Building a Firewall Using IP Filtering
Introduction to the Firewall Concepts in IPNetRouter
We've all heard the term "firewall" used to describe making a network more secure, but what does this mean? Aren't Internet firewalls supposed to be complicated and expensive? Not at all! This section explains basic IP Filtering firewall concepts and describes how to implement a good level of security against IP based attacks using IPNetRouter.
"Firewall" is actually a generic term for a mechanism that enforces an access policy. The basic building blocks of network firewalls are IP routers with filtering and proxy servers.
A "classic" firewall configuration uses two routers with a "Bastion Host" between them. One or more proxy servers on the Bastion Host selectively authenticate and log specific requests. Since IPNetRouter runs as software on a Macintosh, you can combine the routing, filtering, and proxy function in a single machine which we will hereafter refer to as the gateway.
Consider a Macintosh with two physically seperate Ethernet interfaces (E0 and E1). IPNetRouter provides full IP filtering on each Ethernet interface, and routing between them. Here's a simple block diagram:
IPNetRouter provides one kind of built-in proxy service: NAT (aka IP Masquerading). NAT prevents access from the public Internet to your private LAN, while still allowing clients on your private LAN to access the public Internet. By itself, and with NO filters or port mapping entries added, IPNetRouter completely protects your CLIENT machines from outside access using NAT. (To understand how NAT and IPNetRouter's Exposed Host feature can enhance security, refer to the Inbound Port Mapping section.)
To increase security on your IPNetRouter gateway computer, we recommend that you do not run any servers or server type services (e.g. web sharing) on your gateway machine unless it is your intention to provide public access to these services. Not using services that are not necessary or are not required is a good "passive" security practice.
In summary, just by running IPNetRouter as a NAT router, your network becomes very secure and you actually have quite a solid firewall in place. There is, however, the possibility of unauthorized use or remote harm on your gateway or attached networks. To prevent this IPNetRouter uses IP packet filters. IP Filters can block access to the gateway and the network it controls from unauthorized sources. In the following section a tutorial is provided describing how this can be done.
A Full Firewall for a Static IP Gateway
Let's assume that:
- We have a static IP address for our gateway machine.
- Only the gateway machine will have access to BOTH the Internet and our private LAN and it is running an email server.
- Our client machines will access the gateway machine to retrieve/send email but NOT have access to the Internet.
- There will be no outside access from the Internet to any of our client machines.
- On the gateway machine, our Internet connection is via the built-in ethernet port and our private LAN is connected to the slot 1 ethernet port.
- We want to be absolutely sure that ONLY our designated client machines will be able to access our gateway machine(e.g. prevent IP spoofing).
To create a firewall for this situation we must use IP filters.
Starting from the block diagram above we would configure the filters as follows:
- Set the filter on the Internet side to block any inbound packets whose source IP address matches the network number used for our LAN and the gateway itself. This insures any packets received by the gateway with the source IP address from our LAN must have come from our LAN (no IP spoofing from the public Internet is allowed).
- Set the filter on the Internet side to block any outgoing packets that don't originate from the gateway itself (source IP address must match the IP address of the gateway).
- Similarly, set the filter on the LAN side to block any outbound packets that don't originate from the gateway.
- Set the filter on the LAN side to block any inbound packets that are not from our LAN (source IP address does not match the network number of our LAN). This prevents machines on our LAN from trying to use a different network number (IP spoofing), and also prevents packets from our LAN being forwarded to the Internet since the filter on the Internet side will only pass packets that originate from the gateway, not from our LAN.
With this setup, no traffic can be routed directly between the Internet and our LAN. It must pass through a server on the gateway and then be resent from the gateway itself (only the gateway is allowed to originate traffic in both directions).
By putting a mail server on the gateway, hosts on our LAN and hosts on the public Internet can both send and receive email from this server, but can never talk to each other directly. We can now post company information on our "Intranet" using web servers on the LAN. The public Internet will never be able to see these servers since they are behind our firewall.
