Firewall: Difference between revisions
→Firewalls for UNIX: forgot link |
etherreal -> wireshark |
||
Line 3: | Line 3: | ||
Our recommended process for installing a firewall is to have a "default deny" stance. This means "block all in" and block all out" by default. Once that has been established, then only allow rules as required. | Our recommended process for installing a firewall is to have a "default deny" stance. This means "block all in" and block all out" by default. Once that has been established, then only allow rules as required. | ||
For example, if you have blocked all by default, first you will want to try to resolve [[DNS]] I'm sure. So you will need to start a packet sniffer ([[tcpdump]], [[ | For example, if you have blocked all by default, first you will want to try to resolve [[DNS]] I'm sure. So you will need to start a packet sniffer ([[tcpdump]], [[wireshark]], [[snoop]]) and watch the packets trying to leave and come in. In another window, type "host hackepedia.org" to try and resolve this DNS. As you should see, you need to allow [[ports|port]] 53.. but was that [[TCP]] or [[UDP]]? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host hackepedia.org" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Repeat this process as needed for each service, and eventually you'll have a very decent firewall. | ||
Of course, this is time consuming, and error prone, especially for someone who is just starting. A better solution may be to find a ruleset, or script online, and modify it until it works and fits your specific requirements. | Of course, this is time consuming, and error prone, especially for someone who is just starting. A better solution may be to find a ruleset, or script online, and modify it until it works and fits your specific requirements. |
Latest revision as of 04:01, 9 December 2012
A Firewall is part of an Operating System's networking stack that allows one to create policies for network traffic, and permit or deny that traffic accordingly. Firewalls most commonly work on OSI layers 3 and 4, although any layer except 1 is possible. Commercial firewalls often inspect higher layers than 3 and 4, for example SMTP content (RFC 2821 and 2822). Firewalls cannot inspect encrypted protocols (see cryptography) unless they have been given the secret key. Firewalls can run either on a specific host, or on a dedicated system that sits between the production systems and the rest of the Internet.
Our recommended process for installing a firewall is to have a "default deny" stance. This means "block all in" and block all out" by default. Once that has been established, then only allow rules as required.
For example, if you have blocked all by default, first you will want to try to resolve DNS I'm sure. So you will need to start a packet sniffer (tcpdump, wireshark, snoop) and watch the packets trying to leave and come in. In another window, type "host hackepedia.org" to try and resolve this DNS. As you should see, you need to allow port 53.. but was that TCP or UDP? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host hackepedia.org" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Repeat this process as needed for each service, and eventually you'll have a very decent firewall.
Of course, this is time consuming, and error prone, especially for someone who is just starting. A better solution may be to find a ruleset, or script online, and modify it until it works and fits your specific requirements.
A common mistake we see it an implicit allow all outbound, this is a mistake, and very beneficial to anyone who has just compromised your machine. Allow only the required ports and protocols outbound, most commonly ports 80 (web) and 25 (smtp), and block and log everything else outbound. If you find something isn't working, check the logs and allow a rule for that application, if you approve of its usage. It will be a short bell curve until you will very rarely have to modify your outbound ruleset, as outbound traffic rarely changes.
Firewalls for UNIX
- pf
- A stateful firewall written by Daniel Hartmeier for OpenBSD. Has been ported to all BSD's. pf has a nice logging mechanism that one can view with tcpdump. This firewall can share states between other firewalls meaning communication can continue if the path of communication changes through another firewall. This firewall has built-in NAT. Apple Mac OS X has started using pf with Mountain Lion.
- npf
- A stateful firewall in NetBSD. According to the manpage it will be released for NetBSD 6.0.
- ipfw
- IP Firewall available in FreeBSD and Apple Mac OS X. Much work done from Luigi Rizzo. States were introduced with the second version of ipfw. NAT can be achieved with IPDIVERT sockets with programs such as natd.
- netfilter / iptables
- The standard firewall software that comes with the Linux Operating System. Stateful has built-in NAT. Has a huge number of specialized filters ranging from statistical matching ("30% of all tcp packets"), to packet burst management, to raw content checking.
- Checkpoint
- Expensive commercial firewall runs on Solaris. Written in Israel. Could have been the first stateful firewall, patented. Has NAT.
- Cisco PIX
- More expensive commercial hardware/software solution from Cisco. Runs on a dedicated box, using a highly specialized UNIX variant as the OS. Supports most (all?) major firewall features.
Home Firewall
Brands such as Soekris, Alix and Lanner are pretty popular in geek circles. They are small, energy efficient boxes with 2 or more ethernet ports so that they can act like a firewall. They run open source and proprietary operating systems.
Here is a picture of a Lanner firewall/router.
You can surely also run a firewall in a PC or laptop but it's not as dedicated as these.