firewall watchdog Rule
We should come up with a watchdog rule that tests whether or not certain netfilter rules are in place
- use `iptables` to gather current state
- maybe be smart such as: if we run an httpd let port 80 be open, look for `Port xxxx` in `sshd_config`, ...
- even if this rule has a tiny bit of "smartness" at its core, the user still has total control i.e. can add config on top or entirely override
- don't try to do too much though as watchdog is not ruleset creator
I guess what I am trying to say is for example: if I want all ports but 80 be closed from the outside, it would be nice to have a watchdog rule that could check that... e.g. after a reboot, maybe loading my iptables script into the kernel didn't work for some reason, someone fiddled with the live-config, some process...
What you would do then is create a Rule that tries to open either a UDP or TCP connection on a remote host: succeed if the connection starts, fail if the connection fails. This would allow a remote machine running watchdog to test the server ports.
I don't think that's the smart way to do it... for the same reason you don't run nmap against a machine continuously just to check whether or not its firewall settings are what you want them to be. I'd rather use `iptables-save` on the machine in question (triggered by a Rule) and compare it to what I wanted it to be (e.g. using a simple `diff` to compare the current state to what it should be). Sorry if I didn't manage to get the idea across initially :)
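The `iptables-save` plus `diff` check described in the thread, written out as an added example (not code from the watchdog project or from either poster). The expected-dump path is an assumption, and the sample dump at the bottom is constructed rather than captured from a real host:

```shell
#!/bin/sh
# Added example, not the watchdog project's code: snapshot the live ruleset
# with iptables-save and diff it against a saved "known good" dump, as the
# thread suggests. The expected dump path below is an assumption.
EXPECTED_RULES="${EXPECTED_RULES:-/etc/iptables/expected.rules}"

# Keep only what defines policy: drop '#' comment lines (they carry a
# timestamp), strip [packets:bytes] counters from chain headers, drop
# blank lines. Rule order inside a chain is kept: it affects matching.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if the two dumps describe the same ruleset, else 1 plus a unified
# diff on stdout so the alert shows exactly what drifted.
rules_match() {
    exp_n=$(mktemp); cur_n=$(mktemp)
    normalize_rules "$1" > "$exp_n"
    normalize_rules "$2" > "$cur_n"
    if diff -u "$exp_n" "$cur_n"; then rc=0; else rc=1; fi
    rm -f "$exp_n" "$cur_n"
    return $rc
}

# Watchdog entry point: 0 = OK, 1 = drift, 2 = could not check. A failed
# snapshot (iptables-save needs root) must never be reported as "OK".
check_live_firewall() {
    cur=$(mktemp)
    if ! iptables-save > "$cur" 2>/dev/null; then
        echo "firewall check: iptables-save failed (not root?)" >&2
        rm -f "$cur"; return 2
    fi
    if rules_match "$EXPECTED_RULES" "$cur"; then rc=0; else rc=1; fi
    rm -f "$cur"
    return $rc
}

# Constructed sample dump (not from a real host) for a dry run.
sample_expected() {
cat <<'EOF'
# Generated by iptables-save on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}
```

Because counters and timestamps are normalised away, a fresh `iptables-save` of an unchanged ruleset matches, while an added rule or a flipped chain policy shows up in the diff.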