Firewalls (13)


  • 8/10/2019 Firewalls (13)

  • Poor Man's Firewall

    A firewall that can be set up and implemented with a minimum amount of time and money.

  • Why do I need one?

    A Windows server cannot be secured as it stands. Don't believe anyone who tells you otherwise.

    MSSQL server should never be placed directly on the Internet.

    And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?

  • OSI Model Lower Layers

    Lower layers provide more primitive network-specific functions like routing, addressing, and flow control.

    Layer II - (Data Link Layer) of the OSI Model
    Layer III - (Network Layer) of the OSI Model

  • Switch/Hub (Layer II)

    Switches and hubs are used to connect various devices to a network.

    Switches are intelligent: they look at the source and destination of each packet and forward it to the appropriate switch port.

    Hubs are dumb devices that present a copy of each packet that is seen to every other port on the device.

  • Bridge (Layer II)

    A device that can be used to segment Local Area Networks (LANs).

    They can be used to control the traffic going between two network segments based on Ethernet addresses.

    They are essentially transparent devices. They can be replaced with a cross-over cable.

  • Router (Layer III)

    A network device used for connecting different networks together.

    They are responsible for intelligently routing packets based on IP address.

  • Firewall

    A firewall filters packets based on a set of filter rules.

    Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don't are dropped.

    Firewalls can be either software or hardware based.

  • Bridging Mode Firewalls

    A bridge that allows you to filter the packets that pass through its interfaces.

    Can be placed anywhere in an existing network without disrupting existing services.

    Transparent to your servers.

  • Linux Bridging Mode Firewall

    A software based firewall that uses Linux as the operating system.

    The software is free. Relatively easy to set up.

    Can run on old hardware.

  • Hardware Needed

    Any old Pentium based computer
    128MB of RAM
    ~1GB hard drive
    2 network cards (minimum)

  • Example Bridge Script

    #!/bin/bash
    # /etc/rc.d/init.d/bridge

    BRCTL=/usr/sbin/brctl
    IFCONFIG=/sbin/ifconfig

    # rc_done / rc_failed are normally set by the distribution's init helper
    # (the script follows the SuSE rc.status convention); fall back to plain
    # strings so the script also runs without it.
    rc_done=${rc_done:-done}
    rc_failed=${rc_failed:-failed}

    return=$rc_done
    case "$1" in
        start)
            echo "Starting service bridge br0"
            # Create bridge interface
            $BRCTL addbr br0 || return=$rc_failed
            # Turn Spanning Tree Protocol off
            $BRCTL stp br0 off || return=$rc_failed
            # Add interfaces to bridge
            $BRCTL addif br0 eth1 || return=$rc_failed
            $BRCTL addif br0 eth2 || return=$rc_failed
            # Reset to clean state
            $IFCONFIG eth1 down || return=$rc_failed
            $IFCONFIG eth2 down || return=$rc_failed
            # Set interfaces to promiscuous mode (no IP address on the bridged ports)
            $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
            $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
            # Bring bridge interface up
            $IFCONFIG br0 promisc up || return=$rc_failed
            $BRCTL show
            echo -e "$return"
            ;;
        stop)
            echo "Shutting down service bridge br0"
            $IFCONFIG br0 down || return=$rc_failed
            $BRCTL delif br0 eth1 || return=$rc_failed
            $BRCTL delif br0 eth2 || return=$rc_failed
            $BRCTL delbr br0 || return=$rc_failed
            echo -e "$return"
            ;;
        status)
            $IFCONFIG br0
            $BRCTL show
            ;;
        restart)
            $0 stop && $0 start || return=$rc_failed
            ;;
        *)
            echo "Usage: $0 {start|stop|status|restart}"
            exit 1
            ;;
    esac

    test "$return" = "$rc_done" || exit 1
    exit 0

  • Example Filter Rules

    #!/bin/bash
    # Example Firewall Script
    IPTABLES="/sbin/iptables -v"

    # Any Subnet
    ANY=0.0.0.0/0

    # ILLIAD Server (placeholder address from the slides: 456 is not a valid
    # octet, so substitute the real server address before running)
    ILLIAD=128.193.123.456

    #### Flush all rules
    $IPTABLES -F

    # Delete all user created chains
    $IPTABLES -X

    # Zero all byte counters
    $IPTABLES -Z

    # Drop all packets without a rule
    $IPTABLES -P FORWARD DROP

    # loopback interface
    $IPTABLES -A FORWARD -i lo -j ACCEPT

    # Syn-flood protection:
    $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    # Ping of death:
    $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # HTTP: the server may open new connections to port 80 anywhere,
    # and only replies to established connections may come back
    $IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
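An added example (not code from the slides) that packages the filter rules above into functions: it validates the server address before any rule is issued, which would catch a placeholder like the deck's 128.193.123.456, and prints the rules by default so the set can be reviewed offline; IPTABLES_BIN, valid_ipv4, base_policy and allow_server_port are names chosen here. It assumes, as the deck's script does, that bridged traffic reaches the FORWARD chain, which requires the kernel's bridge-netfilter hook to be active.

```shell
#!/bin/bash
# Added example, not from the original slides. IPTABLES_BIN defaults to a
# dry run that prints the rules; set IPTABLES_BIN=/sbin/iptables to apply
# them (needs root and, on a bridge, the kernel's bridge-netfilter hook).
IPTABLES_BIN="${IPTABLES_BIN:-echo /sbin/iptables}"

# valid_ipv4 ADDR: succeeds only for a dotted quad with every octet 0-255.
# Rejects placeholders such as 128.193.123.456 before they reach iptables,
# which would otherwise abort the rule set half-way through.
valid_ipv4() {
    local ip="$1" octet
    case "$ip" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    local IFS='.'
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# base_policy: the deck's clean-slate start with default DROP on FORWARD.
base_policy() {
    $IPTABLES_BIN -F
    $IPTABLES_BIN -X
    $IPTABLES_BIN -Z
    $IPTABLES_BIN -P FORWARD DROP
}

# allow_server_port SERVER PORT: the stateful rule pair from the deck's
# HTTP example, generalised to any TCP port. SERVER may open NEW
# connections to PORT anywhere; only ESTABLISHED replies may come back.
allow_server_port() {
    local server="$1" port="$2"
    valid_ipv4 "$server" || { echo "invalid IPv4 address: $server" >&2; return 1; }
    $IPTABLES_BIN -A FORWARD -s "$server" -d 0.0.0.0/0 -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
    $IPTABLES_BIN -A FORWARD -s 0.0.0.0/0 -d "$server" -p tcp --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Dry-run usage with a constructed documentation address, not the deck's.
base_policy
allow_server_port 192.0.2.10 80
```

Note that the deck's rate-limited `--syn ... -j ACCEPT` rule matches SYNs to any port, so under the default-drop policy it still admits up to one new TCP connection per second from anywhere, regardless of the per-host rules that follow. Dropping the excess SYNs instead, or attaching the limit to the per-host NEW rules, keeps the default-drop policy intact.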
