Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Tutorial
Vadim Kurland
vadim@fwbuilder.org
Firewall Builder: Tutorial by Vadim Kurland This tutorial provides an overview of the Firewall Builder application. The tutorial uses snapshots to graphically orient you to a particular step and to introduce you to the concepts used in the application. Examples used in this document can be found in the le tutorial_objects.xml1 In order to view examples in this le, you need to download it to your computer and then open it in Firewall Builder. Since this le is in XML format and many web browsers will try to show it, you need to make sure you download it and not just open it in your browser. Use "Shift+Mouse button" or right mouse button or whatever else method your browser provides as a way to save a le pointed at by that link on the page.
Table of Contents
1. Introduction .......................................................................................................................7 Concepts ........................................................................................................................7 Policies and rules..........................................................................................................7 Global Policy versus Interface Policy ........................................................................9 Network Address Translation ....................................................................................9 Building policy ...........................................................................................................10 Building policy by hand ..................................................................................10 Building a policy using Druid ........................................................................11 2. Policy Rules......................................................................................................................13 Letting certain protocols through, while blocking everything else ....................13 Interchangeable and non-interchangeable objects ................................................13 Using groups...............................................................................................................14 Blocking IP fragments and other potentially dangerous types of packets ........14 Anti-spoong rules ....................................................................................................16 Protecting local host...................................................................................................16 Proper blocking of Ident protocol............................................................................17 Using negation in policy rules..................................................................................18 3. Network Address Translation Rules...........................................................................21 Providing Internet connection for workstations behind the rewall .................21 Server behind the rewall using address of the rewall for access....................21 Server behind the rewall using virtual address for access.................................22 Server behind the rewall with port mapping ......................................................23 Redirecting the trafc ................................................................................................24
Chapter 1. Introduction
Concepts
Firewall Builder consists of an object-oriented graphic user interface (GUI) and set of policy compilers for a number of rewall platforms. In Firewall Builder, a rewall policy is a set of rules, where each rule consists of abstract objects that represent real network objects and services (hosts, routers, rewalls, networks, protocols, and so on). Firewall Builder helps you maintain a database of objects, in addition to enabling you to edit a policy using simple drag-and-drop operations. The following list shows all supported object types:
Services:
IP (Internet Protocol) ICMP (Internet Control Message Protocol) UDP (User Datagram Protocol) TCP (Transmition Control Protocol) Custom Service Group of services
Time interval
A Firewall object describes the rewall itself. The object has a number of basic parameters that describe its IP address, software platform, and so on. It also provides a way to describe which network interfaces the rewall has, and the parameters specic to the chosen software platform.
Global Policy rules Network Address Translation (NAT) rules Rules, associated with its network interfaces
Chapter 1. Introduction
Figure 1-1. Three different rule sets: Both Global Policy rules and Interface Policy rules include the following common elements:
Source and Destination correspond to the source and destination addresses in the packet. Firewall Builder provides different types of objects that can be used in these rule elements; these are: Firewall, Host, Network, and Group. In the end, Firewall, Host and Network objects specify the address that is going to be used for the target platform code. A Group object is simply a container that can include any number of Firewall, Host or Network objects. Service is a generalized way to describe port numbers in case of UDP and TCP protocols, message type and code for ICMP messages, and protocol number and options for other IP protocols. There are different types of objects available for TCP, UDP, ICMP, and generalized IP protocols; each type of service object provides its own means of setting port numbers and other parameters. Action can be one of the following:
If a rules action is Accept, then a packet with source and destination addresses and service matching the rule is let through. If a rules action is Deny, such a packet is silently dropped. If a rules action is Reject, then the packet is dropped and an appropriate ICMP message is sent back to the sender. For target platforms that support it, there might be an option to send a TCP RST packet back in response for TCP services.
Chapter 1. Introduction
In addition, Interface Policy rules have a Direction option that can be one of the following:
Figure 1-2 and Figure 1-3 represent examples of a Global Policy rule and an Interface Policy rule
Chapter 1. Introduction
Original Source Original Destination Original Service Translated Source Translated Destination Translated Service Comment
As names of these elements suggest, the rst three refer to the source and destination address and service of the packet before translation, while the last three refer to those parameters after translation. The Policy compiler is supposed to be smart enough to generate correct NAT code for the target platform and determine parameters like chain and type of translation (for example SNAT, DNAT, MASQUERADING, or REDIRECT in case of iptables). When the policy compiler generates code for the target platform, it rst scans NAT rules, then Interface Policies, then Global Policy. This determines the order in which lines of the target code are generated.
Building policy
At this point, you should be ready to start building a rewall policy. This can be done either manually or with the help of another Druid.
10
Chapter 1. Introduction
Start with adding a rule on top of the policy; then proceed by adding more rules and lling them with objects. You can simply drag and drop objects from the tree on the left into appropriate rule elds. Figure 1-5 illustrates this process.
Figure 1-5. Adding objects to the rule using drag and drop
Once a policy is lled, call the pop-up menu by clicking the right mouse button on any rule number. Both main menu Rules and the pop-up menu provide ways to insert rules in the middle of the policy, remove rules, add a rule at the top or bottom of the policy, and move rules up and down. You can also move rules up and down simply by dragging them by the number eld in the direction you want them to go.
11
Chapter 1. Introduction
12
Figure 2-1. Example of the rule permitting only certain protocols to the server and block everything else.
Rule #0 allows SMTP and FTP through to the server, while rule #1 blocks and logs everything else. It is worth mentioning that this policy also blocks all the access to rewall itself, including access to it from internal hosts. We do not need any additional rules to take care of "reply" packets coming back from the server to clients because our underlying rewall software supports stateful inspection and "understands" that such packets should be let through.
13
objects to describe the same object may be confusing, the nal rewall policy will be correct.
Using groups
Sometimes we need to dene a lot of very similar rules for multiple hosts or networks. For example, there may be a need to permit the same service to 10 different hosts on the network, while still blocking it to all others. The simplest way to accomplish this is to add 10 rules with the same source and service elds and just different destinations. Obviously this can make rewall policy quite cluttered. To avoid this and make policy readable we can use groups. Group is just a container which includes multiple objects of the same or similar type. Firewall Builder supports groups of objects and groups of services. One can put "Host", "Network" and "Firewall" objects in the group of objects; service objects can not be put in a such group. Similarly group of services can contain "IP Service", "TCP Service", "UDP Service" and "ICMP Service" objects and can not contain hosts or networks. Groups can contain other groups of the same type as well. To add objects to a group simply drag them from the tree on the left into group view on the right, or use Copy/Paste functions available via menus. Once appropriate group has been created, it can be used for policy and NAT rules just like any other object.
14
Object "ip_fragments" is included in the section "Services/IP" of the standard objects database coming with Firewall Builder. Another potentially harmful type of packets is so called "Christmas tree" packet. This one is just a TCP packet with all TCP ags turned on at once (SYN, ACK, FIN, RST, PSH). This combination is never used in real communications, so if any packet like that comes to your network, it should be considered illegal and blocked. Object "tcpxmas" is included in the section "Services/TCP" of the standard objects database coming with Firewall Builder. Some platforms provide a mechanism to turn on and off stateful inspection on individual rules. Turning it off on those rules which do not require it may improve performance of the rewall. Obviously we do not need stateful inspection while analysing fragmented packets as we do not really want any session to be established, so we can safely use this option on this rule. One example of rewall platform which supports stateful inspection but provides a way to turn it on and off is iptables. In Firewall Builder, this can be done in the rule options dialog (which is platform-sensitive and shows different options for different platforms). Figure 2-3 shows rule options dialog for iptables rewall:
Here is an example of the policy rule which is intended to block all fragmented and TCP "Christmas tree" packets. Note an icon in the "Options" column, it indicates that this rule has non-default options set.
Figure 2-4. Rule blocking all fragmented packets and TCP "cristmas tree" packets
This rule is part of the Global Policy and therefore applies to all packets crossing the rewall regardless of their origin. This means that it will block such packets originating in your network, headed out to the Internet. If by some reason you might want
15
to be able to send this kind of packets out, then put this rule in the Interface Policy on your external interface, with Direction "Inbound". An interactive Druid available via menu item "Rules/Help me build rewall policy" can create a rule to protect against fragmented packets.
Anti-spoong rules
First of all, spoofed packet is one which is coming from the Internet into your network, but its source address belongs to one of the address blocks or subnets used on your network. Under normal circumstances such packet can only originate on your network, therefore it can not be entering it from the Internet. Basic idea of antispoong protection is to have a rewall rule assigned to the external interface of the rewall, which examines source address of all packets crossing that interface coming from outside. If that address belongs to internal network or rewall itself, packet should be dropped. Since rule must take into account both interface packet is coming through and the direction in which it is coming, it must be put into Interface Policy. This is one of the rare cases when the rule can not be put into Global Policy. To create anti-spoong rule in Firewall Builder we need objects for all subnets inside the rewall perimeter and obviously an object for rewall itself. Objects for internal subnets can be put in the single group, to make rule compact. Then we create a rule in the Interface Policy of rewalls external interface and put all these objects, or a group which contains them, and the rewall object in the "source" rule element. "Destination" and "service" must be set to "any" and Direction must be set to "inbound". Figure 2-5 shows the anti-spoong rule.
Just like in the previous example, it may be advantageous to turn stateful inspection off on anti-spoong rules. Since we want to prevent these packets from entering our network, there is going to be no session opened and we do not want to keep state at all. You can use "Options" element to do it. An interactive Druid available via menu item "Rules/Help me build rewall policy" can create anti-spoong rules.
16
create rewall object, enter its IP address create interface for it in "Interfaces" tab, mark it as "external" add loopback interface named "lo", address 127.0.0.1/255.0.0.0 call Druid, chose "Firewall protects local host" and then pick rules you want.
See what Druid have created for you. You can edit these and add more rules now. If address is dynamic:
create rewall object, mark its address as "dynamic" create interface for it in "Interfaces" tab, mark address as "external" and "dynamic" add loopback interface named "lo", address 127.0.0.1/255.0.0.0 call Druid, chose "Firewall protects local host" and then pick rules you want.
File tutorial_objects.xml includes rewall object called "rewall_on_the_host" which illustrates local host protection rules created with the aid of the Druid.
17
Figure 2-7. Adding rule option to make send TCP RST packet
Figure 2-8. Using two rules to block access from DMZ to internal net and permit access to the Internet
Another solution uses negation. We can specify destination in the rule as "not internal_net", thus permitting access to anything but "internal_net". Negation can be
18
enabled and disabled in the pop-up menu which you call by clicking right mouse button on the corresponding rule eld.
Figure 2-9. Using rule with negation to block access from DMZ to internal net and permit access to the Internet
19
20
If your network uses addresses from one of these blocks, and you want to provide Internet access for machines on this net, then you may need Network Address Translation (NAT) congured on the rewall. This particular type of NAT conguration is often called Masquerading. When congured this way, rewall rewrites source IP address of each packet sent by internal machines to the Internet replacing private IP address with the address of its external interface. In Firewall Builder this type of the NAT rule is composed as shown on Figure 3-1
Here, object representing internal network is placed in "Original Source" and rewalls object is placed in "Translated Source", thus indicating that we want source address of the packets to be translated. As before, we do not need to worry about reply packets because underlying rewall software keeps track of translations done for all the connections opened through the rewall and rewrites addresses in all reply packets automatically. The rule on Figure 3-1 provides address translation for all the packets, but to permit connections to the Internet a special Global Policy rule is needed. This rule simply permits all connections from internal network to "any" and should be placed somewhere close to the end of the policy, for example right on top of "catch all and log" rule.
Figure 3-2. Rule #3 permits connections from internal network to the Internet (this rule is part of Global Policy)
21
Server behind the rewall using address of the rewall for access
Suppose we have a network using private IP addresses behind the rewall, and a web server on it. We need to provide access to this server from the Internet in a such way that connections will be established to the address of the rewall. In this case we need destination address of packets to be rewritten so packets would reach the server on internal network. Just like in the previous case we need one NAT rule to provide translation and one Global Policy rule to permit connecitons. Figure 3-3 shows NAT rule we need:
Figure 3-3. NAT rule for the server behind the rewall
Since we wanted to use address of the rewalls external interface to access the server, rewalls object is placed in "Original Destination" part of the rule. Servers object was placed in "Translated Destination" part of the rule so that original destination address of the packet will be replaced with servers address. We also need a Global Policy rule to permit connections to the server. This rule is shown on Figure 3-4
Figure 3-4. rule #1 permits access to the server (This rule is part of Global Policy)
Conguration on Figure 3-3 and Figure 3-4 can be combined with conguration on Figure 3-1 and Figure 3-2 Such combination illustrate a situation when machines on the local network can go out to the Internet, and at the same time server located on internal network can provide service for the Internet users - all using single IP address of the rewalls external interface! This conguration can be useful for those with cable or DSL connection and single IP address.
22
Figure 3-5. Additional object used for "Original Destination" in the NAT rule
Figure 3-6. NAT rule for the server behind the rewall with different address used for access
Finally we need a Global Policy rule to permit connections to the server. This rule looks exactly like that in the previous case - see Figure 3-4 Using different address for translation requires additional set up to be done on the rewall to ensure packets would reach rewall while headed for that address. There are two approaches to this problem: One way to do it is to basically take care of ARP requests sent by the router in front of the rewall. This can be done either by setting up static ARP entries on the router or on the rewall, so the additional address we use for translation will get mapped to the same MAC address of the rewalls external interface. Here are the commands we would need to run on Linux rewall to map address 222.222.222.33 to the MAC address of the interface eth1 and add appropriate routing entry pointing to the internal interface eth0:
route add 222.222.222.33 dev eth0 arp -Ds 222.222.222.33 eth1 pub
Another way is to use tool /sbin/ip to assign an "alias" ip address to the same interface of the rewall:
ip addr add 222.222.222.33 dev eth0 scope link
Tool /sbin/ip is a part of the package iproute. Firewall Builder provides simple way of doing this. Just check option "Create virtual addresses for NAT rules" in the "Firewall" tab in Firewall dialog and policy compiler will include all the neccesary code in the rewall script.
23
provide access to the web server running on non-standard port #8080 by setting up translation of TCP ports to the standard one #80. This conguration can be combined with either one of the two above, that is translation can be done using either rewalls external interface address or some different address. This kind of translation works for both TCP and UDP services. First of all, additional Service object needs to be created. This object would have its port number set to that used by the real server. Figure 3-7 illustrates this objects setup:
Now we can create the rule, it would look just like previous translation rules except we put appropriate service objects in "Original Service" and "Translated Service" columns. see Figure 3-8
Of course we need Global Policy rule as well to permit connections to our server. Since Policy rules are consulted after NAT, Policy rule should use TCP Service object "tcp-8080" instead of "http". See Figure 3-9
Figure 3-9. Global Policy rule which permits access to the server
24
ject in "Translated desination". Redirection rule may be combined with port mapping, so redirected packet will hit rewall on a different port. In a real policy this rule would have specic port number in "Original Service" to limit its scope to the protocol supported by the proxy server and will also be placed on top of other NAT rules dealing with the same source addresses so it would match rst. Figure 3-10 shows redirection rule which bounces all HTTP connections opened by users on "internal_net" to the Squid proxy server running on the rewall box on port 3128. Obviously squid has to be congured properly to work as transparent proxy.
Note that for this setup to work a Global Policy rule is needed to permit HTTP requests made by Squid. These requests will originate from the rewall itself.
25
26