1
- Define Firewall.
A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network.
- Statefull vs. Stateless Firewalls
Statless firewalls can make filter decision based only on:
- Source / destination addresses and ports
Statfull firewall associates a packet to a state and can make decision base on:
- Source / destination addresses and ports
- state of the packet
- What is netfilter?
- The Netfilter is used to implement firewall.
- The netfilter software package implements both packet filtering and NAT tasks for the Linux 2.4 kernel and above. The netfilter software is developed by the netfilter project
- It has separate table and commands.
- Netfilter is a set of hooks inside the Linux kernel thatallows kernel modules to register callback functionswith the network stack.
- Define IP tables.
- iptables is used to implement firewall through iptables commands
- iptables software can be build directly into the 2.4 kernel or loaded as a kernel module, iptable_filter.o.
- Unlike the ipchain and netfilter, it is designed to be modularized and extensible. Capabilities can be added in the form of module, which adds connection tracking.
- iptables use to implement packet filtering and NAT tasks
- What is NAT?
- Network address translation (NAT) is the process whereby a system will change the destination or source of packets ad they pass through the system.
- A packet will traverse several linked systems on a network before it reaches its final destination.
- NAT is often used to provide access to systems that may be connected to the internet through only one IP address. Such is the case with networking features such as IP masquerading, support for multiple
- What are the different involved in packet selection process?
- Filter table is used to implement the packet filtering that holds the rules for dropping or accepting packets.
- Nat table holds IP masquerading rules and it is used to implement the Network Address Translation operations such as IP masquerading.
- Mangle table is used to implement the packet deletion and modification.
- What are the types of NAT operations?
- There are two types of NAT operations:
- Source NAT specified as SNAT target
- Destination NAT specified as DNAT target.
- SNAT target is used for rules that alter the source addresses.
- DNAT target is used for rules that alter the destination addresses.
- What is Compiler?
A compiler is a program takes a program written in a source language and translates it into an equivalent program in a target language.
- What is “GCC”?
GCC stands for “GNU Compiler Collection”. GCC is an integrated distribution of compilers for several major programming languages. These languages currently include C, C++, Objective-C, Objective-C++, Java, FORTRAN, and Ada.
- What are the Stages of GNU Compiler?
The GNU Compiler actually passes through four distinct stages to convert your C program into an executable file: it preprocesses your source code file, then compiles it, assembles it and finally links it. These stages are shown in the following diagram:
- List the GNU compiler tools.
The GNU Compiler Tools are,
Compilers for “C, C++, Objective C, FORTRAN, Chill, and Java - version 3.1”
- Define assembler.
The assembler is to convert the assembly language code into re-locatablebinary object output. In that assembler performs the following functions;
- Convert mnemonic operation codes to their machine language
- Convert symbolic operands to their equivalent machine address
- Build machine instructions in the proper format
- Convert the data constants specified in the source program into their internal machine representation
- Write the object program
- What is called CVS?
The (CVS), also known as the Concurrent Versioning System, is a free software revision control system. Version control system software keeps track of all work and all changes in a set of files, and allows several developers (potentially widely separated in space and/or time) to collaborate.
“Dick Grune” developed CVS in the 1980s. CVS has become popular in the open source software world and is released under the GNU General Public License.
- Define Preprocessing.
This is the first stage of the GNU Compiler converts input file into preprocessed output.Preprocessing a file converts all “preprocessing statements”(such as “#include, #define and #ifdef”) into true source code.
- Define preprocessors.
Preprocessors produce input to the compiler from the source code. They may perform the following functions:
- Macro processing
- File inclusion
- Rational Preprocessor
- Language Extensions
- Macros
A macro is a fragment of code which has been given a name. Whenever the name is used, it is replaced by the contents of the macro. There are two kinds of macros. They differ mostly in what they look like when they are used. Object-like macros resemble data objects when used, function-like macros resemble function calls.
- Define Autoconf.
- Autoconf is a set of tools (the programs are actually called autoconf, autoheader, autoscan,autoreconf, autoupdate, ifnames) which helps make user code configurable and portable tovarious versions of UNIX.
- The autoconf documentation is quite complete and detailed, but it does not contain any simpleconcrete examples to get a beginner of the ground.
- Define Autogen.
- AutoGen is a tool designed for generating program files that contain repetitive text withvaried substitutions.
- Its goal is to simplify the maintenance of programs that contain largeamounts of repetitious text.
- This is especially valuable if there are several blocks of suchtext that must be kept synchronized in parallel tables
- Define GNU make.
- GNU make is a software building automation tool that will execute repetitive tasks. It is controlled via a “Makefile” that contains lists of dependencies between different source files and output files.
- It also contains lists of commands that should be executed to satisfy these dependencies.
- What is makefile?
- A makefile consists of a set of dependencies and rules. A dependency has a target (a file to be created) and a set of source files upon which it is dependent. The rules describe how to create the target from the dependent file.
- The make file is read by the make command, which determines the target file or files on which make command to be executed and then compares the dates and times of the source files to decide which rules need to be invoked to construct the target.
