Firewall: The Complete Documentation
- This category contains 40 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
A Quantitative Study of Firewall Configuration Errors
Published on 2004, by Avishai Wool, ©Avishai Wool.
The protection that firewalls provide is only as good as the policy they are configured to implement. Analysis of real configuration data shows that corporate firewalls are often enforcing rule sets that violate well-established security guidelines.
File infos:
- L0T3K ID: docs-1377
- status: online
- source: http://www.eng.tau.ac.il/~yash/
Build a FreeBSD-STABLE Firewall with IPFILTER (HOWTO)
Published on September 03, 2002, by Marty Schlacter, ©Marty Schlacter.
This howto walks you through the process of building one of the most stable and secure firewalls available - a FreeBSD-STABLE firewall with IPFILTER. As a part of the installation process, all services will be disabled except OpenSSH, which will have its access controlled via TCP-Wrappers. The firewall will be configured to log through the syslog facility, but will have its own firewall log files (rather than filling up /var/log/messages).
File infos:
- L0T3K ID: docs-326
- status: online
- source: www.schlacter.net
Building a Diskless 2.6 Firewall
Published on 2004-08-25, by Christian Herzog.
Want to build a custom router/firewall for your home network? You can obtain the necessary hardware virtually for free from garage sales or on-line auctions. You even might have some old hardware lying around. A Pentium-class system is more than sufficient and can handle the stress well. Typically, we don't need much memory, but I recommend at least 16MB of RAM. In place of a hard disk, we can use a compact Flash, or CF, card. CF has some nifty features, such as on-board error detection and correction to minimize Flash wear. Due to a full-fledged IDE interface, it also can be used as a normal IDE device. You do need an adapter to connect the card, though. We are going to use only two to three megabytes, so the size of the card doesn't really matter.
File infos:
- L0T3K ID: docs-1167
- status: online
- source: www.linuxjournal.com
Comparison of iptables Automation Tools (A)
Published on April 23, 2001, by Anton Chuvakin, ©SecurityFocus.
Over the past several years, the use of Linux as a firewall platform has grown significantly. Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel 1.2. Recent changes in Linux firewalling code include the netfilter architecture (controlled from the command line by the iptables utility), which was introduced in stable kernel 2.4. The newest version 2.4 of the Linux kernel (first released in January 2001) presents many new security enhancements such as: enhanced capabilities, better support for encryption (for VPN and encrypted file systems) and the netfilter architecture, which is a re-implementation of Linux's firewalling code and which remains fully backward-compatible due to the use of ipchains and ipfwadm loadable kernel modules.
File infos:
- L0T3K ID: docs-351
- status: online
- source: www.securityfocus.com
Design and Performance of the OpenBSD Stateful Packet Filter (pf)
Published on 2004, by Daniel Hartmeier, ©Daniel Hartmeier.
With more and more hosts being connected to the Internet, the importance of securing connected networks has increased, too. One mechanism to provide enhanced security for a network is to filter out potentially malicious network packets. Firewalls are designed to provide policy-based network filtering.
A firewall may consist of several components. Its key component is usually a packet filter. The packet filter may be stateful to reach more informed decisions. The state allows the packet filter to keep track of established connections so that arriving packets could be associated with them. On the other hand, a stateless packet filter bases its decisions solely on individual packets. With release 3.0, OpenBSD™ includes a new Stateful Packet Filter (pf) in the base install. pf implements traditional packet filtering with some additional novel algorithms. This paper describes the design and implementation of pf and compares its scalability and performance with existing packet filter implementations.
File infos:
- L0T3K ID: docs-1455
- status: online
- source: www.benzedrine.cx
Design the firewall system
Published on 1999-07-01, by CERT, ©Carnegie Mellon University.
Designing a firewall requires that you understand and identify the boundaries between security domains in your network. A network security domain is a contiguous region of a network that operates under a single, uniform security policy. Wherever these domains intersect, there is a potential need for a policy conflict resolution mechanism at that boundary. This is where firewall technology can help.
File infos:
- L0T3K ID: docs-1286
- status: offline
- source: www.cert.org
FAQ: Firewalls: What am I seeing?
