A guide to understanding simple firewall rules
Article by Mark Boyd www.simpleit.tumblr.com
Thursday, 23 June 2011
The basics of a firewall rule
Most of the information in this piece is information disseminated from www.sans.org and its affiliates. My experience is in the Managed Services Provider sector, more specifically, the Education vertical.
Understanding firewall rules:
Source > Destination > Traffic Type > Allow / Deny. There you have it, you now understand firewalls.
Move along people, nothing to see here. Or is there? In this article, I will talk briefly about how a basic
firewall rule works. I won’t be talking about packet inspection, I won’t be talking about NAT and its
intricacies; there’s plenty of information on the old interwebs¹ about that. Firewalls can be big, complex
beasts; this article might be seen as a “for dummies” guide to just one topic inside a firewall.
You will find this article is general in nature; it doesn’t go into a huge amount of detail. This article is
largely brand agnostic. If you are looking for a shameless plug for a reputable firewall company, I
recommend Fortinet. Fortinet firewalls are well priced, feature-full firewalls from SOHO to enterprise. I
use Fortinet because they are powerful, quick and secure. For more information on Fortinet gear, visit
the Fortinet website.
Alright, let’s get started. As always, decide what you are trying to achieve. In this example we want to
block all traffic from 192.168.1.0 out to the internet except web traffic, and allow 172.16.0.0 traffic out to
the internet.
Enter pseudo code. Now don’t be afraid, I have preached before that programming is the square root of
everything evil and nasty, and I maintain that disposition; however, writing something out logically
(pseudo code) is helpful. It spells out, step by step, what you are trying to do. Let’s try it.
Source Traffic: 172.16.0.0/16, Destination: Anywhere (0.0.0.0), Traffic type: Any, Allow / Deny: Allow
Source Traffic: 192.168.1.0/24, Destination: Anywhere (0.0.0.0), Traffic type: port 80, Allow / Deny: Allow
Explicitly deny any other traffic.
Looks simple enough? Good. But make sure you understand some common I.T. lingo:
- Common service ports (port 80 for HTTP, port 443 for HTTPS, port 53 for DNS, etc.)
- Common subnet allocations for IPv4: /16 = 255.255.0.0, /24 = 255.255.255.0 and so on
- What the 0.0.0.0 IP address designation is and how to use it.
Confused? Remember the rule: source > destination > traffic type > allow / deny.
Think about these statements if you get confused making firewall rules.
- All firewall rules are in essence just an access control list.
- All access control lists can be converted “logically” into an “if then else” type statement.
- Remember that all Access control lists / firewall rules end with an explicit deny rule.
- If your firewall rule doesn’t work, think about whether your traffic actually matches the rule.
- Most useful, remember most good firewalls log allow / deny requests, the logs are your friend.
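The pseudo code above, and the “if then else” view of an access control list, written out as a small rule evaluator. This is an added example, not code from the article or from any firewall vendor: the rules are walked top to bottom, the first match decides, and anything that matches nothing falls through to the explicit deny at the end; the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One line of the ACL: source > destination > traffic type > action."""
    source: str          # CIDR, e.g. "192.168.1.0/24"
    destination: str     # CIDR; "0.0.0.0/0" means anywhere
    port: Optional[int]  # destination port; None means any traffic type
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)
        dst_ok = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination, strict=False)
        port_ok = self.port is None or self.port == dst_port
        return src_ok and dst_ok and port_ok

# The article's example rule set: 172.16.0.0/16 may go anywhere, 192.168.1.0/24 may
# only reach port 80, everything else hits the explicit deny at the bottom.
RULES = [
    Rule("172.16.0.0/16", "0.0.0.0/0", None, "allow"),
    Rule("192.168.1.0/24", "0.0.0.0/0", 80, "allow"),
]

def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int):
    """First-match evaluation; returns (action, index of matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, dst_port):   # "if this matches, then ..."
            return rule.action, index
    return "deny", None                              # "... else deny" (explicit final deny)

def log_line(rules, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """The kind of allow/deny record a firewall log gives you when a rule 'doesn't work'."""
    action, index = evaluate(rules, src_ip, dst_ip, dst_port)
    matched = "explicit-deny" if index is None else f"rule-{index}"
    return f"{action.upper()} src={src_ip} dst={dst_ip} dport={dst_port} matched={matched}"

if __name__ == "__main__":
    # Constructed sample packets: two that should pass, two that should fall through.
    for pkt in [("172.16.5.9", "203.0.113.10", 22), ("192.168.1.20", "203.0.113.10", 80),
                ("192.168.1.20", "203.0.113.10", 443), ("10.0.0.5", "203.0.113.10", 80)]:
        print(log_line(RULES, *pkt))
```

Swap the two rules or widen a port to None and re-run: because the evaluator is first-match, the log line shows which rule actually fired, which is usually the answer to “why doesn’t my rule work?”.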
Next article: Top tools for top administrators
¹ (Deviate for a second: Microsoft Word doesn’t believe interwebs is a word. It is now, and I implore you to add it to your dictionaries.)