Firewall

From DD-WRT Wiki

Current revision: 16:51, 19 May 2010, by Glenn (DD-WRT firewall - iptables - small chg)

The purpose of a firewall is to moderate (filter) traffic and/or log it. Most firewalls are built to moderate IP traffic and are called IP firewalls.

The simplest IP firewall has two physical interfaces, normally referred to as inside (LAN) and outside (WAN, the internet). It has two main access control lists (ACLs), e.g. named inside2outside and outside2inside: one for traffic leaving the LAN and one for traffic entering it.

Packet filter firewall

The simplest IP firewall, a packet filter, passes or drops each packet on its own, based on:

  • source IP address
  • destination IP address
  • IP protocol (TCP, UDP, ICMP, ...)
  • if TCP or UDP:
    • source TCP/UDP port
    • destination TCP/UDP port

It keeps no memory of earlier packets, so a reply to a connection a LAN host opened and an unsolicited inbound packet to the same port look alike to it; the only way to admit the reply is to open the port for everyone.

Stateful firewall

The better IP firewall, a stateful firewall, also passes packets one at a time, but where possible (e.g. TCP and UDP) it tracks the connection each packet belongs to. It can therefore admit replies to connections opened from the inside while rejecting unsolicited inbound packets. A stateful firewall can additionally moderate trackable traffic by:

  • number of connections per (source/destination) IP address
  • number of connections per interface
  • rate of connection attempts (to blunt SYN floods and packet storms)

In netfilter the tracking is done by conntrack, and an iptables rule matching the states ESTABLISHED,RELATED is what lets the replies back in; packets conntrack cannot classify are flagged INVALID and are best dropped.

NAT - Network Address Translation

Because of the IPv4 address shortage, the internet community began using NAT, so a firewall also needs to be NAT-aware: it rewrites addresses (and, for TCP and UDP, ports) on the way out and must map each reply back to the inside host that originated the connection.

NAT incompatible protocols

A real problem with NAT arises when more than one inside client (e.g. C1 and C2) connects to the same outside server IP address (S) with traffic that is neither TCP nor UDP. When a response packet later arrives from outside at the NAT device (the firewall), it cannot tell which client to hand it to. Examples of protocols with that problem:

  • IPsec: ESP (IP protocol 50) and AH (IP protocol 51)
  • PPTP: its data channel is GRE (IP protocol 47)
  • L2TP/IPsec: L2TP itself runs over UDP port 1701 and is NAT-able, but it is normally wrapped in IPsec ESP (IP protocol 50) and then shares IPsec's problem

Even if the traffic is unencrypted it cannot be deduced where to NAT an outside response packet if more than one inside client uses the same protocol to the same outside IP address. UDP and TCP are special because they have 65536 possible source and destination ports, which gives the connection tracker something to key on. The usual workarounds are to forward the portless protocol to exactly one inside host, or to use an encapsulation that adds ports: IPsec NAT-Traversal (NAT-T) carries ESP inside UDP port 4500 for exactly this reason.

Firewall-difficult protocols

Some protocols signal a port change in-line and/or create additional connections, in one or both directions, "at will". A firewall that wants to moderate that kind of traffic has to inspect the traffic stream. To do that a firewall must have transparent proxies, and is then called an application firewall. In netfilter this job is done by the connection tracking helpers (ALGs) such as nf_conntrack_ftp, nf_conntrack_sip, nf_conntrack_h323 and nf_conntrack_pptp, which parse the control channel and mark the expected data connections RELATED so the stateful rules let them through.

Some examples of protocols that port-jump and/or create additional connections are:

  • FTP passive
  • FTP active: if you enable helper/proxy support for active FTP, the firewall opens inbound ports based on addresses and ports parsed out of the control channel, so a client that can be made to send a crafted PORT command (e.g. by a malicious web page) can punch holes in the firewall from the internet. Only enable the helper where it is needed and, on kernels that support it, bind it explicitly to the FTP control port rather than letting it inspect every connection.
  • Media streams (Media Player, iTunes...):
    • RTSP
    • RealMedia
    • Conferencing
    • VoIP, IP telephony:
      • H.323
      • SIP
  • Some gaming protocols

DD-WRT firewall - iptables

DD-WRT has packet filtering, stateful firewalling, NAT and proxy (connection tracking helper) functionality, all provided by the Linux kernel's netfilter subsystem and configured with iptables.

The default internal device network has two networks (non-802.11n example!):

  • vlan0 (the built-in hardware switch), software-bridged with eth1 (the wireless access point): the LAN, private IP subnet 192.168.1.0/24, with IP configurations leased to clients by a DHCP server.
  • vlan1: the WAN, with an IP configuration normally acquired via a DHCP client.

There is a default IP firewall with NAT between vlan0 and vlan1 (on non-802.11n network devices). To see the rules actually in force on a router, log in via Telnet/SSH and run iptables -L -v -n (filter table) and iptables -t nat -L -v -n (NAT table); the packet and byte counters in the -v output show which rules are actually being hit.

See internal_device_network#Examples_of_changed_internal_network for other firewall examples.
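The following script, added here as an example and not DD-WRT's own firewall script, ties together the stateful rules and connection limits, the NAT masquerade, and the single-host pass-through for the portless VPN protocols described in the sections above, for the vlan0/eth1-to-vlan1 layout just described. It assumes the bridged LAN interface is named br0 (as on typical DD-WRT builds; vlan0 and eth1 are its members), the LAN is 192.168.1.0/24, the WAN is vlan1, and 192.168.1.10 is the one inside host that should receive GRE/ESP; the limit values are illustrative. By default it only prints the iptables commands; run it with IPT=iptables as root on the router to apply them.

```shell
#!/bin/sh
# Illustrative stateful NAT firewall for a DD-WRT-style router.
# Added example: not DD-WRT's own rc_firewall script. Interface names,
# subnet, VPN client address and limit values are assumptions.
# Dry run by default: the commands are printed. Use IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"               # vlan0 + eth1 bridged (assumed name)
WAN_IF="${WAN_IF:-vlan1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAX_CONN_PER_HOST="${MAX_CONN_PER_HOST:-100}"   # illustrative limits
SYN_RATE="${SYN_RATE:-50/s}"
SYN_BURST="${SYN_BURST:-100}"

flush_all() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
}

set_policies() {
    # Default deny for traffic to the router and through it; the router's
    # own outbound traffic is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

stateful_baseline() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Drop what conntrack cannot classify, then let anything that belongs to
    # a tracked connection (or is RELATED to one: FTP data, ICMP errors)
    # through. This one rule is what lets replies back in.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m state --state INVALID -j DROP
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

router_services() {
    # DHCP discover has source 0.0.0.0, so it is accepted by interface alone;
    # everything else from the LAN (web UI, SSH, DNS) is accepted by subnet.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Nothing from the WAN reaches the router's services: INPUT policy DROP.
}

lan_to_wan() {
    # inside2outside. A new TCP connection must start with SYN; cap the
    # concurrent connections per LAN host and the SYN rate so one infected
    # host cannot fill the conntrack table or flood the uplink.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --syn \
        -m connlimit --connlimit-above "$MAX_CONN_PER_HOST" --connlimit-mask 32 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --syn \
        -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --syn -j DROP
    # Remaining NEW traffic from the LAN (UDP, ICMP, ...) may go out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # outside2inside: no rule, so unsolicited inbound hits the DROP policy.
}

nat_masquerade() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

vpn_passthrough() {
    # GRE (47, PPTP data) and ESP (50, IPsec) carry no ports, so NAT can
    # hand inbound packets of these protocols to at most ONE inside host;
    # $1 is that host. IPsec clients using NAT-T (UDP 4500) need none of
    # this: to conntrack they are ordinary UDP.
    client="$1"
    for proto in 47 50; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -j DNAT --to-destination "$client"
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$client" -j ACCEPT
    done
}

apply_firewall() {
    flush_all
    set_policies
    stateful_baseline
    router_services
    lan_to_wan
    nat_masquerade
    vpn_passthrough "${VPN_CLIENT:-192.168.1.10}"
}

apply_firewall
```

Rule order matters: the ESTABLISHED,RELATED rule comes first so the per-host and SYN-rate limits are only evaluated for connection attempts, and the final `--syn -j DROP` is what turns the `-m limit` match into a real cap rather than a no-op.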

Netfilter iptables architecture

  • sns.ias.edu: Kernel space structure - simple packet journey through kernel (http://www.sns.ias.edu/~jns/files/iptables_talk/x14.htm)
    • In that diagram the left and right upper red arrows together are the input and output of your network device's logical network interfaces (bridges = switches, and VLANs). The five blue balls represent the five netfilter hook points, where the default chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING are attached; a forwarded packet crosses PREROUTING, FORWARD and POSTROUTING, while a packet for or from the router itself crosses PREROUTING and INPUT, or OUTPUT and POSTROUTING. The "local process" is your network device's own service process(es), e.g. remote management (web server, Telnet or SSH server), Samba server, PPPoE client, DHCP server(s) or client, and so on.
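To see this journey on a live router rather than in a diagram, the following script, added here as an example and not from the DD-WRT wiki, installs TRACE rules in the raw table for one host and reduces the resulting kernel log lines to the list of table:chain hops the packet crossed. The host address 192.168.1.100, the interface names and the sample log lines are constructed, not captured; by default it prints the iptables commands, and IPT=iptables as root applies them.

```shell
#!/bin/sh
# Follow one host's packets through the netfilter hook points with the
# TRACE target. Added example, not from the DD-WRT wiki. Dry run by
# default (commands are printed); use IPT=iptables as root to apply.
# TRACE needs a log backend: "modprobe ipt_LOG" on 2.6 kernels, or
# "sysctl -w net.netfilter.nf_log.2=nf_log_ipv4" on 3.x and later.
IPT="${IPT:-echo iptables}"

trace_on() {
    # $1: address whose packets to follow (assumed argument). The raw
    # table's PREROUTING and OUTPUT chains sit on the first hooks a packet
    # meets, so TRACE is attached there; from then on the kernel logs each
    # table:chain:rule the packet passes until a verdict is reached.
    # Replies to a masqueraded connection still carry the WAN address at
    # this point, so match those with -d <WAN address> (or -p/--dport).
    host="$1"
    $IPT -t raw -A PREROUTING -s "$host" -j TRACE   # packets arriving from the host
    $IPT -t raw -A OUTPUT -d "$host" -j TRACE       # the router's own packets to it
}

trace_off() {
    host="$1"
    $IPT -t raw -D PREROUTING -s "$host" -j TRACE
    $IPT -t raw -D OUTPUT -d "$host" -j TRACE
}

# A TRACE log line has the form
#   TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> IN=... OUT=... SRC=...
# parse_trace reduces it to "<table> <chain> <type> <rulenum>".
parse_trace() {
    printf '%s\n' "$1" |
        sed -n 's/^.*TRACE: \([^:]*\):\([^:]*\):\([^:]*\):\([0-9]*\).*$/\1 \2 \3 \4/p'
}

# Reduce a stream of kernel log lines (e.g. from dmesg) to the hop list.
trace_hops() {
    while IFS= read -r line; do
        case "$line" in
            *"TRACE: "*) parse_trace "$line" ;;
        esac
    done
}

show_trace() { dmesg | trace_hops; }

# Constructed sample, not a real capture: roughly what a LAN host's SYN to a
# web server produces on its way out. It crosses three of the five hook
# points, PREROUTING (raw, mangle, nat), FORWARD (mangle, filter) and
# POSTROUTING (mangle, nat); the nat POSTROUTING rule is the masquerade.
sample_trace() {
    cat <<'EOF'
[ 6230.101] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: nat:PREROUTING:policy:1 IN=br0 OUT= SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: mangle:FORWARD:policy:1 IN=br0 OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: filter:FORWARD:rule:5 IN=br0 OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
[ 6230.101] TRACE: nat:POSTROUTING:rule:1 IN= OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
EOF
}

# Example run: print the rules to install, then the hop list for the sample.
trace_on 192.168.1.100
sample_trace | trace_hops
```

On a router, run `trace_on <host>`, reproduce the traffic, then `show_trace`; remember `trace_off <host>` afterwards, since TRACE logs every packet and the kernel log on a small router fills quickly. A hop of type "policy" means the packet fell off the end of that chain; "rule:N" names the rule that gave the verdict or jumped to another chain.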

See also

  • FirewallExample: DD-WRT Firewall Example
  • Iptables_command: iptables commands (written for DD-WRT)

External links

  • Firewall (http://blog.eukhost.com/webhosting/firewall/): generic and short, purpose and processes.
  • sns.ias.edu, James Stephens: Iptables (http://www.sns.ias.edu/~jns/wp/category/linux/unix-security/iptables/)
    • IPTABLES - An Overview (http://www.sns.ias.edu/~jns/files/iptables_talk/t1.htm): short and good, overheads.
      • Kernel space structure - simple packet journey through kernel (http://www.sns.ias.edu/~jns/files/iptables_talk/x14.htm). Please note that the left and right upper red arrows together are the input and output of your network device's logical network interfaces.
    • Comprehensive and well documented NAT-less iptables ruleset and startup script:
      • Iptables example ruleset (http://www.sns.ias.edu/~jns/files/iptables_ruleset)
      • A simple accompanying startup script (http://www.sns.ias.edu/~jns/files/iptables_startup_script)
      • The updated ruleset (http://www.sns.ias.edu/~jns/files/iptables_ruleset_updated)
  • Wikipedia: Netfilter
    • netfilter.org: Documentation about the netfilter/iptables project (http://www.netfilter.org/documentation/), mailing lists (http://lists.netfilter.org/pipermail/netfilter/)
    • people.netfilter.org: Netfilter Performance Testing (http://people.netfilter.org/kadlec/nftest.pdf)
  • interhack.net: Internet Firewalls: Frequently Asked Questions (http://www.interhack.net/pubs/fwfaq/). Good.
  • Web archive backup (be patient): Kernel Packet Traveling Diagram (http://web.archive.org/web/20040213231735/www.docum.org/stef.coene/qos/kptd/). Quote: "...On the LARTC mailing list, there was a long discussion about how a packet is handled by the kernel. Finally, there was a post by Leonardo Balliache that I copied onto this page. I hope this helps people to better understand how it all works...". Good ASCII drawing of the ethernet/IP packet journey through the Linux kernel. Simplify the drawing for yourself if you do not use some of the processes.
  • Another good drawing of the ethernet/IP packet journey through the Linux kernel, with some actions written in (http://open-source.arkoon.net/kernel/kernel_net.png)
  • Iptables-tutorial (http://www.frozentux.net/documents/iptables-tutorial/), e.g. on-line:
    • Iptables Tutorial, Oskar Andreasson (http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html). Good and very thorough.
  • Ipsysctl-tutorial (http://www.frozentux.net/documents/ipsysctl-tutorial/), e.g. on-line:
    • Ipsysctl tutorial, Oskar Andreasson (http://www.frozentux.net/ipsysctl-tutorial/ipsysctl-tutorial.html). Good and very thorough.
  • sans.org: SANS InfoSec Reading Room - Firewalls & Perimeter Protection (http://www.sans.org/reading_room/whitepapers/firewalls/), notably:
    • Netfilter and IPTables: A Structural Examination (http://www.sans.org/reading_room/whitepapers/firewalls/netfilter-iptables-structural-examination_1392). Good.
  • My Firewall Page - "A Firewall is a concept..." (http://www.commontology.de/security/firewalls/fire0.html). Quote: "...Generic Packet-Filter Ruleset...Keep in mind that these hints are for a single workstation-computer connected to the Internet..."
  • Firewall Knowledgebase (http://blog.webhosting.uk.com/uk-website-hosting/firewall/), notably:
    • Setting up an iptables firewall (http://blog.webhosting.uk.com/web-hosting/some-thing-about-iptables/)
    • How to set a firewall for Linux (http://blog.webhosting.uk.com/web-hosting/how-to-set-firewall-for-linux/)
  • DD-WRT Specific IPTables Info (http://www.remoteroot.net/category/firewall/)
  • OpenWRT Advanced Firewall (http://garycourt.com/blog/post/openwrt-advanced-firewall/)