tcp
      * 0.0.0.0:443/tcp
      * :::80/tcp6
      * :::443/tcp6
  * node
    * 127.0.0.1:4000/tcp
  * hcio
    * :::30010/tcp6
  * nivenly
    * :::30000/tcp6
  * activity-relay
    * :::3020/tcp6
  * `-` (no owning process shown)
    * 0.0.0.0:8472/udp
    * :::8472/udp6
  * NetworkManager
    * :::58/raw6

* Properties:
  * Allow/deny services as necessary
  * rate limiting?
  * fail2ban for ssh