Firewall Flashcards
how are firewall rules ordered
traffic is checked for rules in order from most specific to most generic
most specific rule(s) are considered first: ex, inbound traffic on a port # to a specific host
secondary rules are less specific and might include: inbound traffic on a port # to a network segment (subnet)
final rule blocks all traffic that doesn't match the rules above
stateless vs stateful
stateful does everything stateless does (cross-checking source and destination IP addresses and ports against rules), but stateful also inspects the traffic in more detail: contents, behavior, and data changes.
Linux firewalls are managed by iptables or nftables
each has its own command set, or is managed through front-end tools like firewalld (Red Hat) or UFW (Debian)
iptables tables: filter, nat, mangle, raw, security
iptables [options] [-t table] [commands] {chain/rule specification}
filter -default table used for packet filtering
nat -implements NAT rules
mangle -alters packets' TCP/IP headers
raw -configure exceptions for packets involved in connection tracking
security -mark packets with SELinux sec contexts
how to save iptables
rules are lost on reboot, but installing the iptables-services package and issuing: service iptables save
persists the changes
nftables benefits
higher performance and scalability, and integrates IPv4 and IPv6 rules together.
firewalld difference
doesn't need a restart to apply modifications,
uses zones and services instead of chains and rules
rules are applied to services, and each service is assigned to a specific zone.
ex: adding the http service to a perimeter (internet-facing) zone allows incoming connections but denies outgoing access to the network
firewall-cmd commands
firewall-cmd --get-zones : lists all zones
firewall-cmd --zone=dmz :
--list-all
--change-interface=<device> : add interface to the perimeter network
--{add|remove}-service=<service>
--{add|remove}-port=<port>/{tcp|udp}
--reload
all affecting the perimeter network
adding the --permanent flag keeps changes across reboot
--zone=public for internal devices to establish outgoing connections
note: to remote into the server, the firewall must allow the incoming connection (dmz zone)
UFW (Uncomplicated Firewall)
ufw [options] {action}
easy front end for configuring {ip|nf}tables, and can be installed on other distros.
preferred for inexperienced home users.
ex:
allow traffic:
ufw allow http/tcp
turn on logging:
ufw logging on
ufw enable
/etc/default/ufw
configures high-level policy settings
/etc/ufw
directory with more granular configuration files
when to use firewalld vs nftables
firewalld for simple, host-based situations
nftables for complex, high-performance segmentation
ping cmd -c -v
-c {#} number of ping attempts
-v verbose output
mtr cmd
combination of ping & traceroute (tracert); sends batches of packets at a time, tracking round-trip time and lost packets per hop
netstat cmd -v -i [interface] -c -l
shows network connections and can report existing connections, listening ports, NIC info, etc.
-v verbose
-i [interfaces] display info about all or the specified interface(s)
-c continuously print info every second
-l show only ports being listened on