ITECH2108 Topic 10

Firewalls

Advanced Network Services

Topic 10 - Firewalls


What is a firewall?
  It is not a virus scanner
    Although it might include that
  It is not a secure communication system
  A firewall regulates network traffic
    At some network boundary
      In and out of your home computer
      Through your broadband router
      Through a computer configured as router

Classes of firewall
  Network layer - our focus
    Inspect each packet at the network & transport layer
    Accept/reject according to rules
  Application layer
    Particular to an application
    Eg ftp, telnet
    Filter on content
  Stateless/Stateful
    Keeps a check on responses relative to requests

Stateful example
  Consider user accessing Web site
  Stateless firewall will need to say:
    All outbound port 80 traffic OK
    All inbound non-SYN traffic OK
  Stateful firewall can say:
    All outbound port 80 traffic OK
    Inbound traffic for open connections OK
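The two policies on this slide, run side by side over the same packets. This is an added example written for these notes, not code from the ITECH2108 slides. The packet trace, the addresses (10.0.0.5 as our host, 203.0.113.10 as the web server, 198.51.100.7 as an unrelated host) and the port numbers are all constructed, and "non-SYN" is taken to mean "not a SYN-only packet" (SYN set, ACK clear), which is how the iptables --syn match defines a connection-opening packet.

```python
# Added example, not from the ITECH2108 slides: a toy model of the stateless
# and stateful policies on the "Stateful example" slide.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = from our host to the Internet, "in" = towards our host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

    def syn_only(self):
        # A connection-opening packet: SYN set, ACK clear (what iptables' --syn matches).
        return self.syn and not self.ack


def stateless_allows(pkt):
    """Slide policy: all outbound port 80 traffic OK, all inbound non-SYN traffic OK.
    There is no memory, so any inbound packet that is not a bare SYN passes."""
    if pkt.direction == "out":
        return pkt.dport == 80
    return not pkt.syn_only()


class StatefulFirewall:
    """Slide policy: all outbound port 80 traffic OK, inbound traffic only for
    connections that were opened from the inside."""

    def __init__(self):
        # (local ip, local port, remote ip, remote port) for each open connection
        self.open = set()

    def allows(self, pkt):
        if pkt.direction == "out":
            if pkt.dport != 80:
                return False
            self.open.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: the packet's (dst, src) must mirror a connection we opened
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.open


def constructed_trace():
    """Constructed packet trace (addresses are from documentation ranges)."""
    host, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    return [
        Packet("out", host, 40001, web, 80, syn=True),           # 1 open web connection
        Packet("in", web, 80, host, 40001, syn=True, ack=True),  # 2 SYN-ACK reply
        Packet("in", web, 80, host, 40001, ack=True),            # 3 page data
        Packet("in", stranger, 4444, host, 22, ack=True),        # 4 unsolicited ACK to ssh
        Packet("in", stranger, 4444, host, 22, syn=True),        # 5 unsolicited SYN to ssh
        Packet("out", host, 40002, web, 25, syn=True),           # 6 outbound mail, not port 80
    ]


def evaluate(trace):
    """Return the verdict list (True = OK, False = blocked) of each policy over the trace."""
    stateful = StatefulFirewall()
    return {
        "stateless": [stateless_allows(p) for p in trace],
        "stateful": [stateful.allows(p) for p in trace],
    }


if __name__ == "__main__":
    for name, verdicts in evaluate(constructed_trace()).items():
        print(name, ["OK" if v else "blocked" for v in verdicts])
```

Packet 4 is the one that separates the two: the stateless rule has to let every inbound non-SYN packet through because it cannot tell a reply from an unsolicited packet, while the stateful firewall only passes inbound packets that mirror an entry in its connection table.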

What kind of attacks?
  Denial of Service (DOS)
    Anything that ties up server resources
    Why?
      To slow things down
      To distract from some other attack
  TCP connect to listening port
    Once connected, attempt to break in
    Buffer overflow might allow the attacker's code to execute
  Many, many others



Packet-level operations
  A network layer firewall involves inspection of each packet
  Where does this occur?
    In the OS kernel
      Privileged operation
      Requires root/Administrator login
    In User Space
      More relaxed

How it's done on Windows
  (Diagram: the Windows networking stack, split into User and Kernel. User side: Networking Application, winsock, Transport Driver Interface. Kernel side: TCPIP driver, with the W2K packet filtering interface, and the NDIS Driver. The diagram marks where an application layer firewall and a network layer firewall sit in this stack.)


How it's done on Linux
  Same User/Kernel split
  Kernel includes netfilter hooks
  Kernel filtering controlled by user space programs
    ipfw
    ipchains
    iptables
      This is what we will study

ipfw
  The earliest framework for configuring netfilter
  Still used in BSD Unix
  Can't handle non-IP rules
  Simple rule format:
    add 1000 allow all from any to any
  (Annotated on the slide: 1000 is the rule number, and the lowest-numbered rule that fits is followed. allow is the action: allow, deny, reset or count. all is the type, eg tcp, icmp. from any to any gives the source & dest.)

ipchains netfilter architecture
  Packets move through the kernel and can have rules from a chain applied
  (Flowchart: packets enter the input chain, then reach the routing decision "To be routed?"; from there they go either through the forward chain or to Process (the local machine), and packets leaving the machine pass through the output chain.)

ipchains why not?
  The main disadvantages of ipchains
    Excessive activity for the input chain rules
      Because they are applied before the routing decision
    Only stateless rules can be defined
    Not extensible
      What about completely new criteria?
      No way to add them
  Note lower case chain names



iptables netfilter architecture
  An improved flowchart for packets allows less use of the INPUT chain
  (Flowchart: the routing decision "To be routed?" comes first; packets for this machine go through the INPUT chain to Process, locally generated packets leave through the OUTPUT chain, and packets being routed through the machine go only through the FORWARD chain.)

Adding two more steps
  The extra steps are places where we could apply rules like NAT
  (Flowchart: PREROUTING before the routing decision "To be routed?"; then INPUT to Process and OUTPUT, or FORWARD; POSTROUTING after everything, just before the packet leaves.)

So what are the tables?
  In iptables tables are a collection of chains
  There are 3 built-in tables:
    filter
      INPUT, OUTPUT and FORWARD chains
    nat
      PREROUTING, POSTROUTING and OUTPUT chains
    mangle (other changes in packets eg QoS options)
      All the chains!

iptables rule format
  [command-type] [pattern-match-options] -j [target]
  (Annotated on the slide: command-type is add, delete, list etc on a specified chain; pattern-match-options are protocol, port, interface and many other options; target is DROP, REJECT, ACCEPT or LOG.)

iptables command types
  -L <chain>
    List rules in chain
  -F <chain>
    Flush all rules from the chain
  -P <chain>
    Set policy for chain (eg ACCEPT, REJECT)
    Compare with ipfw approach
  -A <chain>
    Add (append) a rule to the chain (insert -I and replace -R also)
  -D <chain> <rule number>
    Delete a rule from the chain
  -N <chain name>
    Create a new chain

iptables pattern match options
  Unbounded given the extensibility, but:
  -p [protocol]
    tcp, udp or icmp
  -d [address/mask], -s [address/mask]
    Destination/source address
  --dport [port], --sport [port]
    Destination/source port
  -i [interface], -o [interface]
    eth0, wlan0: a standard Linux interface, in or out
  -m state --state state_type
    For tcp: NEW, ESTABLISHED. For icmp: RELATED
  --icmp-type [typename]
    Such as ECHO, REPLY



iptables targets
  ACCEPT
    Stop processing, let the packet through
  DROP
    Stop processing - silently
  LOG
    Make an entry in the log
  REJECT
    Stop processing and try to reply with an appropriate message
  DNAT
    Modify packet with specified dest address for Destination NAT
  SNAT
    Modify packet with specified source address for Source NAT
  MASQUERADE
    Modify packet with dynamically assigned source address

Saving the rules
  The rules you have created can be saved to /etc/sysconfig/iptables
  Use: service iptables save
  These rules will be re-established at startup


Reading some rules


# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all SSH and Web server connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Reject and log all other inbound
-A INPUT -j LOG
-A INPUT -j REJECT
-A FORWARD -j LOG
-A FORWARD -j REJECT
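To see how the rules above behave, here is an added example (written for these notes, not code from the slides or from the iptables project) that parses the slide's rule lines and walks them the way the kernel does: the first matching terminating rule (ACCEPT, DROP, REJECT) decides, LOG records the packet and lets the walk continue, and a packet that matches nothing gets the chain policy. The connection-tracking state is supplied as a field of each constructed packet rather than tracked, the chain policy is assumed to be ACCEPT (the iptables default), and only the options the slide uses (-A, -i, -p, --dport, -m state --state, -j) are parsed.

```python
# Added example, not from the ITECH2108 slides: a small evaluator that walks
# the rules on the "Reading some rules" slide the way iptables does (first
# match wins, except that LOG is non-terminating), over constructed packets.
import shlex
from dataclasses import dataclass, field

RULES_TEXT = """\
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all SSH and Web server connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Reject and log all other inbound
-A INPUT -j LOG
-A INPUT -j REJECT
-A FORWARD -j LOG
-A FORWARD -j REJECT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG lets the walk continue


@dataclass
class Packet:
    iface: str    # input interface, e.g. "lo" or "eth0"
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (meaningless for icmp)
    state: str    # connection-tracking state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    chain: str = None
    target: str = None
    iface: str = None
    proto: str = None
    dport: int = None
    states: set = field(default_factory=set)

    def matches(self, pkt):
        # Every option present on the rule must match; absent options match anything.
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def parse_rules(text):
    """Parse the subset of iptables rule syntax used on the slide into chains."""
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        rule, i = Rule(), 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]     # every option here takes one argument
            if opt == "-A":
                rule.chain = arg
            elif opt == "-i":
                rule.iface = arg
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-m":
                pass                            # match module name; its options follow
            elif opt == "--state":
                rule.states = set(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            i += 2
        chains[rule.chain].append(rule)
    return chains


def walk(chains, chain_name, pkt, policy="ACCEPT"):
    """Return (verdict, number of LOG entries) for pkt traversing the chain.
    A packet that matches no terminating rule gets the chain policy."""
    logged = 0
    for rule in chains[chain_name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target, logged
        if rule.target == "LOG":
            logged += 1                         # LOG records the packet and keeps going
    return policy, logged


CHAINS = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for p in (Packet("lo", "tcp", 5432, "NEW"), Packet("eth0", "tcp", 22, "NEW"),
              Packet("eth0", "tcp", 8080, "NEW"), Packet("eth0", "tcp", 8080, "ESTABLISHED")):
        print(p, "->", walk(CHAINS, "INPUT", p))
```

Two things the walk makes visible: a NEW packet to port 8080 is logged once and then rejected, while an ESTABLISHED packet to the same port is accepted by the second rule before the port rules are even reached; and because the ordering of LOG before REJECT matters, swapping those two lines would silently stop the log entries.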

The nat table
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  This single entry does it
  (Annotated on the slide: -t nat selects the nat table; -A appends the rule; POSTROUTING is the chain; -o ppp0 is the dial up interface; MASQUERADE is the right kind of mangling.)
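What that single MASQUERADE entry does to a packet, as an added example written for these notes (not code from the slides or from netfilter): outbound packets leaving via ppp0 get their source rewritten to that interface's current address and the mapping is remembered, replies are translated back to the inside host, and anything arriving from outside with no mapping is left untranslated. The addresses are constructed (the lab's 192.168.a.x with a = 10, 198.51.100.1 as the ppp0 address, 203.0.113.9 as a web server), and one simplification is assumed: every new flow gets a fresh public port, whereas real MASQUERADE keeps the original source port when it is free.

```python
# Added example, not from the ITECH2108 slides: a toy model of what the
# POSTROUTING MASQUERADE rule does on a NAT router, with constructed packets.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    out_iface: str = None   # interface the routing decision chose; None for inbound


class Masquerade:
    """Rewrite the source of packets leaving via `iface` to that interface's
    current address, remember the mapping, and undo it for the replies.
    Assumption for this example: every new flow gets a fresh public port."""

    def __init__(self, iface, iface_addr, first_port=40000):
        self.iface = iface
        self.addr = iface_addr        # MASQUERADE re-reads this per packet on a dial-up link
        self.next_port = first_port
        self.outbound = {}            # (inside ip, inside port, dst, dport) -> public port
        self.inbound = {}             # (public port, remote ip, remote port) -> (inside ip, inside port)

    def postrouting(self, pkt):
        """Models: iptables -t nat -A POSTROUTING -o <iface> -j MASQUERADE"""
        if pkt.out_iface != self.iface:
            return pkt                # -o ppp0 did not match: other interfaces untouched
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.addr, sport=self.outbound[key])

    def prerouting(self, pkt):
        """Reverse translation for a packet arriving on the public side.
        Returns None when no connection maps to it (unsolicited traffic)."""
        inside = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo():
    """Constructed scenario: the lab's 192.168.a.x with a = 10, a public
    address 198.51.100.1 on ppp0, and a web server at 203.0.113.9."""
    nat = Masquerade("ppp0", "198.51.100.1")
    client = Packet("192.168.10.2", 5000, "203.0.113.9", 80, out_iface="ppp0")
    on_wire = nat.postrouting(client)                        # what the web server sees
    reply = Packet("203.0.113.9", 80, on_wire.src, on_wire.sport)
    delivered = nat.prerouting(reply)                        # translated back to the client
    stray = nat.prerouting(Packet("203.0.113.9", 80, "198.51.100.1", 40001))   # no mapping
    lan_only = nat.postrouting(Packet("192.168.10.2", 5001, "192.168.10.1", 22, out_iface="eth0"))
    return on_wire, delivered, stray, lan_only


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The reverse lookup is keyed on the public port together with the remote address and port, so a packet from outside that does not belong to a flow the inside started has no entry and is not forwarded in: the NAT table doubles as a coarse stateful filter for the private network, which is why a single MASQUERADE entry "does it" for a home router.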


Easing rule writing
  iptables rules are quite hard to write!
  Firewall Builder
    Available on ADIOS, and can be downloaded for Windows
    It creates rules in a generalised XML format and then compiles them into rules for a specific platform (eg iptables on Linux)
    Although the tool is available for Windows too, the actual firewall will always be on Linux

The lab
  Build a test environment
  (Diagram: NAT Router A (Linux), with a public address on the outside, and a Client (Linux or Windows); the private side uses the addresses 192.168.a.1 and 192.168.a.2.)
  Apply Linux firewalls



Virtual machines to the rescue


User Mode Linux (UML)