Published on March 6, 2000, by Robert Graham, ©Robert Graham.
This document answers the question: I've seen something on my firewall; what does it mean? Firewall administrators regularly see strange behaviour showing up in their logfiles. This document describes some of the common things seen on these firewalls, and what they mean. Note that this document is intended both for owners of personal firewalls as well as corporate firewalls. Also note that this document limits itself to discussing issues that firewall administrators are seeing right now. It doesn't try to discuss all possible evidence you might see in your logfiles.
File infos:
- L0T3K ID: docs-399
- status: online
- source: www.robertgraham.com
Firewall Admins Guide to Porn FAQ
Published on November 11, 2001, by Robert Graham, www.robertgraham.com.
One of the more common problems security administrators will face is pornography. It is a popular Internet application, and even when restrictions are put into place, users find ways of getting around them. At the same time, users tend to be clueless as to the knowledge firewall admins have of their surfing habits. Every administrator of a large company that I know of has had to confront this issue, but not much is discussed about the topic in the literature.
File infos:
- L0T3K ID: docs-403
- status: online
- source: www.robertgraham.com
Firewall and Proxy Server HOWTO
Published on February 26, 2000, by Mark Grennan, www.grennan.com.
This document is designed to describe the basics of firewall systems and give you some detail on setting up both a filtering and proxy firewall on a Linux® based system.
File infos:
- L0T3K ID: docs-404
- status: online
- source: www.grennan.com
Firewall Forensics FAQ
Published on August 2002, by Robert Graham, www.robertgraham.com.
This document explains what you see in firewall logs, especially what port numbers mean. You can use this information to help figure out what hackers are up to.
File infos:
- L0T3K ID: docs-406
- status: online
- source: www.robertgraham.com
FIREWALL PENETRATION TESTING
Published on 2000-11-20, by MountAraratBlossom, ©MountAraratBlossom.
Application gateways and packet filtering gateways are the two types of firewalls basically available on the market. Application gateways are proxies, and they cause some computational problems in computers due to heavy CPU usage; therefore, on busy networks, packet filtering devices are preferable. However, vendors are trying to embed these two inevitable characteristics of a firewall into one.
File infos:
- L0T3K ID: docs-407
- status: online
- source:
Firewall Piercing - Creative exploitation of valid Internet protocols to get your data through obstacles
Published on 2004, by Alien8 and Maik Hentsche, ©Alien8 and Maik Hentsche.
It will be shown how IPv4-based protocols can be used to tunnel data through firewalls while maintaining RFC compatibility. The goal is to show a broad spectrum of techniques. However, a few examples are presented in more detail.
File infos:
- L0T3K ID: docs-1426
- status: online
- source: www.ccc.de
Firewall Piercing mini-HOWTO
Published on November 24, 2001, by François-René Rideau, François-René Rideau.
Directions for using ppp over ssh, telnet or whatever, so as to achieve a transparent network connection across a firewall. Applies to friendly VPN construction as well as to piercing unfriendly firewalls.
File infos:
- L0T3K ID: docs-408
- status: online
- source: www.tldp.org
Firewall spotting and networks analisys with a broken CRC
Published on December 28, 2002, by Ed3f, ©Phrack Magazine.
Packet filters firewall are going to be deployed more and more for the sense of security the word "firewall" has got on not-technical people. Available as commercial software, embedded device or inside opensource OS they work at level 3. The support for level 4 isn't complete: they filter ports numbers, TCP flags, seq numbers, defragmentation, but ...
File infos:
- L0T3K ID: docs-410
- status: online
- source: www.phrack.org
Firewalling with OpenBSD's PF packet filter
Published on 2005, by Peter N. M. Hansteen, ©Peter N. M. Hansteen.
This lecture will be about firewalls and related functions, starting from a little theory along with a number of examples of filtering and other network traffic directing. As in any number of other endeavors, the things I discuss can be done in more than one way. Under any circumstances I will urge you to interrupt me when you need to. That is, if you will permit me to use what I learn from your comments later, either in revised versions of this lecture or in practice at a later time.
