
Firewall Theory

In the most general sense, a firewall looks at each incoming data packet, examines its source and destination addresses and ports, and decides what to do with it based on a set of configured rules. Before you can set up a firewall, you must create these rules. To do so, you need to determine which services (or ports) must be reachable on or through your network and should be left open, and which should be locked down. Anything you have not explicitly identified as required should be blocked; a rule set built the other way around (block what you know is bad, allow the rest) is only as good as your list of known-bad ports.

In this section of the chapter, we describe the various ports and port ranges found on a standard Linux machine. If you already know something about ports, consider reading this section anyway; port terminology and the standard ranges have changed in the last few years, and your understanding may be somewhat outdated.

Ports and the IP Stack

Every IP address has 65,536 ports (numbered 0 through 65,535) for each transport protocol, so TCP port 80 and UDP port 80 are distinct and a firewall rule has to name both the protocol and the port. Ports are used to associate a network connection with a service and protocol running on a machine attached to a TCP/IP-based network. Ports are often described as windows or doors in an office building: if you want to see Person A, you open the door to Person A's office. In the same way, if you want to get a web page from a particular server with the http protocol, you request services through port 80 on that server.

In the past few years, the conventional port ranges on UNIX-based operating systems have shifted from their original boundaries. Here is a list of current Red Hat-based Linux port assignments:

  • Ports 0-1,023: The Well-Known or Reserved ports are standardized and controlled by IANA, the Internet Assigned Numbers Authority. These ports are generally used for standard incoming system and protocol interactions. On Linux, only root (or a process holding the CAP_NET_BIND_SERVICE capability) may bind a listening socket to one of these ports, which is why daemons serving them typically start as root and then drop privileges.

  • Ports 1,024-49,151: The Registered ports are also used for incoming services, but are not regulated as strictly as the first 1,024 ports (remember, under UNIX, 0 counts as a number). IANA records these registrations on request, but they are community conventions rather than dictated rules, and any unprivileged process can bind to a port in this range.

  • Ports 32,768-61,000: These Ephemeral or Dynamic ports are the default range on the Linux 2.4 kernel, but the range varies by distribution and kernel version. They are used by outgoing client requests and programs to establish connections with other servers. On some systems, Ephemeral ports range up to 65,535 (IANA itself designates 49,152-65,535 as the Dynamic or Private range). You can see this kernel setting on your Linux 2.4 kernel by looking at the kernel's proc filesystem:

    # cat /proc/sys/net/ipv4/ip_local_port_range
    32768    61000
    

    Ephemeral ports used to be defined as 1,024-4,999 on Linux and other platforms, but in recent years the range has shifted upward for performance, standardization, and security reasons.

You may have noticed the overlap of ports from 32,768 to 49,151. This is not particularly critical to the average Linux administrator; it is a legacy issue documented in RFCs and in IANA's own internal documentation, and it does not affect regular Linux use in any significant way. It does have one practical consequence for firewall rules: a daemon registered on a port in that range shares its number space with the source ports of your own outgoing connections, so rules should match on direction and destination port rather than on the port number alone. The more of these Dynamic or Ephemeral ports you make available, the more simultaneous outgoing connections your server can hold open (including those lingering in TIME_WAIT after they close). This keeps busy servers from fighting over a limited pool of source ports, and on such servers (a large mail server, for example) the additional ~24,000 ports raise the ceiling on concurrent outgoing connections.

Note 

IANA is the regulatory group that controls IP address allocations, top-level domains, the Well-Known port assignments below 1,024 and the registry of Registered ports above them, and other Internet-related public standards. The IANA port list (www.iana.org/assignments/port-numbers) shows both the regulated Reserved or Well-Known ports and the industry-common Registered ports.

Port Assignments

To see the human-readable service names that your server associates with port numbers, look at the /etc/services file. This file lists the most commonly used ports and the protocols or programs associated with each one. Bear in mind that it is only a lookup table used by tools such as netstat; a daemon can listen on any port regardless of what /etc/services says about it. For example, this command's output lists the TCP ports associated with several common Internet protocols:

$ grep -E '^(http|ftp|ssh)' /etc/services | grep tcp
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp                  # SSH Remote Login Protocol
http        80/tcp   www www-http   # WorldWideWeb HTTP
https       443/tcp                 # Mcom

If you'd like to see which daemons are currently bound to your IP addresses, listed by service name rather than by port number, issue this command and use grep to pick out the one service you're interested in:

$ netstat -at|grep "http "
tcp        0       0 *:http       *:*           LISTEN

Leave off the grep to see all such bindings. Add -n to show numeric ports instead of names (useful when the name in /etc/services does not match what is really listening) and -p, as root, to show the process that owns each socket.
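As an added example (not code from the original chapter), the following Python script does by hand what the two commands above do with grep: it parses text in /etc/services format, classifies a port into the ranges described earlier in this section using an assumed 2.4-kernel ip_local_port_range, and walks netstat -atn style output to report which listening sockets are bound to every interface. The /etc/services excerpt, the netstat lines and the port-range value are constructed samples, not captured from a real host, so the script runs offline.

```python
"""Resolve and classify listening TCP ports the way netstat and /etc/services
do.  Added example; the file excerpt, netstat output and port range below are
constructed samples, not captured from a real host."""
import re

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  [# comment]
SERVICES_SAMPLE = """\
# Network services, Internet style
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp                  # SSH Remote Login Protocol
domain      53/tcp
domain      53/udp
http        80/tcp   www www-http   # WorldWideWeb HTTP
https       443/tcp                 # Mcom
mysql       3306/tcp
"""

# Constructed output in the shape of `netstat -atn` (all TCP sockets, numeric)
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:50212      ESTABLISHED
"""

# Assumed contents of /proc/sys/net/ipv4/ip_local_port_range on a 2.4 kernel
PORT_RANGE_SAMPLE = "32768\t61000\n"


def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text.
    Trailing comments and aliases are dropped; the first entry for a
    port/proto pair wins, as it does for getservbyport()."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table.setdefault((int(port), proto), name)
    return table


def port_class(port, port_range=PORT_RANGE_SAMPLE):
    """Label a port with its IANA range and, if it also falls inside the
    kernel's ephemeral range, mark it as such.  The two overlap (32768-49151)."""
    low, high = (int(x) for x in port_range.split())
    if port <= 1023:
        label = "well-known"
    elif port <= 49151:
        label = "registered"
    else:
        label = "dynamic"
    return label + ("/ephemeral" if low <= port <= high else "")


SOCKET_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+:\S+\s+(\S+)")


def audit_listeners(netstat_text, services):
    """One record per LISTEN socket: (port, name, range label, bound address,
    exposed).  A socket bound to 0.0.0.0 is reachable on every interface and
    is exactly the case your firewall rules must explicitly allow or deny."""
    records = []
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m.group(4) != "LISTEN":
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        name = services.get((port, proto), "unknown")
        exposed = addr in ("0.0.0.0", "*", "::")
        records.append((port, name, port_class(port), addr, exposed))
    return records


if __name__ == "__main__":
    for rec in audit_listeners(NETSTAT_SAMPLE, parse_services(SERVICES_SAMPLE)):
        print("%5d %-8s %-22s %-16s %s" % (rec[0], rec[1], rec[2], rec[3],
                                          "ALL INTERFACES" if rec[4] else "local only"))
```

Running it against the constructed sample flags ssh and http as bound to all interfaces and mysql as loopback-only; on a real host, feed it the output of `netstat -atn` and the contents of /etc/services instead of the samples.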

TCP/IP Packet Structures

With a basic understanding of port allocation under your belt, take a closer look at TCP and IP packet structures.

On a TCP/IP-based network, each packet you send out is either a TCP segment wrapped, or encapsulated, in an IP datagram, or a UDP datagram wrapped in an IP datagram (other protocols, such as ICMP, ride inside IP the same way). The former is a TCP/IP packet and the latter is called a UDP/IP datagram. In most of the examples in this chapter we look at the information contained in a TCP/IP packet to determine where the packet came from, where it's going, and what protocols are being used or requested. This is the nitty-gritty of TCP/IP firewalling, but before we can get much further into this discussion we need a quick peek inside these data structures so that we can speak intelligently about how this information is used.

These TCP and IP structures can be used in various ways to trigger on and control the different types of traffic that flow across your network or into/out of your server.

Note 

If you plan to take full advantage of these packet-level mechanisms, you'll want to use the iptables form of Linux firewalling rules rather than the older, less powerful TCP wrappers, which is really a per-service host ACL (it only protects daemons started through inetd/xinetd or linked against libwrap) rather than a real firewall control system.

The TCP and IP structures are defined by RFC 793 and RFC 791 respectively. The basic layout for TCP looks like this:

TCP Header:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Read left to right and top to bottom, the diagram shows the order in which the header's bits are transmitted on the wire. Each row is 32 bits (4 bytes), so the TCP header without options is 20 bytes long; the Data Offset field gives the real header length in 32-bit words.

Although there is a great deal of information in this TCP packet diagram, the elements easiest to identify and use from a firewalling perspective are the source and destination ports. Together with the protocol number in the IP header, these identify which service is being used or requested. Also, when setting up firewall rules and allowing or denying access to services (remember, services = ports), the flag bits and the sequence and acknowledgment numbers let you follow the state of a TCP session: a packet with SYN set and ACK clear is a new connection request, while everything else belongs (or claims to belong) to a connection that already exists. This idea of session and protocol tracking is the basis for SPI, stateful packet inspection, and it is also what lets a firewall follow bidirectional protocols such as FTP, whose data connection is negotiated on a separate port, and NFS. Session tracking is largely automatic in iptables once you enable it (the connection-tracking modules), but we'll still cover this later.

Tip 

Although this chapter does not cover data pattern and string matching, you might be interested in this subject if you're doing intrusion detection or content-based packet filtering. If you want to learn more on those topics, check these sites:

In the IP structure, shown following, you'll also want to be able to trigger on the IP source and destination addresses (who a packet is from and who it's going to). Triggering on these addresses (as well as the attributes we already covered) and allowing or denying access based on them is, in essence, what firewalling is all about. Remember, though, that the source address is written by the sender and can be forged, so a rule that trusts a source address should be paired with a check on the interface the packet arrived on, so that a packet claiming an internal source address is not accepted from the outside interface.

Let's take a closer look at the IP datagram structure and see what information in this low-level protocol is useful to firewall administrators. The IP datagram looks like this:

IP Datagram:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The main aspects of the IP datagram of interest to the firewall administrator are the source and destination addresses and the Protocol field (6 for TCP, 17 for UDP, 1 for ICMP), which tells you how to interpret the header that follows. These elements are important for both TCP wrappers and iptables-based firewalls. The fragmentation fields matter too: only the first fragment of a datagram carries the TCP or UDP header, so a filter that matches on ports has to decide explicitly what to do with later fragments. Some of the other fields, such as TTL, are useful when setting up a dual-homed firewall with NAT and masquerading (as described in the following section).
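The following Python, added here and not part of the original text, decodes the RFC 791 and RFC 793 header fields shown in the two diagrams above from raw bytes and then runs a small first-match rule list over them, the way a stateless packet filter does. The packets are constructed inside the script (checksums are left at zero, since a filter does not need them to decide), the addresses, ports and rules are assumptions chosen for the example, and the flag matching imitates the mask/set form of the iptables --tcp-flags match.

```python
"""Decode the IPv4 and TCP header fields a packet filter matches on, then
apply a first-match rule list.  Added example; packets are built by hand
below (checksums left zero) and all addresses, ports and rules are assumed."""
import ipaddress
import struct

TCP_FLAG_BITS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}
IPPROTO_TCP = 6


def parse_ipv4(data):
    """RFC 791 header.  IHL counts 32-bit words, so options may follow the
    fixed 20 bytes; the payload returned starts after them."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a complete IPv4 header")
    hdr = {
        "ttl": ttl,
        "protocol": proto,                    # 6 = TCP, 17 = UDP, 1 = ICMP
        "df": bool(flags_frag & 0x4000),
        "frag_offset": flags_frag & 0x1FFF,   # non-zero: later fragment, carries no TCP header
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    return hdr, data[ihl:total_len]


def parse_tcp(data):
    """RFC 793 header.  Data Offset counts 32-bit words; the low 6 bits of the
    same 16-bit word are the URG/ACK/PSH/RST/SYN/FIN flags."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = \
        struct.unpack("!HHIIHHHH", data[:20])
    offset = (off_flags >> 12) * 4
    hdr = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": {name for bit, name in TCP_FLAG_BITS.items() if off_flags & bit},
    }
    return hdr, data[offset:]


def build_packet(src, dst, sport, dport, flags, ttl=64):
    """Construct a minimal IPv4/TCP packet for the examples (no options,
    DF set, checksums zero: a filter does not need them to decide)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Assumed rule list for a host at 192.0.2.10: first match wins, default DROP.
# Flags are matched as (mask, must-be-set), the shape of iptables --tcp-flags.
RULES = [
    # source network, destination port (None = any), (mask, set), verdict
    ("0.0.0.0/0",    22,   ({"SYN", "ACK", "RST"}, {"SYN"}), "ACCEPT"),  # new SSH connections
    ("192.0.2.0/24", 80,   (set(), set()),                   "ACCEPT"),  # HTTP from the LAN only
    ("0.0.0.0/0",    None, ({"ACK"}, {"ACK"}),               "ACCEPT"),  # stateless "established"
]


def decide(packet, rules=RULES):
    """Return the verdict for one raw IPv4 packet."""
    ip, payload = parse_ipv4(packet)
    if ip["protocol"] != IPPROTO_TCP or ip["frag_offset"] != 0:
        return "DROP"                         # only unfragmented TCP is classified here
    tcp, _data = parse_tcp(payload)
    src = ipaddress.IPv4Address(ip["src"])
    for net, dport, (mask, must), verdict in rules:
        if src not in ipaddress.IPv4Network(net):
            continue
        if dport is not None and tcp["dport"] != dport:
            continue
        if (tcp["flags"] & mask) != must:
            continue
        return verdict
    return "DROP"


if __name__ == "__main__":
    for pkt in (build_packet("198.51.100.7", "192.0.2.10", 50212, 22, 0x02),   # SYN to ssh
                build_packet("198.51.100.7", "192.0.2.10", 50212, 80, 0x02),   # SYN to http, off-LAN
                build_packet("198.51.100.7", "192.0.2.10", 50212, 22, 0x12)):  # SYN/ACK to ssh
        ip, payload = parse_ipv4(pkt)
        tcp, _ = parse_tcp(payload)
        print(ip["src"], "->", ip["dst"], tcp["dport"], sorted(tcp["flags"]), decide(pkt))
```

Note what the third rule gives away: because the filter accepts any packet with ACK set, a SYN/ACK or bare ACK aimed at a closed port from anywhere passes it, which is how ACK scans slip through stateless filters. That is the gap that connection tracking, covered later, closes by accepting only replies to connections the firewall has actually seen opened.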
