Configuring The Firewall


Configuring the firewall can be one of the most confusing aspects of the EN5861, but once you understand the basic operation of the firewall it is fairly easy to configure. This guide will give you a basic understanding of how it works; a more detailed explanation can be found in the Command Line Interface Guide.


Some basics.

First off, it's a good idea to understand how a TCP/IP connection is made:

Before any data can be passed, a connection between two logical ports must be made. This is usually done by what is known as the 3-way handshake; it is more complicated than described below, but the basic idea is what matters.

The client sends a SYN packet to the server, the server replies with a SYN/ACK packet, the client acknowledges that with an ACK packet, and the connection is made.

So by blocking or accepting the SYN or SYN/ACK packets, and choosing on which ports to do so, you determine which connections can be made.

Firewall operation.

If the following explanation seems a bit complicated, read it and then refer to the example at the end of the page. Having a look at a working example is often the best way to understand any scripting.

The basic structure of an IP filtering rule is:

remote ipfilter append <type> <action> [<parameters>] <remoteName>

<type>

Each interface can have up to four filter lists associated with it: Input, Receive, Transmit and Output filters, but in practice only Input and Output filters are generally used. The common WAN interface is the remote interface, generally named internet.

Input Filters

When a packet arrives at an interface, the router compares the packet to the list of input filters. The first filter that matches the packet determines whether the packet is accepted, dropped, or rejected. If no filter matches the packet, the packet is accepted. If the packet is accepted, the next step is Network Address Translation, if NAT is enabled for the input interface.

Output Filters

When a packet is sent to the interface the router compares the packet to the list of output filters for this interface. The first filter that matches the packet determines whether the packet is accepted, dropped, or rejected. If no filter matches the packet, the packet is accepted. The packet, if accepted, is then sent out the interface. This is done before Network Address Translation, if NAT is enabled for the Output interface.

<action>

The possible filter actions are:

- Accept: The router lets the packet proceed for further processing.

- Drop: The router discards the packet.

- Reject: The router sends an ICMP REJECT to reject the packet.

<parameters>

The following parameters specify the characteristics that an IP packet must have in order to match the filter. A filter can use any or all of these characteristics.

-p <protocol> | TCP | UDP | ICMP The packet must have the specified protocol. If no protocol is specified, the filter matches every protocol.

-sa <first source ip addr>[:<last source ip addr>] The packet must have a source IP address within the specified address range. If only one address is specified, the packet must have that source IP address. If no source IP address is specified, the filter matches any address in the range 0.0.0.0:255.255.255.255.

-sm <source ip mask> The filter uses the specified mask when comparing the <first source ip addr>...<last source ip addr> with the source IP address in the IP packet. If no source mask is specified, the mask used is 255.255.255.255.

-sp <ICMP type> | <first source port>[:<last source port>] The packet must have a source port that matches the specified ICMP type or that is within the specified port range. If only one port is specified, the packet must have that source port. If no source port is specified, the filter matches any source port in the range 0-65535.

-da <first dest ip addr>[:<last dest ip addr>] The packet must have a destination IP address within the specified address range. If only one address is specified, the packet must have that destination IP address. If no destination IP address is specified, the filter matches any address in the range 0.0.0.0:255.255.255.255.

-dm <dest ip mask> The filter uses the specified mask when comparing the <first dest ip addr>...<last dest ip addr> with the destination IP address in the IP packet. If no destination mask is specified, the mask used is 255.255.255.255.

-dp <ICMP type> | <first dest port>[:<last dest port>] The packet must have a destination port that matches the specified ICMP type or that is within the specified port range. If only one port is specified, the packet must have that destination port. If no destination port is specified, the filter matches any destination port in the range 0-65535.

-tcp syn|ack|noflag

Note: You may specify more than one -tcp option for the IP filter.

The syn, ack, and noflag settings work together as follows:

- Specify -tcp syn if the TCP SYN flag must be set.

- Specify -tcp ack if the TCP ACK flag must be set.

- Specify -tcp noflag if neither the SYN flag nor the ACK flag can be set.

The -tcp rst setting is independent of the others; if you specify -tcp rst for the filter, the filter matches every TCP packet with the TCP RESET flag set, regardless of the other flag settings. For example, for the filter to match packets for "established" connections, you would specify both -tcp rst and -tcp ack so that the filter is applied to every TCP packet that has either the RESET flag or the ACK flag set.

The router works down the firewall script for each packet it has captured, comparing the packet to each rule of the script in turn; when the packet matches a rule, the designated action is carried out.

For example, if a TCP SYN packet has originated from port 25 and the matching rule's action is to drop SYN packets from port 25, then the packet is dropped.

Once a packet matches a rule, that rule's action is executed and no further inspection of that packet is carried out. If a packet reaches the end of the script without matching any of the rules it is accepted, which is why the last rule is usually to drop all packets.

Example

The example below is a basic script which allows an FTP server to run on port 21 and be downloaded from. The description line following each command is just an explanation and is not part of the script. You can add comments after the # symbol.

# Minimum firewall script - 1/11/02
# for Efficient 5861 router
# Inbound - no syn or udp (53 ok) below 1024, allow ping
# Outbound - no private IPs, no syn/ack or udp below 1024, allow ping
# Allow FTP server on ports 20 and 21
#---------------------------------------------------------------------
# Flush all existing filters before applying new settings
#---------------------------------------------------------------------
# Flush all existing filters

remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
Flush/clear the remote (WAN) filters

eth ip filter flush input
eth ip filter flush output
eth ip filter flush transmit
eth ip filter flush receive
Flush/clear the ethernet(LAN) filters

#---------------------------------------------------------------------
# Begin rules for input list
#---------------------------------------------------------------------
remote ipfilter flush input internet

remote ipfilter append input accept -p icmp -dp 0 internet
Allow ICMP type 0 in (ping/tracert etc.)

remote ipfilter append input drop -p icmp internet
Drop all ICMP to all ports

remote ipfilter append input accept -p udp -dp 53 internet
Allow UDP to port 53 (for DNS lookups)

remote ipfilter append input accept -p udp -dp 1024:4999 internet
remote ipfilter append input accept -p udp -dp 5001:65535 internet
Accept UDP to ports 1024-4999 and 5001-65535

remote ipfilter append input drop -p udp internet
Drop all UDP in on all ports

remote ipfilter append input accept -tcp ack internet
Accept all TCP ACK packets to all ports

remote ipfilter append input accept -tcp syn -tcp ack internet
Accept all TCP SYN/ACK packets to all ports

#---------------------------------------------------------------------
#Begin rules for inbound ports open
#---------------------------------------------------------------------

remote ipfilter append input accept -tcp syn -dp 20:21 internet
Allow TCP SYN packets to ports 20-21

remote ipfilter append input accept -tcp rst -dp 20:21 internet
Allow TCP RST packets to ports 20-21

#---------------------------------------------------------------------

remote ipfilter append input drop internet
Drop all packets in to all ports

# End rules for input list
# Begin rules for receive list
remote ipfilter flush receive internet
# End rules for receive list
# Begin rules for transmit list
remote ipfilter flush transmit internet
# End rules for transmit list
#---------------------------------------------------------------------
# Begin rules for output list
#---------------------------------------------------------------------
remote ipfilter flush output internet

remote ipfilter append output drop -da 10.0.0.0:10.255.255.255 internet
remote ipfilter append output drop -da 172.16.0.0:172.31.255.255 internet
remote ipfilter append output drop -da 192.168.0.0:192.168.255.255 internet
Drop packets addressed to private (LAN) IP ranges going out of the interface

remote ipfilter append output accept -p icmp -sp 0 internet
Allow ICMP type 0 out

remote ipfilter append output accept -p icmp -sp 8 internet
Allow ICMP type 8 out

remote ipfilter append output drop -p icmp internet
Drop all ICMP packets from all ports

remote ipfilter append output accept -p udp -sp 1024:4999 internet
remote ipfilter append output accept -p udp -sp 5001:65535 internet
Accept UDP from ports 1024-4999 and 5001-65535

remote ipfilter append output drop -p udp internet
Drop all UDP out from all ports

remote ipfilter append output accept -tcp ack internet
Allow TCP ACK packets out on all ports

remote ipfilter append output accept -tcp syn internet
Allow TCP SYN packets out on all ports

#---------------------------------------------------------------------
#Begin rules for inbound ports open
#---------------------------------------------------------------------

remote ipfilter append output accept -tcp syn -tcp ack -sp 20:21 internet
Allow TCP SYN/ACK packets out from ports 20-21

remote ipfilter append output accept -tcp rst -sp 20:21 internet
Allow TCP RST packets out from ports 20-21

#---------------------------------------------------------------------

remote ipfilter append output accept -tcp rst -sp 1024:4999 internet
remote ipfilter append output accept -tcp rst -sp 5001:65535 internet
Allow TCP RST packets out from ports 1024-4999 and 5001-65535

remote ipfilter append output drop internet
Drop all packets out on all ports

# End rules for output list
# Print out what's happening in the terminal window
remote ipfilter watch on internet
save
# End of script
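As an added example (not code from this page or from the router itself), here is a small Python model of the first-match evaluation described above, run over a constructed subset of the input list from the script. It models protocol, port/ICMP-type ranges and the -tcp flag rules as the page words them (including -tcp rst being independent of the others); the address and mask options (-sa, -da, -sm, -dm) are deliberately left out, and the packet dict shape is an assumption of this example.

```python
import shlex
# Constructed subset of the page's input list in the router's rule syntax; -sa/-da/-sm/-dm are not modelled.
SCRIPT = """
remote ipfilter append input accept -p icmp -dp 0 internet
remote ipfilter append input drop -p icmp internet
remote ipfilter append input accept -p udp -dp 53 internet
remote ipfilter append input accept -tcp ack internet
remote ipfilter append input accept -tcp syn -dp 20:21 internet
remote ipfilter append input accept -tcp rst -dp 20:21 internet
remote ipfilter append input drop internet
"""

def parse_rule(line):
    tok = shlex.split(line)  # remote ipfilter append <list> <action> [params] <remoteName>
    rule = {"action": tok[4], "tcp": set()}
    for opt, val in zip(tok[5:-1:2], tok[6:-1:2]):
        if opt == "-tcp":
            rule["tcp"].add(val)
        elif opt == "-p":
            rule["proto"] = val.lower()
        else:  # -sp/-dp: a port range, or the ICMP type when -p icmp
            lo, _, hi = val.partition(":")
            rule[opt[1:]] = (int(lo), int(hi or lo))
    return rule

def tcp_flags_ok(want, flags):
    if "rst" in want and "rst" in flags:
        return True  # -tcp rst is independent: any RST packet matches
    other = want - {"rst"}  # syn, ack and noflag work together
    if "noflag" in other:
        return not (flags & {"syn", "ack"})
    return bool(other) and other <= flags  # every requested flag must be set

def matches(rule, pkt):
    if rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    for key in ("sp", "dp"):
        if key in rule and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    return not rule["tcp"] or (pkt["proto"] == "tcp" and tcp_flags_ok(rule["tcp"], pkt["flags"]))

def packet(proto, sp=0, dp=0, flags=()):  # for ICMP, pass the type as sp and dp
    return {"proto": proto, "sp": sp, "dp": dp, "flags": set(flags)}

def evaluate(rules, pkt):
    for rule in rules:  # top to bottom, the first match decides
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # nothing matched, so the router accepts the packet

INPUT_RULES = [parse_rule(l) for l in SCRIPT.strip().splitlines()]
```

Calling evaluate(INPUT_RULES, packet("tcp", 40000, 21, {"syn"})) returns "accept" while the same SYN to port 80 returns "drop"; remove the final drop rule and the port 80 SYN is accepted, which is the default-accept behaviour the page warns about.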
