Packet-Filtering Routers
A packet-filtering router usually depends on access rules, that is,
rules you set up within the router software itself. A packet filter
usually has a rule set that starts with least common and works its way
up to most common. What's a rule set? Typically, a rule set looks
something like a routing table but includes sockets as well as
addresses. Any packet that comes in is compared against rule 1, then
rule 2, all the way to the end. If at any time it matches up against a
rule, processing stops. For example, for my 192.168.1.0 network, the
rules might be as follows:
o Allow 192.168.1.0:any on if 0 to connect to all:any.
o Deny all:any to connect to all:any.
This means that anybody within my 192.168.1.0 network (provided they
come in on router interface 0) can connect to anything they darn well
please. If condition 1 were not true, then condition 2 would apply,
which denies everything. This is probably the most common firewall
configuration: Allow certain sockets (or all sockets) from the inside
to go to the outside and disallow all other connections (for example,
connections from the outside).
______________________________________________________________
The most effective packet-filtering routers will have a filter on
"which interface" the packet comes in on, in addition to what IP
address the packet is from. This helps eliminate packet spoofing,
where a packet claims to be from a certain network, but actually is
not.
______________________________________________________________
______________________________________________________________
A complex rule set results in confusion and possible
misconfiguration. If you're configuring a rule set, you should keep
it simple.
______________________________________________________________
______________________________________________________________
You should know that certain applications (such as active FTP) will
ask the destination station to initiate a connection back to the
requesting workstation, even though it's a TCP application. It's
sort of like "Hey Fred, find out when the movie is, then call me
back."
Under many firewall configurations, this is prohibited, because it
means the firewall has to be configured so that a random
workstation from the outside can initiate a connection to a random
workstation on the inside. Might as well use a colander rather than
a firewall!
You can usually get around this type of application problem by
using a different mode of the application, for instance, passive
FTP, where only the requesting workstation makes connections. Most
browsers default to passive FTP, but not all standalone FTP clients
do.
______________________________________________________________
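The first-match rule processing, the interface check against spoofed source addresses, and the active-versus-passive FTP problem described above, combined in one added example (this code is not from the book; the rule engine, the interface names if0/if1, and the sample packets are all constructed here for illustration). The rule set is the two-rule one from the text: inside hosts arriving on interface 0 may go anywhere, everything else is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A constructed packet summary: ingress interface plus the two sockets."""
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One rule of the set. 0.0.0.0/0 and None stand for 'all' / 'any'."""
    action: str                      # "allow" or "deny"
    src_net: str = "0.0.0.0/0"       # "all" source addresses
    sport: Optional[int] = None      # None == any source port
    dst_net: str = "0.0.0.0/0"       # "all" destination addresses
    dport: Optional[int] = None      # None == any destination port
    in_iface: Optional[str] = None   # None == any ingress interface

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def filter_packet(rules, pkt, default="deny"):
    """First-match evaluation: compare against rule 1, rule 2, ... and stop at the
    first rule that matches. Returns (action, rule number); 0 means no rule hit."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default, 0


# The two-rule set from the text: 192.168.1.0 on if 0 -> anything; deny the rest.
RULES = [
    Rule("allow", src_net="192.168.1.0/24", in_iface="if0"),
    Rule("deny"),
]

# Same set without the interface check: a spoofed inside address gets through.
RULES_NO_IFACE = [
    Rule("allow", src_net="192.168.1.0/24"),
    Rule("deny"),
]

# Constructed sample packets (203.0.113.5 plays an outside server).
PACKETS = {
    # inside workstation browsing out
    "inside_web": Packet("if0", "192.168.1.10", 40000, "203.0.113.5", 80),
    # outside host trying to reach an inside telnet port
    "outside_in": Packet("if1", "203.0.113.5", 40001, "192.168.1.10", 23),
    # claims an inside address but arrives on the outside interface
    "spoofed": Packet("if1", "192.168.1.77", 40002, "192.168.1.10", 23),
    # active FTP: the server calls back from port 20 to the client
    "active_ftp_data": Packet("if1", "203.0.113.5", 20, "192.168.1.10", 40003),
    # passive FTP: the client makes the data connection itself
    "passive_ftp_data": Packet("if0", "192.168.1.10", 40004, "203.0.113.5", 50000),
}


def decide_all(rules, packets=PACKETS):
    """Run every sample packet through a rule set; returns name -> action."""
    return {name: filter_packet(rules, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        action, number = filter_packet(RULES, pkt)
        print(f"{name:17s} -> {action} (rule {number})")
    print("spoofed packet without interface check:", decide_all(RULES_NO_IFACE)["spoofed"])
```

Running it shows the inside web request and the passive FTP data connection hitting rule 1, while the outside-initiated telnet, the spoofed packet and the active FTP callback all fall through to rule 2. Drop the interface condition (RULES_NO_IFACE) and the spoofed packet is allowed, which is the point of the note above about filtering on "which interface".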
There's usually no logging or accounting on a packet-filtering
firewall, although most firewalls will record errors. Here,
troubleshooting is very similar to router troubleshooting, with ping,
traceroute, and lists of the routing tables and rule sets being your
best friends. As with routing problems, symptoms of packet-filtering
firewall problems include the inability to reach a host on the other
side; unlike a router, though, the symptom of a packet-filtering
firewall problem might be the inability to reach a service on the
other side.
Packet Filter Improvements
Newer firewalls that don't care whether they're good routers, those
that would rather be bang-up firewalls, will do all sorts of new
tricks. Some of them will perform network address translations (NATs),
which enable you to tell the outside world that you're a different
address than you really are. This means that if you change Internet
Service Providers, you don't have to change your IP numbers, which is
nifty. (It used to be that only proxy servers were good for this,
because they use two different routing domains anyway, but the
firewall vendors have caught up.)
Stateful Multi-Level Inspection is a really neat technology, too. It
allows UDP sockets in on a contextual basis, that is, it reads your
note to Jenny and then accepts a note back from Jenny only if it seems
as though the contents of that note are relevant to what you sent.
This requires a very specialized firewall and is very application
specific. If the firewall doesn't "know" Jenny, it can't determine
whether the note she sent back to you is real. These firewalls
typically come preconfigured with rules for common applications such
as Telnet, email, FTP, and so on. If you're having problems using an
unusual application through an SMLI firewall, check with the firewall
vendor to see how to get support.
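The "note to Jenny" behaviour, as an added example (not code from the book or from any firewall vendor): a small stateful UDP filter that remembers each outbound datagram's source and destination sockets and admits an inbound datagram only if it is the mirror image of one seen recently. The interface names, the timeout value and the sample datagrams are constructed for the illustration. This is the generic, port-level half of stateful inspection; the application-specific half (knowing what a reply for a particular protocol should look like) is what the preconfigured per-application rules supply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpDatagram:
    """Constructed datagram summary: which side it arrived on plus both sockets."""
    in_iface: str   # "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    """Let a UDP reply in only if it answers something we recently sent out.

    UDP has no handshake, so the firewall records the 4-tuple of every
    outbound datagram and keeps it for `timeout` seconds. An inbound
    datagram is allowed only if swapping its source and destination gives
    a tuple that is still in the table.
    """

    def __init__(self, inside_iface="inside", timeout=30.0):
        self.inside_iface = inside_iface
        self.timeout = timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> last-seen time
        self.table = {}

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.timeout}

    def process(self, dg, now):
        """Return "allow" or "deny" for one datagram observed at time `now`."""
        self._expire(now)
        if dg.in_iface == self.inside_iface:
            # Outbound "note": remember the conversation and let it out.
            self.table[(dg.src, dg.sport, dg.dst, dg.dport)] = now
            return "allow"
        # Inbound: only a reply to a recorded note gets through.
        key = (dg.dst, dg.dport, dg.src, dg.sport)
        if key in self.table:
            self.table[key] = now   # refresh: the conversation is still alive
            return "allow"
        return "deny"


def demo():
    """Walk a constructed DNS-style exchange through the filter."""
    fw = StatefulUdpFilter(timeout=30.0)
    results = []
    # t=0: inside host queries an outside resolver (constructed addresses)
    results.append(fw.process(UdpDatagram("inside", "192.168.1.10", 53001, "203.0.113.53", 53), now=0.0))
    # t=1: the resolver answers; matches recorded state -> allowed
    results.append(fw.process(UdpDatagram("outside", "203.0.113.53", 53, "192.168.1.10", 53001), now=1.0))
    # t=2: unsolicited datagram from a different outside host -> denied
    results.append(fw.process(UdpDatagram("outside", "198.51.100.9", 53, "192.168.1.10", 53001), now=2.0))
    # t=2.5: right host, wrong source port -> not the mirror image -> denied
    results.append(fw.process(UdpDatagram("outside", "203.0.113.53", 5353, "192.168.1.10", 53001), now=2.5))
    # t=40: a late reply after the 30 s state has expired -> denied
    results.append(fw.process(UdpDatagram("outside", "203.0.113.53", 53, "192.168.1.10", 53001), now=40.0))
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), start=1):
        print(f"datagram {step}: {verdict}")
```

The expiry step is what keeps the table from becoming a standing hole: once the conversation has gone quiet, even the right outside host can no longer send anything in until an inside host speaks first again.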
Proxy Moxie
Let's dig a little deeper into the theory behind a proxy server. Think
of the proxy server as a receptionist for a spy organization that has
two sets of phones: the internal organization telephone (the "red
phone") and the outside world's phone system. The outside phone system
is not directly usable by any of the other agents in the spy agency;
they must give a message to the receptionist, who will order out for
pizza, arrange for third-party hit men, and so on. The spy
organization has it this way so that its circuits are not directly
connected to the public telephone network, and a good thing, too! It
doesn't mean the receptionist is incorruptible, but at least he's
within the organization, fairly trustable, very accountable for his
actions, and, of course, easily monitored, because he's the only point
of communication between the organization and the outside world.
The important thing to remember is that there are two different types
of phone calls, because the receptionist hangs up one line (the red
phone) and picks up the outside phone to relay the information on a
different call. As such, there are two different routing domains (the
two phone systems) involved. Though this sounds mysterious, it really
isn't: all it means is that two sets of networks (the red phone and the
outside world's phone system) are prevented from talking to each other
because the router doesn't share a common network between the two
networks (see Figure 15.1).
Figure 15.1 A typical proxy server setup.
Are there still rules involved as to who may call in or out?
Definitely. Similar to a packet-filtering firewall, proxy servers
typically have a default policy of "deny everything but the
following," and you define what is allowed. For example, let's say the
company executives all reside on network 4 in Figure 15.1. They have
ruled that only they may have Internet access, so the only explicit
rule that you would set would be this:
Allow all traffic from network 4 from the "inside" interface of the
proxy server.
All other traffic, say from network 3, would be denied.