Firewall: Difference between revisions
No edit summary |
|||
Line 1: | Line 1: | ||
A Firewall is an extension to an Operating System that allows one to create policies for Internet protocols in order to deny content that is deemed illegal or harmful. Firewalls are most common to work on [[OSI]] layers 3 and 4. Commercial firewalls often inspect higher layers than 3 and 4, for example SMTP content ([[RFC]] 2821 and 2822). Firewalls cannot inspect encrypted protocols (see [[cryptography]]) unless they have been given the secret key. | A Firewall is an extension to an Operating System that allows one to create policies for Internet protocols in order to deny content that is deemed illegal or harmful. Firewalls are most common to work on [[OSI]] layers 3 and 4. Commercial firewalls often inspect higher layers than 3 and 4, for example SMTP content ([[RFC]] 2821 and 2822). Firewalls cannot inspect encrypted protocols (see [[cryptography]]) unless they have been given the secret key. | ||
Our recommended process for installing a firewall is to "block all in" and block all out" by default. Once that has been established, then only allow rules as required. | |||
For example, if you have blocked all by default, first you will want to try to resolve [[DNS]] I'm sure. So you will need to start a packet sniffer ([[tcpdump]], [[ethereal]], [[snoop]]) and watch the packets trying to leave and come in. In another window, type "host yashy.com" to try and resolve my DNS. As you should see, you need to allow [[port]] 53.. but was that [[TCP]] or [[UDP]]? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host yashy.com" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Eventually you'll have a very decent firewall. | For example, if you have blocked all by default, first you will want to try to resolve [[DNS]] I'm sure. So you will need to start a packet sniffer ([[tcpdump]], [[ethereal]], [[snoop]]) and watch the packets trying to leave and come in. In another window, type "host yashy.com" to try and resolve my DNS. As you should see, you need to allow [[port]] 53.. but was that [[TCP]] or [[UDP]]? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host yashy.com" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Eventually you'll have a very decent firewall. |
Revision as of 08:53, 24 October 2005
A Firewall is an extension to an Operating System that allows one to create policies for Internet protocols in order to deny content that is deemed illegal or harmful. Firewalls are most common to work on OSI layers 3 and 4. Commercial firewalls often inspect higher layers than 3 and 4, for example SMTP content (RFC 2821 and 2822). Firewalls cannot inspect encrypted protocols (see cryptography) unless they have been given the secret key.
Our recommended process for installing a firewall is to "block all in" and block all out" by default. Once that has been established, then only allow rules as required.
For example, if you have blocked all by default, first you will want to try to resolve DNS I'm sure. So you will need to start a packet sniffer (tcpdump, ethereal, snoop) and watch the packets trying to leave and come in. In another window, type "host yashy.com" to try and resolve my DNS. As you should see, you need to allow port 53.. but was that TCP or UDP? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host yashy.com" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Eventually you'll have a very decent firewall.
Firewalls for UNIX
- pf
- A stateful firewall written by Daniel Hartmeier for OpenBSD. Has been ported to all BSD's. pf has a nice logging mechanism that one can view with tcpdump. This firewall can share states between other firewalls meaning communication can continue if the path of communication changes through another firewall. This firewall has built-in NAT.
- ipfw
- IP Firewall available in FreeBSD and Apple Mac OS X. Much work done from Luigi Rizzo. States were introduced with the second version of ipfw. NAT can be achieved with IPDIVERT sockets with programs such as natd.
- ipf
- IP Filter available in a number of UNIX OS's. Written by Darren Reed. Stateful, has built-in NAT.
- netfilter / iptables
- The standard firewall software that comes with the Linux Operating System. Stateful has built-in NAT.
- Checkpoint
- Expensive commercial firewall runs on Solaris. Written in Israel. Could have been the first stateful firewall, patented. Has NAT.
Firewalls for Windows
A common free firewall for Windows that blocks all of your ports is zone alarm. Checkpoint Firewall also works on Windows.