Here's what this setup might look like using IPNetRouter. Suppose we have been assigned a static IP address of 22.214.171.124 by our ISP, and will use IP addresses from the range 192.168.0.x for our LAN. The filters described above can be specified as follows.
(NOTE: the list window above has been expanded to show all 8 filters at once).
The 126.96.36.199 address is used on E0 (Ethernet Built-in) attached to the public Internet.
We use 192.168.0.1 on E1 (Ethernet Slot 1) attached to our LAN.
Filters are invoked from TOP to BOTTOM. Hence the strategy is to first add a filter which BLOCKS all traffic on a specific interface, then add a PASS filter which will permit specific connections (datagrams). This is typically refered to as "punching a hole" into a firewall.
How does this work? Let's examine the filter order as seen by IPNetRouter:
Filter Order (top to bottom)
||The first filter PASSes all packets RECEIVED on our slot 1 ethernet port which originated from our private subnet (only machines in our 192.168.0.1/24 subnet).
||Net Result of Filters 1 & 2: Only client machines connected through the slot 1 port within our designated 192.168.0.1/24 subnet can use the IPNetRouter gateway.
||2nd Filter: All other RECEIVED packets on this slot 1 interface are BLOCKed.
||3rd Filter: This filter PASSes all packets SENT from the gateway onto the private LAN.
||Net Result of Filters 3 & 4: Only packets originating from the gateway machine can be SENT out to our client machines.
||4th Filter: All other packets SENT out of the gateway onto the private LAN to any other machine are BLOCKed.
||5th Filter: This filter permits the gateway machine to SEND packets out to the Internet over the built-in ethernet port.
||Net Result of Filters 5 & 6: Only packets originating from the gateway machine can be SENT out to the Internet.
||Filter: All other packets SENT out of the gateway to the Internet are BLOCKed.
||This filter BLOCKs all packets from the Internet which claim to originate from the same IP address as our gateway.
||Net Result of Filter 7: Our gateway has a unique, public IP address. No other packets received should have this same IP address...if so, BLOCK them.
||This filter BLOCKs any packets received from the public Internet that claim to originate from our private LAN (192.168.0.1/24)
||Net Result of Filter 8: Our private subnet is strictly reserved to be used by client machines connected through the Slot 1 interface. All external attempts to use the gateway from a machine on the Internet and having an IP address within our private subnet will be BLOCKed.
Filtering is performed before Network Address Translation (NAT) for transmitted datagrams, and after NAT for received datagrams. This allows you to filter on the "Actual LAN Address" as opposed to the "Apparent Gateway Address".
A More Practical Firewall for a Static IP Gateway
If you carefully followed the example above, you will note that this is an absolute firewall. Not only will it prevent outside users from getting in to your LAN, but it will also prevent any client machines from getting out to the Internet! This is the way most good network administrators start building a firewall:
1. First prevent all access.
2. Then permit any specific access on a case by case basis (commonly called "punching holes in a firewall").
Most users of IPNetRouter, however, want all client machines to have access to the Internet, while preventing any intrusions into their client machines or unauthorized use of their router. If you followed the example above, and understand the net results of invoking all of the eight filters, you will see that the way to let the client machines access the Internet is to remove filter lines 3, 4, 5 and 6 of the above example.
This is what the IP Filtering window would look like (once again assuming the fixed IP address you have been assigned is 188.8.131.52):
A More Practical Firewall for users with a Dynamic IP Address
Cable modem users are often assigned a dynamic IP address (through DHCP from their ISP), but still want the protection of a firewall while letting all their client machines access to the Internet. In this case, we simply replace the filter with the fixed IP address (second line from the bottom) with an entry for a dynamic IP address. To do this, just enter 0.0.0.1/32 in the Source Net edit box. Your IP Filtering window should appear similar to this:
Passing DHCP with LAN IP Filtering
If you are using the DHCP server within IPNetRouter to dynamically assign IP addresses on your private LAN, then you have to add yet one more PASS filter to any of the above examples. The reason is that we are BLOCKING all incoming packets into the Slot 1 ethernet interface which are not originating from the local 192.168.0.1/24 subnet...and our client machines do not yet have an IP address in this subnet range (remember, these client machines are using DHCP to get an IP address assigned to them).
