Hey Everyone:


>> - All interfaces (any network cards, the localhost
>> interface, etc) on a Linux box have INPUT, OUTPUT,
>> and FORWARD rules.
>>
>So does that mean I have to write -I rules AND -O rules
>for BOTH NIC ??? 

You don't have to but you won't be securing the Linux box 
very well without them.  

If you -do- want a good security firewall, you will need
to have both INPUT and OUTPUT rules for EVERY interface
that shows in "ifconfig".  



>> And you haven't specified what your output rules are.  (hint: you
>> go through output rules before you go through forwards rules)
>>
>So you mean Forward rules are led by the Output ones?


Correct.  Traffic would go:

input from
Internet ----> network card ----> INPUT rule on port 23 ---->  TELNET server
                                                               _____________
                                                                    |
                                                                    |
output to                                                           |
Internet<---- FORWARD rule <---- OUTPUT rule on some HIGH port <----+
            


I've, yet again, updated the "how firewalls work" diagram in
TrinityOS [Section 10] to reflect this.




>> If the packet is to be forwarded, it is passed through the
>> FORWARD ruleset.
>I start to be very confused : when do I know
>a packet has to be forwarded ?

A packet only needs to be FORWARDed if it has to go to a DIFFERENT
NETWORK.  So, say I have the following:

        Internet IP address:            132.241.185.20
        Private MASQ IP address:        192.168.0.1

If I have an NT machine on the private MASQ lan, it would have
an IP of say, 192.168.0.10.  If this NT machine needs to
get to the Internet, its traffic must somehow get onto
the 132.241.185.x network.  Right?

Notice how we are going from one network to the other?
(totally different IP addresses)  So, once the 192.168.0.10
traffic is received by the Linux BOX, it's FORWARDed to the
132.241.185.20 address (MASQed).

So again, packets are FORWARDed if the packets have 
different network addresses.  Got it?


>> From the above, you can see that a packet which is being forwarded
>> through your masq box will be passed by all three rulesets:  Through
>> INPUT when it comes in, through FORWARD when it gets forwarded, and
>> through OUTPUT when it goes out.
>Very confused...
>Does that mean the -F rules lead the packets' behaviour
>between my 2 NICs in the linux box ??

No.  Again..  a packet goes INPUT (always checked), then FORWARD 
(OPTIONAL for some packets only if it is going to a different
network), then OUTPUT (always checked).


>- Incoming traffic on the Internal Lan.
>       Traffic from private host to the linux box on the internal NIC
>       So any traffic from the external NIC with one of my private
>       address is IP spoofing.

Correct.


>- Incoming traffic on the External Lan.
>       Traffic from the world to the linux box.
>       This one is very important in terms of security.

Correct.  I filter ALL incoming traffic from the Internet except
for DNS, Sendmail, and some traffic to some explicitly allowed
machines out on the Internet.


>- Outgoing traffic on the Internal Lan.
>       Traffic from my linux box to the private Lan.
>       In the same way, all traffic toward the private Lan
>       from the external Nic is spoofing.

Be careful here.  There is Outgoing traffic or OUTPUT
rules on both the external AND internal interfaces.  Remember,
data flows in BOTH directions and both IPFWADM and IPCHAINS
allow you to control both directions.

So, if you have an external NIC card, an Internal NIC card,
and LOCALHOST on the Linux box itself.  That's:

        (3) input rules
        (3) output rules
        possibly (1) forward rule if you want to MASQ.


>- Outgoing traffic on the External Lan.
>       Traffic from the Linux box to the world.
>       What do I want my linux box to answer to?

Initially, you usually want ALL internal MASQ traffic to
get OUT to the Internet but -ONLY- allow the return HIGH
ports back -IN- (i.e. an INPUT rule) to your machine.

Later, if you want specific machines out on the Internet to
access your machine with say TELNET, you need to explicitly
configure your firewall to let those packets in (on PORT 23).

Again remember that most TCP/IP communications consist of
a low port (say port 80 for WWW) and a return port (say
port 3200 - Determined randomly by the two TCP/IP protocol
stacks on each computer).


>- Forwarding traffic from the Internal Lan.
>       ?????????

Like above, your Internal LAN is on a private addressing scheme.
Since you are going from 192.168.x.x to say 132.241.185.x, your
traffic has to be FORWARDed to the other network to get out.


>(and then come the rules for the trusted hosts
>and the ones for portforwarding...)

Exactly.


>> Just to clarify a little - by default TCP/IP uses high ports 1024:65535 when
>> talking to any low port 0:1023.  (In practice the linux kernel only uses
>> ports 1k:32k).
>..., I have to enable High ports for Input Rules if I want
>the telnet I do on external box to work

Correct.  Though you might let port 23 OUT of your Linux
box, if you don't allow ports 1024-65535 back INTO your
Linux box, TELNET won't work.

Now, I don't want to confuse you more but you might be thinking
that letting in ALL high ports back into your Linux box is 
a BAD thing.  

You know what?......  YOU'RE RIGHT!  Realistically,
it would be nice to only allow in the return HIGH ports
that are needed.  This is what the "-k" option in IPFWADM
or the "! -y" option in IPCHAINS is for.  The problem is,
IPFWADM and IPCHAINS aren't smart enough to understand all
TCP/IP programs such as TELNET, WWW, SSH, etc.  So, some
programs can limit down the allowed return HIGH PORT with
"-k" or "! -y" while other programs must be configured to
allow -ALL- high 1024-65535 ports in.

Bummer huh?  Just to clarify this a little more, corporations
with firewalls don't have this problem.  Why?  Because they
use what is called "Statefully Inspected Firewalls" whereas
Linux IPFWADM/IPCHAINS are only "packet firewalls".

Stateful firewalls actually listen to ALL network traffic 
step-by-step to make sure that everything is going 100% 
correctly.  

Analogy:  

   packet firewall:  A packet firewall only checks for
                            source and destination IP addresses
                            and port numbers.  Kinda like
                            a strainer for different colored
                            marbles (if one exists).

   Stateful Firewall: A stateful firewall not only checks
                        for source and destination IP addresses
                        and port numbers, but also LISTENS to
                        all TCP/IP communications to make sure
                        that all of the "communications" are
                        following procedure.  Think of it as
                        a realtime grammar and spell checker for
                        "languages" like TELNET, WWW, etc.
                        Hackers try to re-write the "language"
                        to try to break into things, crash things,
                        etc.  A stateful firewall will see a
                        given TCP/IP connection doing stuff that
                        TELNET shouldn't and it then simply drops
                        that connection.  Much better huh?


So your next question should be:  "I want a statefully inspected
firewall and NOT a packet firewall.  Where do I get one?!?!"

Well.. it doesn't exist... YET.  The project has started but
it isn't finished yet.  If you want to find out more about
Statefully Inspected firewalls for Linux, check these URLs
out.  (from TrinityOS : Section 44 :  IP Chains)

--
        The beginnings of Stateful Inspection for Linux:

                2.0.x kernels
                http://www.ifi.unizh.ch/ikm/SINUS/firewall.html

                2.1.x kernels
                ftp://ftp.interlinx.bc.ca/pub/spf
--

I hope this all helped!  

PS. I just added all this to the TrinityOS doc too!  :)



--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
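An added illustration, not part of David's mail or TrinityOS: a small Python model of the INPUT -> (FORWARD) -> OUTPUT walk described above, using the thread's addresses (132.241.185.20 on the Internet side, 192.168.0.1 on the private MASQ LAN). The interface names eth0/eth1, the accepted service ports and the packet dicts are constructed assumptions; the "! -y" / "-k" idea is modelled as "accept a high destination port only when the packet is not a new SYN".

```python
import ipaddress

# Constructed model of the ipchains-era walk the mail describes:
# INPUT (always) -> FORWARD (only when the packet must cross networks) -> OUTPUT.
# Addresses come from the thread; eth0 (Internet) / eth1 (private LAN) are assumed.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")     # private MASQ LAN
BOX_ADDRS = {ipaddress.ip_address("132.241.185.20"),  # the box on the 132.241.185.x side
             ipaddress.ip_address("192.168.0.1")}     # the box on the private side
SERVICE_PORTS = {25, 53}   # what the box accepts from the Internet (Sendmail, DNS)

def input_chain(pkt):
    """INPUT: anti-spoofing per interface, then service / return-port policy."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] == "eth0" and src in LAN_NET:       # private src on the external NIC
        return "DENY (spoofed)"
    if pkt["iface"] == "eth1" and src not in LAN_NET:   # non-private src on the internal NIC
        return "DENY (spoofed)"
    if pkt["iface"] != "eth0":
        return "ACCEPT"                                  # LAN and lo traffic is trusted here
    if pkt["dport"] in SERVICE_PORTS:
        return "ACCEPT"
    # Return traffic to a high port is let back in only when it is not a new SYN,
    # which is what "! -y" (ipchains) / "-k" (ipfwadm) express.
    if pkt["dport"] >= 1024 and not pkt["syn"]:
        return "ACCEPT"
    return "DENY"

def forward_chain(pkt):
    """FORWARD: only private LAN -> other network traffic is forwarded (and MASQed)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return "MASQ" if src in LAN_NET and dst not in LAN_NET else "DENY"

def walk(pkt):
    """Return the (chain, verdict) steps a packet takes through the box."""
    trace = [("INPUT", input_chain(pkt))]
    if trace[-1][1] != "ACCEPT":
        return trace
    if ipaddress.ip_address(pkt["dst"]) in BOX_ADDRS:
        trace.append(("LOCAL", "deliver"))   # addressed to the box itself: no FORWARD
        return trace
    trace.append(("FORWARD", forward_chain(pkt)))
    if trace[-1][1] != "DENY":
        trace.append(("OUTPUT", "ACCEPT"))   # leaves via the other interface
    return trace

if __name__ == "__main__":
    lan_to_web = {"iface": "eth1", "src": "192.168.0.10", "dst": "132.241.185.40", "dport": 80, "syn": True}
    spoofed = {"iface": "eth0", "src": "192.168.0.10", "dst": "132.241.185.20", "dport": 80, "syn": True}
    for p in (lan_to_web, spoofed):
        print(p["iface"], p["src"], "->", p["dst"], walk(p))
```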