File infos:
- L0T3K ID: docs-1453
- status: online
- source: http://www.bgnett.no/~peter/
IPFilter (IPF) Firewall
Published on 2004, by Joseph J. Barbish, ©Dæmon News.
The author of IPFilter is Darren Reed. IPFilter is not FreeBSD operating system dependent. IPFilter is an open source application and has been ported to FreeBSD, NetBSD, OpenBSD, Sun, HP, and Solaris operating systems. IPFilter is actively being supported and maintained, with updated versions being released regularly.
File infos:
- L0T3K ID: docs-1027
- status: online
- source: www.daemonnews.org/
IPTables Linux firewall with packet string-matching support
Published on December 31, 2001, by Anton Chuvakin, ©SecurityFocus.
Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel version 1.2.1 in 1995. Ipfwadm enabled standard TCP/IP packet filtering features such as filtering by source/target addresses and port numbers. Then, in early 1999, when the first stable 2.2.0 kernel was released, firewalling code was replaced with new ipchains-controlled code. New features included support for chains of rules, fragmentation handling, better network address translation (NAT) support and several usability improvements. Readers should be reminded that Linux firewalling includes kernel-level code (usually in form of loadable module or kernel source patch) and user-level code (a control utility such as /usr/bin/ipchains, that is used to insert packet rules into kernel-space). Thus whenever new Linux firewalling code was introduced it involved both kernel and userspace code rewrite.
File infos:
- L0T3K ID: docs-480
- status: online
- source: www.securityfocus.com
Iptables Tutorial
Published on 2002, by Oskar Andreasson, Oskar Andreasson.
Well, I found a big empty space in the HOWTO's out there lacking in information about the iptables and Netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to try to answer questions that some might have about the new possibilities like state matching. Most of this will be illustrated with an example rc.firewall.txt file that you can use in your /etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO for those of you who recognize it.
File infos:
- L0T3K ID: docs-481
- status: online
- source: www.unix-fu.org
Linux 2.4 NAT HOWTO
Published on January 14, 2002, by Rusty Russell, www.netfilter.org.
This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translations with the 2.4 Linux Kernels.
File infos:
- L0T3K ID: docs-492
- status: online
- source: www.netfilter.org
Linux 2.4 Packet Filtering HOWTO
Published on January 24, 2002, by Rusty Russell, www.netfilter.org.
This document describes how to use iptables to filter out bad packets for the 2.4 Linux kernels.
File infos:
- L0T3K ID: docs-494
- status: online
- source: www.netfilter.org
Linux Firewall-related /proc Entries
Published on July 14, 2003, by Bri, ©Hacking Linux Exposed.
Most people, when creating a Linux firewall, concentrate solely on manipulating kernel network filters: the rulesets you create using userspace tools such as iptables (2.4 kernels), ipchains (2.2 kernels), or even ipfwadm (2.0 kernels).
File infos:
- L0T3K ID: docs-496
- status: online
- source: www.hackinglinuxexposed.com
Linux iptables HOWTO
Published on September 29, 1999, by Rusty Russell, www.linuxguruz.org.
This document describes how to use iptables to filter out bad packets for Linux kernels 2.3.15 and beyond.
File infos:
- L0T3K ID: docs-497
- status: online
- source: www.linuxguruz.org
Linux stateful firewall design
Published on 2004-12-29, by Daniel Robbins, ©Daniel Robbins.
This tutorial shows you how to use netfilter to set up a powerful Linux™ stateful firewall. All you need is an existing Linux™ system that's currently using a Linux™ 2.4.x or 2.6.x kernel. A laptop, workstation, router or server with a Linux™ 2.4.x or 2.6.x kernel will do. You should be reasonably familiar with standard network terminology like IP addresses, source and destination port numbers, TCP, UDP and ICMP, etc. By the end of the tutorial, you'll understand how Linux™ stateful firewalls are put together and you'll have several example configurations to use in your own projects.
File infos:
- L0T3K ID: docs-1485
- status: online
- source: www.linuxexposed.com
Memoirs of an Invisible Firewall
Published on 2001-09-06, by wes, ©wes.
