Firewalls
Topic 10 - Firewalls
What is a firewall?
It is not a virus scanner, although it might include one.
Classes of firewall
- Network layer: our focus
- Application layer: particular to an application (e.g. ftp, telnet); filters on content
- Stateless/Stateful: a stateful firewall keeps a check on responses relative to requests
Advanced Network Services
Stateful example
Consider a user accessing a Web site.
A stateless firewall will need to say:
- All outbound port 80 traffic OK
- All inbound non-SYN traffic OK
The second rule admits any unsolicited packet that is not a bare SYN (an ACK scan probe, for instance), because without state the firewall cannot tell a reply from a probe. A stateful firewall instead remembers the connection the client opened and admits inbound packets only when they belong to it.
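The web-session scenario above, as an added example that is not part of the lecture: a toy filter that applies the slide's two stateless rules beside a stateful filter that tracks the connections the inside host opens. The inside address, the server and attacker addresses (TEST-NET ranges), the port numbers and the packet sequence are all constructed, and "inbound non-SYN" is read as "not a bare SYN" so that the server's SYN/ACK passes the stateless rule.

```python
"""Stateless versus stateful filtering of the slide's web-session example.

Added example, not from the lecture: a toy packet filter that applies the two
stateless rules from the slide, beside a stateful filter that tracks the
connections the inside host opens. Addresses and port numbers are constructed
(TEST-NET ranges); packets are plain records, not parsed bytes.
"""
from dataclasses import dataclass

INSIDE = "192.168.1.2"          # assumed address of the protected client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    @property
    def bare_syn(self) -> bool:
        """SYN without ACK: the first packet of a new TCP connection."""
        return self.syn and not self.ack


def stateless_allows(pkt: Packet) -> bool:
    """The two rules the slide says a stateless firewall has to use.
    'Inbound non-SYN' is read as 'not a bare SYN', so the SYN/ACK reply passes."""
    outbound = pkt.src == INSIDE
    if outbound and pkt.dport == 80:
        return True                      # all outbound port 80 traffic OK
    if not outbound and not pkt.bare_syn:
        return True                      # all inbound non-SYN traffic OK
    return False


class StatefulFilter:
    """Admits a new outbound web connection, then only packets of tracked
    connections in either direction (what iptables calls NEW vs ESTABLISHED)."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        outbound_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src == INSIDE:
            if outbound_key in self.conns:
                return True              # ESTABLISHED, outbound direction
            if pkt.bare_syn and pkt.dport == 80:
                self.conns.add(outbound_key)   # NEW connection to a web server
                return True
            return False
        return reply_key in self.conns   # inbound only as a reply to a tracked connection


def run_scenario() -> dict[str, dict[str, bool]]:
    """Constructed packet sequence: a normal web session, then an unsolicited
    inbound ACK probe of the kind an ACK scan sends, then an outbound ssh attempt."""
    server, attacker = "203.0.113.10", "198.51.100.7"      # assumed addresses
    sequence = [
        ("client_syn",     Packet(INSIDE, 40000, server, 80, syn=True)),
        ("server_synack",  Packet(server, 80, INSIDE, 40000, syn=True, ack=True)),
        ("client_ack",     Packet(INSIDE, 40000, server, 80, ack=True)),
        ("server_data",    Packet(server, 80, INSIDE, 40000, ack=True)),
        ("ack_probe",      Packet(attacker, 4444, INSIDE, 22, ack=True)),
        ("client_ssh_out", Packet(INSIDE, 40001, server, 22, syn=True)),
    ]
    stateful = StatefulFilter()
    return {name: {"stateless": stateless_allows(p), "stateful": stateful.allows(p)}
            for name, p in sequence}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:15} stateless={verdicts['stateless']!s:5} stateful={verdicts['stateful']}")
```

Both filters pass the genuine session and block the outbound ssh attempt; only the stateful filter drops the attacker's ACK probe, because no tracked connection matches it. Real connection tracking also has to handle timeouts, RST/FIN teardown and UDP/ICMP pseudo-connections, which this toy leaves out.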
Packet-level operations
A network layer firewall involves inspection of each packet. Where does this occur?
- In the OS kernel: a privileged operation, requires root/Administrator login
- In user space: more relaxed, at the cost of handing every packet up to a user process
[Figure: where a firewall hooks into the Windows 2000 network stack. From the top: networking application, winsock, Transport Driver Interface (TDI), the kernel TCP/IP driver, then the NDIS driver. An application layer firewall sits in user space with the application; a network layer firewall uses the W2K packet filtering interface in the kernel, at the TCP/IP or NDIS driver level.]
ipfw
The earliest packet-filtering framework: BSD code that was also ported to early Linux kernels (configured there with ipfwadm) and later replaced on Linux by netfilter.
Still used in BSD Unix.
Can't handle non-IP rules.
A rule is keyed on the type (e.g. tcp, icmp, ...) and on the source and destination addresses.
[Figure: packet flow through the ipfw/ipchains chains. An arriving packet passes the input chain; the routing decision ("to be routed?") then hands it either to a local process or to the forward chain; everything leaving, forwarded or locally generated, passes the output chain.]
[Figure: packet flow through the iptables chains. An arriving packet passes PREROUTING; the routing decision then sends it to INPUT (for a local process) or to FORWARD; forwarded packets and locally generated packets (OUTPUT) both pass POSTROUTING before leaving.]
nat table
The nat table has PREROUTING, POSTROUTING and OUTPUT chains.
An iptables rule pairs match options (protocol, port, interface and many others) with a target (DROP, REJECT, ACCEPT, LOG, ...).
iptables commands
-F <chain>: flush all rules from the chain
-P <chain> <target>: set the policy for a built-in chain, i.e. what happens when no rule matches (ACCEPT or DROP; REJECT is not accepted as a policy). Compare with the ipfw approach.
-A <chain> <rule>: append a rule to the chain (-I inserts at a given position, -R replaces)
-N <chain name>: create a new user-defined chain
Match options
-i <interface>, -o <interface>: match the input or output interface
-p icmp --icmp-type <typename>: match an ICMP type
iptables targets
ACCEPT: stop processing this chain and let the packet through
DROP: stop processing and discard the packet silently
LOG: make an entry in the kernel log, then continue with the next rule (LOG is non-terminating)
REJECT: stop processing and discard the packet, but reply with an error (ICMP port-unreachable by default; --reject-with selects another, e.g. a TCP RST)
DNAT: rewrite the packet's destination address to the specified address, for Destination NAT
SNAT: rewrite the packet's source address to the specified address, for Source NAT
MASQUERADE: rewrite the source address to whatever address the outgoing interface currently has, for dynamically assigned addresses such as a dial-up link
MASQUERADE example
The slide annotates a single iptables command, flag by flag: the nat table (-t nat); append a rule (-A) to the POSTROUTING chain; match the dial-up interface as the outgoing interface (-o, the interface name is not given on the slide); target MASQUERADE (-j MASQUERADE), the right kind of mangling for a link whose address is assigned dynamically.
The lab
Build a test environment:
- NAT Router A (Linux): a public address on the outside, 192.168.a.1 on the inside
- Client (Linux or Windows): 192.168.a.2
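To tie together the chain diagrams, the command options and targets, the MASQUERADE command and the lab, here is an added example (my own model, not code from the lecture or from netfilter) that simulates the path of an arriving packet through the iptables chains of Router A. Interface names (eth1 inside, ppp0 for the dial-up link), the public address 203.0.113.5 and the inside network 192.168.1.0/24 (a = 1) are assumptions, and the equivalent iptables commands appear as comments. The OUTPUT path for locally generated packets, connection tracking and the reverse translation of replies are left out.

```python
"""Netfilter chain traversal with the lab's NAT router, as a toy model.

Added example, not from the lecture or the kernel. Interface names (eth1, ppp0)
and addresses (192.168.1.0/24 inside, 203.0.113.5 public) are assumed; the
OUTPUT path, connection tracking and reverse translation of replies are left out.
"""
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str = ""       # interface the packet arrived on
    out_if: str = ""      # chosen by the routing decision

@dataclass
class Rule:
    target: str                                # ACCEPT, DROP, REJECT, LOG, DNAT, MASQUERADE
    match: dict = field(default_factory=dict)  # packet fields to match (-p, -i, -o, --dport)
    to: str = ""                               # new destination for DNAT

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: list[Rule] = []
        self.policy = policy                   # iptables -P <chain> <policy>

    def append(self, rule: Rule) -> None:      # iptables -A <chain> ...
        self.rules.append(rule)

    def run(self, pkt: Packet, log: list) -> Rule:
        """First matching terminating rule decides; LOG records and carries on;
        the chain policy applies when nothing matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.target == "LOG":
                    log.append(f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} in={pkt.in_if}")
                    continue
                return rule
        return Rule(self.policy)

class NatRouter:
    def __init__(self, local_addrs, iface_addr: dict) -> None:
        self.local_addrs = set(local_addrs)
        self.iface_addr = iface_addr           # interface -> address, used by MASQUERADE
        self.filter = {c: Chain() for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.nat = {c: Chain() for c in ("PREROUTING", "OUTPUT", "POSTROUTING")}
        self.log: list[str] = []

    def _route(self, pkt: Packet) -> Packet:
        """Routing decision (assumed): inside network via eth1, everything else via ppp0."""
        return replace(pkt, out_if="eth1" if pkt.dst.startswith("192.168.1.") else "ppp0")

    def receive(self, pkt: Packet) -> tuple:
        """Arriving packet: PREROUTING -> routing decision -> INPUT or FORWARD -> POSTROUTING."""
        rule = self.nat["PREROUTING"].run(pkt, self.log)
        if rule.target == "DNAT":
            pkt = replace(pkt, dst=rule.to)    # rewritten before the routing decision
        if pkt.dst in self.local_addrs:
            return ("INPUT", self.filter["INPUT"].run(pkt, self.log).target, pkt)
        pkt = self._route(pkt)
        verdict = self.filter["FORWARD"].run(pkt, self.log).target
        if verdict != "ACCEPT":                # DROP is silent; REJECT would also send an error reply
            return ("FORWARD", verdict, pkt)
        if self.nat["POSTROUTING"].run(pkt, self.log).target == "MASQUERADE":
            pkt = replace(pkt, src=self.iface_addr[pkt.out_if])   # source := outgoing interface's address
        return ("FORWARD", "ACCEPT", pkt)

def build_lab_router() -> NatRouter:
    """Router A: 192.168.1.1 on eth1 (inside), public address 203.0.113.5 on ppp0."""
    rt = NatRouter(["192.168.1.1", "203.0.113.5"], {"eth1": "192.168.1.1", "ppp0": "203.0.113.5"})
    rt.filter["INPUT"].policy = "DROP"         # iptables -P INPUT DROP
    rt.filter["FORWARD"].policy = "DROP"       # iptables -P FORWARD DROP
    # iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT         (inside hosts may go out)
    rt.filter["FORWARD"].append(Rule("ACCEPT", {"in_if": "eth1", "out_if": "ppp0"}))
    # iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT (manage the router from inside)
    rt.filter["INPUT"].append(Rule("ACCEPT", {"in_if": "eth1", "proto": "tcp", "dport": 22}))
    # iptables -A INPUT -i ppp0 -j LOG                       (log it; the DROP policy then applies)
    rt.filter["INPUT"].append(Rule("LOG", {"in_if": "ppp0"}))
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE   (the slide's command)
    rt.nat["POSTROUTING"].append(Rule("MASQUERADE", {"out_if": "ppp0"}))
    return rt

def demo() -> dict:
    """Three constructed packets through the lab router."""
    rt = build_lab_router()
    return {
        "client_to_web": rt.receive(Packet("192.168.1.2", "203.0.113.80", "tcp", 80, in_if="eth1")),
        "outside_probe": rt.receive(Packet("198.51.100.7", "203.0.113.5", "tcp", 22, in_if="ppp0")),
        "inside_ssh": rt.receive(Packet("192.168.1.2", "192.168.1.1", "tcp", 22, in_if="eth1")),
        "log": list(rt.log),
    }
```

Calling demo() shows the client's web request forwarded with its source rewritten to the public address, the outside probe logged and then dropped by the INPUT policy, and the inside ssh connection to the router accepted. Note the ordering lesson built into the model: LOG only records what reaches it, so a LOG rule placed after a terminating ACCEPT would never see those packets, and a DROP policy with no LOG rule discards silently with no trace at all.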