Scribd Logo
Upload

Welcome to Scribd!

  • Building a FREP firewall

    Uploaded by

    nazloen
    4 views17 pages
    ferewel

    Original Title

    Firewall

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    ferewel

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    4 views17 pages

    Building a FREP firewall

    Uploaded by

    nazloen
    ferewel

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 17

    building a

    F R E P

    R I F T C E

    L L A EW

    No time...

    Not possible...

    What we can do
    restrict access to the network services limit the number of active connections detect some port-scan atacks drop illegal traffic

    What we can not do


    regain the channel already consumed detect 'smart' attacks look inside the application protocol

    Components of the filter


    protocol classifier invalid packet filter port-scan detector policy classifier application protocol filter TCP-specific filters application protocol specific filters

    sing marks
    !angle has four types of marks may be used for different applications" packet mark # $ueue policies connection mark # protocol policies routing mark # policy routing rules %not used in this setup& To' # (iff'erv service policy transfer %not used in this setup&

    Protocol classifiers
    prerouting mangle packets opening new connections connection mark for TCP and (P) check both) source port %usually) *+,--.//0/& and destination port.

    1nvalid packet filter


    forward filter invalid addresses %local) not registered with 12N2) broadcast) multicast& invalid connection state N2T traversal

    Port-scan detection
    P'( matcher TCP flags for 3mas and Null scans put violators in blocked 1P address list

    Policy classifier
    different customer profiles classify by addresses) then 4ump to separate policy enforcement chains 25P for binding 1P with !2C

    2pplication protocol filter


    choose the protocols allowed drop everything alse 2 T6 %TCP7**0& should be re4ected to avoid slowdown for some programs e8pecting it to be available

    TCP-specific filters

    maybe drop TCP 5'T9

    2pplication-specific filters
    2 T6 # re4ect '!TP # drop the first connection) allow only second connection from a particular source address

    !ore to do
    pro8y everything" NTP) (N') 6TTP filter 6TTP connections to some sites %porn site list was published somewhere on the forum& use a dedicated 1(2 use trusted software protect local traffic outsource

    1f you loose a connection

    T62N: ;< =
    Come to the 'ecurity (iscussion Table) 1 will be waiting 6ave a nice trip back home= >et the firewall configuration script done with this scheme on monday evening at wiki.mikrotik.com

    You might also like