In the stone age of firewalling, a firewall was a fairly complicated device that was less-than-trivial to factor into your network. It needed an IP address on its outside, and another on the inside. This immediately created subnetting problems, forcing wasted IP allocation and overall disquietude amongst the cognoscenti. It also meant that your firewall was very visible to the world, and its function was rather obvious and easy to deduce. There had to be a better way. And now there is...
File infos:
- L0T3K ID: docs-925
- status: online
- source: www.openlysecure.org
Monitoring Net Traffic with OpenBSD's Packet Filter
Published on 2004, by Randal L. Schwartz, ©CMP Media LLC.
The server for stonehenge.com lives somewhere in Texas, in a place I've never seen. I rent a box from Sprocket Data Systems, and they provide my remote eyes and ears, and hook me up to their networks and power grid. I'm limited to a certain bandwidth each month for the rate I pay, and to offset the costs, I also sublease the box to geekcruises.com and redcat.com.
Because the bandwidth costs me actual dollars for usage and over-usage, I needed to monitor how much is used, and by whom. This would be easy to solve if I controlled the upstream router for the box, but I don't. However, as I was setting up tighter security on my OpenBSD™ machine, I noticed that the Packet Filtering firewall software could give me statistics on named rules. By naming the rules that pass traffic, I could query the pf subsystem frequently and get traffic data. Problem solved!
File infos:
- L0T3K ID: docs-1457
- status: online
- source: www.samag.com
Netfilter Extensions HOWTO
Published on 2002, by Fabrice MARIE, www.netfilter.org.
This document describes how to install and use current iptables extensions for netfilter.
File infos:
- L0T3K ID: docs-520
- status: online
- source: www.netfilter.org
Netfilter Hacking HOWTO (Linux)
Published on July 02, 2002, by Rusty Russell and Harald Welte, www.netfilter.org.
This document describes the netfilter architecture for Linux, how to hack it, and some of the major systems which sit on top of it, such as packet filtering, connection tracking and Network Address Translation.
File infos:
- L0T3K ID: docs-522
- status: online
- source: www.netfilter.org
Networking-concepts HOWTO (Linux)
Published on July 29, 2001, by Rusty Russell, www.netfilter.org.
This document describes what a network (such as the Internet) is, and the very basics of how it works.
File infos:
- L0T3K ID: docs-526
- status: online
- source: www.netfilter.org
Newbie's Guide to Setting up PF on OpenBSD 3.x (A)
Published on September 17, 2003, by Eric Bullen, ©Eric Bullen.
Since PF replaced IPF on OpenBSD starting with OpenBSD 3.0, it has become a world-class firewalling solution. Within PF, there are some excellent facilities to help the firewaller build a robust solution providing protection for private networks in a hostile internet. The goal of this article is to give you a good step-by-step on setting up your PF firewall, and to explain each step sufficiently, but not so deeply that it would confuse.
File infos:
- L0T3K ID: docs-528
- status: online
- source: www.thedeepsky.com
PF: The OpenBSD Packet Filter
Published on 2005-02-13, by OpenBSD, ©OpenBSD.
Packet Filter (from here on referred to as PF) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization. PF has been a part of the GENERIC OpenBSD™ kernel since OpenBSD™ 3.0. Previous OpenBSD™ releases used a different firewall/NAT package which is no longer supported.
File infos:
- L0T3K ID: docs-1454
- status: online
- source: www.openbsd.org
Piercing Firewalls
Published on January 26, 1998, by bishnu, ©Phrack Magazine.
Many ISPs manage a firewall to protect their users against the hostile Internet. While the firewall might protect the users, it also serves to limit their freedom.
File infos:
- L0T3K ID: docs-560
- status: online
- source:
Placing Backdoors Through Firewalls
Published on , by van Hauser, THC.
This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?) cover their access to a system. Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used. As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.
File infos:
- L0T3K ID: docs-561
- status: online
- source:
Standards in desktop firewall policies
Published on 2006-06-06, by Phil Kostenbader, ©SecurityFocus.
The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization's local security team a baseline or starting point in dealing with such events.
