Contact our honeypot department if you are desperate to get blacklisted.

Wednesday, December 30, 2009

Iptables comments

When working as a team, sharing information is critical. Nothing beats inline comments for this, as programmers and *nix admins will appreciate. For years I've been frustrated with the lack of comments in our *nix iptables files. What is this rule? Who put this here? Is it still valid? One could put helpful comments in the /etc/sysconfig/iptables file, but they'd be overwritten if anyone ran "iptables-save" or "service iptables save" (the latter being a recent and pleasant discovery).

Like most things *nix, the answer has been there all along; I just never looked in the right place for it. Strangely, I found this one in the man page for iptables. Fancy that! Simply add an additional packet matching module, in this case the comment module, in your rule definition. Rules and caveats:

  • It can be anywhere in the rule _before_ the -j or "jump" bit.
  • It is limited to 245 characters.
  • There is only one directive used by the comment module: --comment ""
  • Remember to wrap your comment in _double_ quotes.


[root@localhost]# iptables -I INPUT 1 -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT


results in:
[root@localhost]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.10.0/24 anywhere state NEW tcp dpt:ssh /* this is a comment */

Remember to run "service iptables save". Enjoy!
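Once rules carry comments, the next question is which rules still don't. The following audit script is an added example (not from the original post) that reads an iptables-save dump and reports the rules lacking a comment match, plus a coverage count; the dump below is constructed for the example, and on a live host you would feed it "iptables-save" output instead.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for rules without "-m comment".
# Assumes the standard iptables-save line format; sample data is constructed.

# Print every -A rule from the dump on stdin that has no comment match module.
uncommented_rules() {
    awk '/^-A / && !/-m comment --comment/ { print }'
}

# Count commented vs. total -A rules on stdin; prints "commented total".
comment_coverage() {
    awk '/^-A / { total++; if (/-m comment --comment/) commented++ }
         END { printf "%d %d\n", commented+0, total+0 }'
}

# Constructed sample in iptables-save format (not rules from any real host).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "web tier, ticket 1234" -j ACCEPT
-A INPUT -s 192.0.2.9/32 -j DROP
COMMIT'

# Run the audit over the constructed sample (hypothetical helper names).
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | uncommented_rules
}
coverage_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | comment_coverage
}

# On a real host (as root): iptables-save | uncommented_rules
```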

Thursday, December 3, 2009

Cisco ASA 5505 licensing caveats

While the Cisco ASA firewall appliance is a nice piece of work, it is a bit like a British sports car: it's great when it's working and not so great when it's not. In addition to the usual code-based caveats to watch out for, there are also a few licensing issues to be aware of on the ASA5505. The output of the "show ver" command will quickly display the limitations of your ASA:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        

This platform has a Base license.

Here is an example of the Security Plus License feature set:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25       
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.



A brief explanation of the items highlighted (in red in the original post) in the Base license output, namely "Inside Hosts: 10" and "VLANs: 3, DMZ Restricted":
  1. Only 10 hosts from the DMZ and LAN combined may communicate with the Outside interface at any one time.
  2. Only 2 fully-functional VLANs (inside and outside, usually) are permitted. The 3rd VLAN, typically a DMZ, can only be activated with the "no forward vlan n" command, which prevents it from initiating connections to one of the other VLANs, usually the inside:



    interface Vlan3
     description DMZ
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address


Fortunately, it still permits replies from connections initiated from the inside to the DMZ. ***Use caution here and think it through*** This means that:
  • You cannot host your DNS server (frequently also your Windows Domain Controller) on your inside vlan.
  • Your backup strategy may fail. If your backup server is on the inside vlan, you won't be able to SSH (and by extension SCP, RSYNC, etc.) to it. You can still SSH from the inside to the DMZ of course...
  • An SMTP server on the DMZ cannot initiate LDAP queries (or other methods of recipient verification) to an inside host.


It would appear that only the 5505 (e.g. not the 5510, nor the 5520 etc.) offers this DMZ limitation. See Cisco's Comparison Chart for more details. So before you think you've just gotten a great deal on a refurbished firewall from Brian at Network Liquidators (hint hint), make sure you've asked yourself, and your vendor, the right questions.