Article by Mark Boyd

www.simpleit.tumblr.com

The basics of a firewall rule

M ost all of t he inf ormat ion in this below writ ing piec e is inf ormat ion dis s eminat ed f rom www. s ans . org and its af f iliat es. M y ex perienc e is in t he M anaged Serv ic es Prov ider s ect or , more s pec if ic ally, t he Educ at ion v ert ic al

Understanding firewall rules: Source > Destination > Traffic Type > Allow / Deny. There you have it, you now understand firewalls. Move along people, nothing to see here. Or is there? In this article, I will talk briefly about how a basic firewall rule works. I wont be talking about packet inspection, I wont be talking about NAT and its intricacies, theres plenty of information on the old interwebs1 about that. Firewalls can be big complex beasts; this article might be seen as a for dummies guide to just one topic inside a firewall You will find this article is general in nature; it doesnt go into a huge amount of detail. This article is largely brand agnostic. If you are looking for a shameless plug for a reputable firewall company, I recommend Fortinet. Fortinet firewalls are well priced, feature full firewalls from SOHO to enterprise. I use Fortinet because they are powerful, quick and secure. For more information on Fortinet gear visit here Alright, lets get started. As always, decide what you are trying to achieve. In this example we want to block all traffic from 192.168.1.0 out to the internet except web traffic, and allow 172.16.0.0 traffic out to the internet. Arrive Pseudo code. Now dont be afraid, I have preached before that programming is the square root of everything evil and nasty, and I maintain that disposition, however, writing something out logically (Pseudo Code) is helpful. It logically spells out what you are trying to do. Lets try it. Source Traffic: 172.16.0.0 /16, Destination: Anywhere (0.0.0.0), Traffic type: Any, Allow / Deny Source Traffic: 192.168.1.0 /24, Destination: Anywhere (0.0.0.0), Traffic type: port 80, Allow / Deny explicitly deny any other traffic Looks simple enough? Good. But make sure to understand some common I.T lingo. - Common Service ports (Port 80 for HTTP, Port 443 for HTTPS, Port 53 for DNS etc) - Common Subnet allocations for IPV4, 16 = 255.255.0.0, /24 = 255.255.255.0 and so on - What the 0.0.0.0 IP Address designation is and how to use it. Confused? Remember the rule: source > destination > traffic type > allow / deny. Think about these statements if you get confused making firewall rules. - All firewall rules are in essence just an access control list. - All access control lists can be converted logically into an if then else type statement. - Remember that all Access control lists / firewall rules end with an explicit deny rule. - If your firewall rule doesnt work, think wether your traffic matches the rule. - Most useful, remember most good firewalls log allow / deny requests, the logs are your friend. Next article: Top tools for top administrators
1

(Deviate for a second, Microsoft Word doesnt believe interwebs is a word, it is now, and I implore you to add it to your dictionaries)

Thursday, 23 June 2011

Page 1