The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization.
File infos:
- L0T3K ID: docs-1939
- status: online
- source: www.securityfocus.com
Ten minute host firewall, Part 1
Published on July 03, 2003, by Brian Hatch, ©Hacking Linux Exposed.
One of my friends finds himself in a very annoying situation: he started a new job and now has a Windows machine on his desk. Worse yet, he's not allowed, by corporate policy, to wipe it clean and install Linux on it "for security reasons". Being that we both live up here in Seattle, close to the belly of the beast itself, it's not surprising that the Microsoft FUD machine is strong.
File infos:
- L0T3K ID: docs-643
- status: online
- source: www.hackinglinuxexposed.com
Ten minute host firewall, Part 2
Published on July 09, 2003, by Brian Hatch, ©Hacking Linux Exposed.
Last week I explained how to run iptables rules to create a simplistic inbound-access-limiting firewall. Now you certainly don't want to run all these commands every time you start up your computer, so how do you have them run on reboot?
File infos:
- L0T3K ID: docs-644
- status: online
- source: www.hackinglinuxexposed.com
The Perils of Deep Packet Inspection
Published on 2005-01, by Thomas Porter, ©SecurityFocus.
This paper looks at the evolution of firewall technology towards Deep Packet Inspection, and then discusses some of the security issues with this evolving technology.
Microsoft™, Cisco™, Checkpoint™, Symantec™, Nortel™, SonicWall™, NAI™, Juniper/Netscreen™, and others, have, in the past eighteen months started manufacturing firewall appliances that implement Deep Packet Inspection (DPI). In general, the DPI engine scrutinizes each packet (including the data payload) as it traverses the firewall, and rejects or allows the packet based upon a ruleset that is implemented by the firewall administrator. The inspection engine implements the ruleset based upon signature-based comparisons, heuristic, statistical, or anomaly-based techniques, or some combination of these.
File infos:
- L0T3K ID: docs-1522
- status: online
- source: www.securityfocus.com
Top Ten Tips for Managing Your Firewall
Published on 2006-08-31, by Anonymous, ©SecManager.
This article discusses the Top ten tips that you can implement to best manage and fine tune your firewall. The purpose of this article is to get the best performance out of your firewall and increased security to your network.
File infos:
- L0T3K ID: docs-1927
- status: online
- source: www.secmanager.com
Transparent Packet Filtering with OpenBSD
Published on 2002, by Nate Underwood, ©Nate Underwood.
In today's world of broadband Internet technologies such as cable and DSL, IP addresses are often assigned in limited quantity by an ISP. Many of us would like a robust firewall to protect our network, but would rather not waste precious IP addresses. In this article we are going to build a robust, stateful packet filter that uses no IP addresses. Thankfully, OpenBSD™ provides built-in support for this invisible firewall via the bridge interface and the new packet filter, pf.
File infos:
- L0T3K ID: docs-1456
- status: online
- source: http://ezine.daemonnews.org/
Transparent, Bridging and In-line Firewall Devices
Published on October 15, 2003, by Matthew Tanase, ©SecurityFocus.
There are many tools we use as network and security professionals to build a secure network. Routers, virtual private networks, intrusion detection systems and vulnerability scanners are regularly employed to tackle this challenging task. Many would agree that the foundation of such a defense is the firewall. While the traditional implementation of a firewall as a router works well in most situations, another version can strengthen existing configurations or succeed where its brethren fail. In this article we will examine the concept of a bridging or transparent firewall which sits in-line with the network it protects.
File infos:
- L0T3K ID: docs-806
- status: online
- source: www.securityfocus.com
Two-Faced: Setting up a Simple Linux Firewall
Published on 2004-09-10, by Joseph Brenner.
This is an overview of the things I think you need to know if you're going to try and set up a simple firewall using linux on an old PC (really it's an excuse for me to whine about the hassles I went through doing this, but I've got to get something out of it).
File infos:
- L0T3K ID: docs-1168
- status: online
- source: www.obsidianrook.com
Created: 2005-01-30 01:07 | Modified: 2007-03-26 00:16 | Size: 102687 octets