ITVal is a tool for iptables configuration analysis. It can be used to:
- Detect unprotected ports/hosts.
- Determine whether certain services are incorrectly
blocked by the firewall.
- Validate changes to the firewall policy.
- Generate an equivalence class abstraction of the firewall policy that can be used to easily detect many different types of errors.
ITVal implements a query engine based on a simple query language that a system administrator can use to investigate firewall behaviors.
COMMAND LINE OPTIONS:
ITVal understands the following flags:
-q <query file>
Full Path to a query file.
-t <topology file>
Full Path to a topology mapping
The topology mapping is optional. It should be formatted as a
list of network interface, IP address pairs. For example:
eth0 192.168.1.1
eth1 70.5.123.110
-f <filter file>
Full Path to a filtering rule set file. This file is the output
of `iptables -L -n'.
-n <NAT file>
Full Path to a NAT rule set file. This file is the output of
`iptables -t nat -L -n'.
-F <verbose filter file >
Full Path to a filtering rule set file. This file is the output
of `iptables -v -L -n'.
-N <verbose NAT file>
Full Path to a NAT rule set file. This file is the output of
`iptables -t nat -v -L -n'.
The output of the query engine can be modified and used as a query file.
CONSTRUCTING QUERIES AND ASSERTIONS:
An ITVal query file consists of a number of group and service definitions, followed by any number of query and/or assertion statements. Group and service definitions can be mixed with queries and assertions in any order as long as the definition of a group or service precedes every use.
GROUP DEFINITIONS
A group definition allows the user to name a list of IP addresses for easier future reference. The syntax is as follows:
GROUP <name> <list>;
The name must be unique and must be alphanumeric. The list is a space-separated sequence of IP addresses in dot notation. It is permissible to use the '*' character as a wildcard.
- Example
GROUP mail_clients 192.168.1.1 192.168.1.3 192.168.2.*;
SERVICE DEFINITIONS
A service definition is analogous to a group definition, but for various network services, specified by port number. The syntax is:
SERVICE <name> <list>;
Where name is unique and list is a space separated list of <protocol> <port> pairs. The '*' character may be used as a wildcard for the port number and the protocol "BOTH" can be used to specify both TCP -AND- UDP connections.
- Example
SERVICE mail TCP 25 TCP 110 TCP 993;
QUERY STATEMENTS
Queries have the syntax:
QUERY <subject> <condition>;
The "subject" parameter specifies what information ITVal should display for packets that match the query condition. The valid subjects are:
SADDY Source Address DADDY Destination Address SPORT Source Port DPORT Destination Port STATE Connection State
The "condition" parameter specifies criteria against which all packets will be considered. All packets that match the conditions are displayed. The query condition is built from eleven primitives:
FROM <source> Matches source address
TO <destination> Matches destination address
ON <source> Matches source port
FOR <destination> Matches destination port
IN <state> Matches connection state WITH <flag> Matches active TCP flag INFACE <iface> Matches incoming network interface OUTFACE <iface> Matches outgoing network interface LOGGED Matches if there is a rule that MAY log the packet.
ACCEPTED <chain> Matches all packets accepted by built-in chain <chain>. DROPPED <chain> Matches all packets discarded by built-in chain <chain>.
These primitives can be combined with the logical operators "AND", "OR", and "NOT". Parentheses can be used to disambiguate expressions. Otherwise, precedence is from left to right.
- Examples
QUERY SADDY FROM 192.168.1.1 AND FOR mail; QUERY DPORT (NOT FROM mail_clients OR TO 192.168.1.4) AND NOT LOGGED; QUERY DPORT NOT FROM 192.168.1.* AND INFACE eth0;
ASSERTIONS
The user can also provide ITVal with a set of assertions to verify. ITVal will check each assertion and determine whether it is true or false. The syntax for assertion statements is as follows:
ASSERT <condition> <assertion_operator> <condition>;
Both conditions are defined as for QUERY statements (see above). The assertion operator can be either "IS" or "SUBSET OF". The "IS" operator tests whether the set of packets described by the left condition is precisely equivalent to the set of packets described by the right condition. The "SUBSET OF" operator tests whether the set of packets described by the left condition is (not strictly) contained in the set described by the right condition.
- Examples
//SSH packets, and only SSH packets, are accepted from subnet 192.168.1.0/24 ASSERT (ACCEPTED INPUT AND FROM 192.168.1.*) IS (FROM TCP 22);
//All hosts on 192.168.2. can be reached by some packet ASSERT TO 192.168.2. SUBSET OF ACCEPTED FORWARD;
CLASSES
Network hosts can be grouped into classes based on which services the firewall allows them to access and provide. ITVal provides a special query (QUERY CLASSES) that generates a list of which hosts belong to which group. This list can be used to easily detect certain kinds of anomalies in the firewall policy. For instance, if your mail server shows up in the same group as an untrusted host from outside your network, you probably have a typo or other error. (For more, see the proceedings of LISA '06). Similarly, the set of all services can be partioned into classes (based on which hosts can use those services), with the "SCLASSES" query.
- Examples
QUERY CLASSES;
QUERY SCLASSES;