Unix Workshops:Firewall

From TAMI

Layers of communication:

  1. Physical - bits on the wire.
  2. Data link / frame (HW) - MAC addresses. "arp -a" (address resolution protocol) shows the IP-to-MAC mappings this host has learned.

For each network interface, card, port or transmitter, there is a MAC address.

  3. Network (SW) - logical addresses, i.e. IP addresses. Decides the path a packet takes to its destination.

"netstat -r" (or "netstat -rn" to skip name lookups) shows the routing table.

  4. Transport - TCP and UDP; port numbers live here.
  5. Presentation
  6. Application

Setting up firewall rules

* pf - packet filter (built into the kernel, or loaded as a kernel module)

In the "/etc" directory we find a group of files. "rc" is the script that drives the boot sequence. "rc.d" contains the scripts it runs at boot time, including the ones for networking, servers, daemons, jails etc. Which of those scripts actually run is switched on in "rc.conf"; for the firewall that is pf_enable="YES" (the default ruleset file is /etc/pf.conf).

Configuration Details

We apply the rules to the external interface only, not the internal ones (e.g. filter on ex0, and "set skip on lo0" so loopback traffic is never filtered).

"block" statements

First "block all" blocks everything; afterwards we enable only the things we want. pf evaluates the rules in order and the last matching rule wins, so the broad block goes first and the specific pass rules come after it.
antispoof looks for packets that claim to come from a machine other than the one they actually come from, e.g. a packet arriving on the external interface with a source address from our own internal network.

- "block" packets from sources we don't have a route to ("from no-route").
* "quick" means stop here: when a quick rule matches, no later rule can override it.

  • block 'quick' any source that tries to talk to 255.255.255.255 (this is the limited-broadcast address, which reaches every host on the local network; it is an address, not a port).
  • block 'quick' a list of source addresses that can only be fake on the external interface, such as the private ranges 10.0.0.0/8 and 192.168.0.0/16, which are never routed on the Internet.

pass statements

pass out the traffic the host itself starts, like ping, ssh etc. With state kept on the outgoing rule, the replies come back in past "block all" automatically. Now we can:

  • pass in tcp to port ssh, www (80), https (443), 8080 etc.
  • pass in icmp echo requests (ping)

You can create a table <ssh_abuse>. ("persist" keeps the table in the kernel even when no rule refers to it; tables live in memory, not on disk, and are empty again after a reboot.) A pass rule inserts into it with an "overload" clause: a rule like "more than 10 connections per 5 seconds" (max-src-conn-rate 10/5, probably a brute force attempt) adds the offending source address to the table, and a block rule on the table then drops everything from it.
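The rules above collected into one file, as an added example and not the workshop's own pf.conf. It assumes FreeBSD pf, keeps the interface name ex0 from the notes (replace it with the real one from ifconfig), and the <martians> list is my choice of ranges that should never appear as a source on the Internet side:

```pf
# /etc/pf.conf -- added example for a single host with one external interface.
# pf evaluates rules top to bottom; the LAST matching rule wins, except that
# a rule marked "quick" stops evaluation as soon as it matches.
ext_if = "ex0"

# Source ranges that can only be spoofed when seen on ext_if (RFC 1918 private
# space, loopback, link-local, the "this" network). The list is an assumption.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }

# Filled by the overload clause below. "persist" keeps the table in kernel
# memory even when no rule references it; it does NOT store it on disk.
table <ssh_abuse> persist

set skip on lo0           # never filter loopback
set block-policy drop     # drop silently instead of answering with RST/ICMP

scrub in all              # reassemble fragments, normalise odd packets

# Default deny; everything we want is opened explicitly further down.
block all

# Drop packets whose source address does not belong on the interface they
# arrived on (our own network seen coming from outside, and vice versa).
antispoof quick for $ext_if

# Early, unconditional drops on the external interface.
block in quick on $ext_if from no-route to any              # no return route
block in quick on $ext_if from <martians> to any            # fake local sources
block in quick on $ext_if from any to 255.255.255.255       # limited broadcast
block in quick on $ext_if from <ssh_abuse> to any           # brute forcers

# Outbound: the host may start connections (DNS, web, ssh, ping, ...).
# "keep state" lets the replies back in past "block all".
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state

# Inbound services. A source opening more than 10 ssh connections in
# 5 seconds is added to <ssh_abuse> and its existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 10/5, overload <ssh_abuse> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port { www, https, 8080 } \
    flags S/SA keep state

# Allow ping (echo requests only; replies to our own pings are stateful).
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
```

To see the table fill up during a brute-force attempt, run "pfctl -t ssh_abuse -T show"; "pfctl -t ssh_abuse -T flush" empties it again.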

When you enable the firewall, if something goes wrong you are locked out; on a remote box a "block all" without a matching pass rule for ssh kills your own session.
"pfctl -nf $filename" checks the file for syntax and ordering errors without loading it; "pfctl -f $filename" loads the rules and "pfctl -e" enables pf. When working remotely, arrange a way back in before loading, e.g. a background job that runs "pfctl -d" after a minute unless you cancel it from a session that still works.
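The lock-out precaution written out, as an added example that is not part of the workshop: the ruleset is checked with "pfctl -nf" first, a background job is armed to disable pf after a grace period, and the job is cancelled only after you have confirmed you can still log in. It assumes FreeBSD's pfctl; the pid file path and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the workshop): load a pf ruleset on a remote host
# without locking yourself out. "pfctl -nf" parses the file but loads nothing;
# the failsafe job runs "pfctl -d" after $grace seconds unless pf_confirm is
# called from a session that still works. Assumes FreeBSD's pfctl; the pid
# file location is an arbitrary choice.

PF_FAILSAFE_PID=${PF_FAILSAFE_PID:-/tmp/pf_failsafe.pid}

# Syntax and ordering check only; nothing in the kernel changes.
pf_check() {
    pfctl -nf "$1"
}

# Check, arm the failsafe, then load the rules and enable pf.
pf_load_with_failsafe() {
    rules=$1
    grace=${2:-60}
    pf_check "$rules" || return 1
    # Failsafe: if nobody confirms within $grace seconds, switch pf off so
    # the old session (or a fresh ssh login) works again.
    ( sleep "$grace"; pfctl -d ) &
    echo $! > "$PF_FAILSAFE_PID"
    pfctl -f "$rules" || return 1
    pfctl -e 2>/dev/null || true   # fails harmlessly if pf is already enabled
}

# Cancel the failsafe once you have verified that you can still get in.
pf_confirm() {
    [ -f "$PF_FAILSAFE_PID" ] || return 1
    kill "$(cat "$PF_FAILSAFE_PID")" 2>/dev/null
    rm -f "$PF_FAILSAFE_PID"
}

# Usage from an interactive root shell after sourcing this file:
#   pf_load_with_failsafe /etc/pf.conf 60   # now open a second ssh session
#   pf_confirm                              # within 60 s, or pf is disabled again
```

If the second login fails, do nothing: the timer disables pf, the old session comes back, and you can fix the ruleset and try again.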


Now we can install a server, like "nginx", and open its port (www, and https if TLS is used) in the pass rules.


Workshop notes: