
Firewall Basics

Everything you've ever wanted to know about a firewall but didn't have the time to ask.
(Well, almost everything)

Credits: PowerPoint in its entirety created by Ken Diliberto, Network Analyst, I&IT Networks, Cal Poly Pomona

Disclaimer:
The following presentation represents a compilation of obscure bits of information known by the author (me). No representation of accuracy, applicability, usefulness or anything else you can think of is implied.
Batteries not included, some assembly required, don't operate heavy equipment while reading this, not all buyers will qualify, must take delivery before 1/1/1980, your mileage may vary, no user serviceable parts inside, big brother may be watching.

Goals
(Besides killing an hour and a half)

Gain a better understanding of what a firewall is.
Understand different firewall types.
Understand where firewalls fit.

What is a firewall?
A firewall is a device (or software feature) designed to control the flow of traffic into and out of a network. In general, firewalls are installed to prevent attacks.

What is an attack?
Attack covers many things:
1. Someone probing a network for computers.
2. Someone attempting to crash services on a computer.
3. Someone attempting to crash a computer (Win nuke).
4. Someone attempting to gain access to a computer to use resources or information.

Edge Firewall
An edge firewall is usually software running on a
server or workstation. An edge firewall protects a
single computer from attacks directed against it.
Examples of these firewalls are:
ZoneAlarm
BlackIce
IPFW on OSX

Firewall Appliance
An appliance firewall is a device whose sole
function is to act as a firewall. Examples of these
firewalls are:
Cisco PIX.
Netscreen series.

Network Firewall

Router/Bridge based Firewall
A firewall running on a bridge or a router protects anything from a group of devices to an entire network. Cisco has firewall feature sets in their IOS operating system.

Computer-based Network Firewall
A network firewall runs on a computer (such as a PC or Unix computer). These firewalls are some of the most flexible. Many free products are available, including IPFilter (the first package we tried), PF (the current package we are using, found on OpenBSD 3.0 and later) and IPTables (found on Linux). Commercial products include Checkpoint Firewall-1. Apple OSX includes IPFW (included in an operating system you gotta purchase).

Why use a firewall?

Protect a wide range of machines from general probes and many attacks.
Provides some protection for machines lacking in security.
Great first line of defense.

Having a firewall is a necessary evil. It's like living in a gated community. The gate may stop 99% of unwanted visitors. The locks on your doors stop the remaining 1% (maybe, but you get the idea).
Don't let the firewall give you a false sense of security. Harden your machines by turning off services you don't need.

How does a firewall work?

Blocks packets based on:
Source IP address or range of addresses.
Source port (TCP/UDP).
Destination IP address or range of addresses.
Destination port (TCP/UDP).
Some firewalls also filter on higher layers of the OSI model.
Other protocols (how would you filter DECnet anyway?).

Common ports
80 HTTP
443 HTTPS
20 & 21 FTP (didn't know 20 was for FTP, did you?)
23 Telnet
22 SSH
25 SMTP

Sample firewall rules

Protected server: 134.71.1.25
Protected subnet: 134.71.1.0/24
$internal refers to the internal network interface on the firewall.
$external refers to the external network interface on the firewall.

Sample rules: Can you find the problem?

(For this example, when a packet matches a rule, rule processing stops.)

Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state

The problem: the SSH rule would never have a chance to be evaluated. All traffic to 134.71.1.25 is blocked by the previous two rules.
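The first-match semantics the slide describes can be checked mechanically. The following is an added example (not part of the deck): a small parser for the inbound rule syntax shown above and a simulator that reports which rule decides an inbound packet, first in the slide's order and then with the pass rules moved ahead of the catch-all blocks. Only the inbound "$external" rules are modelled; the outbound keep-state rule is left out.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Grammar covers only the inbound "$external" rules on the slide.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in(?P<log>\s+log)?\s+on\s+\$external\s+from\s+any"
    r"(?:\s+proto\s+(?P<proto>tcp|udp))?\s+to\s+(?P<dst>[\d./]+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?\s*$", re.IGNORECASE)

class Rule(NamedTuple):
    action: str                      # "pass" or "block"
    log: bool
    proto: Optional[str]             # None = any protocol
    dst: ipaddress.IPv4Network       # a bare host address becomes a /32
    port: Optional[int]              # None = any port
    text: str

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return Rule(m["action"].lower(), bool(m["log"]),
                m["proto"].lower() if m["proto"] else None,
                ipaddress.ip_network(m["dst"], strict=False),
                int(m["port"]) if m["port"] else None, text.strip())

def first_match(rules: List[Rule], proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[int, str]]:
    """(rule index, action) of the first rule matching an inbound packet, mimicking the
    slide's 'processing stops at the first match' semantics; None if no rule matches."""
    addr = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto in (None, proto) and addr in r.dst and r.port in (None, dst_port):
            return i, r.action
    return None

SLIDE_RULES = [parse_rule(t) for t in (
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 80",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 53",
    "Pass in on $external from any proto udp to 134.71.1.25 port = 53",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 25",
    "Block in log on $external from any to 134.71.1.25",
    "Block in on $external from any to 134.71.1.0/24",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 22",
)]

def fixed_order(rules: List[Rule]) -> List[Rule]:
    """Put every pass rule ahead of the catch-all blocks so each service rule is reachable."""
    return [r for r in rules if r.action == "pass"] + [r for r in rules if r.action == "block"]

if __name__ == "__main__":
    for label, rules in (("slide order", SLIDE_RULES), ("fixed order", fixed_order(SLIDE_RULES))):
        idx, action = first_match(rules, "tcp", "134.71.1.25", 22)
        print(f"{label}: SSH to 134.71.1.25 -> {action} by rule {idx + 1}: {rules[idx].text}")
```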

To log or not to log

Logging is both good and bad.
If you set your rules to log too much, your logs will not be examined. If you log too little, you won't see things you need. If you don't log, you have no information on how your firewall is operating.
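One way to keep a verbose block log examinable is to reduce it before reading it. The following is an added example (not the deck's own code) that parses lines in the ipmon format the slides show, collapses repeated entries for one flow (a blocked SYN is retransmitted, so one connection attempt produces several identical lines) and flags sources that hit the same port on several different hosts. The log lines are constructed with documentation-range addresses and a made-up host name "fw"; they are not the deck's data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in ipmon's format (not real traffic): three retransmitted SYNs
# to one host, one source sweeping port 80 across four hosts, and a UDP broadcast
# that ipmon reported twice ("2x").
SAMPLE_LOG = """\
Jul 31 11:00:06 fw ipmon[14110]: 11:00:06.786765 xl0 @1:10 b 192.0.2.10,50258 -> 198.51.100.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:07 fw ipmon[14110]: 11:00:07.366515 xl0 @1:10 b 192.0.2.10,50258 -> 198.51.100.57,23 PR tcp len 20 48 -S IN
Jul 31 11:00:08 fw ipmon[14110]: 11:00:08.526751 xl0 @1:10 b 192.0.2.10,50258 -> 198.51.100.57,23 PR tcp len 20 48 -S IN
Jul 31 11:50:02 fw ipmon[14110]: 11:50:02.619311 xl0 @0:3 b 203.0.113.8,4588 -> 198.51.100.37,80 PR tcp len 20 44 -S IN
Jul 31 11:50:02 fw ipmon[14110]: 11:50:02.629271 xl0 @0:3 b 203.0.113.8,4597 -> 198.51.100.44,80 PR tcp len 20 44 -S IN
Jul 31 11:50:05 fw ipmon[14110]: 11:50:05.633338 xl0 @1:10 b 203.0.113.8,4610 -> 198.51.100.57,80 PR tcp len 20 44 -S IN
Jul 31 11:50:17 fw ipmon[14110]: 11:50:16.882433 xl0 @0:3 b 203.0.113.8,1406 -> 198.51.100.103,80 PR tcp len 20 44 -S IN
Jul 31 12:02:14 fw ipmon[14110]: 12:02:14.729242 2x xl0 @0:3 b 198.51.100.92,138 -> 198.51.100.255,138 PR udp len 20 269 IN
"""

# Fields: timestamp, optional repeat count, interface, @group:rule, b(lock)/p(ass),
# src,port -> dst,port, protocol, header/total length, TCP flags (absent for UDP), direction.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>[\d:.]+) (?:(?P<rep>\d+)x )?(?P<ifc>\S+) @(?P<grp>\d+):(?P<rule>\d+) "
    r"(?P<act>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>\S+))? (?P<dir>IN|OUT)$")

def parse_ipmon(text: str) -> list:
    """Parse ipmon records into dicts; lines that do not match are skipped, not fatal."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if m:
            d = m.groupdict()
            d["rep"] = int(d["rep"] or 1)
            recs.append(d)
    return recs

def summarize(recs: list, sweep_threshold: int = 3) -> dict:
    """Collapse repeated lines for one flow and flag sources that knocked on the same
    port of at least sweep_threshold different hosts."""
    flows = Counter()
    hosts = defaultdict(set)          # (src, dport) -> distinct destination hosts
    for r in recs:
        if r["act"] != "b":           # only blocked traffic is summarised here
            continue
        flows[(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])] += r["rep"]
        hosts[(r["src"], r["dport"])].add(r["dst"])
    total = sum(flows.values())
    return {"blocked_packets": total, "unique_flows": len(flows), "repeats": total - len(flows),
            "sweeps": {k: sorted(v) for k, v in hosts.items() if len(v) >= sweep_threshold}}

if __name__ == "__main__":
    for key, value in summarize(parse_ipmon(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```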

Sample log file


Had enough yet?

What is a state?
When your computer makes a connection with another
computer on the network, several things are exchanged
including the source and destination ports. In a standard
firewall configuration, most inbound ports are blocked. This
would normally cause a problem with return traffic since the
source port is randomly assigned (different from the destination
port).
A state is a dynamic rule created by the firewall containing the
source-destination port combination, allowing the desired
return traffic to pass the firewall.

How many states can a computer have?


A single computer could have hundreds of states
depending on the number of established
connections. Consider a server supporting POP3,
FTP, WWW and Telnet/SSH access. It could have
thousands of states.


What happens without state?

Without state, your request for traffic would leave the firewall but the reply would be blocked.
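The state mechanism described in the last three slides, as an added example (not the deck's code): a toy default-deny firewall in which an outbound packet from the protected subnet creates a state entry, the mirror image of that entry admits the reply, and the entry expires after a ttl like the ones in the state table. The outside addresses are from documentation ranges and the client port is chosen arbitrarily.

```python
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
INSIDE = "134.71.1."                    # the deck's protected subnet, matched by prefix

class StatefulFirewall:
    """Default-deny inbound. An outbound packet from the protected subnet creates a
    state entry; the mirror image of that entry lets the reply back in until the
    entry's ttl expires, so no static inbound rule for the random source port is needed."""

    def __init__(self, ttl_seconds: int = 60) -> None:
        self.ttl = ttl_seconds
        self.states: Dict[Flow, int] = {}   # flow -> expiry time in seconds

    def _expire(self, now: int) -> None:
        self.states = {f: exp for f, exp in self.states.items() if exp > now}

    def handle(self, flow: Flow, now: int, keep_state: bool = True) -> str:
        proto, src, sport, dst, dport = flow
        self._expire(now)
        if src.startswith(INSIDE):          # outbound: passed, optionally recorded as state
            if keep_state:
                self.states[flow] = now + self.ttl
            return "pass"
        mirror = (proto, dst, dport, src, sport)   # is this the reply to a known flow?
        if mirror in self.states:
            self.states[mirror] = now + self.ttl   # activity refreshes the ttl
            return "pass"
        return "block"

def demo(keep_state: bool) -> List[str]:
    """Outcome of a request, its reply, an unsolicited packet and a late reply."""
    fw = StatefulFirewall(ttl_seconds=60)
    request = ("tcp", "134.71.1.25", 49152, "203.0.113.5", 80)  # 49152: random client port
    reply = ("tcp", "203.0.113.5", 80, "134.71.1.25", 49152)
    unsolicited = ("tcp", "198.51.100.9", 40000, "134.71.1.25", 49152)
    return [fw.handle(request, 0, keep_state), fw.handle(reply, 1),
            fw.handle(unsolicited, 2), fw.handle(reply, 120)]

if __name__ == "__main__":
    print("with state:   ", demo(True))    # ['pass', 'pass', 'block', 'block']
    print("without state:", demo(False))   # ['pass', 'block', 'block', 'block']
```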

Sample state table.

kd2.ec.csupomona.edu - IP Filter: v3.4.28   Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any   state top   Sorted by = # bytes   07:50:50

Source IP               Destination IP           ST    PR    #pkts  #bytes  ttl
134.71.202.57,4738      64.160.215.222,1677      4/4   tcp     551  368024  119:59:56
134.71.202.57,4744      64.160.215.222,1677      4/4   tcp     399  258160  119:59:59
134.71.202.57,1039      134.71.204.115,1410      4/4   tcp      33    6872  119:59:16
134.71.203.168,138      134.71.203.255,138       0/0   udp       2     458  0:06
134.71.202.57,4727      64.160.215.222,1677      0/6   tcp       5     200  1:58:03
134.71.203.168,137      134.71.203.255,137       0/0   udp       2     156  0:13
134.71.202.57           239.255.255.250          0/0   igmp      1      32  1:20
134.71.202.57,137       134.71.203.255,137       0/0   udp      62    5844  1:51
134.71.202.57,1028      134.71.4.100,53          0/0   udp      35    4910  0:11
134.71.202.57,1038      216.136.175.142,5050     4/4   tcp      35    4208  119:59:59
134.71.202.57,138       134.71.203.255,138       0/0   udp      16    3520  1:49
134.71.203.168,138      134.71.203.255,138       0/0   udp      14    3026  2:00
134.71.203.168,137      134.71.203.255,137       0/0   udp      16    1536  1:59
134.71.202.57,1036      239.255.255.250,1900     0/0   udp       7    1127  1:58
134.71.202.57           239.255.255.250          0/0   igmp     10     320  1:54
134.71.202.57,4727      64.160.215.222,1677      0/6   tcp       5     200  1:53:26
134.71.202.57,1031      134.71.184.58,445        2/0   tcp       3     128  0:47
134.71.202.57,1033      134.71.184.58,445        2/0   tcp       3     128  0:48

Where does a firewall fit in the security model?
The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines. If an attack can't reach its target, the attack is defeated.

Ruleset design
Two main approaches to designing a ruleset are:
1. Block everything, then open holes.
2. Block nothing, then close holes.

Ruleset design: Block Everything

Blocking everything provides the strongest security but the most inconvenience. Things break and people complain.
The block-everything method covers all bases but creates more work in figuring out how to make some applications work, then opening holes.

Ruleset design: Block Nothing

Blocking nothing provides minimal security by only closing holes you can identify. Blocking nothing provides the least inconvenience to our users.
Blocking nothing means you must spend time figuring out what you want to protect yourself from, then closing each hole.

What is IDS?
IDS is an Intrusion Detection System.
IDS can identify many attacks and traffic patterns
crossing a border device.


An IDS sounds good. Is it?


Yes and no.
An IDS can identify port scans, different web
attacks, known buffer overflow attacks, etc. An IDS
can also produce many false positive hits. AOL
Instant Messenger triggers port scan hits because it
talks to several AOL Ad servers within a few
seconds. An IDS can create more information on a
small network than a network administrator can deal
with.

Filtering bad traffic
(RFC 1918, bad headers, options, etc.)

Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed, protecting devices that may be susceptible.

Filtering bad traffic
(RFC 1918, bad headers, options, etc.)

Private IP address traffic should never be seen on the IT.UU.SE network.
Private IP address blocks (RFC 1918):
10.0.0.0 - 10.255.255.255 (255.0.0.0 mask)
172.16.0.0 - 172.240.0.0 (255.240.0.0 mask)
192.168.0.0 - 192.168.255.255 (255.255.0.0 mask)

Black hole or Return-RST
(or how to respond to things you don't want.)

Should you tell a sending machine that their traffic was blocked, or let them wait until they time out?
For some traffic, it's better to let the sending machine wait. This slows down the rate of attack. For other traffic (such as SMTP) it may be nice to tell the sender that the SMTP port is closed.

Poking holes
How to allow traffic and expose yourself.

OK. You've decided to block traffic. Do you have to block all traffic? No. You can allow select traffic in. The criteria for allowing traffic are the same as for blocking traffic.

Compromised Machines
Just a note about compromised machines:
When a machine is compromised, you have no way to determine exactly what was hacked. Cleaning what you think is the problem may not rid yourself of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning.
