
Training


huebner


  1. Training Firewalls An Introduction

  2. Overview
  • Theory
    • IP Packets, Filtering
    • IP chains, Chain Policies
    • Firewall Rules
    • Filtering
  • ATM Vision
    • Interfaces
    • Firewall Implementation
    • Examples

  3. IP Packets
  IPv4 header (each row is 32 bits wide):
  • Version | IHL | Type of Service | Total Length
  • Identification | Flags | Fragment offset
  • Time to Live | Protocol | Header Checksum
  • Source Address
  • Destination Address
  • Options | Padding
  IP Data: Data (1 Byte – 64 kBytes)
  IHL: Internet Header Length
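The header layout above is what a packet filter decodes before any rule can be applied. The following Python is an added example, not part of the slide deck: it builds a constructed IPv4 header, then parses it back into the fields the later slides filter on (protocol, source and destination address) and verifies the RFC 791 header checksum, which is the "checksum" stage a packet passes before it reaches any chain. The helper names and the sample addresses are assumptions made here.

```python
import ipaddress
import struct

# Protocol numbers as listed in /etc/protocols and on the "Filtering by Protocol" slide.
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

HEADER_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed part of the header, network byte order


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int = 0,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed helper: a minimal IPv4 header (IHL=5, no options, DF set) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                      # DF flag set, fragment offset 0
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # the checksum is computed with the checksum field itself set to zero, then written in
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields a packet filter looks at and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a sane IPv4 header (version/IHL)")
    return {
        "version": version,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol_number": proto,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:ihl],
        # summing the whole header including its checksum field must give zero
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }


if __name__ == "__main__":
    sample = build_ipv4_header("10.0.0.1", "192.168.1.1", 6, payload_len=20)   # constructed
    for key, value in parse_ipv4_header(sample).items():
        print(f"{key:16} {value}")
```

A header whose checksum does not verify is dropped before filtering, so a rule never sees it; the parser reports that as `checksum_ok` rather than raising, so a caller can count such packets separately.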

  4. IP Filtering
  • Filtering can be performed on:
    • Interfaces (source or destination)
    • Source address
    • Source port
    • Destination address
    • Destination port

  5. IP Chains
  [Figure: packet flow through the IP chains. Stages shown: Checksum, Sanity, Input Chain, Routing, Forward Chain, Output Chain, Local Process, Loopback Device (lo). Targets shown at each chain: ACCEPT, REDIRECT, REJECT, DENY.]

  6. Chains
  • Default chains:
    • "input" chain: 1st chain for received packets
    • "output" chain: chain for all outgoing packets
    • "forward" chain: chain for received packets with another destination than the local system
  • User defined chains:
    • Any name (8 characters max.) except "input", "output", "forward", "ACCEPT", "DENY", "REJECT", "REDIRECT" and "RETURN"
    • Grouping of rules (easier maintenance)

  7. Policy
  • Firewall policies:
    • ACCEPT: pass the packet
    • REJECT: discard the packet, but send a response
    • DENY: discard the packet, no response

  8. Firewall Rules
  • Rules are applied to a chain
  • A rule defines a filter criterion
  • Multiple rules can exist per chain
  • Each packet traverses the list of rules until a match occurs
  • In case of a match the packet is treated according to the target of the rule
  • If there is no match, the policy of the chain is taken as the target
  • Targets are: "ACCEPT", "REJECT", "DENY", "REDIRECT", "RETURN" or any user defined chain

  9. Filtering by Address
  • Source Address: -s
  • Destination Address: -d
  • Address formats:
    • Address/Maskbits, e.g. 192.168.0.0/24
    • Address/Mask, e.g. 192.168.0.0/255.255.255.0

  10. Filtering by Interface
  • The interface is related to the chain:
    • "input" chain: interface the packet was received on
    • "output" and "forward" chain: interface the packet will be sent out on

  11. Filtering by Protocol
  • Option -p
  • Protocol names/numbers are listed in /etc/protocols:
    • ICMP (1) – Internet Control Message Protocol: ECHO, REDIRECT, UNREACHABLE
    • TCP (6) – Transmission Control Protocol: TELNET, SSH, RLOGIN, FTP, ...
    • UDP (17) – User Datagram Protocol: SNMP, MAIL, DNS, ...

  12. Filtering by Service
  • The service name or number follows a source or destination address
  • Ranges are specified by min:max
  • The service names and numbers are listed in /etc/services, e.g.:

    Service     Port
    ftp-data    20
    ftp         21
    ssh         22
    telnet      23
    smtp        25
    time        37
    domain      53
    http        80
    pop3        110
    ntp         123
    snmp        161
    snmptrap    162
    syslog      514
    router      520
    timed       525
    vision      9600

  13. User defined Chains
  Received TCP packet from 192.168.1.1 to 1.2.3.4:

  Chain "input"
    Rule1: -p icmp -j REJECT
    Rule2: -p TCP -j Test

  Chain "Test"
    Rule1: -s 192.168.1.1
    Rule2: -d 192.168.1.1
    Rule3: -p UDP -j DENY

  14. ATM Vision IP Interfaces
  [Figure: the FIREWALL sits between ATM VISION interfaces (clip0, lane0), the Ethernet ports eth0 (10/100BaseT) and eth1 (10BaseT), and the LOCAL PROCESSES.]
  • 2 * Ethernet ports
  • N * CLIP (Classical IP)
  • N * LANE (LAN Emulation)

  15. Commands
  • -P  Set chain policy:            ipchains -P <chain> <policy>
  • -A  Add rule:                    ipchains -A <chain> <filter> [-j target]
  • -D  Delete rule # of a chain:    ipchains -D <chain> <rule>
  • -F  Delete all rules of a chain: ipchains -F <chain>
  • -N  Create a new chain:          ipchains -N <chain name>
  • -X  Delete a chain:              ipchains -X <chain name>

  16. Examples
  Drop all packets directed to 192.168.1.1:

    sysconf ipchains -A output -d 192.168.1.1/32 -j DENY

  (Command; Add; Output chain; Destination address; Target DENY)

  Accept only telnet connections from 10.0.0.1:

    sysconf ipchains -P input DENY
    sysconf ipchains -A input -s 10.0.0.1/32 23 -j ACCEPT

  (Command; Set policy; Input chain; Policy DENY)
  (Command; Add; Input chain; Source address and service; Target ACCEPT)
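The rule-traversal semantics of slides 8 and 13 (first match wins, a rule without a target only counts, a user chain with no match falls back to the calling chain, and the chain policy applies only when nothing terminal matched) are easy to get wrong when writing rulesets by hand. The Python below is an added example that is not part of the slide deck: a small in-memory model of ipchains that reproduces the "User defined Chains" walk-through and the "accept only telnet" example from slide 16, with the address formats of slide 9 and the min:max port ranges of slide 12. Assumptions made here: the `input` policy in the slide 13 ruleset is DENY (the slide does not state it); the REDIRECT target is left out because it is a local redirect rather than a filter verdict; and the telnet rule is modelled on destination port 23, since in ipchains a service written after `-s` is a source port, whereas the slide's stated intent is connections to the local telnet service. All class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUILTIN = ("input", "output", "forward")
TERMINAL = ("ACCEPT", "REJECT", "DENY")
RESERVED = set(BUILTIN) | set(TERMINAL) | {"REDIRECT", "RETURN"}   # names a user chain may not take


@dataclass
class Rule:
    """One ipchains-style filter. None means 'match anything'; target None means count only."""
    protocol: Optional[str] = None   # -p: icmp, tcp or udp
    src: Optional[str] = None        # -s: addr/maskbits or addr/mask
    dst: Optional[str] = None        # -d
    sport: Optional[str] = None      # service after -s: "23" or "min:max"
    dport: Optional[str] = None      # service after -d
    target: Optional[str] = None     # -j: ACCEPT, REJECT, DENY, RETURN or a user chain


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def addr_match(spec: Optional[str], addr: str) -> bool:
    # ipaddress accepts both 192.168.0.0/24 and 192.168.0.0/255.255.255.0 (slide 9)
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")          # min:max ranges as on the services slide
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.protocol is None or rule.protocol.lower() == pkt.protocol.lower())
            and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and port_match(rule.sport, pkt.sport) and port_match(rule.dport, pkt.dport))


class Firewall:
    def __init__(self) -> None:
        self.chains = {name: [] for name in BUILTIN}
        self.policies = {name: "ACCEPT" for name in BUILTIN}

    def new_chain(self, name: str) -> None:                   # ipchains -N
        if name in RESERVED or len(name) > 8 or name in self.chains:
            raise ValueError(f"invalid chain name {name!r}")
        self.chains[name] = []

    def set_policy(self, chain: str, policy: str) -> None:    # ipchains -P
        if chain not in BUILTIN or policy not in TERMINAL:
            raise ValueError("a policy is only set on a built-in chain and must be ACCEPT/REJECT/DENY")
        self.policies[chain] = policy

    def append(self, chain: str, rule: Rule) -> None:         # ipchains -A
        if rule.target not in (None, "RETURN") and rule.target not in TERMINAL \
                and rule.target not in self.chains:
            raise ValueError(f"unknown target {rule.target!r}")
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet, trace: List[str], depth: int = 0) -> Optional[str]:
        if depth > 16:
            raise RuntimeError("chain recursion too deep")
        for i, rule in enumerate(self.chains[chain], 1):
            if not matches(rule, pkt):
                trace.append(f"{chain} rule {i}: no match")
                continue
            trace.append(f"{chain} rule {i}: match -> {rule.target or 'count only'}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":      # leave this chain; caller continues (or takes policy)
                return None
            if rule.target is not None:      # user-defined chain: descend, then continue if it returns
                verdict = self._walk(rule.target, pkt, trace, depth + 1)
                if verdict is not None:
                    return verdict
                trace.append(f"{rule.target}: end of chain, back to {chain}")
        return None

    def evaluate(self, chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        verdict = self._walk(chain, pkt, trace)
        if verdict is None:                  # slide 8: no match, the chain policy is the target
            verdict = self.policies[chain]
            trace.append(f"{chain}: no terminal match, policy {verdict}")
        return verdict, trace


def slide13_firewall() -> Firewall:
    """Ruleset of the 'User defined Chains' slide; input policy DENY is an assumption."""
    fw = Firewall()
    fw.set_policy("input", "DENY")
    fw.new_chain("Test")
    fw.append("input", Rule(protocol="icmp", target="REJECT"))
    fw.append("input", Rule(protocol="tcp", target="Test"))
    fw.append("Test", Rule(src="192.168.1.1"))
    fw.append("Test", Rule(dst="192.168.1.1"))
    fw.append("Test", Rule(protocol="udp", target="DENY"))
    return fw


def telnet_only_firewall() -> Firewall:
    """Slide 16: default DENY on input, accept telnet (23) only from 10.0.0.1 (modelled as dport)."""
    fw = Firewall()
    fw.set_policy("input", "DENY")
    fw.append("input", Rule(src="10.0.0.1/32", dport="23", target="ACCEPT"))
    return fw


if __name__ == "__main__":
    verdict, trace = slide13_firewall().evaluate("input", Packet("tcp", "192.168.1.1", "1.2.3.4", 40000, 23))
    print("\n".join(trace), "\n=>", verdict)
```

Run as a script, the trace shows the slide 13 packet entering `Test` via input rule 2, being counted by `Test` rule 1, falling off the end of `Test`, and finally taking the `input` policy; changing that policy to ACCEPT lets the same packet through, which is the point of the slide: a user chain that matches nothing terminal decides nothing.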

  17. Sample Network
