NSM 05


Gheorghe Asachi Technical University of Iasi

Faculty of Automatic Control and Computer Engineering

"Network Service Management"


- Course Notes -
Master Study Programme: Distributed Systems and WEB Technologies

Year of Study: 2022-2023

Cristian-Mihai AMARANDEI
Email: cristian-mihai.amarandei@academic.tuiasi.ro
"Network Service Management" – Course Notes

Lecture #05 – Content



Linux firewall

NSM Lecture 5 - Firewall 2/58



OSI model - Security features positioning

From: Kenneth Tam, et. al. - UTM Security with Fortinet, Syngress, 2012

Firewall

A network security system that monitors and controls the
incoming and outgoing network traffic based on
predetermined security rules.

a hardware or software appliance that can be configured to block
unauthorized access to a network

The systems are configured with a set of rules that
determine which traffic is allowed and which is blocked or
denied


Firewall

Firewalls cannot protect:
– against malicious insiders – who send proprietary information out of the organization or
copy confidential information to a storage device
– connections that do not go through them – like remote dial-up connections

must be combined with Antivirus software & IDPS
– The term firewall does not necessarily refer to a single router, computer, VPN
gateway, or software program.

Any network firewall is a combination of software and hardware
components:
– the term firewall perimeter might be more descriptive.


Firewall goals

All traffic from outside to inside and vice-versa passes
through the firewall.

Only authorized traffic, as defined by local security policy,
will be allowed to pass.

The firewall itself is immune to penetration.


Firewalls

Installing and configuring a firewall must follow a security
policy

Firewall policies
– Permissive versus restrictive policies

Permissive: Allows all traffic through the gateway and then blocks
services on case-by-case basis

Restrictive: Denies all traffic by default and then allows services on
case-by-case basis
– Enforcement - through setting up packet-filtering rules


Firewall policy

Picture from: Guide to Network Defense and Countermeasures, 3rd Edition


Firewall

Firewall types
– Software-based firewalls
– Hardware-based firewalls

Firewall taxonomy
– Traditional packet filters

filters are often combined with a router, creating a firewall
– Stateful filters
– Application gateways

Some firewalls are designed for consumers
– Internet security suite from companies like Symantec, Bitdefender, Comodo, etc
– personal firewalls:

Rules for blocking traffic are established case by case

Prompts whether traffic should be allowed or not

Often make use of “default settings” - like letting the firewall application decide for you, allowing known applications ...


Firewall Rule Sets



Tells firewalls what to do when a certain kind of traffic attempts to
pass

rules should:
– be based on organization’s security policy
– include a firewall policy
– be as simple and short as possible.
– restrict access to ports and subnets on the internal network from the Internet
– control Internet services


Firewall policy

Firewall policy: describes how firewalls should handle application traffic

Risk assessment provides a list of applications
– identify associated threats and vulnerabilities

steps to create a firewall policy:
– identify network applications that are needed
– determine methods for securing application traffic
– must balance security, user requirements, and cost
– consider all firewalls in your network
– develop a traffic matrix for each location


Software-Based Firewalls

require extensive work to configure the software
– !!!! secure the operating system by patching or removing
vulnerable services

Free firewall programs
– simplicity
– logging capabilities are not as robust as some commercial
products
– configuration can be difficult and/or ambiguous


Software-Based Firewalls

Personal firewalls
– located between the Ethernet adapter driver and the TCP/IP stack
– inspect traffic going between the driver and the stack

Enterprise firewalls
– include centralized management option
– some are capable of installing multiple instances from a centralized
location
– can offer user authentication, NAT


Hardware-based firewalls

Advantages
– do not depend on conventional OSs
– more scalable than software firewalls
– can handle more data with faster throughput

Disadvantages
– depend on non-conventional OSs
– more expensive than software products


Comparison 1

Type of firewall / Advantages / Disadvantages

Software - freeware
  Advantages: Small file size; ease of installation
  Disadvantages: Only minimal features are offered; lack of technical support

Software - personal firewalls
  Advantages: Simple to install; economical; autoconfiguration features help novice users yet give advanced users more fine-tuned control
  Disadvantages: Not as full-featured as enterprise products and not as robust as hardware appliances; usually installed on single-computer systems, which reduces security

Software - enterprise firewalls
  Advantages: Usually installed on a dedicated host for maximum security; centralized administration available for large networks; real-time monitoring and other administrative features
  Disadvantages: Can be difficult to install and configure; tend to be more expensive

Hardware appliances
  Advantages: More scalable than software firewalls; offer faster throughput
  Disadvantages: Can be expensive and difficult to patch if bugs or security alerts require it

1 Source: Guide to Network Defense and Countermeasures, 3rd Edition


Packet filtering

works by screening traffic that arrives on the network perimeter

Stateless packet filters
– determine whether to allow or block packets based on information in protocol headers
– Most often, filtering is based on common features of IP protocol headers:

IP address,

Ports,

TCP flags
– SYN bit set: datagram for connection initiation
– ACK bit set: part of established connection
– vulnerable to IP spoofing attacks, and they have no form of authentication.

Stateful Packet Filtering
– Keeps a record of the connections a host computer has made with other computers – maintains a state
table
– Allows incoming packets to pass through only from external hosts already connected


Packet Filtering Based on Position



Type of filtering a device can do depends on
– Position of the device in the firewall perimeter
– Other hardware or software

Packet filter placement
– Between the Internet and a host

All inbound and outbound traffic should be accounted for in the packet filter’s
rule base
– Between a proxy server and the Internet

Proxy server: handles traffic on behalf of the computers on the network it protects

Rebuilds requests to hide internal IP address information


Packet filter connecting a proxy server with the Internet


Packet Filtering Based on Position



Packet filter placement
– Place packet-filtering devices at either end of the DMZ

Filter on DMZ’s external interface needs to allow Internet users to gain
access to servers on the DMZ but block access to the internal network

Filter on DMZ’s internal interface enables internal users to access
servers on DMZ but not connect to Internet

Internal users connect to Internet through a proxy server on DMZ


Packet filter routing traffic to and from a DMZ


ACL – Access Control Lists



Each router/firewall interface can have its own ACL

Most firewall vendors provide both command-line and graphical configuration
interface

Advantages
– one screening router can protect entire network
– efficient if filtering rules are kept simple
– widely available

Disadvantages
– can possibly be penetrated
– cannot enforce some policies – e.g. permitting only certain users
– rules can get complicated and difficult to test


Packet Filtering (netfilter)



The Linux kernel provides a packet filtering framework
that allows various networking-related operations to be
implemented in the form of customized handlers

incoming packets are filtered by type, source address,
destination address, port

The following information can be extracted from the packet
header:
– Source IP address
– Destination IP address
– TCP/UDP source port
– TCP/UDP destination port
– ICMP message type
– Encapsulated protocol information (TCP, UDP, ICMP or IP
tunnel)


Packet Filtering in Linux



versions:
– ipchains - kernel 2.2.x (based on ipfw from BSD Unix with the kernel 2.0)

Main disadvantage: ports must remain open to accept traffic
– netfilter/iptables (Dynamic Packet Filters or Stateful Packet Filtering) – from kernel 2.4.x

Tracks status and context of session

Advantages
– traffic management
– Low Overhead / High Throughput.

Disadvantages
– No authentication
– allows direct IP connections to the internal network systems

Some configuration tools and GUI available
– UFW https://launchpad.net/ufw
– GUFW – http://gufw.org/
– Portmaster - https://safing.io/portmaster/
– Shorewall - https://shorewall.org/
– Firewalld - https://firewalld.org/
– netfilter/nftables - since Linux kernel 3.13

available in RHEL7, RHEL8; default in RHEL9 deployments
– RHEL9 provides backward compatibility so that scripts that use iptables commands still work on Red Hat Enterprise Linux.
– For new firewall scripts, Red Hat recommends using nftables


Network Firewall Security Policy



General firewall policy:
– What is not explicitly allowed is prohibited

Block all traffic between two networks except for services/applications allowed

Rules must be written for each application/service

It is the safest method: it blocks access to services that are not explicitly allowed

Restrictive for users
– What is not explicitly forbidden is allowed

Allow traffic between two networks except for services/applications blocked

Any unwanted application/service must be blocked

Convenient for users but creates large security issues

!! Not recommended

Demilitarized Zone (DMZ)



is a physical or logical subnetwork that contains and
exposes an organization's external-facing services to a
larger and untrusted network, usually the Internet

The area between the router and firewall for internal
network

Minimizes the internal network's exposure to connections from the
Internet


Firewall Glossary

Drop/Deny – the packet is discarded and no other action is taken.
Nothing is transmitted to the source. The packet simply
disappears.

Reject – the same idea as drop/deny, except that the source is notified.

State – the state of a packet in relation to a stream of
packets.
– When a packet first arrives at the firewall it is considered NEW; if it is part of an
already established connection that the firewall is aware of, it is considered
ESTABLISHED;
– The state is known through the connection tracking system (which monitors all
sessions).


Firewall Glossary

Chain – A chain contains a set of rules that are applied to packets.
Each chain has a specific goal (what a chain can do) and a specific
set of actions (e.g. just redirect packets, or only packets destined for a
particular host).

Table – Each table has a specific goal (there are 4 tables in iptables).
The filter table is designed specifically for packet filtering.

Match - some type of header field matches some information.

Example: --source means that the source address can be a specific network, or it
can be a particular IP address
– If a packet matches all the conditions of a rule, processing then jumps to that
rule's target (example: the packet can be rejected)


Firewall Glossary

Target – There is a destination for each rule in the set. If there is a full rule
match, then the specified destination indicates what happens with that packet.

Rule – a rule is a set of one or more matches tied to a single destination in iptables.

Ruleset – a complete set of rules that is loaded to implement a packet filter.

Jump – a jump instruction is closely related to the destination. A jump instruction
is written exactly as a destination in iptables, except that the destination is the
name of another chain. If a match is made, then the packet will be sent to
the other chain, where it will be processed.

Connection tracking – A firewall which implements connection tracking is able
to track connections and packet flows, at a cost in memory consumption and CPU.


Firewall Glossary

Accept – accepting a packet; allows it to pass through the firewall rules. It
is the opposite of Drop/Deny or Reject.

Policy – There are two policies to be discussed when trying to implement
a firewall.

Chain policy – defines the default behavior of the firewall when it receives
a packet that does not match any of the existing rules.

Security policy – represents the security policy according to written
specifications. Security Policies are documents that need to be studied
before deploying a firewall.


Netfilter – iptables

Rules are grouped in chains
– Each chain is a list of rules
– Six chains

predefined: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

user-defined chain

Chains are grouped in tables
– Each table is associated with a different type of packet processing.
– 3 predefined tables:

filter — this is the default table.

nat — when a packet creates a new connection this is the table that is used.

mangle — is used for special altering of packets


Packets processing with netfilter


How a packet traverses the kernel netfilter tables/chains?

Source: http://en.wikibooks.org/wiki/Communication_Networks/IP_Tables

Filter table - built-in chains



INPUT - is for packets going to local sockets

FORWARD - is for packets routed through the server from
one interface to another

OUTPUT - is for locally-generated packets


Nat table - built-in chains



PREROUTING - is for packets when they come in

OUTPUT - is for locally-generated packets before routing
takes place

POSTROUTING - is for altering packets on the way out


Mangle table - built-in chains



PREROUTING - is for incoming packets

POSTROUTING - is for packets going out

OUTPUT - is for locally generated packets that are being
altered.

INPUT - is for packets coming directly into the server

FORWARD - is for packets being routed through the
server


Iptables

All tables have predefined targets:
– <user-defined-chain> — user-defined chain. The name must be unique. Sends the
packet to the specified chain.
– ACCEPT – the packet is accepted (default policy for INPUT, OUTPUT and FORWARD)
– DROP – discards the packet without sending any message back
– QUEUE – used to queue packets to user-land programs and applications; it is used in
conjunction with programs or utilities that are external to iptables and may be used, for
example, with network accounting
– RETURN – will cause the current packet to stop traveling through the chain where it hit the rule.
– REJECT – basically the same as the DROP target, but it also sends back an error message to
the host sending the packet that was blocked (e.g. “destination unreachable”)
– LOG – logs the packet (usually to syslog)


Iptables

The connection-tracking system (--state option in your rules)
– Available options for --state:

NEW: for an incoming or outgoing packet, which creates a new
connection

ESTABLISHED: for an incoming or outgoing packet, which belongs to an
existing connection.

RELATED: for an incoming or outgoing packet, which is related to, but not
part of, an existing connection.

INVALID: for an incoming or outgoing packet, which could not be
identified for some reason.


Iptables command
iptables <table> <command> <chain> <command options>
iptables -t tabletype <action/direction> <packet pattern> -j <what to do>


Iptables default table is filter
– iptables -t filter -L
– iptables -t filter -L -n
– iptables -t nat -L OUTPUT -v
– iptables -t mangle -L OUTPUT -v -n --line-numbers


Iptables command

Flushing rules
– iptables -t filter -F
– iptables -t nat -F PREROUTING

Default table policy
– iptables -t filter -P INPUT DROP

User-defined chains (create, delete, rename)
– iptables -N mychain
– iptables -X (deletes every empty user-defined chain)
– iptables -X mychain
– iptables -E mychain mynewchain


Actions associated with iptables rules



-A (--append) Appends a rule to the end of a chain.

-D (--delete) Deletes a rule from a chain. Specify the rule
by the number or the packet pattern.

-L (--list) Lists the currently configured rules in the chain.

-F (--flush) Flushes all of the rules in the current iptables
chain


Iptables
Filtering by source/destination

-s ip_address All packets are checked for a specific source IP
address.

-d ip_address All packets are checked for a specific destination IP
address.
iptables -A INPUT -s 192.168.75.0/24 -j REJECT

sends “destination unreachable” back to the source

iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP

iptables -A INPUT ! -s 192.168.1.0/24 -p tcp -j DROP

the "!" negates the match and is written before the option (the older "-s !192.168.1.0/24" form is deprecated)


Iptables

On EL5 and EL6
– service iptables save

Save rules in /etc/sysconfig/iptables file (EL6 only)
– Starting the iptables service
# chkconfig --level 2345 iptables on
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

On EL7
– systemctl enable iptables
– systemctl start/stop/restart iptables
– iptables-save > /etc/sysconfig/iptables

Save rules in /etc/sysconfig/iptables file

GUI
– system-config-securitylevel (el5)
– system-config-firewall (el6)


IP Forwarding

also referred to as routing

To allow Linux to function as a router, IP forwarding must
be activated
– Located in /etc/sysctl.conf:
net.ipv4.ip_forward = 1


NAT (network address translation)



NAT is a methodology of remapping one IP address space into another
by modifying network address information in IP datagram packet
headers while they are in transit across a traffic routing device.

SNAT (Source Network Address Translation)
– LAN addresses are translated to addresses in the WAN

DNAT (Destination Network Address Translations)
– maps a public IP address to a private IP address

Commonly used in conjunction with IP masquerading
– in iptables, MASQUERADE is used when the external IP address is obtained via DHCP


Network Address Translation (NAT)



Network Address Translation (NAT)
– Originally designed to help conserve public IP addresses
– Receives requests at its own IP address and forwards them to the correct IP address

Depending on the OSI layer at which it operates, there are two types of
translation:
– NAT (Network Address Translation) – layer 3
– PAT (Port Address Translation) – layer 4

Allows administrators to assign private IP address ranges in the internal
network
– NAT device is assigned a public IP address


NAT Example

Picture from: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-nat.html


Network Address Translation (NAT)



NAT types
– depending on the direction in which the translation is made:
– Inside NAT – LAN addresses are translated to addresses in the
WAN
– Outside NAT – addresses from the WAN are translated to
addresses in the LAN


Network Address Translation (NAT)



NAT types
– One-to-one (1:1)

translate one private IP address into one public IP address
– One-to-many (1:Many)

one private IP address is translated into many public IP addresses.

for each connection the private device initiates with a host on the Internet, the NAT router
chooses a public IP address from a range to translate the private IP address into it.
– Many-to-one (Many:1)

many private IP addresses are translated into one public IP address

if the public IP address belongs to the router, this is also known as masquerading
– Many-to-many (Many:Many)

many private IP addresses are translated using a range of public IP addresses.


SNAT / DNAT / Masquerade



SNAT (Source Network Address Translation) = Inside NAT
– LAN addresses are translated to addresses in the WAN
– static SNAT

one or many hosts behind NAT are translated into only one public IP address
– dynamic SNAT

one or many hosts behind NAT are translated into several public IP addresses
– Masquerade (MASQ)

works exactly like static SNAT does, except that you cannot specify the public IP address to be used.

it automatically uses the IP address of the outgoing interface of the NAT router (e.g. the router uses DHCP to obtain its external
address)

DNAT (Destination Network Address Translations) = port-forwarding/port-redirection
– maps a public IP address to a private IP address
– is the reverse of SNAT
– used when you have servers behind NAT, so the same public IP address is mapped to different private IP
addresses depending on ports or protocols


Port Address Translation (PAT)



PAT - translates many private addresses, using a single public
address
– Because addresses cannot be mapped 1:1 at layer 3, the mapping is done at layer 4
– Each pair (internal_IP, internal_port) is mapped to (external_IP,
external_port)
– By default PAT will attempt to map the internal port to the same external
port

if that external port is already used by a previous translation, it can be mapped to a
random port
– PAT mappings are retained in the firewall's memory and are used to identify the
returning traffic and translate it back

Linux: connection tracking
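As an added example covering both the SNAT/Masquerade slide above and this PAT description (my own Python model, not code from the notes or from the Linux kernel), the following keeps a PAT table with port preservation, random-port fallback on collision and reverse translation of returning traffic. PortAddressTranslator and its methods are assumed names, and how it spreads hosts over a public range is my own choice.

```python
# Added example (not from the lecture notes): a Python model of PAT / dynamic SNAT
# as described above. Each (internal_IP, internal_port) maps to (external_IP,
# external_port); the internal port is kept when it is free on the chosen public
# address, otherwise a random free port is used; the mapping stays in memory so
# returning traffic can be translated back (Linux: connection tracking). Spreading
# hosts over a public range such as "--to 1.2.3.4-1.2.3.6" is modelled by hashing the
# internal address, and MASQUERADE as a one-address range taken from the interface.
# Those choices, the per-(proto, public IP, port) uniqueness rule and all names are mine.
import random
from ipaddress import ip_address

class PortAddressTranslator:
    def __init__(self, public_range, port_range=(1024, 65535), seed=0):
        parts = public_range.split("-")                    # "1.2.3.4" or "1.2.3.4-1.2.3.6"
        first, last = ip_address(parts[0]), ip_address(parts[-1])
        self.public = [str(ip_address(i)) for i in range(int(first), int(last) + 1)]
        self.ports = port_range
        self.rng = random.Random(seed)                     # seeded: reproducible runs
        self.outbound = {}  # (proto, int_ip, int_port, dst_ip, dst_port) -> (ext_ip, ext_port)
        self.inbound = {}   # (proto, ext_ip, ext_port) -> (int_ip, int_port, dst_ip, dst_port)

    @classmethod
    def masquerade(cls, interface_ip):
        """MASQUERADE: the only public address is the outgoing interface's own."""
        return cls(interface_ip)

    def choose_public_ip(self, int_ip):
        """Spread internal hosts over the public range (assumption: by hashing)."""
        return self.public[int(ip_address(int_ip)) % len(self.public)]

    def free_port(self, proto, ext_ip, wanted):
        """Keep the internal port if unused on ext_ip; otherwise pick a random free one."""
        if (proto, ext_ip, wanted) not in self.inbound:
            return wanted
        lo, hi = self.ports
        for _ in range(1000):
            cand = self.rng.randint(lo, hi)
            if (proto, ext_ip, cand) not in self.inbound:
                return cand
        raise RuntimeError(f"PAT table exhausted for {ext_ip}/{proto}")

    def translate_out(self, proto, int_ip, int_port, dst_ip, dst_port):
        """Outgoing packet: returns the (ext_ip, ext_port) its source is rewritten to."""
        key = (proto, int_ip, int_port, dst_ip, dst_port)
        if key in self.outbound:                           # known connection: reuse mapping
            return self.outbound[key]
        ext_ip = self.choose_public_ip(int_ip)
        ext_port = self.free_port(proto, ext_ip, int_port)
        self.outbound[key] = (ext_ip, ext_port)
        self.inbound[(proto, ext_ip, ext_port)] = (int_ip, int_port, dst_ip, dst_port)
        return ext_ip, ext_port

    def translate_back(self, proto, src_ip, src_port, ext_ip, ext_port):
        """Returning packet src_ip:src_port -> ext_ip:ext_port: returns the original
        (int_ip, int_port), or None when no mapping matches (the packet is dropped)."""
        entry = self.inbound.get((proto, ext_ip, ext_port))
        if entry is None or (entry[2], entry[3]) != (src_ip, src_port):
            return None        # unknown reply, or from a host other than the one contacted
        return entry[0], entry[1]
```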

Transparent Firewall

Traditionally, a firewall is a routed hop and acts as a
default gateway for hosts that connect to one of its
screened subnets.

A transparent firewall is a Layer 2 firewall that acts like a
“bump in the wire” or a “stealth firewall” and is not seen as
a router hop to connected devices. 1

1 https://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-firewall-services-module/100773-transparent-firewall.html


Transparent Firewall Network

Picture from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html


Iptables - IP Masquerading

masquerading – is a technique that hides an entire IP
address space behind a single IP address in another,
usually public address space
– Eth1 – external interface (IP address obtained via dhcp)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

– Eth1 – external interface (static IP address 1.2.3.4)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4


SNAT Example

Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6


Change source addresses to 1.2.3.4, ports 1-1023
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023


DNAT Example

Change destination addresses to 5.6.7.8
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8


Change destination addresses to 5.6.7.8, 5.6.7.9 or
5.6.7.10.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10


Change destination addresses of web traffic to 5.6.7.8,
port 8080.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080


FirewallD

Just for reference – we are using iptables !!!
– see lab instruction on how to install and enable iptables on your VMs

The new userland interface to netfilter in RHEL/CentOS

provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network
and its associated connections, interfaces or sources.

Resources:
– https://firewalld.org/documentation/
– Red Hat Enterprise Linux 7 Security Guide – Chapter 5

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/security_guide/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf
– Firewalld HowTo:

https://people.redhat.com/pladd/Firewalld_NYRHUG-2015-12.pdf
– CentOS / RHEL 7 : Beginners guide to firewalld

https://www.thegeekdiary.com/centos-rhel-7-beginners-guide-to-firewalld/
– RHEL7: How to get started with Firewalld.

https://www.certdepot.net/rhel7-get-started-firewalld/
– An Introduction to Firewalld

https://www.liquidweb.com/kb/an-introduction-to-firewalld/


Reading assignment

Securing & Optimizing Linux: The Hacking Solution (v.3.0)
http://www.openna.com/pdfs/Securing-Optimizing-Linux-The-Hacking-Solution-v3.0.pdf
– Chapters 9 and 10

Securing & Optimizing Linux: The Ultimate Solution (v.2.0)
http://www.openna.com/pdfs/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
– Chapters 7,8 and 9

Red Hat Enterprise Linux 5 Deployment Guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/pdf/Deployment_Guide/Red_Hat_Enterprise_Linux-5-Deployment_Guide-en-US.pdf
– Chapter 48.8 (Firewalls)

Red Hat Enterprise Linux 6 Security Guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
– Chapter 2.8 (Firewalls)


References
This presentation is intended for lecturing purposes only and is based on the references listed below. Therefore, students are encouraged to (and should) read
the original documents listed below thoroughly in order to improve their skills.

1. http://www.netfilter.org/
2. http://en.wikipedia.org/wiki/Iptables
3. http://en.wikipedia.org/wiki/Netfilter
4. http://en.wikipedia.org/wiki/Network_address_translation
5. Kernel Packet Traveling Diagram http://www.docum.org/docum.org/kptd/
6. Detecting and deceiving network scans http://inai.de/documents/Chaostables.pdf
7. Application Layer Packet Classifier for Linux http://l7-filter.sourceforge.net/
8. conntrack-tools: Netfilter's connection tracking userspace tools - http://conntrack-tools.netfilter.org/
9. ebtables – Linux Ethernet bridge firewalling http://ebtables.sourceforge.net/
10. IPTables Applicable to Centos http://centoshelp.org/networking/iptables-advanced/
11. Netfilter Packet Traversal
● http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
● http://linux-ip.net/nf/nfk-traversal.pdf
12. http://www.danielmiessler.com/study/iptables/
13. https://iximiuz.com/en/posts/laymans-iptables-101/
