Page 146 / 351
Firewall Tutorial
General firewall terms
☛ Note: Breakwater Basic Firewall (see "BreakWater Basic Firewall" on page 125) does not make use of the packet filter support and can be used in addition to filter sets.
Filter rule: A single test that allows or denies a packet; a filter set is comprised of individual filter rules.
Filter set: A grouping of individual filter rules, applied to each packet in order.
Firewall: A component or set of components that restricts access between a protected network and the Internet, or between two networks.
Host: A workstation on the network.
Packet: The unit of communication on the Internet.
Packet filter: A mechanism that allows or denies packets based on their source and destination IP addresses and TCP or UDP ports, without examining the data the packet carries.
Port: A number that identifies a particular type of service (for example, TCP port 80 for WWW).
Basic IP packet components
All IP packets contain the same basic header information. The example packet used throughout this tutorial looks like this:

Source IP Address        163.176.132.18
Destination IP Address   163.176.4.27
Source Port              2541
Destination Port         80
This header information is what the packet filter uses to make filtering decisions. It is important to note that a packet filter does not look into the IP data stream (the User Data in the example packet) to make filtering decisions: a rule can say "allow TCP to port 80", but it cannot distinguish a harmless HTTP request from a hostile one carried in an identically addressed packet.
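The following is an added Python example, not code from the Netopia manual, that makes the point above concrete. It builds the tutorial's example packet (163.176.132.18:2541 to 163.176.4.27:80 over TCP) as raw bytes and extracts only the fields a packet filter sees. The packet layout (a 20-byte IPv4 header with no options, checksums left at zero) and the sample payloads are constructed here for illustration.

```python
import struct
import ipaddress

# Assumed layout: a minimal IPv4 header (no options) followed by a TCP or UDP
# header and then user data. Packets here are constructed inline, not captured.

PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_packet(src, dst, proto, transport_header, payload=b""):
    """Assemble a 20-byte IPv4 header (checksum left zero) plus transport header and data."""
    total_len = 20 + len(transport_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # TOS
        total_len,
        0x1234,          # identification (arbitrary)
        0x4000,          # flags: don't fragment, offset 0
        64,              # TTL
        proto,
        0,               # header checksum (not computed; the filter does not need it)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return ip_header + transport_header + payload


def build_tcp_header(sport, dport, flags=0x18):
    """20-byte TCP header with no options; PSH|ACK by default."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)


def build_udp_header(sport, dport, payload_len):
    """8-byte UDP header; length covers header plus data, checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def filter_view(packet):
    """Return only the fields a stateless packet filter decides on.

    Everything after the transport header (the user data) is deliberately
    never read, mirroring the tutorial's point that a packet filter does not
    look into the IP data stream.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        sport = dport = None
    return {
        "src": src,
        "dst": dst,
        "proto": {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}.get(proto, proto),
        "sport": sport,
        "dport": dport,
    }


def same_filter_view(a, b):
    """True when a packet filter cannot tell the two packets apart."""
    return filter_view(a) == filter_view(b)


# The tutorial's example packet, carrying an ordinary HTTP request (constructed).
HTTP_REQUEST = build_ipv4_packet(
    "163.176.132.18", "163.176.4.27", PROTO_TCP,
    build_tcp_header(2541, 80), b"GET / HTTP/1.0\r\n\r\n")

# Same addresses and ports, different user data (constructed).
OTHER_REQUEST = build_ipv4_packet(
    "163.176.132.18", "163.176.4.27", PROTO_TCP,
    build_tcp_header(2541, 80), b"DELETE /index.html HTTP/1.0\r\n\r\n")

# A UDP datagram to the SNMP port from the same host (constructed, not a valid SNMP PDU).
SNMP_QUERY = build_ipv4_packet(
    "163.176.132.18", "163.176.4.27", PROTO_UDP,
    build_udp_header(2542, 161, 4), b"\x30\x02\x02\x00")

if __name__ == "__main__":
    print(filter_view(HTTP_REQUEST))
    print("filter sees both HTTP packets as identical:",
          same_filter_view(HTTP_REQUEST, OTHER_REQUEST))
    print(filter_view(SNMP_QUERY))
```

Run stand-alone, it prints the same five-field view for both HTTP packets even though their user data differs; that is the whole reach of a packet filter, and anything that depends on the request itself has to be enforced elsewhere.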
Basic protocol types
TCP: Transmission Control Protocol. TCP provides reliable, sequenced delivery and retransmits segments that are not acknowledged, so data is not lost. RFC 793 is the specification for TCP.
UDP: User Datagram Protocol. Unlike TCP, UDP does not guarantee reliable, sequenced delivery; if a datagram does not reach its destination, UDP does not retransmit it. RFC 768 is the specification for UDP.
Many more ports are defined in the Assigned Numbers RFC (the port registry is now maintained by IANA). The Example TCP/UDP Ports table below shows some of these port assignments.
(Remaining rows of the example packet diagram under "Basic IP packet components": Protocol TCP; DATA User Data.)
Firewall design rules
There are two basic rules to firewall design:
• "What is not explicitly allowed is denied."
and
• "What is not explicitly denied is allowed."
The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else. If the other rule is used, you would have to figure out everything that you want to disallow, now and in the future; any service you overlook, or that appears on the network later, is reachable by default.
Firewall Logic
Firewall design is a test of logic, and filter rule ordering is critical. A packet is compared against the filter rules in order; the first rule it matches determines the action taken, and the packet is not compared against the remaining rules.
For example, if you had the following filter set...
Allow WWW access;
Allow FTP access;
Allow SMTP access;
Deny all other packets.
Example TCP/UDP Ports

TCP Port   Service      UDP Port   Service
20/21      FTP          161        SNMP
23         Telnet       69         TFTP
25         SMTP
80         WWW
144        News

(144 is the "news" entry of the Assigned Numbers list; Usenet news transfer, NNTP, uses TCP port 119.)
If a packet destined for FTP goes through the filter set above, it passes the first rule (WWW) without matching, reaches the second rule (FTP), and matches it; the packet is allowed through.
If you had this filter set, for example:
Allow WWW access;
Allow FTP access;
Deny FTP access;
Deny all other packets.
and a packet destined for FTP goes through these rules, it passes the first rule (WWW), matches the second rule (FTP), and is allowed through. Even though the next rule denies all FTP traffic, the FTP packet never reaches that rule: "Deny FTP access" is unreachable, and the filter set does not do what its author presumably intended. When you want to deny a service, the deny rule must come before any allow rule that would also match it.
Implied rules
With a given set of filter rules, there is an implied rule that may or may not be shown to the user. The implied rule tells the filter set what to do with a packet that does not match any of the filter rules. It is derived from the actions of the rules in the set, as follows:

Rules in set   Implied rule   Meaning
Y+Y+Y          N              If all filter rules are YES (allow), the implied rule is NO (deny).
N+N+N          Y              If all filter rules are NO (deny), the implied rule is YES (allow).
Y+N+Y          N              If the filter rules mix YES and NO, the implied rule is NO (deny).

Note that a filter set made up only of deny rules therefore allows everything it does not list, which is the less secure "what is not explicitly denied is allowed" design. To keep the default-deny design, include at least one allow rule, or end the set with an explicit rule that denies all other packets.
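The first-match evaluation described under "Firewall Logic" and the implied-rule table above, as an added Python example (this is not Netopia's filter-set code; the Rule class, its field names, the packet dictionary format, and the treatment of an empty rule set as deny are assumptions made here). It evaluates the two example filter sets against an FTP packet, applies the implied rule when no rule matches, and additionally flags rules that can never fire, which is the check that would have caught the "Deny FTP access" mistake.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed packet representation: a dict with "proto" ("TCP"/"UDP") and "dport"
# (destination port). Rule fields and names are illustrative, not the
# Netopia filter-set syntax.


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" (YES) or "deny" (NO)
    proto: Optional[str] = None  # "TCP", "UDP", or None for any protocol
    dport: Optional[int] = None  # destination port, or None for any port
    name: str = ""

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))


def implied_rule(rules):
    """The tutorial's implied-rule table.

    All rules YES (allow)  -> implied NO (deny)
    All rules NO (deny)    -> implied YES (allow)
    Mixed YES and NO       -> implied NO (deny)
    An empty set is treated as deny here; the tutorial does not define that case.
    """
    actions = {r.action for r in rules}
    return "allow" if actions == {"deny"} else "deny"


def evaluate(rules, pkt):
    """First match wins: return (action, index of the matching rule).

    A packet matching no rule gets the implied rule and index None.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return implied_rule(rules), None


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule matches
    every packet they would match. "Deny FTP" after "Allow FTP" is exactly this."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.proto in (None, later.proto) and earlier.dport in (None, later.dport):
                shadowed.append(j)
                break
    return shadowed


# The two filter sets from the tutorial, using the port table's assignments.
SET_ONE = [
    Rule("allow", "TCP", 80, "Allow WWW access"),
    Rule("allow", "TCP", 21, "Allow FTP access"),
    Rule("allow", "TCP", 25, "Allow SMTP access"),
    Rule("deny", None, None, "Deny all other packets"),
]

SET_TWO = [
    Rule("allow", "TCP", 80, "Allow WWW access"),
    Rule("allow", "TCP", 21, "Allow FTP access"),
    Rule("deny", "TCP", 21, "Deny FTP access"),
    Rule("deny", None, None, "Deny all other packets"),
]

# Sets without an explicit catch-all, where the implied rule decides.
ALLOW_ONLY = SET_ONE[:3]
DENY_ONLY = [Rule("deny", "TCP", 23, "Deny Telnet"), Rule("deny", "UDP", 69, "Deny TFTP")]

# Constructed sample packets (only the fields the rules consult).
FTP_PACKET = {"proto": "TCP", "dport": 21}
TELNET_PACKET = {"proto": "TCP", "dport": 23}
WWW_PACKET = {"proto": "TCP", "dport": 80}

if __name__ == "__main__":
    for label, rules in (("set one", SET_ONE), ("set two", SET_TWO)):
        action, idx = evaluate(rules, FTP_PACKET)
        print(f"{label}: FTP packet -> {action} by rule {idx} ({rules[idx].name})")
        print(f"{label}: unreachable rules: {[rules[i].name for i in shadowed_rules(rules)]}")
    print("allow-only set, Telnet packet ->", evaluate(ALLOW_ONLY, TELNET_PACKET))
    print("deny-only set, WWW packet ->", evaluate(DENY_ONLY, WWW_PACKET))
```

Both sets allow the FTP packet at rule index 1, and only set two reports an unreachable rule. The shadowing check is deliberately simple (exact port or any, exact protocol or any); a filter syntax with address ranges or port ranges needs a subset test over those ranges instead of equality.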
Example filter set page
This is an example of the Netopia filter set page: