
Benjamin Holmes
Lab 6
======================================
Task 1:
I entered
$ sudo ufw status verbose
and got

Bacter@bactercomp:~$ sudo ufw status verbose
[sudo] password:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
Bacter@bactercomp:~$
========================================
Task 2:
I used LKM and netfilter to implement the packet filtering module. It supports the rules as detailed in the above section.
$ cd LKM
$ make
$ sudo insmod samplefw.ko
then
$ gcc -Wall -o sampleFirewall sampleFirewall.c
$ sudo ./sampleFirewall --in --proto ALL --action BLOCK
$ ping www.google.com
and wasn't able to ping google.
========================================
Question 1:
Netfilter supports the following hooks
1. NF_ACCEPT: continue traversal as normal.
2. NF_DROP: drop the packet; don't continue traversal.
3. NF_STOLEN: I've taken over the packet; don't continue traversal.
4. NF_QUEUE: queue the packet (usually for userspace handling).
5. NF_REPEAT: call this hook again.

An example of a packet going through netfilter:
Packets come in from the left, and are checked to make sure they aren't truncated, have good IP checksums, aren't promiscuous receives.
1 = NF_IP_PRE_ROUTING
Then they go to routing code, which decides if the packet is going to another interface or a local process. If it's local, we go to
2 = NF_IP_LOCAL_IN
then it's passed to the local process. If it's supposed to go to another interface, it goes to
3 = NF_IP_FORWARD,
then passes the
4 = NF_IP_POST_ROUTING
hook, and then is sent back onto the wire. If a process is created locally, the
5 = NF_IP_LOCAL_OUT
hook is applied to it, and it's passed through this then routed.

Question 2:
For ingress filtering, a hook should be placed after routing, and before the packet is sent to the local machine.
For egress filtering, a hook should be placed before routing, and after the filter and routing the packet is sent out.

Question 3:
Netfilter should just filter packets, not change them. However, the netfilter module iptable_mangle allows for modification of packets.
=============================================
Task 3
I set up two VMs, one on my laptop, called bactercomp, and one on my PC at home, called bacterHome.
By using
$ sudo ufw deny out port 23
When I tried to connect, I got dropped packets.
Using the command
$ sudo ufw deny out to 69.63.176.13
$ sudo ufw deny out to 69.63.181.15
$ sudo ufw deny out to 69.63.184.142
$ sudo ufw deny out to 69.63.187.17
$ sudo ufw deny out to 69.63.187.18
This seemed to block all possibility of accessing facebook

3a:
$ ssh -L 8000:10.4.24.177:23 seed@10.4.24.179
I was able to observe what was happening over the wire with wireshark
$ ssh remote-host "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -
I can see the packets entering the wire without filtering - a result of the tunneling that happens.

3b:
I run firefox, and I'm able to see the facebook page normally.
Once I close firefox, break the ssh, clear the cache, and try to re-open, I'm unable to see the site. The page says it's unable to connect to that IP address.
I establish the SSH, and again I'm able to view firefox.
I can see on wireshark how the SSH breaks the egress filtering. The SSH creates a tunnel that simply connects the computer directly to the net - totally bypassing the filter. It forces the packets through another computer and port.
======================================
Question 4:
Yes, you can set up an SSH tunnel on another channel - but BOTH computers need to agree to use that channel for SSHing
=======================================
Attached are the files I used!
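
Added example, not part of the original report or its attached files: a userspace C model of the traversal order from Question 1 and of the Task 3 egress rules, showing that the rules are evaluated against the outer header only, so the SSH connection carrying the forwarded telnet session is accepted. The struct and function names, placing the check at LOCAL_OUT, and SSH port 22 (the default; the report does not state it) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hook points and verdicts, named as in Question 1 (userspace model only). */
enum hook { PRE_ROUTING = 1, LOCAL_IN, FORWARD, POST_ROUTING, LOCAL_OUT };
enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };

struct pkt { const char *dst_ip; uint16_t dst_port; };  /* outer header only */

/* Addresses denied in Task 3. */
static const char *denied_ips[] = { "69.63.176.13", "69.63.181.15",
    "69.63.184.142", "69.63.187.17", "69.63.187.18" };

/* Hypothetical egress hook: deny out port 23, deny out to listed addresses. */
static enum verdict egress_hook(const struct pkt *p) {
    if (p->dst_port == 23) return NF_DROP;
    for (size_t i = 0; i < sizeof denied_ips / sizeof *denied_ips; i++)
        if (strcmp(p->dst_ip, denied_ips[i]) == 0) return NF_DROP;
    return NF_ACCEPT;
}

/* Locally generated packet: LOCAL_OUT, then POST_ROUTING if accepted.
 * Records the hooks visited in path[] and returns the final verdict. */
enum verdict send_local(const struct pkt *p, enum hook *path, int *n) {
    *n = 0;
    path[(*n)++] = LOCAL_OUT;
    if (egress_hook(p) == NF_DROP) return NF_DROP;  /* traversal stops here */
    path[(*n)++] = POST_ROUTING;
    return NF_ACCEPT;
}

/* Received packet: PRE_ROUTING, then LOCAL_IN or FORWARD + POST_ROUTING. */
int recv_path(int for_local, enum hook *path) {
    int n = 0;
    path[n++] = PRE_ROUTING;
    if (for_local) path[n++] = LOCAL_IN;
    else { path[n++] = FORWARD; path[n++] = POST_ROUTING; }
    return n;
}

int main(void) {
    enum hook path[3]; int n;
    struct pkt telnet = { "10.4.24.177", 23 };  /* direct telnet from Task 3 */
    struct pkt tunnel = { "10.4.24.179", 22 };  /* outer SSH packet (assumed port) */
    printf("direct telnet: %s\n", send_local(&telnet, path, &n) ? "ACCEPT" : "DROP");
    printf("via ssh -L:    %s\n", send_local(&tunnel, path, &n) ? "ACCEPT" : "DROP");
    return 0;
}
```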
