Project Report On Implementation of Firewall On Linux Platform

Project Report on Implementation of Firewall on Linux Platform
1
LAN AND INTERNET
Extension of LAN to Internet

Before Networks were introduced, two or more computers could
communicate only through the manual exchange of data using
magnetic tapes, disks or card readers. Each computer had a limited
degree of productivity as it had to be equipped with its own set of
resources. Resource sharing was not possible. This gave rise to
Local Area Networks.
A Local Area Network is a group of computers either connected to
each other or to a central computer, all of which are in close
proximity to each other. LAN provided the advantages of Resource
sharing, Reliability and powerful communication medium. Sharing
of both hardware and software resources was made possible in a
network.
As business organizations ventured into new horizons there was a
need for people to communicate over larger distances. This was not
feasible with LAN's as it simply connected computers within room,
building or campus. Hence LAN extended itself to WAN.
WAN is a group of computers connected to each other or to a
central computer,all of which are not in close proximity to each
other. WAN is a network of computers connected across various
cities. Soon even this was found to be a shortcoming. Finally WAN
extended itself into Internet! ,which is simply a network of
networks.
Security in LAN
Security policy implemented in LAN was relatively simple.All that
was required was to station a guard at the door to the computer
room who made sure that there was no tampering of magnetic
tapes, disks or card readers by an unauthorised person. This policy
could not be extended to the internet, As it was not possible to
monitor the millions of data exchange that took place across the
various networks in the internet. Furthermore it was beyond scope
to insert physical security checkpoints across the internet.
Internet and its Growth
The internet in its broadest possible terms is the network of
millions of computers, all of which link together through common
standards and protocols. The internet includes a large number of
LAN's, WAN's and routers. The united states government's
2
ARPANet(Advanced Research Project Agency ) is the internet's

predecessor.
In a LAN , each user connected to the LAN has a desktop or laptop
computer. Each user's computer has a network card that is
connected to one or more network servers by means of wires and
electronic equipment. In addition there are WAN's which connect a
large number of LAN's together.In addition to this the internet also
links millions of individual users who access the internet through
dial-up accounts with the scores of different Internet service
providers.
Internet is a PACKET SWITCHED NETWORK, that is packet
switching is the means of communication across the internet.
TCP/IP(transport control protocol / internet protocol) is the
protocol that is used for transmissions across the internet. It can
successfully switch packets from computer systems on any
network to another network, regardless of incidental network
pecularities, operating system differences and other packet
differences.It remains the backbone of the internet.
In the past ten years , the internet's growth has exploded.In 1985
the internet included only 1961 host computers . The growth of
internet has been phenomenal and by 1999 there has been nearly
300,000 computers.The internet has continued to grow at
exponential rates.
More important than the increase in the number of hosts
connected to the internet is the increase in the number of internet
users. The internet has essentially doubled in size. Today the
number of internet users increases at a rate of nearly 200,000 new
logins each month.
Security in Internet
November 2nd, 1988 is the most infamous date in the internet

history. It also recalls one of the Internet's finest hours. It was on
this day Network worm hit the internet. It was the first significant
virus ever to hit the internet.The virus was called Morris Worm and
nearly affected 4000 to 6000 machines. Fortunately it represented
only 5% of the total internet site.
Prior to this Internet was considered safe. Computers had caught
viruses before but they were due to infected diskettes and all that
was required was to reformat the hard drive. The Morris worm
3
however was the first networking worm that brought down many of
the world's leading Unix-based computer installations. Though the
Morris worm caused little damage, it nevertheless ushered in a new
significant era of security consciousness as it revealed the
internet's vulnerability. It gave rise to a new era of "Cyber -
terrorism".
Corporate losses due to computer security were also on the rise. A
survey showed that there was a significant increase in the number
of intrusions and data corruptions and also in the number of
companies that percieved the internet as a source of danger.
Packet switching is the root of many transmission security
problems. In packet switching the network server forwards the
packet in the wire that is immediately available. In LAN this may
not be problem but in case of internet it is possible for a packet
sent from home computer to the computer in the office to travel
through the server of the company's major competitor who simply
destroy the essential data.
The main danger to the internet security comes in the form of

HACKERS!. A Hacker simply refers to anyone who would break into
the computer security to steal or corrupt data,joy-riding,as an
ethical hacker.
Hackers are classified into the following categories in increasing
threat order.
Security Experts
Students
Underemployed Adults
Criminal Hackers
Corporate spies
Disgruntled Employees
Security Experts :
Most security experts are capable of hacking,but decline from
doing so for moral or economic reasons.Computer security
experts have found that there's more money in preventing
hacking than in perpetrating it.A number of large internet
service companies employ ethical hackers to test their
security systems.
Student Hackers :
These hackers belong to junior high, high school or college.
Their social position is Student. They usually perform joy-
4
riding through cyberspace looking for targets of opportunity

and concerned mostly with impressing their peers and not
getting caught .Their motivation is not to harm. They
generally hack for free internet stuff.
Underemployed Adult Hackers:

These are hackers who have either dropped out of school or
who have failed to achieve full time employment and family
commitments for some reason or other. They often create the
"crackz" to unlock other commercial software. They also write
majority of the software viruses.
They hack for notoriety,to impress their peers with exploits
and information they have obtained.
Criminal Hackers :
They hack for revenge or to perpetrate theft.These are the
persons who compromise internet servers to steal credit card
numbers or hack the internet banking mechanism to steal
money. They regarded as real criminals
Spies:
These are hackers employed by Foreign Governments against
high technology businesses. Many high technology
businesses are naïve about security, making them easy
targets for the experienced intelligence agencies of foreign
governments.
The main purpose is to extract technology that give their own
corporations an edge.
Disgruntled Employees:
They pose the most dangerous threat.They are the most
difficult to detect. An employee who is constantly picked by
an employer may become an hacker. As he is aware of the
security details in the company.
Hacking stages can be classified into the following areas:
 Eavesdropping and snooping
 Denial-of-service
 Impersonation
 Man-in-the-middle
 Hijacking
Eavesdropping and snooping:
5
The simplest thing a hacker can do to gain information is simply to

