Firewalls ppt

Page 1: Firewalls ppt

Poor Man’s Firewall

A firewall that can be set up and implemented with a minimum amount of time and money.

Page 2: Firewalls ppt

Why do I need one?

A Windows server cannot be secured as it stands. Don’t believe anyone who tells you otherwise.

MSSQL server should never be placed directly on the Internet.

And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?

Page 3: Firewalls ppt

OSI Model Lower Layers

Lower layers provide more primitive network-specific functions like routing, addressing, and flow control.

Layer II - (Data Link Layer) of the OSI Model

Layer III - (Network Layer) of the OSI Model

Page 4: Firewalls ppt

Switch/Hub (Layer II)

Switches and Hubs are used to connect various devices to a network.

Switches are intelligent: they look at the source and destination of each packet and route them to the appropriate switch port.

Hubs are dumb devices that present a copy of each packet that is seen to every other port on the device.

Page 5: Firewalls ppt

Bridge (Layer II)

A device that can be used to segment Local Area Networks (LANs).

They can be used to control the traffic going between two network segments based on Ethernet addresses.

They are essentially transparent devices. They can be replaced with a cross-over cable.

Page 6: Firewalls ppt

Router (Layer III)

A network device used for connecting different networks together.

They are responsible for intelligently routing packets based on IP address.

Page 7: Firewalls ppt

Firewall

A firewall filters packets based on a set of filter rules.

Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don’t are dropped.

Firewalls can be either software- or hardware-based.

Page 8: Firewalls ppt

Bridging Mode Firewalls

A bridge that allows you to filter the packets that pass through its interfaces.

Can be placed anywhere in an existing network without disrupting existing services.

Transparent to your servers.

Page 9: Firewalls ppt

Linux – Bridging Mode Firewall

A software-based firewall that uses Linux as the operating system.

The software is free.

Relatively easy to set up.

Can run on old hardware.

Page 10: Firewalls ppt

Software Needed

Iptables – Software that filters IP-based traffic based on a set of rules.

Ebtables – Software that allows Iptables to see the packets as they go through the Bridge interface.

Bridge-Utils – Software that allows you to create the bridge.

Page 11: Firewalls ppt

Hardware Needed

Any old Pentium-based computer

128MB of RAM

~1GB hard drive

2 Network Cards (Minimum)

Page 12: Firewalls ppt

Example Bridge Script

#!/bin/bash
# /etc/rc.d/init.d/bridge

BRCTL=/usr/sbin/brctl
IFCONFIG=/sbin/ifconfig

# rc_done / rc_failed are the status strings SuSE init scripts get from
# /etc/rc.status; fall back to plain strings so the final status test
# below still works on other systems.
test -r /etc/rc.status && . /etc/rc.status
rc_done=${rc_done:-done}
rc_failed=${rc_failed:-failed}

return=$rc_done
case "$1" in
    start)
        echo "Starting service bridge br0"
        # Create bridge interface
        $BRCTL addbr br0 || return=$rc_failed
        # Turn Spanning Tree Protocol off
        $BRCTL stp br0 off || return=$rc_failed
        # Add interfaces to bridge
        $BRCTL addif br0 eth1 || return=$rc_failed
        $BRCTL addif br0 eth2 || return=$rc_failed
        # Reset to clean state
        $IFCONFIG eth1 down || return=$rc_failed
        $IFCONFIG eth2 down || return=$rc_failed
        # Set interfaces to Promiscuous Mode (no IP address of their own;
        # assigning 0.0.0.0 also brings them back up)
        $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
        $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
        # Bring bridge interface up
        $IFCONFIG br0 promisc up || return=$rc_failed
        $BRCTL show
        echo -e "$return"
        ;;
    stop)
        echo "Shutting down service bridge br0"
        $IFCONFIG br0 down || return=$rc_failed
        $BRCTL delif br0 eth1 || return=$rc_failed
        $BRCTL delif br0 eth2 || return=$rc_failed
        $BRCTL delbr br0 || return=$rc_failed
        echo -e "$return"
        ;;
    status)
        $IFCONFIG br0
        $BRCTL show
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac

test "$return" = "$rc_done" || exit 1
exit 0
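A bridge that comes up half-configured (one port missing, STP still on, or the kernel not handing bridged frames to iptables) forwards traffic without filtering it, and the init script above only reports `brctl show` output for a human to read. The following is an added example, not part of the presentation: it checks those three conditions after the script's `start` target. It assumes the tabular `brctl show` layout, the bridge-netfilter switch at /proc/sys/net/bridge/bridge-nf-call-iptables, and the names br0, eth1 and eth2 from the slide; the `brctl show` text embedded at the bottom is constructed sample output for running the checks offline.

```shell
#!/bin/sh
# Added example, not from the presentation: post-start checks for the
# br0 bridge. Assumptions: brctl's tabular output, the bridge-nf sysctl
# path below, and the slide's interface names.

# bridge_ports BRIDGE   (stdin: `brctl show` output)
# Prints BRIDGE's member interfaces, one per line. brctl puts the first
# port on the bridge's own line and further ports on indented
# continuation lines.
bridge_ports() {
    awk -v br="$1" '
        NR == 1 { next }                                   # column header
        /^[ \t]/ { if (cur == br) print $1; next }         # continuation: one more port
        { cur = $1; if (cur == br && NF >= 4) print $4 }   # first line of a bridge
    '
}

# bridge_stp_off BRIDGE   (stdin: `brctl show` output); true if STP is "no"
bridge_stp_off() {
    [ "$(awk -v br="$1" 'NR > 1 && $1 == br { print $3 }')" = "no" ]
}

# bridge_has_ports BRIDGE PORT...   (stdin: `brctl show` output)
# Succeeds only if every PORT is enslaved to BRIDGE.
bridge_has_ports() {
    hp_br=$1; shift
    hp_ports=$(bridge_ports "$hp_br")
    for hp_want in "$@"; do
        printf '%s\n' "$hp_ports" | grep -qx "$hp_want" || return 1
    done
    return 0
}

# bridge_nf_enabled [FILE]
# True if the kernel passes bridged IPv4 frames to iptables. FILE is a
# parameter so the check can be run against a constructed copy.
bridge_nf_enabled() {
    nf_file=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$nf_file" ] && [ "$(cat "$nf_file")" = 1 ]
}

# check_bridge BRIDGE PORT... : run every check against the live system
check_bridge() {
    cb_show=$(brctl show) || return 1
    printf '%s\n' "$cb_show" | bridge_has_ports "$@" || { echo "$1: port missing"; return 1; }
    printf '%s\n' "$cb_show" | bridge_stp_off "$1" || { echo "$1: STP still enabled"; return 1; }
    bridge_nf_enabled || { echo "bridge-nf-call-iptables is not 1: iptables will not see bridged traffic"; return 1; }
    echo "$1: OK"
}

# Constructed sample of `brctl show` output for the offline demo
SAMPLE_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29aabbcc       no              eth1
                                                        eth2'

case "${1:-}" in
    live) check_bridge br0 eth1 eth2 ;;
    demo) printf '%s\n' "$SAMPLE_SHOW" | bridge_has_ports br0 eth1 eth2 && echo "sample bridge has eth1 and eth2" ;;
esac
```

Run it as `sh check-bridge.sh live` on the firewall host after `bridge start`; `demo` exercises the parser against the embedded sample without touching the system. The bridge-nf check matters most: with that sysctl at 0 the bridge still forwards every frame, but none of the FORWARD rules on the next slide are consulted.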

Page 13: Firewalls ppt

Example Filter Rules

#!/bin/bash
# Example Firewall Script
IPTABLES="/sbin/iptables -v"

# Any Subnet
ANY=0.0.0.0/0

# ILLIAD Server (the address on the slide is a placeholder, not a valid
# IPv4 address; substitute the real server address)
ILLIAD=128.193.123.456

#### Flush all rules
$IPTABLES -F

# Delete all user created chains
$IPTABLES -X

# Zero all byte counters
$IPTABLES -Z

# Drop all packets without a rule
$IPTABLES -P FORWARD DROP

# loopback interface
$IPTABLES -A FORWARD -i lo -j ACCEPT

# Syn-flood protection:
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Ping of death:
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# HTTP
$IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
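Two of the rules above deserve a second look. The "Syn-flood protection" and "Ping of death" rules end in `-j ACCEPT`, so they accept one SYN (to any port) and one echo request per second before the HTTP rules are ever consulted, which punches a slow hole through the port-80-only policy; and the `--sport 80 ... ESTABLISHED` rule covers replies in only one direction. The script below is an added example, not the presentation's own, that builds the same policy (default DROP, HTTP out from the server, rate limits on SYN and ping) so that the rate limiters drop the excess and everything under the limit still has to match an ACCEPT rule. It assumes the br0 bridge from the previous slides is up and that bridged frames reach iptables; `SERVER` is a placeholder (TEST-NET-1 address) standing in for the slide's ILLIAD host, and `DRYRUN=1` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the presentation's script: the slide's policy with
# the rate limiters rebuilt to drop the excess rather than accept it.
# Assumptions: bridged frames reach iptables; SERVER is a placeholder.

IPTABLES=${IPTABLES:-/sbin/iptables}
SERVER=${SERVER:-192.0.2.10}   # placeholder; replace with the real server
DRYRUN=${DRYRUN:-0}            # DRYRUN=1 prints the rules instead of loading them

# ipt: load one rule, or print it when DRYRUN=1
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    # Clean slate with a closed default policy (same start as the slide)
    ipt -F
    ipt -X
    ipt -P FORWARD DROP

    # SYN rate limit as a separate chain: SYNs under the limit RETURN to
    # FORWARD and must still match an ACCEPT rule below; the excess is
    # dropped. The slide's "-m limit ... -j ACCEPT" form instead accepts
    # one SYN per second to any port, ahead of the HTTP rules.
    ipt -N syn_flood
    ipt -A FORWARD -p tcp --syn -j syn_flood
    ipt -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    ipt -A syn_flood -j DROP

    # Echo requests: a limited rate is allowed, the rest dropped explicitly
    # so they do not reach the LOG rule at the end
    ipt -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    ipt -A FORWARD -p icmp --icmp-type echo-request -j DROP

    # Replies for connections already in the state table, either direction;
    # this replaces the slide's one-way "--sport 80 ESTABLISHED" rule
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only new connections allowed: HTTP from the server outwards,
    # the same direction as the slide's rule
    ipt -A FORWARD -s "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Everything else is logged (rate limited) and falls to the DROP policy
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# rule_lines: number of iptables commands the policy issues (dry run)
rule_lines() {
    ( DRYRUN=1; build_rules ) | grep -c '^iptables '
}

case "${1:-}" in
    load) build_rules ;;
    show) ( DRYRUN=1; build_rules ) ;;
esac
```

`sh firewall.sh show` prints the twelve commands for review; `sh firewall.sh load` applies them. Placing the SYN check in its own chain with `RETURN` is what keeps the two concerns separate: the limit decides how many connection attempts per second get considered at all, and the FORWARD rules after it still decide which of those are allowed.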

Page 14: Firewalls ppt

Useful Application

Ethereal – A powerful network protocol/packet analyzer that can be used to aid in the development of your filter rules.

Page 15: Firewalls ppt

Resources

Linux bridging how-to
http://bridge.sourceforge.net

Ebtables
http://ebtables.sourceforge.net

Ethereal
http://www.ethereal.com/