User Guide
Contents
Building a Firewall Using IP Filtering
- Introduction to the Firewall Concepts in IPNetRouter
- A Full Firewall for a Static IP Gateway
- A More Practical Firewall for a Static IP Gateway
- A More Practical Firewall for users with a Dynamic IP Address
- Passing DHCP with LAN IP Filtering
- Passing "Local NAT" with LAN IP Filtering
- Blocking Gateway Spoofing Inside the LAN
- Order of NAT, Filtering, and Routing
Introduction to the Firewall Concepts in IPNetRouter
We've all heard the term "firewall" used to describe
making a network more secure, but what does this mean? Aren't Internet
firewalls supposed to be complicated and expensive? Not at all!
This section explains basic IP Filtering firewall concepts and describes
how to implement a good level of security against IP based attacks
using IPNetRouter.
"Firewall" is actually a generic term for a mechanism
that enforces an access policy. The basic building blocks of network
firewalls are IP routers with filtering and proxy servers.
A "classic" firewall configuration uses two routers with
a "Bastion Host" between them. One or more proxy servers
on the Bastion Host selectively authenticate and log specific requests.
Since IPNetRouter runs as software on a Macintosh, you can combine
the routing, filtering, and proxy function in a single machine which
we will hereafter refer to as the gateway.
Consider a Macintosh with two physically separate Ethernet interfaces
(E0 and E1). IPNetRouter provides full IP filtering on each Ethernet
interface, and routing between them. Here's a simple block diagram:
IPNetRouter provides one kind of built-in proxy service: NAT (aka
IP Masquerading). NAT prevents access from the public Internet to
your private LAN, while still allowing clients on your private LAN
to access the public Internet. By itself, and with NO filters
or port mapping entries added, IPNetRouter completely protects your
CLIENT machines from outside access using NAT. (To understand
how NAT and IPNetRouter's Exposed Host feature can enhance security,
refer to the Inbound Port Mapping section.)
To increase security on your IPNetRouter gateway computer, we recommend
that you do not run any servers or server type services (e.g. web
sharing) on your gateway machine unless it is your intention to
provide public access to these services. Not running services that
are not required is a good "passive" security practice.
In summary, just by running IPNetRouter as a NAT router, your network
becomes very secure and you actually have quite a solid firewall
in place. There is, however, the possibility of unauthorized
use or remote harm on your gateway or attached networks. To
prevent this IPNetRouter uses IP packet filters. IP Filters can
block access to the gateway and the network it controls from unauthorized
sources. In the following section a tutorial is provided describing
how this can be done.
A Full Firewall for a Static IP Gateway
Let's assume that:
- We have a static IP address for our gateway machine.
- Only the gateway machine will have access to BOTH the Internet
and our private LAN and it is running an email server.
- Our client machines will access the gateway machine to retrieve/send
email but NOT have access to the Internet.
- There will be no outside access from the Internet to any of
our client machines.
- On the gateway machine, our Internet connection is via the built-in
ethernet port and our private LAN is connected to the slot 1 ethernet
port.
- We want to be absolutely sure that ONLY our designated client
machines will be able to access our gateway machine (e.g. prevent
IP spoofing).
To create a firewall for this situation we must use IP filters.
Starting from the block diagram above we would configure the filters
as follows:
- Set the filter on the Internet side to block any inbound packets
whose source IP address matches the network number used for our
LAN and the gateway itself. This ensures any packets received
by the gateway with the source IP address from our LAN must have
come from our LAN (no IP spoofing from the public Internet is
allowed).
- Set the filter on the Internet side to block any outgoing packets
that don't originate from the gateway itself (source IP address
must match the IP address of the gateway).
- Similarly, set the filter on the LAN side to block any outbound
packets that don't originate from the gateway.
- Set the filter on the LAN side to block any inbound packets
that are not from our LAN (source IP address does not match the
network number of our LAN). This prevents machines on our LAN
from trying to use a different network number (IP spoofing), and
also prevents packets from our LAN being forwarded to the Internet
since the filter on the Internet side will only pass packets that
originate from the gateway, not from our LAN.
With this setup, no traffic can be routed directly between the
Internet and our LAN. It must pass through a server on the gateway
and then be resent from the gateway itself (only the gateway is
allowed to originate traffic in both directions).
By putting a mail server on the gateway, hosts on our LAN and hosts
on the public Internet can both send and receive email from this
server, but can never talk to each other directly. We can now post
company information on our "Intranet" using web servers
on the LAN. The public Internet will never be able to see these
servers since they are behind our firewall.
Here's what this setup might look like using IPNetRouter. Suppose
we have been assigned a static IP address of 201.115.101.231 by
our ISP, and will use IP addresses from the range 192.168.0.x for
our LAN. The filters described above can be specified as follows.
Eight IP Filters. Note that the filter add order is the reverse
of the filter resolution order.
The 201.115.101.231 address is used on E0 (Ethernet Built-in) attached
to the public Internet.
We use 192.168.0.1 on E1 (Ethernet Slot 1) attached to our LAN.
Filters are invoked from TOP to BOTTOM. Hence the strategy is to
first add a filter which BLOCKS all traffic on a specific interface,
then add a PASS filter which will permit specific connections (datagrams).
This is typically referred to as "punching a hole" into
a firewall.
How does this work? Let's examine the filter order as seen by IPNetRouter:
Filter Resolution Order (top to bottom), with the description and net result of each filter:
- Top (1st filter): PASSes all packets RECEIVED on our slot 1 ethernet port which originated from our private subnet (only machines in our 192.168.0.1/24 subnet).
- 2nd filter: All other RECEIVED packets on this slot 1 interface are BLOCKed.
  Net result of filters 1 & 2: Only client machines connected through the slot 1 port within our designated 192.168.0.1/24 subnet can use the IPNetRouter gateway.
- 3rd filter: PASSes all packets SENT from the gateway onto the private LAN.
- 4th filter: All other packets SENT out of the gateway onto the private LAN to any other machine are BLOCKed.
  Net result of filters 3 & 4: Only packets originating from the gateway machine can be SENT out to our client machines.
- 5th filter: Permits the gateway machine to SEND packets out to the Internet over the built-in ethernet port.
- 6th filter: All other packets SENT out of the gateway to the Internet are BLOCKed.
  Net result of filters 5 & 6: Only packets originating from the gateway machine can be SENT out to the Internet.
- 7th filter: BLOCKs all packets from the Internet which claim to originate from the same IP address as our gateway.
  Net result of filter 7: Our gateway has a unique, public IP address. No other packets received should have this same IP address; if they do, BLOCK them.
- Bottom (8th filter): BLOCKs any packets received from the public Internet that claim to originate from our private LAN (192.168.0.1/24).
  Net result of filter 8: Our private subnet is strictly reserved for client machines connected through the Slot 1 interface. All external attempts to use the gateway from a machine on the Internet having an IP address within our private subnet will be BLOCKed.
Filtering is performed before Network Address Translation (NAT)
for transmitted datagrams, and after NAT for received datagrams.
This allows you to filter on the "Actual LAN Address"
as opposed to the "Apparent Gateway Address".
A More Practical Firewall for a Static IP Gateway
If you carefully followed the example above, you will note that
this is an absolute firewall. Not only will it prevent outside users
from getting in to your LAN, but it will also prevent any client
machines from getting out to the Internet! This is the way most
good network administrators start building a firewall:
1. First prevent all access.
2. Then permit any specific access on a case by case basis (commonly
called "punching holes in a firewall").
Most users of IPNetRouter, however, want all client machines to
have access to the Internet, while preventing any intrusions into
their client machines or unauthorized use of their router. If you
followed the example above, and understand the net results of invoking
all of the eight filters, you will see that the way to let the client
machines access the Internet is to remove filter lines 3, 4, 5 and
6 of the above example.
This is what the IP Filtering window would look like (once again
assuming the fixed IP address you have been assigned is 201.115.101.231):
A More Practical Firewall for users with a Dynamic IP Address
Cable and DSL modem users are often assigned a dynamic IP address
(through DHCP from their ISP), but still want the protection of
a firewall while letting all their client machines access the
Internet. In this case, we simply replace the fixed-IP-address filter
(second line from the bottom) with an entry for a dynamic
IP address. To do this, just enter 0.0.0.1/32 in the Source Net
edit box. Your IP Filtering window should appear similar to this:
Note that the 0.0.0.1 address is replaced by the word "dynamic"
in IPNetRouter's Interface.
Passing DHCP with LAN IP Filtering
If you are using the DHCP server within IPNetRouter to dynamically
assign IP addresses on your private LAN, then you have to add yet
one more PASS filter to any of the above examples. The reason is
that we are BLOCKING all incoming packets into the Slot 1 ethernet
interface which are not originating from the local 192.168.0.1/24
subnet...and our client machines do not yet have an IP address in
this subnet range (remember, these client machines are using DHCP
to get an IP address assigned to them).
To remedy this, we add the following filter which permits incoming
DHCP discover and request messages:
This filter PASSes all UDP protocol port 68 messages (DHCP negotiation
messages) which are received on our internal ethernet interface
(see above for full example) so that the DHCP server within IPNetRouter
can handle them.
Passing "Local NAT" with LAN IP Filtering
If you are using the optional "Enable Local NAT" feature
of IPNetRouter to access a server behind your gateway using its
public IP address, then you have to add yet one more PASS filter
to any of the above examples. The reason is that we are BLOCKING
all incoming packets into the Slot 1 (LAN) ethernet interface which
are not originating from the local 192.168.0.1/24 subnet...but the
Local NAT function is translating packets to the gateway's public
address to appear as if they originate from the gateway's public
address (201.115.101.231/32 or dynamic/32) so the response can be
routed back correctly. This translation occurs before IP filtering
for incoming packets, so the packets appear to originate from outside
our LAN.
To remedy this, we add the following filter which permits Enable
Local NAT to function normally:
Or, if our public IP address is static, we could also use the following
filter:
Blocking Gateway Spoofing Inside the LAN
There is a filter which can be added to the top of each of the
above examples which will even further secure your private LAN.
Most of the time this is not necessary, since most users of IPNetRouter
are also the administrator of their own small private LAN. This
filter simply ensures that no one else on the private LAN is claiming
to be the gateway machine (which is not an easy thing to do anyway...since
you would have to spoof packets). This filter would look like this:
With this filter, all packets RECEIVED on the slot 1 interface
and claiming to be from 192.168.0.1 (our IPNetRouter address) would
be BLOCKed.
But, as mentioned previously, if you are in control of all the
machines on your private LAN, there is very little use or need for
this additional filter.
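The following Python model is added to this guide as a worked example; it is not IPNetRouter code and uses no IPNetRouter API. It evaluates the filter lists from the sections above (the eight-filter full firewall, the more practical static and dynamic variants, and the DHCP, Local NAT and gateway-spoofing filters) with the same top-to-bottom, first-match resolution the guide describes. Assumptions, not from the guide: a packet no filter matches is passed (which is what lets Internet hosts reach the mail server on the gateway); a port filter matches either port of a packet; the "dynamic" entry is resolved against the gateway's current public address at match time; and 198.51.100.7 and 203.0.113.9 are constructed documentation addresses standing in for Internet hosts.

```python
"""First-match IP filter evaluator modelling the IPNetRouter filter lists in this guide."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses used in the guide's example. The guide writes the LAN as 192.168.0.1/24;
# ip_network(..., strict=False) masks the host bits so it means 192.168.0.0/24.
GATEWAY_PUBLIC = "201.115.101.231/32"
GATEWAY_LAN = "192.168.0.1/32"
LAN_NET = "192.168.0.1/24"
DEFAULT_PUBLIC_IP = "201.115.101.231"


@dataclass(frozen=True)
class Packet:
    iface: str          # "E0" = built-in Ethernet (Internet side), "E1" = slot 1 Ethernet (LAN side)
    direction: str      # "recv" or "send", as seen by the gateway
    src: str            # source address as the filter sees it (after NAT on recv, before NAT on send)
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Filter:
    action: str                     # "PASS" or "BLOCK"
    iface: str
    direction: str
    src_net: Optional[str] = None   # None = any source; "dynamic" stands for the 0.0.0.1/32 entry
    proto: Optional[str] = None
    port: Optional[int] = None      # assumption: matches the packet's source or destination port

    def matches(self, pkt: Packet, public_ip: str) -> bool:
        if (self.iface, self.direction) != (pkt.iface, pkt.direction):
            return False
        if self.src_net is not None:
            net = public_ip + "/32" if self.src_net == "dynamic" else self.src_net
            if ip_address(pkt.src) not in ip_network(net, strict=False):
                return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


def resolve(filters: List[Filter], pkt: Packet, public_ip: str = DEFAULT_PUBLIC_IP) -> Tuple[str, int]:
    """Filters are invoked top to bottom; the first match decides.
    Returns (action, 1-based position of the deciding filter), or ("PASS", 0) when nothing
    matched (assumption: an unmatched packet is passed)."""
    for position, f in enumerate(filters, 1):
        if f.matches(pkt, public_ip):
            return f.action, position
    return "PASS", 0


# The eight filters of "A Full Firewall for a Static IP Gateway", in resolution order.
FULL_FIREWALL = [
    Filter("PASS", "E1", "recv", LAN_NET),          # 1: LAN clients in our subnet may use the gateway
    Filter("BLOCK", "E1", "recv"),                  # 2: any other source on the LAN port is blocked
    Filter("PASS", "E1", "send", GATEWAY_LAN),      # 3: only the gateway itself may send onto the LAN
    Filter("BLOCK", "E1", "send"),                  # 4: nothing is forwarded onto the LAN
    Filter("PASS", "E0", "send", GATEWAY_PUBLIC),   # 5: only the gateway itself may send to the Internet
    Filter("BLOCK", "E0", "send"),                  # 6: nothing is forwarded out to the Internet
    Filter("BLOCK", "E0", "recv", GATEWAY_PUBLIC),  # 7: outside packets may not claim our public address
    Filter("BLOCK", "E0", "recv", LAN_NET),         # 8: outside packets may not claim our private subnet
]

# "A More Practical Firewall": remove filters 3-6 so client traffic can be routed through NAT.
PRACTICAL_FIREWALL = FULL_FIREWALL[:2] + FULL_FIREWALL[6:]

# Dynamic-address variant: the fixed-address anti-spoofing filter becomes a "dynamic" entry.
DYNAMIC_FIREWALL = PRACTICAL_FIREWALL[:2] + [Filter("BLOCK", "E0", "recv", "dynamic"), PRACTICAL_FIREWALL[3]]

# Holes and extra blocks from the later sections; each is added at the TOP of a list.
DHCP_HOLE = Filter("PASS", "E1", "recv", proto="udp", port=68)    # clients have no address yet
LOCAL_NAT_HOLE = Filter("PASS", "E1", "recv", GATEWAY_PUBLIC)     # Local NAT re-sources packets from our public address
GATEWAY_SPOOF_BLOCK = Filter("BLOCK", "E1", "recv", GATEWAY_LAN)  # nobody on the LAN may claim 192.168.0.1


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.7 is a documentation address standing in for an Internet host.
    samples = [
        Packet("E0", "recv", "198.51.100.7"),            # Internet host talking to the gateway
        Packet("E0", "recv", "192.168.0.5"),             # Internet packet spoofing our private subnet
        Packet("E1", "recv", "10.0.0.5"),                # LAN machine using a foreign network number
        Packet("E1", "send", "198.51.100.7"),            # Internet packet being forwarded onto the LAN
        Packet("E0", "send", "192.168.0.5"),             # LAN client being forwarded out (pre-NAT source)
        Packet("E1", "recv", "0.0.0.0", "udp", 68, 67),  # DHCP discover from an unconfigured client
    ]
    variants = [("full", FULL_FIREWALL), ("practical", PRACTICAL_FIREWALL),
                ("practical+DHCP", [DHCP_HOLE] + PRACTICAL_FIREWALL)]
    for name, fw in variants:
        for pkt in samples:
            print(f"{name:15} {pkt.iface} {pkt.direction:4} {pkt.src:16} -> {resolve(fw, pkt)}")
```

Running the script prints, for each variant, which filter position decided each sample packet; the full firewall blocks the forwarded client packets at positions 4 and 6, the practical variant lets them through with no match, and only the list with DHCP_HOLE at the top passes the discover from 0.0.0.0.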
Order of NAT, Filtering, and Routing
                 Proxy instance                        Proxy instance
Internet <---> NAT <-> Filtering <---> IP <---> Filtering <-> NAT <---> LAN
Consider a packet travelling from the Internet to the LAN (left
to right). Following the diagram above the order of processing is:
- Packet originates from Internet
- NAT on Internet side of gateway (reverse IP masquerading)
- Filtering on Internet side of gateway
- Routed by IP
- Filtering on LAN side of gateway
- NAT on LAN side of gateway (no operation).
- Packet delivered to LAN
For packets from the LAN to the Internet, the order is reversed.
Following the diagram from right to left:
- Packet originates from LAN
- NAT on LAN side of gateway if Local NAT is enabled (optional)
- Filtering on LAN side of gateway
- Routed by IP
- Filtering on Internet side of gateway
- NAT (IP masquerading) on Internet side of gateway
- Packet sent on to destination on Internet
The Single Ethernet case is similar except that Local NAT is not
available. Specifically, the instance of the Proxy module enabled
for IP masquerading is now also processing packets between IP and
the LAN. It does not translate datagrams to or from our "Private
Network" so that IP masquerading will work correctly in this
configuration. More information about NAT and Security is covered
in the "Inbound Port Mapping"
section.
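To make the processing order above concrete, here is an added Python walk-through of a packet through the NAT, filtering and routing stages of the diagram; it is example code written for this guide, not IPNetRouter's implementation. It shows why the Internet-side filter sees the "Actual LAN Address" (reverse masquerading runs before filtering on receive, and filtering runs before masquerading on send), why an unsolicited packet to the public address is dropped by NAT alone, and why the full firewall's Internet-side send filter stops client traffic before it is ever masqueraded. Assumptions: the masquerade table is a simple port map starting at port 20000, Local NAT is left disabled (the LAN-side NAT stage is a no-op), the filters are the "more practical" example expressed as predicates, and 198.51.100.7 is a constructed documentation address standing in for an Internet host.

```python
"""Packet walk through the NAT -> Filtering -> IP -> Filtering -> NAT chain of the diagram."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC_IP = "201.115.101.231"           # gateway's public address in the guide's example
LAN_NET = ip_network("192.168.0.0/24")  # the guide's private subnet


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Minimal IP masquerading table: (LAN address, port) <-> port on the public address."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port: Dict[int, Tuple[str, int]] = {}
        self.by_lan: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Pkt) -> Pkt:
        """LAN -> Internet: replace the LAN source with the public address and a mapped port."""
        key = (pkt.src, pkt.sport)
        if key not in self.by_lan:
            self.by_lan[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.by_lan[key])

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Internet -> LAN: restore the LAN destination, or None when no client asked for it."""
        if pkt.dst != self.public_ip or pkt.dport not in self.by_public_port:
            return None
        lan_ip, lan_port = self.by_public_port[pkt.dport]
        return replace(pkt, dst=lan_ip, dport=lan_port)


FilterFn = Callable[[str, Pkt], bool]  # (direction "recv"/"send", packet) -> True means PASS


class Gateway:
    def __init__(self, lan_filter: FilterFn, inet_filter: FilterFn) -> None:
        self.nat = Masquerade(PUBLIC_IP)
        self.lan_filter, self.inet_filter = lan_filter, inet_filter

    def lan_to_internet(self, pkt: Pkt) -> Tuple[Optional[Pkt], List[str]]:
        trace = ["LAN", "NAT on LAN side (no operation, Local NAT disabled)"]
        if not self.lan_filter("recv", pkt):
            return None, trace + ["BLOCKED by LAN filter (recv)"]
        trace += ["LAN filter", "IP route"]
        # Filtering precedes masquerading on send, so this filter still sees the real LAN source.
        if not self.inet_filter("send", pkt):
            return None, trace + ["BLOCKED by Internet filter (send)"]
        trace.append("Internet filter")
        return self.nat.outbound(pkt), trace + ["NAT masquerade", "Internet"]

    def internet_to_lan(self, pkt: Pkt) -> Tuple[Optional[Pkt], List[str]]:
        trace = ["Internet"]
        # Reverse masquerading runs first, so the filter sees the actual LAN destination.
        translated = self.nat.inbound(pkt)
        if translated is None:
            return None, trace + ["DROPPED by NAT: no mapping for this port"]
        trace.append("NAT reverse masquerade")
        if not self.inet_filter("recv", translated):
            return None, trace + ["BLOCKED by Internet filter (recv)"]
        trace += ["Internet filter", "IP route"]
        if not self.lan_filter("send", translated):
            return None, trace + ["BLOCKED by LAN filter (send)"]
        return translated, trace + ["LAN filter", "NAT on LAN side (no operation)", "LAN"]


# The "more practical" filters as predicates: LAN side passes only our subnet on receive,
# Internet side blocks received packets claiming our public address or our private subnet.
def practical_lan_filter(direction: str, pkt: Pkt) -> bool:
    return direction == "send" or ip_address(pkt.src) in LAN_NET


def practical_inet_filter(direction: str, pkt: Pkt) -> bool:
    if direction == "send":
        return True
    return pkt.src != PUBLIC_IP and ip_address(pkt.src) not in LAN_NET


def full_inet_filter(direction: str, pkt: Pkt) -> bool:
    """The absolute firewall's Internet side: only the gateway itself may send."""
    if direction == "send":
        return pkt.src == PUBLIC_IP
    return practical_inet_filter(direction, pkt)


if __name__ == "__main__":
    gw = Gateway(practical_lan_filter, practical_inet_filter)
    for label, result in [
        ("client request", gw.lan_to_internet(Pkt("192.168.0.5", 40000, "198.51.100.7", 80))),
        ("server reply", gw.internet_to_lan(Pkt("198.51.100.7", 80, PUBLIC_IP, 20000))),
        ("unsolicited", gw.internet_to_lan(Pkt("198.51.100.7", 80, PUBLIC_IP, 23))),
        ("spoofed reply", gw.internet_to_lan(Pkt("192.168.0.9", 80, PUBLIC_IP, 20000))),
    ]:
        print(f"{label:15} {result[0]}  via {' -> '.join(result[1])}")
```

The trace returned with each packet lists the stages in the order the diagram shows them; swapping in full_inet_filter for the Internet side reproduces the full-firewall behaviour, where the client's request is blocked at the Internet-side send filter before NAT ever rewrites it.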
Conclusion
Firewalls don't have to be complicated or expensive. A firewall
is simply a mechanism for enforcing an access policy. The first
step in choosing a firewall is to consider what access policies
you wish to enforce. Using IPNetRouter, you can turn an existing
Mac into a rock solid IP firewall---for a lot less $ than any other
commercial hardware based firewall router.
Just remember: first BLOCK...then PASS (and you only have to enter
PASS filters when you want to punch holes in your Firewall).
There's lots of information about "firewalls" available
on the web. Visit your favorite web search engine for more information.