Firewall

Question 1

how are firewall rules ordered

Answer 1

traffic is checked for rules in order from most specific to most generic

most specific considered first rule(s): ex, inbound traffic port # to specific host

secondary rules are lesser in specificity and might include: inbound traffic port # network segment (subnet)

final rules would be to block all traffic that doesn’t match the above rules

Question 2

stateless vs stateful

Answer 2

stateful contains the jobs of stateless cross-checking port and IP source and destination addresses against rules, but stateful also inspects the traffic in more detail: contents, behavior, and data changes.

Question 3

Linux firewalls managed by iptables or nftables

Answer 3

contain their own command sets or tools like firewalld (redhat), or UFW (debian)

Question 4

iptables cmd: filter, nat, mangle, raw, security

iptables [options] [-t table] [commands] {chain/rule specification}

Answer 4

filter -default table used for packet filtering
nat -implements NAT rules
mangle -alters packets’ TCPIP headers
raw -configure exceptions for packets involved in connection tracking
security -mark packets with SELinux sec contexts

Question 5

how to save iptables

Answer 5

they tend to be lost on reboot, but downloading iptables-services package and issuing: service iptables save
can save changes

Question 6

nftables benefits

Answer 6

higher performance and scalability and integrates IPv4 and 6 rules together.

Question 7

firewalld difference

Answer 7

doesn’t need restart to update modifications,
uses zones and services instead of chains and rules

firewall applies to services and apply to their specific zone.
ex: adding http service to perimeter network like internet to allow incoming connections but deny outgoing access to network

Question 8

firewall-cmd commands

Answer 8

firewall-cmd –get-zones : lists all zones

firewall-cmd –zone=dmz :
–list-all

–change-interface<device> : add interface to perimeter network</device>

–{add| remove}-service=<service></service>

–{add |remove}-port=<port/{tcp |udp}>

–reload

all affecting perimeter network

adding –permanent flag keep changes on reboot

–zone=public for internal devices to establish outgoing connections

note: to remote into server, it needs incoming permissions from firewall: dmz

Question 9

UFW (Uncomplicated Firewall)

ufw [options] {action}

Answer 9

easily configures {ip|nf}tables. and can be downloaded on other distros.
preferred for inexperienced home users.
ex:
allow traffic:
ufw allow http/tcp
turn on logging:
ufw logging on
ufw enable

Question 10

/etc/default/ufw

Answer 10

configures high level policy settings

Question 11

/etc/ufw

Answer 11

dir with more granular configuration files

Question 12

when to use firewalld vs nftables

Answer 12

firewalld for simple, host-based situations

nftables for complex, high-performance, segmentation

Question 13

ping cmd -c -v

Answer 13

-c {#} number of ping attempts
-v verbose output

Question 14

mtr cmd

Answer 14

combo of ping & tracert, sending groups of packets sent at a time tracking time and lost packets

Question 15

netstat cmd -v -i [interface] -c -l

Answer 15

recorded connections and can inform of existing connections, listening ports, NIC info, etc.

-v verbose
-i [interfaces] display info about all or specified int
-c continuously print info every second
-l show only ports being listened on

Question 16

ss cmd -l -a -t -u scr {ip-addr} dst{ip-addr}

Answer 16

informs about established tcp connections or listening ports.

can troubleshoots if closed terminating session or if socket is not seen if service not running etc.

-l listening sockets
-a all listening/non-listening ports
-t TCP
-u UDP

subcmd
scr {ip-addr} : display connections from IP
dst {ip-addr} : display connections to IP

Question 17

lsof

Answer 17

displays files in use by active processes.

-i displays network sockets in use

Question 18

tcpdump cmd -i -n -v -w {filename} -r {filename}

tcpdump [options] [-i {interface}] [host {IP address}]

Answer 18

-i specify int to use
port {#} subcmd to
capture traffic
specific
-n not resulve hostnames
-v verbose
-w {filename} : writes result to files
-r {filename} : use tcpdump to read the results

Question 19

wireshark and tshark

Answer 19

Wireshark involve GUI while also including tshark for CLI use or scripting

tshark -D identify available int
tshark -i {int} captures on int

-c {#} limits capture to # of packets

Ctrl+C end capture

Question 20

nmap cmd

Answer 20

-Pn basic port scan of node

-sP Ping only scan

-sT TCP-connect scan

-sV scan nontraditional ports

-sn checks status of used IP-addr [network id/mask]

-F Fast scan
-p [ports] scan for ports

-top-ports [#] scan for common ports by #

-O detect OS

-oN [filename] generate basic text file in human readble format

Question 21

nmap results

Answer 21

open - ports accepting connections
closed - ports reachable by Nmap but have no associative service
filtered - ports are protected by packet filtering and provide little info