listen and ask the network computers information about
themselves. The hacker can communicate with other computers
that provide services to the computers to be hacked. Networked
computers volunteer a remarkable amount of information about
themselves and how they are configured especially if left in default.
Common hacking practices include :
Password capture:
Many networking protocols do not encrypt
passwords,allowing any computer on the path between the
client and the server to "overhear" the username and
password. Not all encrypted logon procedures are safe from
eavesdropping either,because a hacker can record the
username and encrypted password to send to the server
later in a "reply attack".
Eavesdropping requires software that will listen to all the
communication that flow over the network medium.It must also
have access to a computer that is situated on a network link with
network traffic over it.
Network traffic analysis:
The hacker can obtain quite a bit of information about the
network from the nature the nature of the traffic in and out of
your network. The hacker looks for the IP addresses of the
source and destination computers.The locations of gateways
and routers.The amount of traffic originating from,being sent
to,or flowing through is identified by the Hacker.
Network Address scanning :
In this the Hacker specifies the beginning and ending address
to scan,and then the hacker's computer program will attempt
to establish a connection to a computer on each of those
network addresses in turn.If a computer answers from any of
those addresses then the Hacker has found a target which he
can hack.
Port scanning:
Once a hacker has identified a target computer,the hacker
attempts to determine the type of operating system and what
services are provided. In at TCP/IP based Network, services
are provided on numbered connections called sockets. These
are used by the hacker to determine what operating system is
running and what services are offered. For eg:by scanning the
TCP ports between 0 and 150, a Hacker can discern windows
hosts by the presence of port 139 in the scan list.
6
Denial of Service:
The next thing a hacker can do is to disable some aspect of
the network or to bring the network down. Methods hacker
can use to disable computer services are:
Ping of Death: In this a specially constructed ICMP packet
that violates the construction rules is sent by the hacker to
crash the computer if the computer's networking software
does not check for invalid ICMP packets.
SYN Attacks and ICMP flooding : This is another method
used by the Hackers.The initial IP packet of a TCP Connection
attempt is simple and easy to generate and responding to this
takes more time and memory space as the receiving computer
must record information about the new connection. The
Hacker can send one SYN packet after another to the target
computer and then the target computer will be unable to
process legitimate connection attempts as its memory and
time is wasted processing SYN requests.
In ICMP flooding ,the Hacker sends a constant stream of
ICMP echo requests to the target computer.The target
computer then spends most of its time responding to the echo
requests instead of processing legitimate network traffic.
Impersonation:
This is the next step the Hacker takes. By impersonating
another computer that the computers on a given network
trust, the hacker's computer may be able to trick the
computers in revealing enough information for the hacker to
get into the security. The tactic that a hacker uses is :
Source routed Attacks: Source routing is the route the packet
takes as it crosses the TCP/IP based network.This makes it
possible for the hacker to send data from one computer and
make it look like it comes from a trusted source.The Hacker
can use source routing to impersonate an already connected
user and inject additional information into an otherwise
benign communication between server and authorised client
computer.
Man -in - the -Middle:
This is a special case of impersonation, where the hacker
operates between two computers on a network. When the
client computer opens a connection to the server
computer,the hacker's computer intercepts it. The hacker
computer opens a connection on behalf of the client computer
7
to the server computer. Ideally the client thinks he is

communicating with the server,server thinks he is
communicating with the client and the hacker computer will
be able to observe all the communications between them.
For example,if the connection is an administrator-level Telnet
session into a server computer from a client computer,the
hacker computer in the middle could download the password
file from the server to the hacker computer instead of
uploading HTML pages as required.
Hijacking:
Another hacker trick is to hijack an already established and
authenticated networking connection.This mainly occurs at
the TCP connection layer.In order to hijack an existing TCP
connection,a hacker must be able to predict TCP sequence
numbers,which the two communicating computers use to
keep IP packets in order and to ensure that they arrive at the
destination.The hacker also redirects the TCP/IP connection
to the hacker computer and also launches a denial-of-service
attack on the client computer.
8
IPCHAINS USING C
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/if.h>
#include <linux/ip_fwchains.h>
int setsockopt (int socket, IPPROTO_IP, int command, void
*data, int length)
DESCRIPTION
The IP firewall facilities in the Linux kernel provide mechanisms for
accounting IP packets, for building firewalls based on packet-level
filtering, for building firewalls using transparent proxy servers (by
redirecting packets to local sockets), and for masquerading
forwarded packets. The administration of these functions is
maintained in the kernel as a series of separated table (hereafter
referred to as chains) each containing zero or more rules. There are
three builtin chains which are called input, forward and output
which always exist. All other chains are user defined. A chain is a
sequence of rules; each rule contains specific information about
source and destination addresses, protocols, port numbers, and
some other characteristics. Information about what to do if a
packet matches the rule is also contained. A packet will match with
a rule when the characteristics of the rule match those of the IP
packet.
A packet always traverses a chain starting at rule number 1. Each
rule specifies what to do when a packet matches. If a packet does
not match a rule, the next rule in that chain is tried. If the end of a
builtin chain is reached the a default policy for that chain is
returned. If the end of a user defined chain is reached then the rule
after the rule which branched to that chain is tried. The purpose of
the three builtin chains are
Input firewall
9
These rules regulate the acceptance of incoming IP packets.

