
2. Background Knowledge

2.1 What is a firewall?

A firewall is, in its simplest form, a device that connects two networks and controls the traffic that may pass between those networks. Generally a firewall is used to make sure outsiders can only access those resources the administrator wishes to make available to the public.

The most common way to do this is through packet filters. A packet filter identifies network traffic by its source and destination, using IP addresses and possibly port numbers. Once traffic has been identified it can be permitted, blocked, or subjected to further processing.

Some resources for more information on firewalls:

2.2 What is a Boundary Network or DMZ?

A common network configuration is to have two firewalls: one between the public Internet and a small “boundary network” or “Demilitarized Zone” (DMZ), where publicly-visible computers (e.g. a public HTTP and FTP server, the public mail server) are attached. Then a second firewall is placed between the boundary network and the private network.

This way both the public and the users on the private network have access to the servers on the boundary network, but an attacker on the Internet would have to penetrate two firewalls to gain access to the private network. This allows much more control over access, and separating the security between the public and the boundary network from the security between the public and the private network makes it easier to design and audit the firewall system as a whole. It also spreads the packet filtering load over two machines.

2.3 What is a firewall script?

A firewall script is a shell script that contains a series of firewall commands that configure the operating system's packet filters. Typically this script is run whenever the firewall system is rebooted.

Firewall scripts usually define environment variables to improve their readability. The firewall script examples in this document will do this as well.

Here are the firewall environment variables used in our examples:

These variables would be set at the top of your firewall script.

2.4 What is a tarpit?

A tar pit is a big pit with tar in it. Large animals would become mired in the tar and eventually die through starvation or suffocation. When applied to a network firewall, it means much the same thing.

The TCP communication protocol provides flow control settings that allow the communicating computers to set the size of the data packets being exchanged, and it ensures reliable communication by retransmitting packets whose receipt has not been acknowledged.

A TCP tarpit is a program that uses these flow control settings to, essentially, prevent communication rather than facilitate it. It sets the packet data size and the “unacknowledged data” (window) size parameters to very low values (e.g. the protocol overhead plus only one data byte), which slows the transmission rate to a trickle. It then never acknowledges the packets it receives, so transmission of that one byte is retried over and over, ideally bringing the transmitting program (the scanning tool or worm) to a virtual halt for several hours.
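As an added illustration (not LaBrea's code, and not from the original HOWTO), the following Python sketch shows the window-starvation half of this mechanism using ordinary sockets: a listener advertises a tiny receive window and never reads, so the sender's window drops to zero and its transmission stalls. The "never acknowledge" half requires raw packet handling, as LaBrea does, and is not reproduced here; the loopback addresses, buffer sizes and 1.5-second timeout are assumptions for a local run.

```python
import socket
import threading
import time

def start_tarpit_listener(rcvbuf=1024):
    """Listen on 127.0.0.1 with a minimal receive buffer; accepted connections are never read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # A tiny receive buffer means a tiny advertised window; accepted sockets inherit it.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets alive: open, unread, window stuck at zero

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            held.append(conn)
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def measure_sender_stall(port, payload=200_000, timeout=1.5, sndbuf=4096):
    """Push `payload` bytes at the tarpit and report how much got out before send() blocked."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Pin the send buffer so loopback autotuning cannot mask the stall with megabytes of local buffering.
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, sndbuf)
    cli.settimeout(timeout)
    cli.connect(("127.0.0.1", port))
    chunk = b"A" * 4096
    sent, stalled = 0, False
    t0 = time.monotonic()
    while sent < payload:
        try:
            sent += cli.send(chunk)
        except socket.timeout:
            stalled = True  # the peer's window is zero; the kernel has nowhere to put more data
            break
    cli.close()
    return {"bytes_sent": sent, "stalled": stalled, "seconds": time.monotonic() - t0}

def demo():
    # Constructed local run: tarpit and sender both on loopback, no external traffic.
    srv, port = start_tarpit_listener()
    try:
        return measure_sender_stall(port)
    finally:
        srv.close()
```

Running demo() shows only a few kilobytes leaving the sender before it blocks for the full timeout; a real scanner or worm with many such connections spends its time waiting on zero-window probes and retransmissions instead of finding hosts.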

More information is available on the LaBrea website at http://www.hackbusters.net/LaBrea/ - this site is required reading.

2.5 What is Transparent Proxy?

Transparent Proxy is a facility provided by the Linux kernel. It provides the capability of taking traffic that would normally pass through a gateway and redirecting it instead to the gateway itself.

The most common application for this is transparent proxy of HTTP traffic. The firewall redirects traffic destined for port 80 on some other computer to the local port on the firewall that the proxy server is listening on. This way web browsers on the local network can browse the Internet via the proxy, without being explicitly told to use the proxy.

We will use this facility to enable us to detect scans of the entire boundary network, not just scans of the outer firewall itself.

More information (focusing on the use of transparent proxy in the above HTTP setting) is available on the LinuxDoc website at http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html
