LinuxFirewalls


Firewalls in Linux
Rodney Barker
Amanda Bolster
Jennifer Dixon
Overview

– The Project Objectives
– Definitions
– What firewall? What technology?
– Installation Process
– Testing
– Problems encountered
The Project …

Objectives
– Successfully install a firewall on the Linux-Mandrake operating system
– To learn about firewalls

Why?
– We haven’t done it before
– To Have FUN!!!
What is a Firewall?

“A system designed to prevent
unauthorized access to or from a private
network” (www.webopedia.com)

Often used to protect Intranets

Set of security criteria to define access
to a computer or network of computers
Firewalls and Network Interfaces

[Diagram: Internet -> External NIC -> Firewall -> Internal NIC -> Intranet]

Firewalls that protect a network from the Internet have two network interfaces: one facing the Internet, one facing the intranet.
Firewall Techniques

Packet Filter
– Based on a set of rules, accept or reject each
packet

Application Gateway
– Place restrictions on specific applications (eg FTP)

Circuit-Level Gateway
– Apply security mechanisms when the connection
between computers is established

Proxy Server
– Hides true network addresses
Protocols Related to Firewall Security

Different protocols exist at different layers of the OSI (Open Systems Interconnection) model.

Layer         Protocols
Application   DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, NCP, APPC, AFP, SMB
Presentation  (none listed)
Session       NetBIOS, Named Pipes, Mail Slots, RPC
Transport     TCP, UDP, SPX, NWLink NetBIOS / NetBEUI, ATP
Network       IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, NetBEUI, OSI, DDP, DECnet
Data link     802.1 OSI Model, 802.2 Logical Link Control, 802.3 CSMA/CD (Ethernet), 802.4 Token Bus, 802.5 Token Ring, 802.12 Demand Priority
Physical      IEEE 802, ISO 2110, ISDN
Firewall Security and the OSI Model

Because different protocols exist at different layers of the OSI model, firewalls must also provide security at different layers.

The lower in the OSI model the firewall filters, the cheaper each decision is: a packet filter that looks only at addresses, protocol numbers and ports is fast and simple. The trade-off is context: a packet filter never sees application data, so restricting what an FTP or web session may do needs an application gateway or proxy in addition.

ipchains works at the network and transport layers: it provides security by establishing chain rules per protocol, matching on IP addresses, the protocol (TCP, UDP, ICMP) and the TCP/UDP port or ICMP type.
Setting the Firewall Scene…

Where?
– In the Linux Lab (PIII computer, called Linux1)

When?
– On a dark and stormy Sunday

What?
– Linux-Mandrake OS

Who?
– Rodney, Amanda, and Jennifer
Theoretical Firewall Use

Our group selected an installation and configuration
process for setting-up a personal firewall at home,
suitable for:
– Firewall security for a single personal PC; or
– Firewall security for a small network

Therefore, this process is easy for other students and
first-time users to understand.
Choosing a Firewall

Use the Firewall included with LinuxMandrake OS
– Only a personal (not network) firewall

Download free firewall from Internet
– www.freshmeat.net
– www.linux-mandrake.com

Purchase a Firewall
– www.linuxiso.org/
PMFirewall

Features
– Autodetection of the IP Address and
Netmask of each interface.
– Blocking of NetBIOS, NetBUS, Back Orifice
and Samba attacks.
– Protection against IP Spoofing Attacks.
PMFirewall

Features (cont.)
– Logging of DENY packets.
– Masquerading support is decided during
install.
– Custom rules can be added to the
pmfirewall.rules.local file.
PM Firewall Technology

The technology underlying PMFirewall is the ipchains packet filter (called "IP Chain Software" in these slides).
– This is the case for many firewall packages designed for Linux distributions on the 2.2 kernel.
– Configuring the PMFirewall package automatically generates the underlying ipchains rules (saving the user from entering the commands manually).
IP Chain Software Description

ipchains is described by its author Paul Russell as:
"...an update to [and hopefully an improvement upon] the 2.0 Linux packet-filtering code, for the 2.2 Linux kernel..."
– ipchains allows setting up a firewall as well as sharing a single Internet connection among multiple PCs (IP masquerading).
IP Chain Software Explained

Built into the Linux kernel are IP packet filtering capabilities.
– ipchains is the user-space program that loads rules into these facilities.
– For each packet the kernel examines the header (source and destination address, protocol, port) against the rules to determine what action to take.
– Actions include:
  – DENY (discard the packet silently)
  – ACCEPT (let the packet through, in or out)
  – REJECT (discard the packet and send an ICMP error back to the source)
Obtaining IP Chain Software

Most distributions of Linux come with ipchains preinstalled.
– ipchains is also readily available for free all over the Internet; below is just one example:
– http://www.rustcorp.com/linux/ipchains/
Incidentally, you cannot access this site from within the Bond Network as ITS classifies it as Porn!
IP Chains and Kernels

ipchains is tied to a kernel series: it is the packet-filter interface of the 2.2 kernel. The 2.4 kernel replaced it with iptables (netfilter) and supports ipchains only through a compatibility module, so packages that assume a 2.2 kernel can fail on it.
– (As we found out, the IP Chain software used with the Linux-Mandrake 8.0 kernel is not compatible with the PMFirewall package we were using.)
– Setting up ipchains on older Linux kernels (earlier than 2.2, which use ipfwadm instead) may require kernel manipulation and extra configuration.

Some newer Linux distributions still require the kernel to be changed to allow IP masquerading (e.g. SuSE).
– This requires changing and recompiling the kernel source code (danger!).
– This is not required when installing PMFirewall on Linux-Mandrake.
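A check worth running before installing a package like PMFirewall, added here as an example (it is not part of the slides or of PMFirewall): decide from the kernel release which packet-filter front end the kernel expects, and confirm that the ipchains interface is actually present. The release strings in the comments are illustrative; /proc/net/ip_fwchains is the file the ipchains command reads its rule list from.

```shell
#!/bin/sh
# Added example, not from the slides or PMFirewall: pick the packet-filter
# front end a kernel release expects and probe whether ipchains is usable.

# Map a kernel release string (as printed by `uname -r`) to the user-space
# tool that drives its packet filter.
pf_tool_for_kernel() {
    release=$1
    major=${release%%.*}                 # "2.2.17-21mdk" -> "2"
    rest=${release#*.}                   # "2.17-21mdk"
    minor=${rest%%.*}                    # "2"
    minor=${minor%%[!0-9]*}              # strip any "-mdk" style suffix
    case "$major.$minor" in
        2.0) echo ipfwadm ;;             # pre-2.2 kernels: ipfwadm, not ipchains
        2.2) echo ipchains ;;            # native ipchains (what PMFirewall expects)
        *)   echo iptables ;;            # 2.4 and later: netfilter/iptables;
                                         # ipchains only via a compatibility module
    esac
}

# True if the running kernel exposes the ipchains rule table and the
# ipchains binary is installed: the two things `sh install.sh` needs.
ipchains_usable() {
    [ -r /proc/net/ip_fwchains ] && command -v ipchains >/dev/null 2>&1
}

# Human-readable report for the running system (assumes `uname -r` exists).
report_kernel_filter() {
    release=$(uname -r)
    tool=$(pf_tool_for_kernel "$release")
    if ipchains_usable; then
        echo "kernel $release: expects $tool; ipchains interface present"
    else
        echo "kernel $release: expects $tool; ipchains interface NOT present"
    fi
}
```

Run `report_kernel_filter` on the target machine before unpacking the package; a 2.4 kernel that reports "expects iptables; ipchains interface NOT present" is the situation that made the first installation attempt in these slides fail.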

IP Chain Syntax (Briefly)

The configuration of PMFirewall does not require knowledge of ipchains. However, for interest, it has been included.

General format:
ipchains <command> <chain> [<options>]

Switches (commands)
– -F : flush a chain so it starts fresh
– -P : set the default policy of a chain (what happens to packets no rule matches)
– -A : append a rule to a chain
– -L : list all rules
E.g. ipchains -L
IP Chain Syntax

The rule can apply to one of the built-in chains:
– input (incoming traffic)
– output (outgoing traffic)
– forward (traffic routed between interfaces)

More switches (options)
– -i : specify the network card (interface)
– -s : source address, optionally followed by a port
– -d : destination address, optionally followed by a port
– -p : protocol (tcp, udp or icmp); required before a port can be given
– -j : jump, i.e. specify the action
– -l : log matching packets to the kernel log
IP Chain Syntax

The jump switch allows us to specify the action to take with the packet (ACCEPT, REJECT, DENY).
– If the firewall is responsible for masquerading, an option for this switch is MASQ, used on the forward chain. In that case the packet's source IP address and source port are rewritten to the firewall's own, and the reply is translated back when it returns.

IP Chains Example

ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT

This command adds a rule to REJECT all INCOMING packets on eth0 from the SOURCE address 10.2.x.x going to any DESTINATION address.
– All ipchains rules for the PMFirewall package are generated automatically, to avoid doing this by hand.

IP Chains Example (annotated)

ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
– -A input       : add a rule to the input chain (incoming packets)
– -i eth0        : specify the network card
– -s 10.2.0.0/16 : specify the source address
– -d 0.0.0.0/0   : specify the destination address (any)
– -j REJECT      : specify the action to take
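To show how the switches above combine into a whole configuration, here is an added example; it is not code from the slides and not what PMFirewall generates. The script emits an ipchains ruleset for a two-interface firewall with the three things the PMFirewall feature list promises: everything inbound denied by default, anti-spoofing checks on the external card, and masquerading for the intranet, with denied packets logged. It prints the commands instead of running them so they can be reviewed first; the interface names, the internal subnet and the list of allowed TCP ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides and not PMFirewall's generated rules:
# build an ipchains ruleset for a 2.2-kernel gateway with two NICs.
# Assumptions: eth1 faces the Internet, eth0 the intranet 192.168.1.0/24.

EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
INT_NET=${INT_NET:-192.168.1.0/24}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Print one ipchains command line.
rule() { echo "$IPCHAINS $*"; }

# Print the whole ruleset.  Arguments are the TCP ports the Internet may
# reach on the firewall itself; no arguments means "deny everything", the
# first configuration the slides test.
build_rules() {
    rule -F                                             # flush: start fresh
    rule -P input DENY                                  # default: drop unmatched inbound
    rule -P forward DENY                                # and unmatched forwarded packets
    rule -P output ACCEPT                               # the firewall may send freely
    rule -A input -i lo -j ACCEPT                       # loopback is always fine
    rule -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT  # trust the intranet side
    # Anti-spoofing: internal or loopback source addresses must never arrive
    # on the external NIC; deny and log them.
    rule -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    rule -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    rule -A input -i "$EXT_IF" -p icmp -j ACCEPT        # keep ping/control messages
    # ipchains has no connection tracking: admit non-SYN TCP (replies to
    # connections the firewall opened) and decide new connections by port.
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    for port in "$@"; do
        rule -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 "$port" -y -j ACCEPT
    done
    rule -A input -i "$EXT_IF" -p tcp -y -j DENY -l     # log refused connection attempts
    rule -A input -j DENY -l                            # catch-all, logged
    # Masquerade intranet hosts behind the firewall's external address
    # (on the forward chain, -i names the interface the packet leaves by).
    rule -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

# Apply the ruleset (run as root) and turn on forwarding for masquerading.
apply_rules() {
    build_rules "$@" | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

`build_rules` prints the deny-all configuration, `build_rules 80` the web-server-only one, `build_rules 22 80` the web-plus-SSH one; `apply_rules 22 80` as root installs the rules. Because ipchains cannot tell a reply from a fresh packet, the `! -y` rule lets any non-SYN TCP segment through from the Internet; that is the standard ipchains compromise and one reason the 2.4 kernel moved to the stateful netfilter.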
Installation Process
Downloading PMFirewall

We downloaded PMFirewall from:
– www.pmfirewall.com/PMFirewall/

The package was then transferred to the Linux lab in
the school of IT.

The package was unzipped into amanda’s home
directory.
Configuring and Starting the
Firewall

Our initial configuration and starting of the firewall failed. The
error message displayed informed us that the IP Chains in use
were incompatible with the kernel.

The package we had selected was compatible with the Linux
kernel 2.2 (Linux-Mandrake 7.2). We had assumed that it was
compatible with the Linux kernel 2.4 (Linux-Mandrake 8.0). This
assumption was wrong.

As a solution we moved to a machine running Linux-Mandrake
7.2, and ensured it was correctly connected to the network.
Configuration Interface

The configuration offered by PMFirewall was
command driven. No GUI facilities were offered.

Configuration started by typing sh install.sh in a
console window, ensuring we were in the directory of
the unpacked Firewall.
Configuration was in a clear question-answer format.

Phases of Configuration
Configuration consisted of three phases:

Phase 1: IP blocking and permitting

Phase 2: Setting up underlying IP Chains

Phase 3: Preparing the Linux kernel
Phase 1: IP blocking and permitting

Consisted of a set of questions asking us:
1. To specify the IP address of any machine we wished to block from all services permanently. As we yet knew no hostile IP addresses, we answered NO to this.
2. To specify the IP address of any machine we wished to grant full access to all services permanently. Again, we answered NO to this.
Phase 1 Continued
3. If we wanted our firewall to start on boot-up. For
security reasons we answered yes to this.
4. To specify the IP addresses of the internal
network card eth0 and the external network card
eth1.
Address Assignment Via DHCP

During phase 1 we were asked if our external IP address or our internal IP address was assigned via DHCP.

Dynamic Host Configuration Protocol is a protocol that lets network administrators or ISPs centrally manage and automate the assignment of IP addresses.

Each time a computer connects to the Internet (or network) the host broadcasts a request to the DHCP server (run by the ISP or the administrator); the server checks which addresses in its pool are available and replies with a lease on one of them.
DHCP Continued

As Linux1 has a permanent IP address within
the Linux Lab (not assigned with DHCP), we
answered NO to this question.

If we were connecting to the Internet through
an ISP such as Bigpond, we would answer
YES to this question.
Phase 2: Setting up IP Chains

Consisted of a set of questions asking us to specify which protocols we wished our firewall to allow.

The package used these questions to set up the ipchains rules for the firewall.
IP Chains

We were later able to view the IP Chains list
to see how these questions were turned into
rules.

This was done by going to the /sbin directory
and typing the command
– ipchains -L
Phase 3

Consisted of some questions asking if we
wished our Firewall to contain, for example:
– Masquerading
Masquerading allows outgoing packets
from internal hosts to be given the source
address of the firewall, rather than their
internal IP addresses.
Original Firewall Configuration

The first time we configured our Firewall we
disallowed everything

To test if the Firewall was functioning properly we had
to test if anything would be allowed by the firewall

In order to do this, the following servers had to be
installed on our Firewall: Apache Server, SSH Server,
FTP, Finger

We then tested if the Firewall would successfully
block these services
Apache Server

Apache is a Web Server Software
Application
– Delivers (serves) web pages on the
Internet
SSH Server

Secure Shell
– A program that allows a user to log into
another computer over a network
– It provides secure communication with
encryption
FTP

File Transfer Protocol
– A protocol that is used on the Internet for
sending/transferring files
Finger

This is a program in UNIX that takes an e-mail address and returns information about the user of that e-mail address, such as:
– Is that user currently logged on?
– User's full name
– User's address
– User's telephone number
Because it hands this information to anyone who asks, finger is a service firewalls normally block.
Testing

Test to see if the firewall denied the packets on the ports that were closed.

Test to see if the packets were accepted on the ports that were allowed.
Order

First ping to see if the computer is responding.
– ping determines whether an IP address is reachable by sending an ICMP echo request to the specified address and waiting for the echo reply. ("Packet Internet Groper" is a backronym; the name comes from sonar.)

Then test ports to see if the client could access the server.
Method

First disallowed access to the server on all
ports, except control packets
– eg ICMP (Internet Control Message Protocol) –
supports packets that contain error, control, and
informational messages. ICMP is used by Ping.

Allow one service to clients

Allow multiple services to clients
Linux Ping
Windows Ping
Deny All Services: Web
Server

Under Windows the following error
message appeared:
Deny All Services: SSH
Server

On another Linux box tried to connect
via SSH to the server
Reconfiguring Order

When we changed the firewall to a new configuration we needed to:
1. Reconfigure the firewall
2. Restart the network
3. Restart the firewall

Restarting Process

Command line
– /usr/local/pmfirewall/pmfirewall start

GUI
– DrakConf -> LinuxConf -> Control Panel -> Control Services -> pmfirewall
Allow Only Web Server

Allow client to connect to the web server
only
Only Web Server Cont.

The SSH client could still not connect to
the SSH server

All other services that attempted to
connect to the server also failed
Allow Only SSH

All other ports were denied
– Eg: As before the web server was not
allowed to be accessed, the same error
message appeared in the browser
SSH Cont.

The view from the Linux console when
the client could connect to the SSH
server
Multiple Services Allowed

Allowed the SSH and web server to be accessed from a client.
– Both were allowed through with no problems
– All others were still denied

Kernel Log File

The firewall logs network activity to the kernel log: ipchains rules carrying the -l flag log through the kernel's message buffer, which syslog writes to a file (on most distributions /var/log/messages).
– Displays only the denial of ports: no accepts are shown
– Records when the firewall was configured and restarted
– Records when the network was restarted

Log File Layout

For each denial entry in the log file:
– Date and time
– Name of the computer
– The interface card
– IP and port of the client
– IP and port of the server that the client is trying to reach
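Reading those fields by eye gets old quickly, so here is an added example (not from the slides) that pulls the DENY entries out of syslog and reports who was refused most often. The log lines embedded in it are constructed to match the 2.2 kernel's "Packet log:" format, not captures from the lab machine; the host name linux1 and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: parse ipchains DENY entries out of the
# kernel log and summarise who was refused.  The log lines below are
# constructed to match the 2.2-kernel "Packet log:" format, not real captures.

# A few constructed lines in syslog form (what /var/log/messages holds).
sample_log() {
    cat <<'EOF'
Jun 10 14:22:01 linux1 kernel: Packet log: input DENY eth1 PROTO=6 10.2.3.4:1043 10.2.0.9:80 L=60 S=0x00 I=18021 F=0x4000 T=62 SYN (#10)
Jun 10 14:22:05 linux1 kernel: Packet log: input DENY eth1 PROTO=6 10.2.3.4:1044 10.2.0.9:22 L=60 S=0x00 I=18022 F=0x4000 T=62 SYN (#10)
Jun 10 14:22:09 linux1 kernel: Packet log: input DENY eth1 PROTO=17 10.2.3.7:137 10.2.0.9:137 L=78 S=0x00 I=2 F=0x0000 T=128 (#11)
Jun 10 14:23:40 linux1 kernel: Packet log: input DENY eth1 PROTO=6 10.2.3.4:1050 10.2.0.9:79 L=60 S=0x00 I=18040 F=0x4000 T=62 SYN (#10)
Jun 10 14:23:41 linux1 kernel: eth1: link up, 100Mbps full-duplex
EOF
}

# Read syslog lines on stdin; print one CSV record per "Packet log:" entry:
# date,host,chain,action,interface,proto,src,sport,dst,dport
parse_ipchains_log() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break   # fields after "log:"
        chain = $(i + 1); action = $(i + 2); iface = $(i + 3)
        proto = substr($(i + 4), 7)                         # "PROTO=6" -> "6"
        split($(i + 5), s, ":"); split($(i + 6), d, ":")    # "addr:port" pairs
        name = (proto == 6) ? "tcp" : ((proto == 17) ? "udp" : ((proto == 1) ? "icmp" : proto))
        printf "%s %s %s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n",
            $1, $2, $3, $4, chain, action, iface, name, s[1], s[2], d[1], d[2]
    }'
}

# Count DENY records per source address, busiest first.
denied_by_source() {
    parse_ipchains_log | awk -F, '$4 == "DENY" { n[$7]++ } END { for (a in n) print n[a], a }' | sort -rn
}
```

`sample_log | denied_by_source` runs it on the embedded lines; on a real machine use `parse_ipchains_log < /var/log/messages` (as root). The first CSV field keeps the syslog timestamp, so the output can be sorted or filtered by time with the usual text tools, which is how the "when was the firewall restarted" questions in the slides get answered without scrolling the raw log.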
Problems

Testing the Network

Originally, work began on the nofriends computer.
To ensure our computer was correctly connected to the network, we logged into three neighboring dual-boot computers in an attempt to:
– View the computer through Windows NT's Network Neighborhood.
– Ping the computer from both Windows NT and Linux-Mandrake with 0% packet loss.
Initial Network Problems

Initially there were two network problems:
1. nofriends could only be accessed through
network neighborhood on neighboring machines
when nofriends was running NT.
2. nofriends could only successfully be pinged from
neighboring machines when nofriends was
running NT.

When nofriends was running Linux-Mandrake, the
machine was obviously not correctly connecting to
the network.
Locating Initial Network
Problems

Through comparison of our network settings
both under Linux-Mandrake and Windows NT,
it was discovered that:
– Our primary network card eth1 was configured
differently under Linux-Mandrake. Under windows
this card had been set to type 3c905c-TX, in
Linux-Mandrake this was not the case.
Solving Initial Network
Problems

Our group solved these problems by:
– Resetting the card type of eth1 under
Linux-Mandrake to ensure that is was
identical to what it was under Windows NT.
– Disabling eth0
Conflict between FTP and
Apache

Our group found we could successfully install
Apache on our machine but as soon as the
FTP server was installed then neither FTP
nor Apache server would function properly,
regardless of the Firewall configuration.

This problem was not present on the Linux-Mandrake 8.0 operating system.
Linux-Mandrake 8.0 Compatible Firewall

A firewall that could be used for Mandrake 8.0 is Single Network Firewall 7.2 (SNL).
– The product is available for free from linux-mandrake.com.
– We did not use this package because of its size, 250 Mbytes:
  – Too big for a floppy
  – No Internet connection in the lab
SNL Features

– Secure web interface to configure remotely over the web
– DHCP server for the internal network
– Integrated proxy server
– URL / content filtering to restrict web pages and banners not wanted to be visible inside the network
– Monitoring tools display detailed information about network activity, system, logs, intrusion detection, DHCP and URL reports
– Intrusion detection system to alert the administrator of hostile attacks
– Bastille, a "hardening" system that provides extra protection against IP spoofing attacks
– Filtering rules can be created at the user level to control information entering and leaving a network or a subgroup of a network

SNL Requirements

– Pentium processor or compatible
– CD-ROM drive
– 250 MB disk space (minimum)
– At least 32 MB of RAM (64 MB recommended)
– VESA 2.0 compliant graphics card
– Ethernet network card
– Internet connection
– A web browser
Resources

– http://www.linuxplanet.com
– http://www.yolinux.com
– http://www.linuxdoc.org
– http://www.linuxgazette.com
– http://www.webopedia.com
– http://www.linux-mandrake.com
– http://www.freshmeat.net

The End