Blackd
adding web paranoia

preface

Most of the “live on CD” firewalls available on the net, free and commercial, have easy and comfortable web interfaces for their configuration routines. Those interfaces rely on web servers such as Apache or lighttpd, running with root privileges and outside any chroot.

pfSense is a FreeBSD-beta based firewall derived from m0n0wall, but it uses OpenBSD's pf for packet filtering. You can configure everything from the web: almost every piece of code, including the system init scripts and many other routines, is written in PHP. Configuration files are XML based.

pfw is another pf frontend written in PHP by Johan Allard, of Allard Consulting. The code is simpler, because its scope is only to configure pf, not the whole system. It is designed around OpenBSD, the “secure by default” system.

considerations

OpenBSD teaches us that chroot is good. Apache is chrooted by default there, and its chroot is stronger than on other systems. If you think of security as a process made of steps, then for the administrative scope of a simple firewall, having the web GUI in a chrooted environment means adding a little more security.

“A final comment on chroot vs non-chroot. With pfw in the typical firewall setup where it's not doing anything else than running as a firewall, the exposure of apache, php and pfw should be minimised in several ways. In most situations, a list of IPs where the administrators are coming from can be provided. Combined with ssl and http-authentication at the first page, the exposure is really minimal, and if you can't trust your firewall administrators not trying to get unauthorised access (if they aren't already authorised to access the firewall using a shell) then it seems that your real security problem is not running apache in a non-chrooted environment.” (http://www.allard.nu/pfw/security)

Blackd

Leaving a web GUI inside a chrooted environment, while still letting it change files and still get a result from those changes, is possible only with something outside the chroot jail that listens for changes and reacts by launching a command outside the chroot. For example, launching "pfctl -f /chroot/pf.conf" whenever something changes pf.conf.
The most obvious solution is a cron script that constantly checks, every N seconds, whether a file has been modified and, on a positive check, launches the appropriate command. It is not an “elegant” solution: it can take a lot of time when you have many files, and, last but not least, you never get the result immediately, you still have to wait for the next cron run.

But on OpenBSD, and on the other *BSDs, you can use kqueue(2), the kernel event notification mechanism, to monitor the changes made to a file. This opens a wide range of possibilities for reaching our goal.

This is how blackd works. There is an /etc/blackd.conf file with the syntax "file:command". On every change to file, command is executed.

# cat /etc/blackd.conf
/BM/pf/pf.conf:/sbin/pfctl -f /BM/pf/pf.conf && echo 1 > /tmp/test
/BM/vpn/access.list:/bin/checkvpn.sh
/BM/logs:/bin/cat /var/log/dansguardian/access.log|tail -10| mail admin@firewall

# ./blackd
0 /BM/pf/pf.conf /sbin/pfctl -f /BM/pf/pf.conf && echo 1 > /tmp/test
1 /BM/vpn/access.list /bin/checkvpn.sh
2 /BM/logs /bin/cat /var/log/dansguardian/access.log|tail -10| mail admin@firewall


Note that you can put multiple commands after the filename, using normal shell syntax.
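As an added example (not the Blackd project's own source), here is a minimal watcher of the same shape: it parses "file:command" lines exactly as described above, prints the same "index path command" listing, and on *BSD registers each file with kqueue(2) using an EVFILT_VNODE filter so that every change runs the command. Everything beyond what the page states is an assumption of this example: lines starting with '#' are comments, the size limits, an optional config path in argv[1], and the handling of editors that replace a file by rename. On a non-BSD host the kqueue part is compiled out and the program only lists the config.

```c
/* Added example, not the Blackd project's own source: a minimal blackd-style
 * watcher.  It parses "file:command" lines as the page describes and, on *BSD,
 * uses kqueue(2) EVFILT_VNODE to run the command whenever the file changes.
 * Assumed here: '#' comments, the size limits below, an optional config path
 * in argv[1], and reopening a file after it has been replaced by rename. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
#define HAVE_KQUEUE 1
#include <sys/types.h>
#include <sys/time.h>
#include <sys/event.h>
#endif
#define MAX_ENTRIES 64

struct entry {
    char path[256], cmd[1024];
    int fd;                 /* descriptor registered with kqueue, -1 if none */
};

/* Split "file:command" at the FIRST ':' (so the command itself may contain
 * colons).  Returns 1 on success, 0 for blank, comment or malformed lines. */
int parse_entry(const char *line, struct entry *e)
{
    const char *colon; size_t plen;
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '\r' || *line == '\n' || *line == '#')
        return 0;
    colon = strchr(line, ':');
    if (colon == NULL || colon == line || (plen = (size_t)(colon - line)) >= sizeof(e->path))
        return 0;
    memcpy(e->path, line, plen);
    e->path[plen] = '\0';
    snprintf(e->cmd, sizeof(e->cmd), "%s", colon + 1);
    e->cmd[strcspn(e->cmd, "\r\n")] = '\0';   /* drop the newline fgets keeps */
    e->fd = -1;
    return e->cmd[0] != '\0';
}

/* Load the config; returns the entry count, or -1 if it cannot be opened. */
int load_config(const char *cfgpath, struct entry *entries, int max)
{
    FILE *fp = fopen(cfgpath, "r");
    char line[1024]; int n = 0;
    if (fp == NULL) return -1;
    while (n < max && fgets(line, sizeof(line), fp) != NULL)
        n += parse_entry(line, &entries[n]);
    fclose(fp);
    return n;
}

#ifdef HAVE_KQUEUE
/* (Re)open one watched file and register it; EV_CLEAR makes the filter
 * edge-triggered, so one write yields one event rather than a busy loop. */
static void watch_one(int kq, struct entry *e)
{
    struct kevent kev;
    if (e->fd >= 0) close(e->fd);           /* closing the fd drops its old kevent */
    if ((e->fd = open(e->path, O_RDONLY)) < 0) { perror(e->path); return; }
    EV_SET(&kev, e->fd, EVFILT_VNODE, EV_ADD | EV_CLEAR,
           NOTE_WRITE | NOTE_EXTEND | NOTE_ATTRIB | NOTE_DELETE | NOTE_RENAME, 0, NULL);
    if (kevent(kq, &kev, 1, NULL, 0, NULL) < 0) perror("kevent");
}

static void event_loop(struct entry *entries, int n)
{
    struct kevent ev; int kq = kqueue(), i;
    if (kq < 0) { perror("kqueue"); exit(1); }
    for (i = 0; i < n; i++)
        watch_one(kq, &entries[i]);
    for (;;) {
        if (kevent(kq, NULL, 0, &ev, 1, NULL) < 1) continue;   /* EINTR: wait again */
        for (i = 0; i < n; i++) {
            if (entries[i].fd != (int)ev.ident) continue;
            /* An editor that writes a temp file and renames it over the original
             * reports NOTE_DELETE/NOTE_RENAME on the OLD vnode: reopen, then run. */
            if (ev.fflags & (NOTE_DELETE | NOTE_RENAME))
                watch_one(kq, &entries[i]);
            system(entries[i].cmd);   /* runs with the daemon's (root) privileges */
        }
    }
}
#endif

int main(int argc, char **argv)
{
    struct entry entries[MAX_ENTRIES];
    int i, n = load_config(argc > 1 ? argv[1] : "/etc/blackd.conf", entries, MAX_ENTRIES);
    if (n < 0) { perror("blackd.conf"); return 1; }
    for (i = 0; i < n; i++)      /* the "index path command" listing the page shows */
        printf("%d %s %s\n", i, entries[i].path, entries[i].cmd);
#ifdef HAVE_KQUEUE               /* elsewhere the program only lists the config */
    event_loop(entries, n);
#endif
    return 0;
}
```

Two points of the design matter for the trust boundary the page is about. The config file lives outside the chroot and must be owned by and writable only by root, because every command in it runs with the daemon's privileges; the chrooted web user can only change the contents of the watched files, never which command runs. And the watch is on the vnode, not the path: a file that is replaced by rename (the usual "write temp file, then rename" pattern) would silently stop being watched without the reopen on NOTE_DELETE/NOTE_RENAME.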

Download Blackd 0.03alfa

Note that Blackd is an alpha release and is absolutely not well tested. Although kqueue is in every *BSD, we have only tested it on OpenBSD 3.9.
We'd really appreciate your feedback at blackd <at> addssecurity.com