All packets coming in via one of the local network interfaces
are checked against the input firewall rules (locally-generate
packets are considered to come from the loopback interface).
A rule which matches a packet will cause the rule's packet
and byte counters to be incremented appropriately.
Forwarding firewall
These rules define the permissions for forwarding IP packets.
All packets sent by a remote host having another remote host
as destination are checked against the forwarding firewall
rules. A rule which matches will cause the rule's packet and
byte counters to be incremented appropriately.
Output firewall
These rules define the permissions for sending IP packets. All
packets that are ready to be be sent via one of the local
network interfaces are checked against the output firewall
rules. A rule which matches will cause the rule's packet and
byte counters to be incremented appropriately.
Each of the firewall rules contains either a branch name or a
policy, which specifies what action has to be taken when a packet
matches with the rule. There are 5 different policies possible:
ACCEPT (let the packet pass the firewall), REJECT (do not accept
the packet and send an ICMP host unreachable message back to
the sender as notification), DENY (sometimes referred to as block)
(ignore the packet without sending any notification), REDIRECT
(redirected to a local socket - input rules only) and MASQ (pass the
packet, but perform IP masquerading - forwarding rules only)
The last two are special; for REDIRECT, the packet will be received
by a local process, even if it was sent to another host and/or
another port number. This function only applies to TCP or UDP
packets.
For MASQ, the sender address in the IP packets is replaced by the
address of the local host and the source port in the TCP or UDP
header is replaced by a locally generated (temporary) port number
before being forwarded. Because this administration is kept in the
kernel, reverse packets (sent to the temporary port number on the
local host) are recognized automatically. The destination address
and port number of these packets will be replaced by the original
address and port number that was saved when the first packet was
masqueraded. This function only applies to TCP or UDP packets.
10
There is also a special target RETURN which is equivalent to falling

off the end of the chain.
This paragraph describes the way a packet goes through the
firewall. Packets received via one of the local network interface will
pass the following chains:
input firewall (incoming device) Here, the device (network
interface) that is used when trying to match a rule with an IP
packet is listed between brackets. After this step, a packet
will optionally be redirected to a local socket. When a packet
has to be forwarded to a remote host, it will also pass the next
set of rules: forwarding firewall (outgoing device) After this
step, a packet will optionally be masqueraded. Responses to
masqueraded packets will never pass the forwarding firewall
(but they will pass both the input and output firewalls). All
packets sent via one of the local network interfaces, either
locally generated or being forwarded, will pass the following
sets of rules: output firewall (outgoing device)
When a packet enters one of the three above chains rules are
traversed from the first rule in order. When analysing a rule one of
three things may occur.
Rule unmatched:
If a rules is unmatched then the next rule in that chain is
analysed. If there are no more rules for that chain the default
policy for that chain is returned (or traversal continues back
at the calling chain, in the case of a user-defined chain).
Rule matched (with branch to chain):
When a rule is matched by a packet and the rule contains a
branch field then a jump/branch to that chain is made.
Jumps can only be made to user defined chains. As described
above, when the end of a builtin chain is reached then a
default policy is returned. If the end of a used defined chain is
reached then we return to the rule from whence we came.
There is a reference counter at the head of each chain which
determines the number of references to that chain. The
reference count of a chain must be zero before it can be
deleted to ensure that no branches are effected. To ensure the
builtin chains are never deleted their reference count is
initialised to one. Also since no branches to builtin chains
can be made, their reference counts are always one. The
11
reference count on user defined chains are initialised to zero

and are changed accordingly when rules are inserted, deleted
etc.
Multiple jumps to different chains are possible which
unfortunately make loops possible. Loop detection is therefore
provided. Loops are detected when a packet tries to re-enter a
chain it is already traversing. An example of a simple loop
that could be created is if we set up two user defined chains
called "test1" and "test2". We firstly insert a rule in the "input"
chain which jumps to "test1". We then create a rule in the
"test1" chain which points to "test2" and a rule in "test2"
which points to "test1". Here we have obviously created a
loop. When a packet then enters the input chain it will
branch to the "test1" chain and then to the "test2" chain.
From here it will try to branch back to the "test1" chain. A
message in the syslog will be recorded along with the path
which the packet traversed, to assist in debugging firewall
rules.
Rule matched (special branch):
The special labels ACCEPT, DENY, REJECT, REDIRECT,
MASQ or RETURN can be given which specify the immediate
fate of the packet as discussed above. If no of labels is
specified then the next rule in the chain is analysed.
Using this last option (no label) an accounting chain can be
created. If each of the rules in this accounting chain have no
branch or label then the packet will always fall through to the
end of the chain and then return to the calling chain. Each
rule that matches in the accounting chain will have its byte
and packet counters incremented as expected. This
accounting chain can be branched to from any other chain (eg
input, forward or output chain). This is a very neat way of
performing packet accounting.
The firewall administration can be changed via calls to

