Firewalls

This section discusses advanced configuration options for firewalls.

Privilege Management for Unix and Linux can communicate through firewalls. To configure a firewall, it is necessary to know the following:

  • TCP/IP concepts and terms
  • How Privilege Management for Unix and Linux establishes a connection
  • Which directions the firewall is filtering

TCP/IP Concepts and Terms

In a TCP/IP network, a connection or communications channel between two processes is made up of a path through the network with a socket at each end. Each socket has its own identifying address consisting of its host ID (IP address) and a port number. The combination of the two socket addresses uniquely defines the channel in that network.

Port numbers can be assigned by the user or selected by the operating system. In some cases, the port number is well known and established by tradition. For example, FTP has used port 21 for many years. To establish an FTP session, a process opens a socket (identified by the local host ID and a port number that is assigned by the operating system) and attempts to connect it to the socket that is identified by the combination of the remote host ID and port 21. Historically, port numbers below 1024 are usually reserved for programs that are run by root, while ports from 1024 through 65535 are open for use by any program.

By default, pbmasterd uses port 24345, pblocald uses port 24346, pblogd uses port 24347, and pbguid uses ports 24348 and/or 24349. The user can reassign these by changing the port number in their services file and in the settings file. Aside from those ports, Privilege Management for Unix and Linux is content to let the operating systems assign ports for the rest of its connections, unless there is a firewall in the middle.

A firewall is a security mechanism that controls network traffic that tries to pass through it. Privilege Management for Unix and Linux can work with packet-filtering firewalls. A packet-filtering firewall can allow traffic on designated ports to pass through it with no filtering.

To work with a firewall, both Privilege Management for Unix and Linux and the firewall have to agree on which ports can pass through the firewall. As an extra measure of security, Privilege Management for Unix and Linux makes use of reserved ports (numbered less than 1024) to initiate connections across a firewall. Doing so helps assure the remote machine that it is being contacted by a root-enabled program on the other end. The remote end of the connection can use any non-reserved ports that the firewall permits.

Previously, connections could be originated using reserved ports only. Beginning with v3.2, connections can be originated using reserved and non-reserved ports. On the receiving side, connections from non-reserved ports can be enabled by setting allownonreservedconnections to true.

The range of reserved ports that can be used to initiate outbound connections is defined in the settings file in v3.2 and later using minoutgoingport and maxoutgoingport.

In v3.2 and later, the non-reserved ports that can be used on the receiving side are defined in the settings file using minlisteningport and maxlisteningport.

Privilege Management for Unix and Linux Connections

Before you learn how Privilege Management for Unix and Linux establishes connections across a firewall, it is important to understand how Privilege Management for Unix and Linux establishes connections in general. The following example shows a typical session without I/O logging.

A user starts pbrun to access a command.

pbrun opens a port in the range from the minoutgoingport to the maxoutgoingport and attempts to connect to the pbmasterd well-known port on the policy server host.

If the pbmasterd policies reject the request, then pbmasterd opens a port in the minoutgoingport to maxoutgoingport range, attempts to connect it to pblogd’s well-known port on the log host to log the rejection, and the process ends here.

If the pbmasterd policies accept the request, then pbmasterd opens a port in the minoutgoingport to maxoutgoingport range, and attempts to connect it to the pblocald well-known port on the run host.

pblocald opens a port in the minoutgoingport to maxoutgoingport range, and attempts to connect it to pblogd’s well-known port on the log host. pblocald then sends the accept information to the log server. pblocald then closes the log server connection.

If the configuration permits, pblocald attempts to connect directly to pbrun, freeing pbmasterd to exit from the job stream. pblocald does this by obtaining a port in the minoutgoingport to maxoutgoingport range and attempting to connect to a port in the minlisteningport to maxlisteningport range on which pbrun is listening (pbrun’s actual port number is passed to pblocald through pbmasterd). pbmasterd can then exit. If pblocaldreconnection is set to true, then pbrun will originate and pblocald will listen.

pblocald runs the requested job. When it finishes, it opens another connection to the log server to log the finish status of the job.

Connections Across a Firewall

A full Privilege Management for Unix and Linux session requires two to six connections. Generally, there are two types of connections:

  • Connection to a well-known port
  • Dynamic connection (to an ephemeral listening port)

When connecting to a well-known port, the originator asks the operating system for a port in the range between minoutgoingport and maxoutgoingport. The port number is selected by the operating system and is called an ephemeral port. This port is opened on the originating side and connected to the well-known port on the target side. The firewall must be able to pass traffic on the well-known port. No configuration is needed for Privilege Management for Unix and Linux in this case. The following table summarizes the connection information for well-known ports.

Originator   Outbound Port Type   Target      Inbound Port Type   Default
pbrun        Ephemeral            pbmasterd   Well known          24345
pbmasterd    Ephemeral            pblocald    Well known          24346
pbmasterd    Ephemeral            pblogd      Well known          24347
pblocald     Ephemeral            pblogd      Well known          24347

The second type of connection is a dynamic connection. These connections originate on a port in the range from minoutgoingport to maxoutgoingport that is selected by the originating machine’s operating system (an ephemeral port) and connect to a listening port on the target end (also an ephemeral port).

For this configuration, the firewall must be configured to pass a range of ports and Privilege Management for Unix and Linux must be configured to use those ports. If the originating side is filtered, the firewall needs to allow a range of reserved ports to pass. Beginning with Privilege Management for Unix and Linux v3.2, the port range should be configured in the firewall and the same range of ports should be set in pblocald’s settings file with the settings minlisteningport and maxlisteningport.

If the target machine is filtering incoming traffic, then the firewall should be configured to pass the listening ports, and the submit host and the log host should set the same port range in their respective settings files, using the minlisteningport and maxlisteningport settings (Privilege Management for Unix and Linux v3.2 and later).

The dynamic connections from pblocald are summarized in the following table. Setting pbrunreconnection and/or pblogreconnection to true reverses the direction of the connections that are listed in it.

Originator                      Outbound Port Type       Settings File                       Target    Inbound Port Type         Settings File
pblocald                        Ephemeral, reserved      minoutgoingport, maxoutgoingport    pbrun     Ephemeral, non-reserved   minlisteningport, maxlisteningport
pblocald (when logmktemp()      Ephemeral, reserved      minoutgoingport, maxoutgoingport    pblogd    Ephemeral, non-reserved   minlisteningport, maxlisteningport
  is used in a policy)
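As an added example (not BeyondTrust's code) that ties together the session flow in "Privilege Management for Unix and Linux Connections" and the port-range settings in this section: the script below lists the connections one session needs a firewall to pass, for an accepted or rejected request and with or without the reconnection settings, and checks the outgoing and listening ranges against the constraints the text states. The "keyword value" settings-file format and the sample values are assumptions.

```python
# Added example: derive the connections a firewall must pass for one session.
# Port defaults, setting names and the connection sequence follow the text above.
WELL_KNOWN = {"pbmasterd": 24345, "pblocald": 24346, "pblogd": 24347}
RESERVED_MAX = 1023  # ports below 1024 are reserved for root-run programs

SETTINGS = """minoutgoingport 600      # reserved range used to originate connections
maxoutgoingport 1023
minlisteningport 49152   # non-reserved range for the listening (dynamic) end
maxlisteningport 65535"""

def parse_settings(text):
    """Parse 'keyword value' lines; '#' starts a comment (assumed, constructed format)."""
    settings = {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def port_ranges(s):
    """((minoutgoingport, maxoutgoingport), (minlisteningport, maxlisteningport)) as ints."""
    return tuple((int(s["min" + k]), int(s["max" + k])) for k in ("outgoingport", "listeningport"))

def check_ranges(s):
    """List conflicts between the two ranges and the rules stated in the text."""
    (lo, hi), (llo, lhi) = port_ranges(s)
    problems = []
    if not (1 <= lo <= hi <= 65535 and 1 <= llo <= lhi <= 65535):
        problems.append("each range must satisfy 1 <= min <= max <= 65535")
    if hi > RESERVED_MAX:  # allowed from v3.2, but every receiving host must opt in
        problems.append("outgoing range uses non-reserved ports; set allownonreservedconnections true on receivers")
    if max(lo, llo) <= min(hi, lhi):
        problems.append("outgoing and listening ranges overlap")
    return problems

def session_rules(s, accepted=True, logmktemp=False,
                  pbrunreconnection=False, pblogreconnection=False):
    """Connections of one session as (originator, source ports, target, target ports)."""
    out, listen = port_ranges(s)
    def wk(src, dst):  # ephemeral reserved port -> the daemon's well-known port
        return (src, out, dst, (WELL_KNOWN[dst], WELL_KNOWN[dst]))
    def dyn(src, dst, reverse):  # ephemeral -> listening range; *reconnection flips it
        return (dst, out, src, listen) if reverse else (src, out, dst, listen)
    rules = [wk("pbrun", "pbmasterd")]
    if not accepted:  # the rejection is logged and the session ends
        return rules + [wk("pbmasterd", "pblogd")]
    rules += [wk("pbmasterd", "pblocald"), wk("pblocald", "pblogd")]  # accept record
    rules.append(dyn("pblocald", "pbrun", pbrunreconnection))  # direct I/O channel
    if logmktemp:  # only when a policy calls logmktemp()
        rules.append(dyn("pblocald", "pblogd", pblogreconnection))
    rules.append(wk("pblocald", "pblogd"))  # finish status
    return rules
```

The rule count runs from two (rejected request) to six (accepted request with logmktemp()), matching the "two to six connections" stated above.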