To remedy this, we add the following filter which permits incoming DHCP discover and request messages:
This filter PASSes all UDP protocol port 68 messages (DHCP negotiation messages) which are received on our internal ethernet interface (see above for full example) so that the DHCP server within IPNetRouter can handle them.
Passing "Local NAT" with LAN IP Filtering
If you are using the "Enable Local NAT" feature of IPNetRouter to access a server behind your gateway using its public IP address, then you have to add yet one more PASS filter to any of the above examples. The reason is that we are BLOCKING all incoming packets into the Slot 1 (LAN) ethernet interface which are not originating from the local 192.168.0.1/24 subnet...but the Local NAT function is translating packets to the gateways public address to appear as if they originate from the gateways public address (184.108.40.206/32 or dynamic/32) so the response can be routed back correctly. This translation occurs before IP filtering for incoming packets, so the packets appear to originate from outside our LAN.
To remedy this, we add the following filter which permits Enable Local NAT to function normally:
Or, if our public IP address is static, we could also use the following filter:
Blocking Gateway Spoofing Inside the LAN
There is a filter which can be added to the top of each of the above examples which will even further secure your private LAN. Most of the time this is not necessary, since most users of IPNetRouter are also the administrator of their own small private LAN. This filter simply ensures that no one else on the private LAN is claiming to be the gateway machine (which is not an easy thing to do anyway...since you would have to spoof packets). This filter would look like this:
With this filter, all packets RECEIVED on the slot 1 interface and claiming to be from 192.168.0.1 (our IPNetRouter address) would be BLOCKed.
But, as mentioned previously, if you are in control of all the machines on your private LAN, there is very little use or need for this additional filter.
Order of NAT, Filtering, and Routing
Proxy instance Proxy instance
Internet <---> NAT-Filtering <---> IP <---> Filtering-NAT <---> LAN
Consider a packet travelling from the Internet to the LAN (left to right). Following the diagram above the order of processing is:
- Packet originates from Internet
- NAT on Internet side of gateway (reverse IP masquerading)
- Filtering on Internet side of gateway
- Routed by IP
- Filtering on LAN side of gateway
- NAT on LAN side of gateway (no operation).
- Packet delivered to LAN
For packets from the LAN to the Internet, the order is reversed. Following the diagram from right to left:
- Packet originates from LAN
- NAT on LAN side of gateway if Local NAT is enabled
- Filtering on LAN side of gateway
- Routed by IP
- Filtering on Internet side of gateway
- NAT (IP masquerading) on Internet side of gateway
- Packet sent on to destination on Internet
The Single Ethernet case is similar except that Local NAT is not available. Specifically, the instance of the Proxy module enabled for IP masquerading is now also processing packets between IP and the LAN. It does not translate datagrams to or from our "Private Network" so that IP masquerading will work correctly in this configuration. More information about NAT and Security is covered in the "Inbound Port Mapping" section.
Firewalls don't have to be complicated or expensive. A firewall is simply a mechanism for enforcing an access policy. The first step in choosing a firewall is to consider what access policies you wish to enforce. Using IPNetRouter, you can turn an existing Mac into a rock solid IP firewall---for a lot less $ than any other commercial hardware based firewall router.
Just remember: first BLOCK...then PASS (and you only have to enter PASS filters when you want to punch holes in your Firewall).
There's lots of information about "firewalls" available on the web. Visit your favorite web search engine for more information.
Copyright 2000 by Sustainable Softworks.