setsockopt(2). The existing rules can be inspected by looking at 2
files in the /proc/net directory: ip_fwchains, ip_fwnames. These two
files are readable only by root. The current administration related
to masqueraded sessions can be found in the file ip_masquerade in
the same directory
12
COMMANDS
Command for changing and setting up chains and rules is
ipchains(8) Most commands require some additional data to be
passed. A pointer to this data and the length of the data are passed
as option value and option length arguments to setsockopt. The
following commands are available:
IP_FW_INSERT
This command allows a rule to be inserted in a chain at a
given position (where 1 is considered the start of the chain). If
there is already a rule in that position, it is moved one slot, as
are any preceding rules in that chain. The reference count of
any chains referenced by this inserted rule are incremented
appropriately. The data passed with this command is an
ip_fwnew structure, defining the position, chain and contents
of the new rule.
IP_FW_DELETE
Remove the first rule matching the specification from the
given chain. The data passed with this command is an
ip_fwchange structure, defining the rule to be deleted and its
chain. The reference count of any chains referenced by this
deleted rule are decremented appropriately. Note that the
fw_mark field is currently ignored in rule comparisons (see
the BUGS section).
IP_FW_DELETE_NUM
Remove a rule from one of the chains at a given rule number
(where 1 means the first rule). The data passed with this
command is an ip_fwdelnum structure, defining the rule
number of the rule to be deleted and its chain. The reference
count of any chains referenced by this deleted rule are
decremented appropriately.
IP_FW_ZERO
Reset the packet and byte counters in all rules of a chain. The
data passed with this command is an ip_chainlabel which
defines the chain which is to be operated on. See also the
description of the /proc/net files for a way to atomically list
and reset the counters.
IP_FW_FLUSH
13
Remove all rules from a chain. The data passed with this
command is a ip_chainlabel which defines the chain to be
operated on.
IP_FW_REPLACE
Replace a rule in a chain. The new rule overwrites the rule in
the given position. Any chains referenced by the new rule are
incremented and chains referenced by the overwritten rule
are decremented. The data passed with this command is an
ip_fwnew structure, defining the contents of the new rule, the
the chain name and the position of the rule in that chain.
IP_FW_APPEND
Insert a rule at the end of one of the chains. The data passed
with this command is an ip_fwchange structure, defining the
contents of the new rule and the chain to which it is to be
appended. Any chains referenced by this new rule have their
refcount incremented.
IP_FW_MASQ_TIMEOUTS
Set the timeout values used for masquerading. The data
passed with this command is a structure containing 3 fields
of type int, representing the timeout values (in jiffies, 1/HZ
second) for TCP sessions, TCP sessions after receiving a FIN
packet, and UDP packets, respectively. A timeout value 0
means that the current timeout value of the corresponding
entry is preserved.
IP_FW_CHECK
Check whether a packet would be accepted, denied, rejected,
redirected or masqueraded by a chain. The data passed with
this command is an ip_fwtest structure, defining the packet
to be tested and the chain which it is to be test on. Both
builtin and user defined chains can be tested.
IP_FW_CREATECHAIN
Create a chain. The data passed with this command is an
ip_chainlabel defining the name of the chain to be created.
Two chains can not have the same name.
IP_FW_DELETECHAIN
Delete a chain. The data passed with this command is an
ip_chainlabel defining the name of the chain to be deleted.
The chain must not be referenced by any rule (ie. refcount
14
must be zero). The chain must also be empty which can be

achieved using IP_FW_FLUSH.
IP_FW_POLICY
Changes the default policy on a builtin rule. The data passed
with this command is an ip_fwpolicy structure, defining the
chain whose policy is to be changed and the new policy. The
chain must be a builtin chain as user-defined chains don't
have default policies.
STRUCTURES
The ip_fw structure contains the following relevant fields to be filled
in for adding or replacing a rule:
struct in_addr fw_src, fw_dst
Source and destination IP addresses.
struct in_addr fw_smsk, fw_dmsk
Masks for the source and destination IP addresses. Note that
a mask of 0.0.0.0 will result in a match for all hosts.
char fw_vianame[IFNAMSIZ]
Name of the interface via which a packet is received by the
system or is going to be sent by the system. If the option
IP_FW_F_WILDIF is specified, then the fw_vianame need only
match the packet interface up to the first NUL character in
fw_vianame. This allows wildcard-like effects. The empty
string has a special meaning: it will match with all device
names.
__u16 fw_flg
Flags for this rule. The flags for the different options can be
bitwise or'ed with each other.
The options are: IP_FW_F_TCPSYN (only matches with TCP
packets when the SYN bit is set and both the ACK and RST
bits are cleared in the TCP header, invalid with other
protocols), The option IP_FW_F_MARKABS is described
under the fw_mark entry. The option IP_FW_F_PRN can be
used to list some information about a matching packet via
printk(). The option IP_FW_F_FRAG can be used to specify a
rule which applies only to second and succeeding fragments
(initial fragments can be treated like normal packets for the
sake of firewalling). Non-fragmented packets and initial
fragments will never match such a rule. Fragments do not
contain the complete information assumed for most firewall
rules, notably ICMP type and code, UDP/TCP port numbers,
15
or TCP SYN or ACK bits. Rules which try to match packets by

these criteria will never match a (non-first) fragment. The
option IP_FW_F_NETLINK can be specified if the kernel has
been compiled with CONFIG_IP_FIREWALL_NETLINK
enabled. This means that all matching packets will be sent
out the firewall netlink device (character device, major
number 36, minor number 3). The output of this device is
four bytes indicating the total length, four bytes indicating the
mark value of the packet (as describe under fw_mark above),
a string of IFNAMSIZ characters containing the interface
name for the packet, and then the packet itself. The packet is
truncated to fw_outputsize bytes if it is longer.
__u16 fw_invflg
This field is a set of flags used to negate the meaning of other
fields, eg. to specify that a packet must NOT be on an
interface. The valid flags are IP_FW_INV_SRCIP (invert the
meaning of the fw_src field) IP_FW_INV_DSTIP (invert the
meaning of fw_dst) IP_FW_INV_PROTO (invert the meaning of
fw_proto) IP_FW_INV_SRCPT (invert the meaning of fw_spts)
IP_FW_INV_DSTPT (invert the meaning of fw_dpts)
IP_FW_INV_VIA (invert the meaning of fw_vianame)
IP_FW_INV_SYN (invert the meaning of fw_flg &
IP_FW_F_TCPSYN) IP_FW_INV_FRAG (invert the meaning of
fw_flg & IP_FW_F_FRAG). It is illegal (and useless) to specify a
rule that can never be matched, by inverting an all-inclusive
set. Note also, that a fragment will never pass any test on
ports or SYN, even an inverted one.
__u16 fw_proto
The protocol that this rule applies to. The protocol number 0
is used to mean `any protocol'.
__u16 fw_spts[2], fw_dpts[2]
These fields specify the range of source ports, and the range
of destination ports respectively. The first array element is the
inclusive minimum, and the second is the inclusive
maximum. Unless the rule specifies a protocol of TCP, UDP or
ICMP, the port range must be 0 to 65535. For ICMP, the
fw_spts field is used to check the ICMP type, and the fw_dpts
field is used to check the ICMP code.
__u16 fw_redirpt
This field must be zero unless the target of the rule is
"REDIRECT". Otherwise, if this redirection port is 0, the
16
destination port of a packet will be used as the redirection

