Firewall

Dave Grizzanti, Steve Curti

DESCRIPTION

Firewall. Dave Grizzanti, Steve Curti. What is an Internet Firewall? An Internet firewall is most often installed at the point where your protected internal network connects to the Internet. It prevents the dangers of the Internet from spreading to your internal network. - PowerPoint PPT Presentation


Page 1: Firewall

Firewall

Dave Grizzanti

Steve Curti

Page 2: Firewall

What is an Internet Firewall?

An Internet firewall is most often installed at the point where your protected internal network connects to the Internet. It prevents the dangers of the Internet from spreading to your internal network.

Page 3: Firewall

What is an Internet Firewall?

All traffic coming from the Internet or going out from your internal network passes through the firewall. Because it does, the firewall has the opportunity to make sure that this traffic is acceptable.

What does "acceptable" mean to the firewall? Basically, anything being done - email, file transfers, remote logins, or any kind of specific interaction between specific systems - must conform to the rule set of the network.

Page 4: Firewall

What can a firewall do?

A firewall is a focus for security decisions. All traffic in and out must pass through this single, narrow checkpoint.

A firewall can enforce a security policy. It enforces the site's security policy, allowing only "approved" services to pass through, and those only within the rules set up for them.

A firewall can log Internet activity. Because all traffic passes through the firewall, the firewall provides a good place to collect information about system and network use - and possible misuse.

A firewall can limit your exposure. A firewall can also be used to keep one section of your site's network separate from another section.

Page 5: Firewall

Setup

Used IPFirewall (IPFW).

The IPFirewall (IPFW) is a FreeBSD sponsored firewall software application authored and maintained by FreeBSD volunteer staff members.

IPFW is included in the basic FreeBSD install as a separate run time loadable module. The system dynamically loads the kernel module when the firewall is enabled in rc.conf.

Page 6: Firewall

Setup

/etc/rc.conf Options

Enable the firewall:
firewall_enable="YES"

Set the script to run to activate your rules:
firewall_script="/etc/ipfw.rules"

Enable logging:
firewall_logging="YES"

Page 7: Firewall

IPFW Rule Set

A rule set is a group of ipfw rules coded to allow or deny packets based on the values contained in the packet. The firewall rule set processes the packet twice: once on its arrival from the public Internet host and again as it leaves for its return trip back to the public Internet host. When a packet enters the firewall it is compared against the first rule in the rule set and progresses one rule at a time, moving from top to bottom of the set in ascending rule number order. When the packet matches a rule's selection parameters, that rule's action field value is executed and the search of the rule set terminates for that packet.

Page 8: Firewall

IPFW Rule Set

This is referred to as the "first match wins" search method. If the packet does not match any of the rules, it gets caught by the mandatory ipfw default rule, number 65535, which denies all packets and discards them without any reply back to the originating host.

An inclusive firewall only allows services matching the rules through. This way you can control what services can originate behind the firewall destined for the public Internet, and also control the services which can originate from the public Internet accessing your private network.

Everything else is denied by default design.
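To make the first-match-wins walk and the catch-all rule 65535 concrete, here is an added example (not code from the presentation or from FreeBSD's ipfw) that parses a simplified subset of ipfw rule syntax and evaluates constructed packets against a small inclusive rule set. The addresses, rule numbers and packets are made up; the anti-spoofing rule is numbered below the service rules on purpose, to show why ordering matters when the first match decides.

```python
"""First-match-wins evaluation of an inclusive IPFW-style rule set.

Added example modelled on the rule-set behaviour described in the slides;
not code from the presentation or from ipfw itself. Rule syntax is a
simplified subset of ipfw's:
    <number> <allow|deny> <proto> from <src> to <dst> [port] <in|out>
All rules, addresses and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_RULE = (65535, "deny")  # mandatory catch-all: drop, no reply sent

# Constructed inclusive rule set: only approved services are listed,
# everything else falls through to rule 65535.
RULES = [
    "00050 deny ip from 192.0.2.0/24 to any in",       # internal source arriving from outside
    "00100 allow tcp from any to 192.0.2.10 22 in",    # ssh to the bastion host
    "00200 allow tcp from any to 192.0.2.10 443 in",   # https to the web host
    "00300 allow ip from 192.0.2.0/24 to any out",     # anything originating inside may leave
]

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    direction: str   # "in" (arriving from the Internet) or "out" (return trip)

def parse_rule(line):
    """Split one rule line into (number, action, matcher)."""
    num, action, proto, _from, src, _to, dst, *rest = line.split()
    direction = rest.pop()                 # last token is always in/out
    port = int(rest[0]) if rest else None  # optional destination port
    return int(num), action, {"proto": proto, "src": src, "dst": dst,
                              "port": port, "direction": direction}

def _addr_matches(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)

def matches(m, pkt):
    return (m["proto"] in ("ip", pkt.proto)          # "ip" matches every protocol
            and m["direction"] == pkt.direction
            and _addr_matches(m["src"], pkt.src)
            and _addr_matches(m["dst"], pkt.dst)
            and (m["port"] is None or m["port"] == pkt.dport))

def evaluate(ruleset, pkt):
    """Walk rules in ascending number order; the first match ends the search."""
    for num, action, m in sorted((parse_rule(l) for l in ruleset), key=lambda r: r[0]):
        if matches(m, pkt):
            return num, action
    return DEFAULT_RULE  # no rule matched: caught by the default deny

if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.7", "192.0.2.10", 22, "in"),
              Packet("tcp", "203.0.113.7", "192.0.2.10", 3306, "in"),
              Packet("udp", "192.0.2.5", "192.0.2.10", 53, "in")):
        print(p, "->", evaluate(RULES, p))
```

The unsolicited connection to port 3306 matches nothing and is dropped by rule 65535, while the packet claiming an internal source is stopped by rule 50 before the ssh allow at rule 100 can be consulted.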

Page 9: Firewall

IPFW Commands

Enabling or disabling the firewall:
"ipfw enable firewall"
"ipfw disable firewall"

Loading the ruleset:
"sh ipfw.rules"

Seeing active rules:
"ipfw list"

Log file:
"/var/log/security"