Firewall

From DD-WRT Wiki

Revision as of 18:19, 16 May 2010, by Glenn

The purpose of a firewall is to moderate traffic and/or log it. Most firewalls are made for moderating ip traffic and are called ip firewalls.

The simplest ip firewall has two physical interfaces, normally referred to as inside (LAN) and outside (WAN, the internet). It has two main access control lists, e.g. named inside2outside and outside2inside.

Packet filter firewall

The simplest ip firewall - a packet filter firewall - looks at each packet on its own and passes or drops it based on:

  • source ip address
  • destination ip address
  • If tcp or udp:
    • source tcp/udp port
    • destination tcp/udp port

Stateful firewall

The better ip firewall - a stateful firewall - also passes packet by packet, but where possible (e.g. tcp and udp) it tracks the connection a packet belongs to. A stateful firewall can additionally moderate trackable traffic by:

  • number of connections per (src/dst) ip address
  • number of connections per interface
  • number of connection attempts - "SYN" attacks, packet storms

NAT - Network Address Translation

Due to the IPv4 address shortage, the internet community began to use NAT, and therefore the firewall also needs to be NAT aware.

NAT incompatible protocols

A real problem with NAT is when more than one inside client (e.g. C1, C2) connects to the same outside server ip address (S) and the traffic is neither tcp nor udp. When an outside packet later arrives at the NAT device it cannot deduce which client to send it to. Here are examples of protocols that have that problem:

Even if the traffic is unencrypted, it cannot be deduced where to NAT an incoming outside packet if more than one inside client uses the same protocol to the same outside ip address. UDP and TCP are special because they have 65536 possible src and dst ports that can help tracking.
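The three firewall types above (packet filter with a source check, stateful tracking, and port-based NAT) can be shown in one small model. The following is an added example, not code from the DD-WRT project or the wiki: it uses constructed documentation-range addresses (192.168.1.0/24 inside, 203.0.113.7 as the WAN address, 198.51.100.x as outside servers) and a made-up port-less protocol name "noports" to show why two inside clients talking to the same server can be kept apart for tcp/udp but not for a protocol without ports.

```python
"""Toy model of a stateful NAT firewall with inside2outside and outside2inside policies.
Added example with constructed addresses; not the DD-WRT firewall code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", or the constructed port-less protocol "noports"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class NatFirewall:
    def __init__(self, lan_prefix: str, public_ip: str, first_nat_port: int = 1024):
        self.lan_prefix = lan_prefix          # "192.168.1." for the 192.168.1.0/24 LAN
        self.public_ip = public_ip            # address acquired on the WAN interface
        self.next_port = first_nat_port
        # tcp/udp tracking + NAT table: (proto, public port) -> (client, client port, server, server port)
        self.port_nat: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # port-less protocols can only be keyed on (proto, server ip); None marks an ambiguous entry
        self.plain_nat: Dict[Tuple[str, str], Optional[str]] = {}
        self.log: List[Tuple[str, str, Packet]] = []

    def inside2outside(self, pkt: Packet) -> Optional[Packet]:
        # packet-filter rule: only packets with a LAN source may leave via the WAN side
        if not pkt.src.startswith(self.lan_prefix):
            self.log.append(("drop", "source not in LAN subnet", pkt))
            return None
        if pkt.proto in ("tcp", "udp"):
            pub = self.next_port
            self.next_port += 1
            self.port_nat[(pkt.proto, pub)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return Packet(pkt.proto, self.public_ip, pkt.dst, pub, pkt.dport)
        key = (pkt.proto, pkt.dst)
        if key in self.plain_nat and self.plain_nat[key] != pkt.src:
            # a second inside client to the same server: replies can no longer be attributed
            self.log.append(("warn", "ambiguous port-less flow", pkt))
            self.plain_nat[key] = None
        else:
            self.plain_nat[key] = pkt.src
        return Packet(pkt.proto, self.public_ip, pkt.dst)

    def outside2inside(self, pkt: Packet) -> Optional[Packet]:
        # stateful default deny: only replies to a tracked outbound flow are forwarded
        if pkt.dst != self.public_ip:
            self.log.append(("drop", "not addressed to the WAN ip", pkt))
            return None
        if pkt.proto in ("tcp", "udp"):
            entry = self.port_nat.get((pkt.proto, pkt.dport))
            if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
                self.log.append(("drop", "no tracked connection", pkt))
                return None
            client, cport, _, _ = entry
            return Packet(pkt.proto, pkt.src, client, pkt.sport, cport)
        client = self.plain_nat.get((pkt.proto, pkt.src))
        if client is None:
            self.log.append(("drop", "unknown or ambiguous port-less flow", pkt))
            return None
        return Packet(pkt.proto, pkt.src, client)


def demo() -> dict:
    fw = NatFirewall("192.168.1.", "203.0.113.7")
    server = "198.51.100.5"
    # two clients happen to pick the same source port; port NAT still keeps them apart
    o1 = fw.inside2outside(Packet("tcp", "192.168.1.10", server, 40000, 443))
    o2 = fw.inside2outside(Packet("tcp", "192.168.1.11", server, 40000, 443))
    r1 = fw.outside2inside(Packet("tcp", server, fw.public_ip, 443, o1.sport))
    r2 = fw.outside2inside(Packet("tcp", server, fw.public_ip, 443, o2.sport))
    unsolicited = fw.outside2inside(Packet("tcp", "198.51.100.9", fw.public_ip, 12345, 22))
    # constructed port-less protocol: fine for one client, ambiguous with two
    fw.inside2outside(Packet("noports", "192.168.1.10", server))
    single = fw.outside2inside(Packet("noports", server, fw.public_ip))
    fw.inside2outside(Packet("noports", "192.168.1.11", server))
    ambiguous = fw.outside2inside(Packet("noports", server, fw.public_ip))
    return {
        "public_ports": (o1.sport, o2.sport),
        "reply1": (r1.dst, r1.dport),
        "reply2": (r2.dst, r2.dport),
        "unsolicited": unsolicited,
        "portless_single": single.dst,
        "portless_ambiguous": ambiguous,
        "log": fw.log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the two tcp flows getting distinct public ports (1024 and 1025) so each server reply is delivered to the right client, the unsolicited inbound packet being dropped by the stateful default deny, and the port-less protocol working for one client but being dropped once a second client talks to the same server. Real netfilter conntrack keys tcp/udp entries on the full 5-tuple rather than a bare public port, but the limitation it hits with port-less protocols is the same one modelled here.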

Firewall difficult protocols

Some protocols can port jump and create connections in one or both directions "at will". A firewall that can moderate that kind of traffic needs to inspect the traffic stream. To do that a firewall must have proxies.

Some examples of protocols that can port jump and create additional connections are:

  • FTP passive
  • FTP active - if you enable proxy support for active FTP, your firewall can be "punctured" from the internet and is therefore almost useless.
  • Media streams (Media Player, iTunes...):
    • RTSP
    • Realmedia
    • Conferencing
    • VoIP, IP telephony:
      • H323
      • SIP
  • Some gaming protocols

DD-WRT

Your network device typically has more than two interfaces. DD-WRT has a stateful firewall, NAT and proxy functionality via netfilter, with iptables among other tools.

The default internal device network has two networks (non-802.11n example!):

  • vlan0 (built-in hardware switch) software-bridged with eth1 (wireless access point) - LAN private ip subnet 192.168.1.0/24, with ip configurations leased out by a DHCP server.
  • vlan1 - WAN with some ip address normally acquired via a DHCP client.

There is a default ip firewall with NAT between vlan0 and vlan1 on non-802.11n network devices.

See internal_device_network#Examples_of_changed_internal_network for other firewall examples.
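The default LAN/WAN layout above maps onto a short netfilter ruleset: stateful forwarding from LAN to WAN, masquerading on the WAN interface (MASQUERADE rather than SNAT, because the WAN address comes from a DHCP client and can change), and default deny for anything arriving from the WAN that does not belong to a tracked connection. The generator below is an added example, not the firewall script DD-WRT ships. It assumes the software bridge of vlan0 and eth1 is named br0 (the bridge name is not given on this page) and emits iptables-restore format; the only names taken from the page are vlan1 and 192.168.1.0/24.

```python
"""Build an iptables-restore file for the default DD-WRT non-802.11n layout.
Added example; br0 as the LAN bridge name is an assumption."""


def dd_wrt_ruleset(lan_if: str = "br0", wan_if: str = "vlan1",
                   lan_net: str = "192.168.1.0/24") -> str:
    filter_table = [
        "*filter",
        ":INPUT DROP [0:0]",       # local processes (web, SSH, DHCP) unreachable by default
        ":FORWARD DROP [0:0]",     # nothing is routed between interfaces by default
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # no -s restriction on the LAN side: DHCP requests arrive with source 0.0.0.0
        f"-A INPUT -i {lan_if} -j ACCEPT",
        f"-A INPUT -i {wan_if} -m state --state INVALID -j DROP",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # inside2outside: only packets with a LAN source may be forwarded to the WAN
        f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} -j ACCEPT",
        "COMMIT",
    ]
    nat_table = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # MASQUERADE follows whatever address the WAN DHCP client currently holds
        f"-A POSTROUTING -o {wan_if} -s {lan_net} -j MASQUERADE",
        "COMMIT",
    ]
    return "\n".join(filter_table + nat_table) + "\n"


def wan_is_default_deny(ruleset: str, wan_if: str = "vlan1") -> bool:
    """Check that no rule accepts unsolicited traffic arriving on the WAN interface."""
    lines = ruleset.splitlines()
    policies_drop = ":INPUT DROP [0:0]" in lines and ":FORWARD DROP [0:0]" in lines
    wan_accepts = [l for l in lines
                   if l.startswith("-A") and f"-i {wan_if}" in l and l.endswith("-j ACCEPT")]
    return policies_drop and not wan_accepts


if __name__ == "__main__":
    text = dd_wrt_ruleset()
    print(text)
    print("WAN default deny:", wan_is_default_deny(text))
```

`wan_is_default_deny` is the check a practitioner would run after editing the rules: the INPUT and FORWARD policies must be DROP and no rule may accept traffic purely on the basis of arriving on the WAN interface. The text can be loaded with `iptables-restore` on a host that has it; reply traffic for outbound connections is still admitted through the ESTABLISHED,RELATED rules.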

Netfilter iptables architecture

  • sns.ias.edu: Kernel space structure - simple packet journey through kernel (http://www.sns.ias.edu/~jns/files/iptables_talk/x14.htm)
    • The left and right upper red arrows together are the input and output of your network device's logical network interfaces (bridges = switches and vlans). The five blue balls represent the default firewall chain hook points. The "local process" is in your network device - e.g. remote management (WEB server, Telnet or SSH server), Samba server, PPPoE client, DHCP server(s) or client and so on.

See also

External links