port.
__u32 fw_mark
This field indicates a value to mark the skbuff with (which
contains the administration data for the matching packet).
This is currently unused, but could be used to control how
individual packets are treated. If the IP_FW_F_MARKABS flag
is set then the value in fw_mark simply replaces the current
mark in the skbuff, rather than being added to the current
mark value which is normally done. To subtract a value,
simply use a large number for fw_mark and 32-bit wrap-
around will occur.
__u8 fw_tosand, fw_tosxor
These 8-bit masks define how the TOS field in the IP header
should be changed when a packet is accepted by the firewall
rule. The TOS field is first bitwise and'ed with fw_tosand and
the result of this will be bitwise xor'ed with fw_tosxor.
Obviously, only packets which match the rule have their TOS
effected. It is the responsibility of the user that packets with
invalid TOS bits are not created using this option.
The ip_fwuser structure, used when calling some of the above
commands contains the following fields:
struct ip_fw ipfw
See above
ip_chainlabel label This is the label of the chain which is to be
operated on.
The ip_fwpkt structure, used when checking a packet, contains the
following fields:
struct iphdr fwp_iph
The IP header. See <linux/ip.h> for a detailed description of
the iphdr structure.
struct tcphdr fwp_protoh.fwp_tcph
struct udphdr fwp_protoh.fwp_udph
struct icmphdr fwp_protoh.fwp_icmph
The TCP, UDP, or ICMP header, combined in a union named
fwp_protoh. See <linux/tcp.h>, <linux/udp.h>, or
<linux/icmp.h> for a detailed description of the respective
structures.
struct in_addr fwp_via
17
The interface address via which the packet is pretended to be received or sent.
RETURN VALUE
On success (or a straightforward packet accept for the CHECK
options), zero is returned. On error, -1 is returned and errno is set
appropriately. See setsockopt(2) for a list of possible error values.
ENOENT indicates that given chain name doesn't exist. When the
check packet command is used, zero is returned when the packet
would be accepted without redirection or masquerading. Otherwise,
-1 is returned and errno is set to ECONNABORTED (packet would
be accepted using redirection), ECONNRESET (packet would be
accepted using masquerading), ETIMEDOUT (packet would be
denied), ECONNREFUSED (packet would be rejected), ELOOP
(packet got into a loop), ENFILE (packet fell off end of chain (only
occurs for used defined chains)).
18
FIREWALL
1. What is a firewall?
A firewall protects networked computers from intentional
hostile intrusion that could compromise confidentiality or
result in data corruption or denial of service. It may be a
hardware device or a software program running on a secure
host computer. In either case, it must have at least two
network interfaces, one for the network it is intended to
protect, and one for the network it is exposed to. A firewall
sits at the junction point or gateway between the two
networks, usually a private network and a public network
such as the Internet. The earliest firewalls were simply
routers. The term firewall comes from the fact that by
segmenting a network into different physical subnetworks,
they limited the damage that could spread from one subnet to
another just like firedoors or firewalls.
2. What does a firewall do?

A firewall examines all traffic routed between the two
networks to see if it meets certain criteria. If it does, it is
routed between the networks, otherwise it is stopped. A
firewall filters both inbound and outbound traffic. It can also
manage public access to private networked resources such as
host applications. It can be used to log all attempts to enter
the private network and trigger alarms when hostile or
unauthorized entry is attempted. Firewalls can filter packets
based on their source and destination addresses and port
numbers. This is known as address filtering. Firewalls can
also filter specific types of network traffic. This is also known
as protocol filtering because the decision to forward or reject
traffic is dependant upon the protocol used, for example
HTTP, ftp or telnet. Firewalls can also filter traffic by packet
attribute or state.
19
3. What can't a firewall do?

A firewall cannot prevent individual users with modems from
dialling into or out of the network, bypassing the firewall
altogether. Employee misconduct or carelessness cannot be
controlled by firewalls. Policies involving the use and misuse
of passwords and user accounts must be strictly enforced.
These are management issues that should be raised during
the planning of any security policy but that cannot be solved
with firewalls alone.
The arrest of the Phonemasters cracker ring brought these
security issues to light. Although they were accused of
breaking into information systems run by AT&T Corp., British
Telecommunications Inc., GTE Corp., MCI WorldCom,
Southwestern Bell, and Sprint Corp, the group did not use
any high tech methods such as IP spoofing (see question 10).
They used a combination of social engineering and dumpster
diving. Social engineering involves skills not unlike those of a
confidence trickster. People are tricked into revealing sensitive
information. Dumpster diving or garbology, as the name
suggests, is just plain old looking through company trash.
Firewalls cannot be effective against either of these
techniques.
4. Who needs a firewall?
Anyone who is responsible for a private network that is
connected to a public network needs firewall protection.
Furthermore, anyone who connects so much as a single
computer to the Internet via modem should have personal
firewall software. Many dial-up Internet users believe that
anonymity will protect them. They feel that no malicious
intruder would be motivated to break into their computer.
Dial up users who have been victims of malicious attacks and
who have lost entire days of work, perhaps having to reinstall
their operating system, know that this is not true.
Irresponsible pranksters can use automated robots to scan
random IP addresses and attack whenever the opportunity
presents itself.
5. How does a firewall work?
There are two access denial methodologies used by firewalls. A
20
firewall may allow all traffic through unless it meets certain

criteria, or it may deny all traffic unless it meets certain
criteria . The type of criteria used to determine whether traffic
should be allowed through varies from one type of firewall to
another. Firewalls may be concerned with the type of traffic,
or with source or destination addresses and ports. They may
also use complex rule bases that analyse the application data
to determine if the traffic should be allowed through. How a
firewall determines what traffic to let through depends on
which network layer it operates at. A discussion on network
layers and architecture follows.
6. What are the OSI and TCP/IP Network models?