- What is the use of CVS repository?
- The CVS repository stores a complete copyof all the files and directories which areunder version control
- CVS repository can be either local orremote, which can be identified with anaccess method
- What is the use of source code versioning software?
To control and manage the differentversions of the source code files, a varietyof software’s are available as Free/OpenSource Software
Basically they can be classified as:
- Those using a distributed approach (e.g. GNUArch, Codeville)
- Those that are using non-distributed approach(RCS, CVS, Subversion)
- Define Patch.
Patch is the set of differences can be transportedto someone who has the original copy ofthe document. By running the patchprogram, the document contents can beupdated to the new version.
patch < changes.txt
- Define diff.
The diff program compares two versions ofa document, generating a set ofdifferences that reflect the changes thatneed to be applied to the old document tomake it identical to the new document
diff –c orig/file newfile > changes.txt
SETTING UP A FIREWALL - Using netfilter and iptables
- A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. This internal network can be a large LAN at a business or your networked home PCs. The firewall in its simplest form is like a one-way street. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network
- The firewall is implemented in hardware, software or in combination of both.
- It examines each message and blocks those to meet the specified criteria.
- The primary function of these firewall are to let good traffic pass through while “bad traffic gets blocked”.
- Hardware firewall is the most secure version and would be used by large companies to protect their hardware’s from outside attack from the internet.
- A software firewall is more suited to a personal computer or SME (Small to Medium size Enterprise) and in much cheaper.
- The positive effects of firewall
- User authentication
- Auditing and logging
- Security
- The negative effects of firewall
- Traffic Bottlenecks
Enforcing all network traffic to pass through the firewall there is a chance, that the network will become congested.
- Single point of failure
Firewalls are the only link between networks, if they are not configured correctly or are unavailable no traffic will be allowed through it.
- A firewall cannot and does not guarantee that yournetwork is 100% secure. To achieve greater protection, afirewall should be used in conjunction with other securitymeasures. Even then, there is no guarantee that the networkwill be 100% secure.
- Using a firewall does not guarantee that you will never beattacked by an Internet intruder again. A good firewallwill, however, detour the intruder from gaining access toyour personal data.
- Firewalls cannot offer any protection against insideattacks.
- In origin use a firewall to implement either packet filtering or proxies.
- Each packet passes is examined and information contained inthe header is compared to a pre-configured set of rules orfilters.
- An allow or deny decision is made based on the results of thecomparison.
- A packet filtering firewall is often called a network layerfirewall because the filtering is primarily done at the networklayer (layer three) or the transport layer (layer four) of the OSIreference model.
- With proxies the user can control access to specific services, such as web or FTP servers.
- User needs a proxy for each service they want to control. The web server has its own web proxy, while an FTP server has an FTP proxy.
- An additional task performed by firewall is Network Address Translation(NAT)
- NAT redirects the packets to appropriate destinations, It performs tasks such as redirecting packets to certain hosts, forwarding packets to other networks, and changing the host source of packets to implement IP masquerading.
ipchains
- ipchains is the precursor to iptables that was used on Linux systems running the 2.2 kernel. It is still in many Linux systems.
- The Linux web sites for ipchains, which is the successor of ipfwadm used on older versions of Linux, is currently netfilter.
- ipchains organizes its rules into chains. A chain is simply a checklist of rules. These rules specify what action to take for packets containing certain headers. If packet does match a rule, it is passed to its target, which determines what to do with the packet.
- If a packet match doesn’t match any of the rules, it is passed to the chain’s default target.
- The target could, in turn, be another chain of rules, even a chain of user-defined rules. A packet could be passed through several chains before finally reaching a target.
- The ipchains targets are,
Target / Function
ACCEPT
DENY
REJECT
MASQ
REDIRECT
RETURN / Allow packet to pass through the firewall
Deny access by the packet
Deny access and notify the sender.
Masquerade the packet.
Redirect the packet to a local socket or process on the firewall.
Jump to the end of the chain and let the default target process it
Netfilter
- The netfilter software package implements both packet filtering and NAT tasks for the Linux 2.4 kernel and above. The netfilter software is developed by the netfilter project
- It has separate table and commands.
- Netfilter is a set of hooks inside the Linux kernel thatallows kernel modules to register callback functionswith the network stack.
- A registered callback function is then called back forevery packet that traverses the respective hook withinthe network stack.
- It is a protocol independent framework.
- Multiple kernel modules can register with each of the hook.
iptables
- iptables software can be build directly into the 2.4 kernel or loaded as a kernel module, iptable_filter.o.
- Unlike the ipchain and netfilter, it is designed to be modularized and extensible. Capabilities can be added in the form of module, which adds connection tracking.
- iptables use to implement packet filtering NAT tasks, but for NAT add “–nat“option.
Packet filtering
- Netfilter is essentially a framework for packet management that can check packets for particular network protocols and notify parts of the kernel listening for them.
- Built on the netfilter framework is the packet selection system implemented by IP tables.
- With IP tables different tables of rules can be set up to select packets according to differing criteria. The tables are filter table, nat table and mangle table.
