Module 6
2013-01-01 1
Firewall Principles
Firewall
Firewall Types
• Firewalls come in two basic flavors: stateful and stateless
• Stateless firewalls are simplistic: filter rules match on source or destination IP address and port, and either accept or block
• Stateful rules understand the state of connections through the firewall; they are much more robust, more flexible and easier to implement
• We will learn here to use a combination of both techniques, starting with stateless
Firewall Facility - Exploring the Tabs
Firewall Filter
• Two tabs are required for a basic filter rule: General and Action
• General: packet matcher
• Action: what we are going to do to those packets
Filter Chains
• Chains are a strange way to say “places where we can look at and act on traffic”
Diagram: the Input, Forward and Output chains
Firewall Chains
Diagram: Output chain (a ping from the router), Input chain (Winbox to the router), Forward chain (WWW and e-mail traffic through the router)
Which Chain?
• If a packet has a destination address on the router itself (a local address), it hits the INPUT chain
• If a packet has a destination address for which we have a route (but not a local address), it hits the FORWARD chain
• If a packet is generated by the router itself (you on the terminal pinging a host), it hits the OUTPUT chain
Flowchart: Is the destination address local? Yes: INPUT chain. No: FORWARD chain.
Input
Add an accept rule for your laptop IP address. Your IP is 192.168.X.254.
Invalid Rules
Address-List
• Create different lists
• Subnets, separate ranges and single host addresses are supported
Address-List in Firewall
• Ability to block by source and destination addresses
Forward
• Create a rule that will block TCP port 80 (web browsing)
• You must select a protocol before you can match on ports
Rule Actions Besides Accept and Drop
Add to Address-List
• Address lists can be created manually or automatically by firewall rules
• Add a specific host to an address-list
• Specify a timeout for a temporary addition
P2P - Peer to Peer
Create a rule that will block the client’s p2p traffic
Firewall Logging
• Let’s log client pings to the router
• The log rule should be added before the rule that takes the other action
Firewall Log
Custom chains
Firewall chains in Action
• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP protocols, etc.
Connections - Packet Types
Note: Invalid - not part of a previously known connection, but also not a SYN packet, so it can’t start a new connection.
What If We Only Had Stateless Rules?
• We would need a specific rule for every protocol and port we wanted to allow: a high degree of administrative effort and constant adjustment
• Using stateful rules (connection states) we can create a simpler, more flexible firewall
• Assume that anything that initiates from the LAN is good and that anything initiated from the WAN is bad
Connection State
• In the forward chain, firewalls should allow only new connections that initiate from the LAN, plus established or related connections, and drop invalid ones
• Filter rules have the “connection state” matcher for this purpose
• Using connection state is an easy way to allow only traffic initiated by your clients to pass through the firewall
Tying It All Together
• Firewalls are built according to purpose; backbone router and internet router are two broad categories
• Firewalls use a combination of rules:
− Rules to protect the router
− Rules to protect clients
− Connection rules to allow clients to access the internet
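A worked rule set in RouterOS CLI syntax that ties the whole module together (stateful input and forward chains, a log rule placed before the action, an address-list entry with a timeout, a custom chain with a jump, and masquerading), added here as an example and not taken from the course slides. It assumes ether1 is the WAN interface, ether2 the LAN interface, pod X=1 so the admin laptop is 192.168.1.254, and a constructed “Servers” address-list entry.

```routeros
# Added example (not from the course slides). Assumptions: ether1 = WAN, ether2 = LAN,
# admin laptop = 192.168.1.254 (pod X=1), the "Servers" list entry is constructed.

/ip firewall address-list
add list=admins address=192.168.1.254 comment="laptop allowed to manage the router"
add list=Servers address=192.168.1.10 comment="constructed example server address"

/ip firewall filter
# ---- input chain: rules to protect the router itself ----
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router already knows about"
add chain=input connection-state=invalid action=drop \
    comment="not part of a known connection and not a SYN"
# the log rule sits BEFORE the rule that decides the packet's fate
add chain=input protocol=icmp in-interface=ether2 action=log log-prefix="client-ping"
add chain=input protocol=icmp action=accept comment="ping stays allowed after logging"
add chain=input protocol=tcp dst-port=8291 src-address-list=admins action=accept \
    comment="Winbox only from the admin address list"
# any other WAN host knocking on Winbox is recorded for one hour, then hits the drop
add chain=input protocol=tcp dst-port=8291 in-interface=ether1 \
    action=add-src-to-address-list address-list=winbox-probes address-list-timeout=1h
add chain=input action=drop comment="default deny for the router"

# ---- forward chain: rules to protect clients, connection rules for internet access ----
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address-list=Servers action=jump jump-target=servers \
    comment="hand traffic for the Servers list to a custom chain"
add chain=forward connection-state=new in-interface=ether2 action=accept \
    comment="anything initiated from the LAN is good"
add chain=forward action=drop comment="anything initiated from the WAN is bad"

# ---- custom chain: only web to the servers; everything else returns to forward ----
add chain=servers protocol=tcp dst-port=80 action=accept
add chain=servers action=return

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="hide the LAN behind the WAN address"
```

Rule order matters: the established/related and invalid rules come first so that the per-protocol rules below only ever see new connections.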
Source NAT
NAT
• Network Address Translation (NAT) allows hosts to use one set of IP addresses on the LAN side and another set of IP addresses when accessing external networks.
• Source NAT translates private IP addresses (on the LAN) to public IP addresses when accessing the Internet. The reverse is done for return traffic. It's sometimes referred to as "hiding" your address space (your network) behind the ISP-supplied address.
Masquerade and src-nat action
• The first chain for NATing is "srcnat". It's used by traffic leaving the router.
• Much like firewall filters, NAT rules have many properties and actions (13 actions!).
• The first, and most basic, of NAT rules only uses the "masquerade" action.
• Masquerade replaces the source IP address in packets by one determined by the routing facility.
− Typically, the source IP address of packets going to the Internet will be replaced by the address of the outside (WAN) interface. This is required for return traffic to "find its way home".
Destination NAT
Dst-nat and redirection action
NAT Syntax
• Source NAT (from /ip firewall nat)
− Add the masquerade rule
● add action=masquerade chain=srcnat
− Change the source IP address
● add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200
• Destination NAT
− Redirect all web traffic (TCP, port 80) to the router's web proxy on port 8080
● add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
Laboratory : Setup
Laboratory : step 1
• Before going ahead with firewall rules, we'll test a NAT rule: masquerading
− Look into your settings to see if you have a "masquerading" NAT rule. Create one if you don't, BUT leave it disabled. If you have one, make sure that it's disabled.
− Launch Winbox and connect to a neighbour pod.
− In the IP FIREWALL CONNECTION section, look at active connections. What do you see? Why?
− Set the configuration option that will let you track connections. Check the results.
− Enable the masquerade NAT rule and check connection tracking again.
Laboratory : step 2
• Use the following slide to create a firewall for a backbone router.
• Use the following slide to create a firewall for an internet router.
• Optionally create a custom chain with a jump rule in the forward chain for the destination address list “Servers”
• Discuss
Laboratory : step 3
Laboratory : step 4
Laboratory : step 5
• Pods should be matched in pairs for the following tests
• Close your WinBox window and reopen it, connecting to your peer pod. What's happening?
• With one filter rule ONLY, allow all IP addresses from your peer pod to connect to your router with WinBox (TCP, 8291)
− Make sure that it's in the right spot so that it works
− And DON'T forget comments!
Laboratory : step 6
Laboratory : step 7
• Close and reopen the WinBox interface without adding any special parameters. What result do you get?
• Log into WinBox using port 8111.
• Create a dst-nat rule with a redirect action to port 8111 on all TCP port 8291 traffic.
• Close and reopen WinBox without the port after the IP address. Does it work now?
• Log into your peer pod's router. What's happening?
Laboratory : step 8
Laboratory : step 9
Laboratory : step 10
End of Laboratory 6