To understand how firewalls work it helps to understand how
the different layers of a network interact. Network architecture
is designed around a seven layer model. Each layer has its
own set of responsibilities, and handles them in a well-defined
manner. This enables networks to mix and match network
protocols and physical supports. In a given network, a single
protocol can travel over more than one physical support (layer
one) because the physical layer has been dissociated from the
protocol layers (layers three to seven). Similarly, a single
physical cable can carry more than one protocol. The TCP/IP
model is older than the OSI industry standard model which is
why it does not comply in every respect. The first four layers
are so closely analogous to OSI layers however that
interoperability is a day to day reality.
Firewalls operate at different layers to use different criteria to
restrict traffic. The lowest layer at which a firewall can work is
layer three. In the OSI model this is the network layer. In
TCP/IP it is the Internet Protocol layer. This layer is
concerned with routing packets to their destination. At this
layer a firewall can determine whether a packet is from a
trusted source, but cannot be concerned with what it contains
or what other packets it is associated with. Firewalls that
operate at the transport layer know a little more about a
packet, and are able to grant or deny access depending on
more sophisticated criteria. At the application level, firewalls
know a great deal about what is going on and can be very
21
selective in granting access.
It would appear then, that firewalls functioning at a higher

level in the stack must be superior in every respect. This is
not necessarily the case. The lower in the stack the packet is
intercepted, the more secure the firewall. If the intruder
cannot get past level three, it is impossible to gain control of
the operating system.
According To Byte Magazine*, traditional firewall technology is

susceptible to misconfiguration on non-hardened OSes. More
recently, however, "...firewalls have moved down the protocol
stack so far that the OS doesn't have to do much more than
act as a bootstrap loader, file system and GUI". The author
goes on to state that newer firewall code bypasses the
operating system's IP layer altogether, never permitting
"potentially hostile traffic to make its way up the protocol
stack to applications running on the system".
*June 1998
7. What different types of firewalls are there?
Firewalls fall into four broad categories: packet filters, circuit
level gateways, application level gateways and stateful
multilayer inspection firewalls.
Packet filtering firewalls work at the network level of the OSI
model, or the IP layer of TCP/IP. They are usually part of a
router. A router is a device that receives packets from one
network and forwards them to another network. In a packet
filtering firewall each packet is compared to a set of criteria
before it is forwarded. Depending on the packet and the
criteria, the firewall can drop the packet, forward it or send a
message to the originator. Rules can include source and
destination IP address, source and destination port number
and protocol used. The advantage of packet filtering firewalls
is their low cost and low impact on network performance.
Most routers support packet filtering. Even if other firewalls
22
are used, implementing packet filtering at the router level

affords an initial degree of security at a low network layer.
This type of firewall only works at the network layer however
and does not support sophisticated rule based models .
Network Address Translation (NAT) routers offer the
advantages of packet filtering firewalls but can also hide the
IP addresses of computers behind the firewall, and offer a
level of circuit-based filtering.
Circuit level gateways work at the session layer of the OSI

model, or the TCP layer of TCP/IP. They monitor TCP
handshaking between packets to determine whether a
requested session is legitimate. Information passed to remote
computer through a circuit level gateway appears to have
originated from the gateway. This is useful for hiding
information about protected networks. Circuit level gateways
are relatively inexpensive and have the advantage of hiding
information about the private network they protect. On the
other hand, they do not filter individual packets.
Application level gateways, also called proxies, are similar to

circuit-level gateways except that they are application specific.
They can filter packets at the application layer of the OSI
model. Incoming or outgoing packets cannot access services
for which there is no proxy. In plain terms, an application
level gateway that is configured to be a web proxy will not
allow any ftp, gopher, telnet or other traffic through. Because
they examine packets at application layer, they can filter
application specific commands such as http:post and get, etc.
This cannot be accomplished with either packet filtering
firewalls or circuit level neither of which know anything about
the application level information. Application level gateways
can also be used to log user activity and logins. They offer a
high level of security, but have a significant impact on
network performance. This is because of context switches that
slow down network access dramatically. They are not
transparent to end users and require manual configuration of
23
each client computer.
Stateful multilayer inspection firewalls combine the aspects of