- Filter table is used to implement the packet filtering that holds the rules for dropping or accepting packets.
- Nat table holds IP masquerading rules and it is used to implement the Network Address Translation operations such as IP masquerading.
- Mangle table is used to implement the packet deletion and modification.
- The tables are managed by “iptablse”command
- Example:iptables –L –n
- The options L is used to list the rules and to see the port labels and hostnames
- The option n is used for numeric output for both IP address and ports.
- The iptable targets are,
Target / Function
ACCEPT
DROP
REJECT
QUEUE
RETURN / Allow packet to pass through the firewall
Deny access by the packet
Deny access and notify the sender.
Send packets to user space
Jump to the end of the chain and let the default target process it
- The built-in netfilter chains are,
Chain / Description
INPUT
OUTPUT
FORWARD
PREROUTING
POSTROUTING / Rule for incoming packets
Rule for outgoing packets
Rule for forwarded packets
Rule for redirecting or modifying incoming packets NAT table only
Rule for redirecting or modifying outgoing packets NAT table only.
- The output of the command shows the default values created by iptables command.
Command:iptables – L –n
Output:Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
- In the following example, the user adds a rule to the INPUT chain to accept all packets originating from the address 192.168.0.55. Any packet that are received (INPUT) whose source address (-s) matches 192.168.0.55 are accepted and passed through (-j ACCEPT).
- Example:iptables –A INPUT –s 192.168.0.55 –j ACCEPT
- Some of the iptables options are,
Option / Function
-A chain
-D chain
-R chain
-E chain
-p chain
-i chain
-j chain
-o chain / Add a rule to chain
Deletes matching rule from a chain
Replaces a rule
Renames a chain
Specifies a protocol, such as TCP, UDP, ICMP or ALL
Specifies an input network interface
Specifies a target for a rule
Specifies an input network interface
ICMP packets
- Firewalls often block certain Internet Control Message Protocol (ICMP) messages. ICMP redirect messages, in particular, can take control of user routing tasks.
- User need to enable some ICMP messages, however, such as those needed for ping. To enable ICMP type of packet with the –icmp-type option.
- The following example enables the use of echo-reply messages, which have the number “0”.
iptables –A INPUT –j ACCEPT –p icmp –I etho –icmp-type echo-reply –d 10.0.0.1
- Some of the common ICMP packets are,
Number / Name / Required By
0
3
5
8
11 / echo-reply
destination-unreachable
redirect
echo-reply
time-needed / ping
Any TCP / UDP traffic
Routing if not running routing daemon
ping
traceroute
Ports
- If the system is hosting an Internet service, such as Web or FTP server, user can use iptables to control access to it.
- For that user has to specify a particular service by using the source port (--sport) or destination port (--dport) options with the port that the service uses.
- The following example accepts all messages to the web server located at 192.168.0.43
iptables –A INPUT –d 192.168.0.43 –dport www –j ACCEPT
- Common ports checked in iptables and their labels are shown here:
Service / Port Number / Port Label
Auth
Finger
FTP
NTP
Telnet
Web server / 113
79
21
123
23
80 / auth
finger
ftp
ntp
telnet
www
States
- In iptables one of the more useful extensions is the state extension, which can easily detect tracking information for a packet.
- User needs to specify the state module first with –m state.
- Then user can use the --stateoption to specify the state.
- The following states are used by the iptables command.
State / Description
NEW
ESTABLISHED
RELATED
INVALID / A packet that creates a new connection
A packet that belongs to an existing connection
A packet that is related to, but not part of, an existing connection
A packet that could not be identified for some reason.
- The following example will drop any packets trying to create a new connection on the eth0 interface; through they will be accepted on any other interface.
iptables –A INPUT –m state --state NEW –i eth0 –j DROP
Network Address Translation (NAT)
- Network address translation (NAT) is the process whereby a system will change the destination or source of packets ad they pass through the system.
- A packet will traverse several linked systems on a network before it reaches its final destination.
- NAT is often used to provide access to systems that may be connected to the internet through only one IP address. Such is the case with networking features such as IP masquerading, support for multiple servers and transparent proxy.
- Packet selection rules for NAT operations are added to the NAT table managed by the iptables command. To add rules to the NAT table, user has to specify the NAT table with the –t option. Thus to add a rule to the NAT table, user would have to specify the NAT table with “–t nat” option.
- There are two types of NAT operations:
- Source NAT specified as SNAT target
- Destination NAT specified as DNAT target.
- SNAT target is used for rules that alter the source addresses.
- DNAT target is used for rules that alter the destination addresses.
- In NAT table there are 3 chains are used for NAT operation.
Chain / Description
PREROUTING
POSTROUTING
OUTPUT / Used for destination NAT rules
Used for Source NAT rules
Used for destination NAT rules for locally generated packets
- The following example to change the source address of a packet leaving from the system, the user would use the POSTROUTING rule with the SNAT target. For the SNAT target, user uses the --to-source option to specify the source address:
#iptables –t nat –A POSTROUTING –o eth0 –j SNAT –to-source 192.168.0.4