
Firewall

The firewall is in charge of filtering the data that enters and leaves the local network or workstation. To do this it follows the rules configured on the server, so that legitimate traffic flows comfortably while applications or commands that a user could misuse, or that some intruder on the Internet could attack remotely, are blocked.


A firewall can be thought of as a fire barrier that protects the system's ports from attacks. Some of these are simple but very harmful, such as a DoS (Denial of Service) attack, which floods the system with massive numbers of packets, saturating the bandwidth of our Internet connection until the modem stops responding to the upstream server and loses the link, showing us a ping timeout. Others are more harmful still, such as malicious code slipped into downloads of free software packages. A firewall can prevent all of this and more; that is its main function: blocking the passage of code or files that we do not want to let through, or limiting the use of the transfer, putting up a fire barrier around our system.


Kinds of Firewalls:

  • Guarddog: One of the many Open Source programs and one of the most brilliant graphical firewalls for GNU/Linux, with a comfortable Gtk application, especially suited to novices in GNU/Linux security. Its main function is generating and managing the firewall rules of the Linux system. It is made basically for KDE. It lets you specify which protocols should be allowed to pass through the firewall and requires no knowledge of port numbers; it generates scripts for ipchains or iptables depending on the kernel version.
  • Firestarter: Another graphical interface that is very easy to use. It works like most Linux firewalls, also allowing Internet connection sharing, and is suitable for desktops, local servers and gateways; you can set up DHCP for a local network. It has some great functions, such as kernel tuning features, activating network connections, and viewing real-time firewall events on your system.
  • IPTables: The most famous and most secure firewall. I include it here because, although iptables works like a firewall, it is more than a firewall: it is a security system for Linux that works with the kernel and the whole GNU/Linux OS. All the other Linux firewalls are front-ends to iptables, or to ipchains on old kernel versions.

The firewall controls and filters the data entering and leaving a local or remote server: it is the one that offers, denies or accepts requests from a remote terminal, controlling the server's protocols through the ports that are used and generally known on a GNU/Linux system.

Next, I will list the ports most commonly used by a server or workstation:


Application Protocols:

  • HTTP: (Hyper Text Transfer Protocol), served by a daemon called Apache; this daemon implements HTTP so that it works on your server, in such a way that a user consulting your site can see it through this daemon on your network station.
  • SMTP: (Simple Mail Transfer Protocol), served by a daemon called SMTPD; this daemon implements SMTP to work with the local mail station, so that you can have an electronic mail server on your network station, sending mail through the server. It is a text-based protocol used for exchanging electronic mail messages between computers or different devices such as cellphones, iPods, PDAs, etc.
  • POP3: (Post Office Protocol 3), served by a daemon called POP3; this application was designed to manage access to and transfer of electronic mail messages between two machines, or across a world-wide network (WAN) called the Internet, transferring the data from the server until it reaches the terminal of some user.
  • FTP: (File Transfer Protocol), This protocol is served by several daemons, such as VSFTP, ProFTPD, CrushFTP, SurgeFTP, PureFTPD, Wu-FTPD, etc. The objective of an FTP server is to manage access, transfer and reception of files on the server, from the server to the user or from the user to the server.
    • VSFTP: Very Secure File Transfer Protocol, a simple server and really very secure.
    • ProFTPD: Professional File Transfer Protocol Daemon, unquestionably very good and configurable. (recommended)
    • CrushFTP: Crush File Transfer Protocol Server, lets you serve files from your computer, or from any other computer on the Internet that is running an FTP server.
    • SurgeFTP: Surge File Transfer Protocol Server, an FTP server with SSL (Secure Sockets Layer) / TLS (Thread-Local Storage) security, easy management and cross-platform support; this server works on Linux, Solaris and Windows platforms.
    • PureFTPD: Pure File Transfer Protocol Daemon, a free (*BSD), secure, production-quality and standards-conformant FTP server based on Troll-FTPd. It does not provide useless bells and whistles but focuses on efficiency and ease of use. It is now also available for GNU/Linux.
    • Wu-FTPD: Washington University File Transfer Protocol Daemon, an FTP server based on the BSD ftpd and maintained by Washington University; it also works on GNU/Linux and Windows platforms, and is unquestionably the FTP daemon best known to users around the world.
  • TELNET: (Telephone Network), served by a daemon called telnetd; the objective of this application is remote access to a terminal for the user, to be able to operate the system and configure it remotely. It is little used now, since it has been replaced by the server application SSH (Secure Shell) and SSH2 (Secure Shell Version 2).
  • SSH: (Secure Shell), This protocol has revolutionized the new era of remote server access; ssh is a dedicated server which, as mentioned, provides remote access to a workstation or server in a safe and reliable way for the sysadmin.
  • SSL: (Secure Sockets Layer), a protocol designed by the company Netscape Communications, creator of the Netscape web browser. This protocol allows the connection to be encrypted while guaranteeing authentication of the peer; it is based on asymmetric cryptography and the concept of certificates. A version standardized by the IETF (Internet Engineering Task Force) is known as TLS (Thread-Local Storage).

Number   Nickname        Daemon
80       HTTP            apache/apache2
25       SMTP            smtpd
110      POP3            pop3
21       FTP             *FTPD
23       TELNET          telnetd
22       SSH             sshd
443      HTTP with SSL
992      POP3 with SSL
631      CUPS            Printer Linux
3306     MySQL           MySQL Server

Connection Protocols:

  • TCP: (Transfer Control Protocol), This protocol is one of the fundamental protocols of the Internet. Many applications within a local area network use TCP to create connections between themselves through which they can send data; TCP is used mainly so that the data arrives without problems of any kind and in the same sequence in which it was transmitted.
  • UDP: (User Datagram Protocol), This transport-level protocol is based on the exchange of datagrams; it allows datagrams to be sent through the network without previously establishing a connection, since the datagram itself carries sufficient addressing information in its header. It is used for large amounts of data such as voice or video, where transmitting quickly matters more than every byte of information arriving completely.

Transfer Protocols:

  • IP: (Internet Protocol)
    • IPv4: (Internet Protocol Version 4), This was the first version of the protocol to be widely implemented, with a design that formed the basis of the Internet. IPv4 uses 32-bit addresses, limiting it to 4,294,967,296 unique addresses, many of which are dedicated to local networks (LANs). This limitation helped stimulate the push towards IPv6, which is currently in its first stage of implementation and is expected to replace IPv4, with an improved implementation using 64-bit addresses without any problem in data transfer.
    • IPv6: (Internet Protocol Version 6), IPv6 is destined to replace the IPv4 standard, whose limit on the number of permissible network addresses is beginning to restrict the growth and use of the Internet. The new standard will improve service globally: IPv4 supports 4,294,967,296 (4.294×10^9) different network addresses, whereas IPv6 supports 3.4×10^38 (340 undecillion) addresses, nearly 4.3×10^20 (430 quintillion) addresses for each square inch (6.7×10^17 (670 quadrillion) addresses/mm²) of the Earth's surface.
  • ICMP: (Internet Control Message Protocol), This protocol is one of the central protocols of the Internet, used by operating systems to send error messages over the computer network, thereby indicating to the system operator that some application is unavailable or that some host cannot be reached by the system.
  • IGMP: (Internet Group Management Protocol), This protocol is used to exchange membership state information between IP routers that support multicast: individual hosts report their membership in multicast groups, and multicast routers periodically check the membership state. This protocol acts when we traceroute some host or IP, giving information about the group where the host or IP sits in its main network and about the several IP terminals of its network.
  • IPX: (Internetwork Packet Exchange), This protocol is used to transfer data between the server and the programs on the workstations. The data is transmitted in datagrams. It is the Netware communication protocol for exchanging packets across internetworks, used to route messages from one node to another.

Network Protocols:

  • Eth: (Ethernet), Determines how the network ports send and receive on a shared physical medium; it behaves like a logical bus, independently of its physical configuration, and was originally designed to send data at 10 Mbps. Ethernet works electronically: the data that is in machine language (binary) is converted to analog form to send it from the computer to the Internet, and inversely to receive data, which is done by free electrons and holes on the atoms of a semiconductor.
  • Fast-Eth: (Fast Ethernet), High-speed Ethernet (100 Mbps, as distinct from regular Ethernet at 10 Mbps). Two competing technologies arose from the IEEE. The first, IEEE 802.3 100BaseT, uses the CSMA/CD access method with some modifications; the second, IEEE 802.12 100BaseVG, adapted from HP's 100VG-AnyLAN, uses a demand-priority method instead of CSMA/CD. For example, real-time voice and video could be given greater priority than other data. This physical device, Fast Ethernet, came to replace its old predecessor, Ethernet, growing its capacity from 100 Mbps to 1 Gbps.
  • Ppp: (Point to Point Protocol), This was designed to make the first local networks and Internet connections possible, which were standardized over telephone modems of very low capacity, from 12.2 Kbps to 56 Kbps, being thus the first device used to build computer networks.
  • Wi-Fi: (Wireless Fidelity), This is a set of standards for wireless networks based on the IEEE 802.11 specifications. Wi-Fi was created for use in wireless local networks, but nowadays it is also frequently used for Internet access. Having revolutionized local networks, it is now being applied to Internet networks, achieving great success.

These protocols are the reason a firewall works for the good of data transfer and to avoid malicious data that could damage the system during a transfer between the peripherals of a local server.

Now we will explain practically how this happens, with some demonstrations from a GNU/Linux console.

gin@gin:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
tcp6       0      0 *:81                    *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 ip6-localhost:smtp      *:*                     LISTEN
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*

Here we can see the protocols: TCP, TCP6 (the new version) and UDP. The protocols are serving server daemons: *:ftp (ProFTPD), *:81 (HTTP/Apache server; the default port is 80, but I made a change :) ), *:ssh (Secure Shell server), localhost.localdom:smtp (SMTPD, Simple Mail) and other services. All of them are in the LISTEN state on their port, but the UDP sockets show no state, because by default the iptables firewall does not run the UDP protocols, for the security of the system, and besides they cannot LISTEN because they are applications for the system's personal use. We can also see that Apache, SSH and SMTP are on the TCP6 protocol, which is why the servers default to the new TCP version.
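As an added example (not part of the original page), the small shell script below parses output in the format `netstat -l` prints above and separates sockets bound to the wildcard address, which any host on the network can reach, from sockets bound to localhost, which only local clients can reach. The sample text in NETSTAT_SAMPLE is constructed to match the listing above, and the functions classify_sockets and network_exposed are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's own code: classify the listening sockets
# reported by `netstat -l` by who can reach them. A service bound to the
# wildcard address (*:port, 0.0.0.0 or ::) accepts connections from the
# network; one bound to a loopback name only serves local clients.

# Constructed sample, copied from the netstat -l listing on the page.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
tcp6       0      0 *:81                    *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 ip6-localhost:smtp      *:*                     LISTEN
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*'

# classify_sockets: read netstat output on stdin and print one line per
# socket as "<proto> <service> <scope>", where scope is "network" for
# wildcard binds and "local" for everything else.
classify_sockets() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            # The local address is host:service; the service is the text
            # after the last colon (IPv6 hosts contain colons themselves).
            n = split($4, parts, ":")
            svc = parts[n]
            host = substr($4, 1, length($4) - length(svc) - 1)
            scope = (host == "*" || host == "0.0.0.0" || host == "::") ? "network" : "local"
            print $1, svc, scope
        }'
}

# network_exposed: only the services reachable from the network, as
# "proto/service", sorted and de-duplicated.
network_exposed() {
    classify_sockets | awk '$3 == "network" { print $1 "/" $2 }' | LC_ALL=C sort -u
}

# Dry run over the constructed sample.
printf '%s\n' "$NETSTAT_SAMPLE" | network_exposed
```

On a live system the same functions can be fed with `netstat -ln` (or `netstat -l`) directly; the point of the split is that every entry in the "network" list is a service the firewall rules have to account for, whereas the "local" entries are unreachable from eth0 regardless of the rules.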

Next we will check how the statistics of the server look.

gin@gin:~$ netstat -s
Ip:
    3895922 total packets received
    0 forwarded
    0 incoming packets discarded
    3895920 incoming packets delivered
    3887058 requests sent out
Icmp:
    478 ICMP messages received
    15 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 438
        timeout in transit: 15
        echo requests: 22
        echo replies: 3
    3059 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 3037
        echo replies: 22
Tcp:
    3850 active connections openings
    6015 passive connection openings
    0 failed connection attempts
    72 connection resets received
    4 connections established
    3867894 segments received
    3869722 segments send out
    4457 segments retransmited
    0 bad segments received.
    11432 resets sent
Udp:
    24511 packets received
    3037 packets to unknown port received.
    0 packet receive errors
    14283 packets sent
TcpExt:
    3 resets received for embryonic SYN_RECV sockets
    438 ICMP packets dropped because they were out-of-window
    1065 TCP sockets finished time wait in fast timer
    181904 delayed acks sent
    1 delayed acks further delayed because of locked socket
    Quick ack mode was activated 107 times
    1740027 packets directly queued to recvmsg prequeue.
    20258879 of bytes directly received from backlog
    180669753 of bytes directly received from prequeue
    288989 packet headers predicted
    1567652 packets header predicted and directly queued to user
    21106 acknowledgments not containing data received
    1714731 predicted acknowledgments
    16 times recovered from packet loss due to SACK data
    Detected reordering 4 times using FACK
    1 congestion windows partially recovered using Hoe heuristic
    93 congestion windows recovered after partial ack
    4 TCP data loss events
    3 timeouts after reno fast retransmit
    14 timeouts after SACK recovery
    7 timeouts in loss state
    29 fast retransmits
    14 forward retransmits
    35 retransmits in slow start
    1698 other TCP timeouts
    3 sack retransmits failed
    68 times receiver scheduled too late for direct processing
    52 DSACKs sent for old packets
    67 DSACKs received
    27 connections reset due to unexpected data
    42 connections reset due to early user close
    2 connections aborted due to timeout

Now you can see the statistics of the server, which the system keeps by default: Ip, Icmp, Tcp, Udp and TcpExt. All of them show reasonably good traffic at a minimum.
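As an added example, not from the original page, the script below extracts individual counters from `netstat -s` output by section, which is more reliable than eyeballing the listing. It also shows one thing worth checking in these statistics: datagrams that arrive at closed UDP ports are answered with ICMP destination unreachable unless a firewall drops them, and in the listing above the 3037 "packets to unknown port received" match the 3037 "destination unreachable" messages sent. The sample in NETSTAT_S_SAMPLE is constructed from the Ip, Icmp, Tcp and Udp sections above; netstat_counter and udp_unknown_port_percent are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's own code: read single counters out of
# `netstat -s` by section name and description.

# Constructed sample, cut down from the netstat -s listing on the page.
NETSTAT_S_SAMPLE='Ip:
    3895922 total packets received
    0 incoming packets discarded
Icmp:
    478 ICMP messages received
    3059 ICMP messages sent
    ICMP output histogram:
        destination unreachable: 3037
Tcp:
    0 failed connection attempts
    72 connection resets received
    11432 resets sent
Udp:
    24511 packets received
    3037 packets to unknown port received.
    0 packet receive errors'

# netstat_counter SECTION "description": read netstat -s output on stdin and
# print the number in front of the matching description inside SECTION
# (for example: netstat_counter Udp "packets to unknown port received").
# Counter lines look like "<count> <description>", some with a trailing ".".
netstat_counter() {
    awk -v sec="$1:" -v key="$2" '
        /^[A-Za-z]+:$/ { insec = ($1 == sec); next }   # unindented "Udp:" style header
        insec {
            line = $0
            sub(/^[ \t]+/, "", line)                   # strip indentation
            sub(/\.$/, "", line)                       # strip trailing period
            count = line; sub(/ .*/, "", count)        # leading number
            desc = line;  sub(/^[0-9]+ /, "", desc)    # the rest of the line
            if (desc == key) { print count; exit }
        }'
}

# udp_unknown_port_percent "<netstat -s text>": share of received UDP
# datagrams that hit a port nobody was listening on. A high share relative
# to normal traffic is one indicator of port scanning against the host.
udp_unknown_port_percent() {
    stats=$1
    total=$(printf '%s\n' "$stats" | netstat_counter Udp "packets received")
    unknown=$(printf '%s\n' "$stats" | netstat_counter Udp "packets to unknown port received")
    [ "${total:-0}" -gt 0 ] || { echo 0; return; }
    echo $(( unknown * 100 / total ))
}

# Dry run over the constructed sample.
printf '%s\n' "$NETSTAT_S_SAMPLE" | netstat_counter Tcp "resets sent"
udp_unknown_port_percent "$NETSTAT_S_SAMPLE"
```

On a live host the same call reads `netstat -s | netstat_counter Tcp "failed connection attempts"`, and comparing two readings taken some minutes apart gives a rate rather than a lifetime total.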


Now it is time to demonstrate how we can configure our firewall suitably for good data traffic on the protocols, and it will be demonstrated with IPTables. We will use the commands logically; if you do not understand the commands very well, you will find them explained in the Linux Iptables section.

gin@gin:~$ /sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -j ACCEPT
FATAL: Error inserting ip_tables (/lib/modules/2.6.10-5-k7/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
iptables v1.2.11: can't initialize iptables table `filter': Permission denied (you must be root)
 
"First you should be sure that you're super user (root) :)"
 
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -j ACCEPT
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
root@gin:~ #

Ready. Now we can see that I accept the INPUT from whatever IP, because I did not specify the IP allowed to access the web, with sport (source) and dport (destination) port "80", interface "eth0" (main board), protocol TCP. Check http://giin.us to verify.

root@gin:~ # ssh -l gin pc.giin.us
 
The authenticity of host 'pc.giin.us (200.66.2.89)' can't be established'.
RSA key fingerprint is a9:9f:b0:9a:ba:9d:f2:29:8a:88:38:5f:f6:27:e4:80.
Are you sure you want to continue connecting (yes/no)?
 
"So far it works, before the command"
 
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport ssh -j DROP
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport ssh -j DROP
 
"This was tested to a remote user."
 
uclagyl@0[~]$ ssh -l david pc.giin.us
ssh: connect to host pc.giin.us port 22: Connection timed out
uclagyl@0[~]$

In this case the DROP target was used, which means deny. This verifies that the IPTables commands work as a firewall, and we can determine the security of that application (IPTables).

Now, we will test with port 25 SMTP (Simple Mail Transfer Protocol).

gin@gin:~$ telnet pc.giin.us 25
Trying 200.66.2.89...
Connected to pc.giin.us.
Escape character is '^]'.
220 pc.giin.us ESMTP Postfix (Debian)
 
"Before the Command"
 
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP 
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 25 -j DROP
root@gin:~ # /sbin/iptables -A OUTPUT -p tcp --sport 25 -j DROP
root@gin:~ # /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
 
root@gin:~ # telnet pc.giin.us 25
Trying 200.66.2.89...
telnet: Unable to connect to remote host: Connection timed out
root@gin:~ #

Here you can note that the OUTPUT chain does not accept "-i eth0" when declaring a deny on a port. This is because "eth0" does not work as an input interface for OUTPUT the way it does for INPUT, so the OUTPUT rule is for denying the user who operates the server locally.

Now we will enable it again.

root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 25 -j ACCEPT
 
"Now look the result"
 
root@gin:~ # telnet pc.giin.us 25
Trying 200.66.2.89...
Connected to pc.giin.us.
Escape character is '^]'.
220 pc.giin.us ESMTP Postfix (Debian)

And now look with ssh:

root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport ssh -j ACCEPT
root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
 
"The testing. :)"
 
root@gin:~ # ssh -l pc.giin.us
The authenticity of host 'pc.giin.us (200.66.2.89)' can't be established'.
RSA key fingerprint is a9:9f:b0:9a:ba:9d:f2:29:8a:88:38:5f:f6:27:e4:80.
Are you sure you want to continue connecting (yes/no)?

Now you can see that the IPTables commands work perfectly.
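As an added example rather than the page's own commands, the script below builds a default-deny INPUT chain for the ports the page works with (22, 25 and 81). Two points differ from the rules shown above: `iptables -A` appends to the end of the chain, so a DROP appended earlier still matches before an ACCEPT appended later unless the chain is flushed first, and a rule keyed on --sport trusts a port number that the remote side chooses, so this version matches the destination port together with the connection-tracking state. IPTABLES, WAN_IF, apply_input_policy and count_port_rules are names chosen for this example; with the default IPTABLES=echo the script only prints the rules it would run, and only as root with IPTABLES=/sbin/iptables does it change the kernel's tables.

```shell
#!/bin/sh
# Added example, not the page's own commands: a small default-deny INPUT
# policy. Leave IPTABLES unset (defaults to echo) to preview the rules;
# run as root with IPTABLES=/sbin/iptables to apply them.

: "${IPTABLES:=echo}"   # assumed name for this example: the command to run
: "${WAN_IF:=eth0}"     # network-facing interface, as on the page

# apply_input_policy "port port ...": rebuild the INPUT chain so that only
# the listed TCP ports accept new connections from the network.
apply_input_policy() {
    ports=$1
    # Start from an empty chain so earlier -A rules cannot shadow these,
    # then make DROP the default for anything no rule accepts.
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    # Loopback traffic, and replies belonging to connections this host
    # opened itself (this replaces the page's --sport ACCEPT rules).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # One rule per published service, keyed on the destination port.
    for p in $ports; do
        $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log a rate-limited sample of what the default policy is about to drop,
    # so blocked connection attempts show up in the kernel log.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# count_port_rules "port port ...": number of per-port ACCEPT rules the
# policy emits (meaningful in the echo dry-run mode only).
count_port_rules() {
    apply_input_policy "$1" | grep -c -- '--dport'
}

# Dry-run preview for the services used on the page: ssh, smtp and the
# web server moved to port 81.
apply_input_policy "22 25 81"
```

With the real binary, `iptables -L INPUT -n --line-numbers` afterwards shows the order the kernel evaluates, which is what decides whether a later ACCEPT for ssh can ever be reached.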


This is a basic demonstration of how we can deny and accept ports, to be able to allow the traffic that weighs on our server, and likewise deny certain IPs with iptables, refusing packets that may be corrupt or massive for our server, thus avoiding being attacked by some DoS (Denial of Service), or denying certain IPs access to our ports and granting it only to those we want to have the power to access our server.

If we had to suggest a good firewall, without a doubt we would advise IPTables, due to its great work with the operating system and its interaction with the kernel. We can say it is the most complete firewall that exists on the platform of any operating system; the more graphical and console firewalls are front-ends to IPTables, and for that very reason we suggest pure IPTables.

Ready!

If you want to learn more about the IPTables firewall, go to the Linux IPTables section.

All the tests were verified on Debian GNU/Linux.

Jesus Lugo 2005/11/17 10:04

handbook/handbook/firewall.txt · Last modified: 2010/04/15 21:18 (external edit)