the other three types of firewalls. They filter packets at the
network layer, determine whether session packets are
legitimate and evaluate contents of packets at the application
layer. They allow direct connection between client and host,
alleviating the problem caused by the lack of transparency of
application level gateways. They rely on algorithms to
recognize and process application layer data instead of
running application specific proxies. Stateful multilayer
inspection firewalls offer a high level of security, good
performance and transparency to end users. They are
expensive however, and due to their complexity are potentially
less secure than simpler types of firewalls if not administered
by highly competent personnel.
24
Fwall.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/if.h>
#include <linux/ip_fw.h>
#include <netdb.h>
#include <string.h>
#define MAXPORT 60000
struct ip_fwnew fwnew;
struct ip_fwchange fwappend;
struct ip_fwdelnum fwdelnum;
#define TOKENLEN 20
#define RULELEN 500
unsigned int lineno,src,dst,srcmsk,dstmsk,port,in_no,out_no,for_no,pos;
char token[TOKENLEN],rule[RULELEN];
struct protoent *proto;
struct servent *servent;
struct hostent *hostent;
struct ip_fwpolicy fwpolicy;
char protoname[20];
int getvalue(char *str,long *val)
{
char *endptr;
*val = strtol(str,&endptr,10);
if(*endptr != '\0')
return(0);
return(1);
}
int gettoken()
{
int i;
for(;rule[pos] == ' ' || rule[pos] == '\t';pos++);
if(rule[pos] == '\0' || rule[pos] == '\n')
return(0);
for(i = 0;rule[pos] != ' ' && rule[pos] != '\t' && rule[pos] != '\n'&& rule[pos] !=
'\0';pos++)
token[i++] = rule[pos];
token[i] = '\0';
return(1);
}
void initialise(void)
{
25
fwappend.fwc_rule.ipfw.fw_mark = 0;
fwappend.fwc_rule.ipfw.fw_flg = IP_FW_F_WILDIF;
fwappend.fwc_rule.ipfw.fw_invflg = 0;
fwappend.fwc_rule.ipfw.fw_vianame[0] = '\0';
fwappend.fwc_rule.ipfw.fw_tosand = 0xff;
fwappend.fwc_rule.ipfw.fw_tosxor = 0;
fwappend.fwc_rule.ipfw.fw_proto = 0;
fwappend.fwc_rule.ipfw.fw_outputsize = 0;
fwappend.fwc_rule.ipfw.fw_spts[0] = 0;
fwappend.fwc_rule.ipfw.fw_spts[1] = 0xffff;
fwappend.fwc_rule.ipfw.fw_dpts[0] = 0;
fwappend.fwc_rule.ipfw.fw_dpts[1] = 0xffff;
fwappend.fwc_rule.ipfw.fw_src.s_addr = 0;
fwappend.fwc_rule.ipfw.fw_dst.s_addr = 0;
fwappend.fwc_rule.ipfw.fw_smsk.s_addr = 0;
fwappend.fwc_rule.ipfw.fw_dmsk.s_addr = 0;
protoname[0] = '\0';
}
int getports(__u16 ports[2])
{
char *endptr;
int count;
gettoken();
if(token[0] >= 'a' && token[0] <= 'z'){
if(protoname[0] == '\0')
strcpy(protoname,"tcp");
servent = getservbyname(token,protoname);
if(servent == NULL){
printf("Invalid service name %s in line %d col
%d\n",token,lineno,pos);
return(0);
}
ports[0] = ports[1] = ntohs(servent->s_port);
return(1);
}
count = strtol(token,&endptr,10);
if(*endptr == '\0'){
ports[0] = ports[1] = count;
return(1);
}
else if(*endptr == '.' && endptr[1] == '.'){
endptr += 2;
ports[0] = count;
count = strtol(endptr,&endptr,10);
if(*endptr != '\0'){
printf("invalid range at line %d col %d",lineno,pos);
return(0);
}
ports[1] = count;
}
else{
printf(" Expected [!][port[..port]] in line %d col %d\n",lineno,pos);
return(0);
}
return(1);
26
}
int getsord(struct in_addr *sd,struct in_addr *sdmsk)
{
char src[20],msk[20];
int count,i;
__u32 flag;
char *endptr;
gettoken();
sdmsk->s_addr = 0xffffffff;
for(i = 0; token[i] != '/' && token[i] != '\0' ;i++)
src[i] = token[i];
src[i] = '\0';
hostent = gethostbyname(src);
if(hostent == NULL){
printf(" Host %s was not found in line %d \n",src,lineno);
return(0);
}
else{
sd->s_addr = hostent->h_addr_list[0];
}
if(token[i] == '/'){
i++;
strcpy(msk,&token[i]);
count = strtol(msk,&endptr,10);
if(*endptr == '\0'){
flag = 0x1;
sdmsk->s_addr = 0;
for( ; count >0;count--,flag <<= 1){
sdmsk->s_addr |= flag;
}
}
else{
if(inet_aton(msk,sdmsk) == 0){
printf(" Error in line no %d col %d invalid address
mask\n",lineno,pos);
perror("");
return(0);
}
}
}
return(1);
}
int appendrule(void)
{
gettoken();
strcpy(fwappend.fwc_label,token);
while(1){
if(gettoken() == 0) return(1);
if(strcmp(token,"-p") == 0){
gettoken();
strcpy(protoname,token);
proto = getprotobyname(token);
if(proto == NULL){
printf(" Error illegal protocol name in line %d col
%d\n",lineno,pos);
27
return(0);
}
fwappend.fwc_rule.ipfw.fw_proto = proto->p_proto;
}
else if(strcmp(token,"-s") == 0 || strcmp(token,"!-s") == 0){
if(token[0] == '!')
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SRCIP;
if( getsord(&fwappend.fwc_rule.ipfw.fw_src,
&fwappend.fwc_rule.ipfw.fw_smsk) == 0)
return(0);
}
else if(strcmp(token,"-sp") == 0 || strcmp(token,"!-sp") == 0){
if(token[0] == '!')
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SRCPT;
if(getports(&fwappend.fwc_rule.ipfw.fw_spts) == 0)
return(0);
}
else if(strcmp(token,"-d") == 0 || strcmp(token,"!-d") == 0){
if(token[0] == '!')
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_DSTIP;
if( getsord(&fwappend.fwc_rule.ipfw.fw_dst,
&fwappend.fwc_rule.ipfw.fw_dmsk) == 0)
return(0);
}
else if(strcmp(token,"-dp") == 0 || strcmp(token,"!-dp") == 0){
if(token[0] == '!')
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_DSTPT;
if(getports(&fwappend.fwc_rule.ipfw.fw_dpts) == 0)
return(0);
}
else if(strcmp(token,"-j") == 0){
gettoken();
strcpy(fwappend.fwc_rule.label,token);
if(strcmp(token,"REDIRECT") == 0){
if(gettoken()){
getvalue(token,&fwappend.fwc_rule.ipfw.fw_redirpt);
}
}
}
else if(strcmp(token,"-f") == 0)
fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_FRAG;
else if(strcmp(token,"!-f") == 0)
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_FRAG;
else if(strcmp(token,"-y") == 0)
fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_TCPSYN;
else if(strcmp(token,"!-y") == 0)
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SYN;
else if(strcmp(token,"-m") == 0){
gettoken();
if(getvalue(token,(long *)&fwappend.fwc_rule.ipfw.fw_mark) == 0){
printf(" Error in mark value in line %d col
%d\n",lineno,pos);
return(0);
}
28
fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_MARKABS;
}
else if(strcmp(token,"-t") == 0){
gettoken();
if(getvalue(token,(long *)&fwappend.fwc_rule.ipfw.fw_tosand)==0){
printf(" Error in tos_and value in line %d col
%d\n",lineno,pos);
return(0);
}
gettoken();
if(getvalue(token,(long *)&fwappend.fwc_rule.ipfw.fw_tosxor)==0){
printf(" Error in tos_xor value in line %d col
%d\n",lineno,pos);
return(0);
}
}
else if(strcmp(token,"-i") == 0 || strcmp(token,"!-i") == 0 ){
int i;
if(token[0] == '!')
fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_VIA;
gettoken();
for(i = 0; token[i] != '\0' || token[i] != '+';i++)
fwappend.fwc_rule.ipfw.fw_vianame[i] = token[i];
fwappend.fwc_rule.ipfw.fw_vianame[i] = '\0';
if(token[i] == '\0')
fwappend.fwc_rule.ipfw.fw_flg &= ~IP_FW_F_WILDIF;
}
else if(strcmp(token,"-l") == 0){
fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_PRN;
}
else{
printf(" Invalid option %s in line %d col %d",token,lineno,pos);
return(0);
}
}
}
main(int argc,char *argv[])
{
int sockfd;
char c;
FILE *fp;
char fname[20];
if(argc > 2){
printf("USAGE : fwall [configuration file] \n");
exit(0);
}
if(argc == 2)
strcpy(fname,argv[1]);
else
strcpy(fname,"fw.conf");
lineno = 0;
in_no = 1;
out_no = 1;
for_no = 1;
sockfd = socket(AF_INET,SOCK_STREAM,0);
29
fp = fopen(fname,"r");
if(fp == NULL){
printf(" File %s not found \n",fname);
exit(0);
}
setsockopt(sockfd,IPPROTO_IP,IP_FW_FLUSH,"input",9);
setsockopt(sockfd,IPPROTO_IP,IP_FW_FLUSH,"output",9);
setsockopt(sockfd,IPPROTO_IP,IP_FW_FLUSH,"forward",9);
while(fgets(rule,RULELEN,fp) != NULL){
lineno++;
pos = 0;
initialise();
if(gettoken() == 0)
continue;
if(strcmp(token,"#") == 0)
continue;
if(strcmp(token,"-A") == 0){
if(appendrule() == 1){
if( setsockopt(sockfd,IPPROTO_IP,IP_FW_APPEND,&fwappend,sizeof(fwappend)) != 0){

