Products:
Flowpoint 128, 144, 2025, 2100, 2200, SSR245, SSR250, SSR255
Speedstream 5711, 5781, 5851, 5861, 5871

Article Topic:
FlowPoint FAQs: Efficient Networks IP Filtering Tutorial

EFFICIENT NETWORKS - IP FILTERING TUTORIAL

Description:
IP filtering lets your router decide whether to accept, drop, or reject a packet based on the information in the addressing portion of that packet (the header). This gives you control over the flow of packets into and out of your LAN. To use it, you define a list of rules on your router that specify the action to take on packets with various characteristics. Typically, you will create a list of accept rules that define which packets may move from one interface to another, followed by a drop rule that stops any packet not matched by an accept rule from being forwarded.

These rules can be grouped on the Ethernet (LAN) or remote (WAN) side of an Efficient router. In addition, the rules are grouped by the direction of packet flow (inbound or outbound). This lets a rule use where a packet started, on the LAN or on the WAN, as part of the criteria for accepting or dropping it, so you never have to open your LAN to a given type of traffic without being able to tell where the packet came from. For example, a reply coming back from the internet can be accepted while a packet initiated on the internet is rejected, even though both packets carry the same type of information in the header.

To administer IP filtering firewall rules efficiently, you must understand what a packet looks like and what the different parts of a packet do during its journey from the LAN, through the internet, and back to the LAN. Put simply, an IP packet is a single group of bits made up of addressing information (the header) and a payload (the data). The firewall looks at the addressing information of an IP packet to determine what action to take.

TCP-IP PACKET

The TCP/IP packet has many parts. For the purpose of IP filtering, only the parts that rules can be based on are discussed here. The header of a packet contains all the information needed to get the packet to its destination and to provide a path back to the source. The parts of a packet that a rule can be based on are listed below with a description of each.

DESTINATION ADDRESS - This is the IP address that the packet is being sent to.

SOURCE ADDRESS - This is the IP address that the packet has been sent from.

FLAGS - These are conditional status indicators used to determine how to interpret other portions of the header.

SOURCE/DESTINATION PORT - Numbers used to identify which application the packet is for.

PROTOCOL - A number that identifies the packet type. TCP and UDP are examples of packet types.

NOTE: IP packets do not contain a field for a source or destination mask in the header, yet the Efficient firewall allows you to filter based on a mask. The mask entry in a rule is used to define a subnet and should always be used together with a source or destination address.

An IP packet created by a workstation and bound for the internet is sent to the Efficient router, since the workstation has the router defined as its default gateway (the door to the internet). The router's job is to determine whether the packet should be forwarded to an address on the LAN or on the WAN. That decision is made using the destination address field in the packet header. Once the packet is forwarded to the WAN (internet), it proceeds to its destination on its own. When the packet arrives, the payload (data) is exchanged and the header information is swapped: the destination address and port are moved to the source address and port fields, while the source information is moved to the destination fields. This swap lets a reply be directed back to the site of origin without large amounts of overhead. At this point the packet carries a new payload, and a destination address and port that direct it back to the originator.

PLANNING FOR YOUR FIREWALL

Before jumping into building the firewall, decide which tasks you want the firewall to perform. You must be honest with yourself during this process. The basic filtering script that Efficient offers will likely restrict more than you want. List all the traffic that must be allowed onto the LAN, then list all of the restrictions you wish to achieve.

The Efficient firewall can be installed and removed quite easily. To install the firewall, simply execute a script using the Efficient Configuration Manager Tool. To remove the firewall, either flush the rules, or delete all the drop rules. Your network need not suffer excessive downtime while you are building your firewall.

BUILDING A FIREWALL

Now that you have made your list, you are ready to build a firewall. Let's start with a simple example: a firewall that allows all TCP packets and nothing else. We will place all rules on the WAN interface and filter in both the input and output direction of packet flow. Enter the following IP filtering rules on your router.

Note: These rules must be applied from the command line interface. You will need to telnet to your router: type "telnet <router ip gateway address>" from a command prompt or the Run command.

remote ipfilter insert input accept -p tcp internet
remote ipfilter insert output accept -p tcp internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save

Note: Accept rules should always be entered with the "insert" command, which places them at the top of the list, and drop rules with the "append" command, which places them at the end of the filter list. Every packet is tested against the filter list from top to bottom, and the first rule the packet matches determines the action taken. In short, the drop rule must appear after all accept rules.

VIEWING YOUR IPFILTERING RULES FROM WITHIN YOUR ROUTER

• First, from a command line interface, telnet to your router: type "telnet <router ip gateway address>" from a command prompt or the Run command.

• Next, to display your router's existing firewall configuration (WAN side), execute the following command:
"remote ipfilter list <remote name>"

Note: The remote name is "internet" by default.

Example of what would be displayed:

remote ipfilter list internet
# Begin rules for input list
remote ipfilter append input accept -c 0 -p tcp internet
remote ipfilter append input drop -c 0 internet
# End rules for input list
# Begin rules for output list
remote ipfilter append output accept -c 0 -p tcp internet
remote ipfilter append output drop -c 0 internet
# End rules for output list

The filters above act on packets in both the input and output direction of the remote (WAN) interface. The -c value (-c 0 above) is a hit counter that increments each time a packet matches the rule. The counts are reset to 0 on reboot.


TROUBLESHOOTING A FIREWALL

If you tried to use a web browser with the rules in the example above, you would not be able to reach the internet.
To troubleshoot a problem of this nature and see which packets the router drops, turn the filter display on by executing "remote ipfilter watch on|off <remote name>". Again, the remote name is "internet" by default. Next, type "system log start" or "system history" to view the output of the watch command. The watch command displays every dropped packet in the following format:

Protocol
- source address
- source port
- destination address
- destination port

Example of system log:

# remote ipf watch on internet
UDP packet from 192.168.254.2/1117 to 134.141.7.201/53 dropped
UDP packet from 192.168.254.2/1117 to 134.141.7.200/53 dropped
UDP packet from 192.168.254.2/1117 to 134.141.7.201/53 dropped

Now enter the list command as follows:

remote ipfilter list output <remote name>

Note: Remote name is "internet" by default

Example of output list:

# Begin rules for input list
remote ipfilter flush input internet
remote ipfilter append input accept -c 0 -p tcp internet
remote ipfilter append input drop -c 0 internet
# End rules for input list
# Begin rules for output list
remote ipfilter flush output internet
remote ipfilter append output accept -c 0 -p tcp internet
remote ipfilter append output drop -c 3 internet
# End rules for output list

Using the list command, we can identify the problem by observing the dropped packets in the output direction (the output drop rule's counter has risen to 3). From the watch output in the system log example above, we can see that the dropped packets were UDP with a destination port of 53. Identifying the port number will in most cases tell you the packet type; in this case, port 53 is DNS. These DNS packets were being sent to the DNS server to have a name resolved to an IP address, but the firewall rules were not allowing them through.

Since we want to allow these packets, let's build a rule that lets them through. We will use the protocol and port in this rule. To be more specific, you could also include the IP address of the DNS server, as the destination address in the output rule and the source address in the input rule.

Example of rules to allow DNS from the LAN to the WAN:

remote ipfilter insert input accept -p udp -sp 53 internet
remote ipfilter insert output accept -p udp -dp 53 internet
save
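To see the first-match and insert/append behaviour described in this tutorial in action, here is an added Python model of the filter list. It is example code, not the router's firmware or any Efficient tool: it parses rule lines in the CLI format used above and packet lines in the watch-log format, orders the rules as insert and append would, and evaluates the dropped DNS query from the log against the TCP-only list and then against the list with the DNS rules added. The packet representation, the direction argument to parse_watch and the assumption that a packet matching no rule is forwarded are all assumptions of the example.

```python
import re

# Rule lines as printed by "remote ipfilter list"; only -p, -sp, -dp and -c (the options this tutorial uses) are understood.
RULE_RE = re.compile(r"remote ipfilter (append|insert) (input|output) (accept|drop)(.*?) (\S+)$")
WATCH_RE = re.compile(r"(\w+) packet from \S+/(\d+) to \S+/(\d+)")
FLAGS = {"-p": ("proto", str.lower), "-sp": ("sport", int), "-dp": ("dport", int), "-c": ("count", int)}

def parse_rule(line):
    """Parse one 'remote ipfilter append|insert <dir> <action> [options] <remote>' line."""
    how, direction, action, opts, remote = RULE_RE.match(line.strip()).groups()
    rule = {"how": how, "dir": direction, "action": action, "remote": remote, "count": 0}
    toks = opts.split()
    for flag, val in zip(toks[::2], toks[1::2]):
        key, conv = FLAGS[flag]
        rule[key] = conv(val)
    return rule

def build_list(lines):
    """Enter rules in the given order: 'insert' goes to the top of the list, 'append' to the end."""
    rules = []
    for r in map(parse_rule, lines):
        rules.insert(0, r) if r["how"] == "insert" else rules.append(r)
    return rules

def parse_watch(line, direction):
    """Turn one watch-log line into a packet; the log does not say the direction, so pass it."""
    proto, sport, dport = WATCH_RE.search(line).groups()
    return {"dir": direction, "proto": proto.lower(), "sport": int(sport), "dport": int(dport)}

def evaluate(rules, pkt):
    """Test top to bottom; the first matching rule decides and its -c counter increments."""
    for r in rules:
        if r["dir"] == pkt["dir"] and all(r.get(k, pkt[k]) == pkt[k]
                                          for k in ("proto", "sport", "dport")):
            r["count"] += 1
            return r["action"]
    return "accept"  # assumption: a packet that matches no rule is forwarded

# Constructed inputs taken from the tutorial: the TCP-only firewall, the DNS fix, and one watch-log line.
TCP_ONLY = ["remote ipfilter insert input accept -p tcp internet",
            "remote ipfilter insert output accept -p tcp internet",
            "remote ipfilter append input drop internet",
            "remote ipfilter append output drop internet"]
DNS_FIX = ["remote ipfilter insert input accept -p udp -sp 53 internet",
           "remote ipfilter insert output accept -p udp -dp 53 internet"]
DNS_QUERY = parse_watch("UDP packet from 192.168.254.2/1117 to 134.141.7.201/53 dropped", "output")

if __name__ == "__main__":
    rules = build_list(TCP_ONLY + DNS_FIX)
    print(evaluate(rules, DNS_QUERY), [(r["action"], r["count"]) for r in rules])
```

Replacing "insert" with "append" in DNS_FIX puts the DNS rules after the drop rule, and the same query is dropped again, which is the ordering mistake the note above warns about.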

Now let's test the firewall to prove that it works with a web browser. Simply list your filters as shown in the example below. This time, as you can see, the DNS packets made it through, as did the browser packets using protocol TCP and port 80. Notice that the count indicators (-c) have incremented for the two accept rules in both the input and output filter lists, but the drop rules did not.

remote ipfilter list internet
# Begin rules for input list
remote ipfilter append input accept -c 5 -p udp -sp 53 internet
remote ipfilter append input accept -c 15 -p tcp internet
remote ipfilter append input drop -c 0 internet
# End rules for input list
# Begin rules for output list
remote ipfilter append output accept -c 5 -p udp -dp 53 internet
remote ipfilter append output accept -c 15 -p tcp internet
remote ipfilter append output drop -c 0 internet
# End rules for output list

CONCLUSION

If you start with the Efficient basic firewall script and use the technique described above to add rules for email and other needs specific to your LAN, you will find the Efficient firewall easy to configure and monitor. The firewall can be as simple or as complex as you wish, depending on the number of parameters placed in each rule. Hostile packets can be monitored easily using the watch command. For more detailed descriptions of the commands specific to the Efficient firewall, review the following documents:

IP Filtering Concepts
http://support.efficient.com/KB/FP/filterconcepts.html

DSL Command Line Interface
http://support.efficient.com/KB/pdf/fp_dslcli_feb99.pdf

Efficient Networks, Inc.
Technical Support