printf("Error setting socket option in line %d :",lineno);
perror("");
}
}
}
else if(strcmp(token,"-N") == 0){
gettoken();
if(setsockopt(sockfd,IPPROTO_IP,IP_FW_CREATECHAIN,token,9)
< 0){
printf("Error setting socket option in line %d :",lineno);
perror("");
}
}
else if(strcmp(token,"-P") == 0){
gettoken();
strcpy(fwpolicy.fwp_label,token);
gettoken();
strcpy(fwpolicy.fwp_policy,token);
if(setsockopt(sockfd,IPPROTO_IP,IP_FW_POLICY,&fwpolicy,sizeof(fwpolicy)) < 0){

printf(" Error setting policy of line %d",lineno);
perror("");
}
}
else
printf(" Error in line %d col %d invalid command %s
",lineno,pos,token);
}
}
30
fw.conf
#This file was created using the GetRules module.

#The Default policies are:
-P input DENY
-P output DENY
-P forward ACCEPT
#Allow Source Quench packets
-A input -p icmp -sp 4 -dp 0 -j ACCEPT
#Allow echo reply inbound
-A input -p icmp -i eth0 -sp 8 -dp 0 -j ACCEPT
#Allow TTL exceeded inbound
-A input -p icmp -i pp0 -sp 11 -dp 0 -j ACCEPT
#Drop packets below 21
-A input -p tcp -dp 0..20 -j DENY
#Drop X- windows packets
-A input -p tcp -dp 6000..6003 -j DENY
#Drop SNMP packets
-A input -p tcp -dp 161-162 -j DENY
#Drop incoming telnet connections
-A input -p tcp -dp telnet -i pp0 -j DENY
#Allow http packets to webcache
-A input -p tcp -dp webcache -i pp0 -j ACCEPT
#Drop tcp packets from non standard ports
-A input -p tcp -dp 1024..65535 -i pp0 -y -j DENY
#Disallow ftp data connections
-A input -p tcp -dp 20..21 -i pp0 -y -j DENY
#Allow incoming http
-A input -p tcp -sp 1024..65535 -dp 80 -i eth0 -j ACCEPT
-A input -p tcp -sp http -dp 1024..65535 !-y -i pp0 ACCEPT
# Allow echo requests outbound
-A output -p icmp -i pp0 -sp 0 -dp 0 -j ACCEPT
#Allow destination unreachable outbound.
31
32

Project Report On Implementation of Firewall On Linux Platform

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Project Report On Implementation of Firewall On Linux Platform

Hochgeladen von

Copyright:

Verfügbare Formate

Project Report on Implementation of Firewall on Linux Platform

LAN AND INTERNET

Extension of LAN to Internet

ARPANet(Advanced Research Project Agency ) is the internet's

November 2nd, 1988 is the most infamous date in the internet

The main danger to the internet security comes in the form of

riding through cyberspace looking for targets of opportunity

Underemployed Adult Hackers:

Eavesdropping and snooping:

The simplest thing a hacker can do to gain information is simply to

to the server computer. Ideally the client thinks he is

These rules regulate the acceptance of incoming IP packets.

There is also a special target RETURN which is equivalent to falling

reference count on user defined chains are initialised to zero

The firewall administration can be changed via calls to

must be zero). The chain must also be empty which can be

or TCP SYN or ACK bits. Rules which try to match packets by

destination port of a packet will be used as the redirection

2. What does a firewall do?

3. What can't a firewall do?

firewall may allow all traffic through unless it meets certain

6. What are the OSI and TCP/IP Network models?

selective in granting access.

It would appear then, that firewalls functioning at a higher

According To Byte Magazine*, traditional firewall technology is

are used, implementing packet filtering at the router level

Circuit level gateways work at the session layer of the OSI

Application level gateways, also called proxies, are similar to

each client computer.

Stateful multilayer inspection firewalls combine the aspects of

if( setsockopt(sockfd,IPPROTO_IP,IP_FW_APPEND,&fwappend,sizeof(fwappend)) != 0){

if(setsockopt(sockfd,IPPROTO_IP,IP_FW_POLICY,&fwpolicy,sizeof(fwpolicy)) < 0){

#This file was created using the GetRules module.

Das könnte Ihnen auch gefallen