Firewall Flashcards

1
Q

how are firewall rules ordered

A

traffic is checked for rules in order from most specific to most generic

most specific rule(s) are considered first: ex, inbound traffic on port # to a specific host

secondary rules are less specific and might include: inbound traffic on port # to a network segment (subnet)

final rules would be to block all traffic that doesn’t match the above rules

2
Q

stateless vs stateful

A

stateful performs the jobs of stateless (cross-checking port and IP source and destination addresses against rules), but stateful also inspects the traffic in more detail: contents, behavior, and data changes.

3
Q

Linux firewalls managed by iptables or nftables

A

contain their own command sets, or tools like firewalld (Red Hat) or UFW (Debian)

4
Q

iptables cmd: filter, nat, mangle, raw, security

iptables [options] [-t table] [commands] {chain/rule specification}

A

filter - default table used for packet filtering
nat - implements NAT rules
mangle - alters packets' TCP/IP headers
raw - configures exceptions for packets involved in connection tracking
security - marks packets with SELinux security contexts

5
Q

how to save iptables

A

they tend to be lost on reboot, but downloading the iptables-services package and issuing: service iptables save
can save the changes

6
Q

nftables benefits

A

higher performance and scalability, and integrates IPv4 and IPv6 rules together.

7
Q

firewalld difference

A

doesn't need a restart to apply modifications,
uses zones and services instead of chains and rules

firewall policy applies to services, and services apply to their specific zone.
ex: adding the http service to a perimeter network like the internet to allow incoming connections but deny outgoing access to the network

8
Q

firewall-cmd commands

A

firewall-cmd --get-zones : lists all zones

firewall-cmd --zone=dmz :
--list-all

--change-interface=<device> : add interface to perimeter network

--{add|remove}-service=<service>

--{add|remove}-port=<port/{tcp|udp}>

--reload

all affecting the perimeter network

adding the --permanent flag keeps changes on reboot

--zone=public for internal devices to establish outgoing connections

note: to remote into the server, it needs incoming permissions from the firewall: dmz

9
Q

UFW (Uncomplicated Firewall)

ufw [options] {action}

A

easily configures {ip|nf}tables, and can be downloaded on other distros.
preferred for inexperienced home users.
ex:
allow traffic:
ufw allow http/tcp
turn on logging:
ufw logging on
ufw enable

10
Q

/etc/default/ufw

A

configures high level policy settings

11
Q

/etc/ufw

A

directory with more granular configuration files

12
Q

when to use firewalld vs nftables

A

firewalld for simple, host-based situations

nftables for complex, high-performance, segmentation

13
Q

ping cmd -c -v

A

-c {#} number of ping attempts
-v verbose output

14
Q

mtr cmd

A

combo of ping & tracert, sending groups of packets at a time and tracking round-trip time and lost packets

15
Q

netstat cmd -v -i [interface] -c -l

A

records connections and can inform of existing connections, listening ports, NIC info, etc.

-v verbose
-i [interface] display info about all or the specified interface
-c continuously print info every second
-l show only ports being listened on

16
Q

ss cmd -l -a -t -u src {ip-addr} dst {ip-addr}

A

informs about established tcp connections or listening ports.

can troubleshoot whether a closed socket is terminating a session, or whether a socket is not seen because the service is not running, etc.

-l listening sockets
-a all listening/non-listening ports
-t TCP
-u UDP

subcmd
src {ip-addr} : display connections from IP
dst {ip-addr} : display connections to IP

17
Q

lsof

A

displays files in use by active processes.

-i displays network sockets in use

18
Q

tcpdump cmd -i -n -v -w (unknown) -r (unknown)

tcpdump [options] [-i {interface}] [host {IP address}]

A

-i specify interface to use
port {#} subcmd to capture traffic specific to a port
-n do not resolve hostnames
-v verbose
-w (unknown) : writes results to a file
-r (unknown) : use tcpdump to read the results

19
Q

wireshark and tshark

A

Wireshark involves a GUI, while also including tshark for CLI use or scripting

tshark -D identify available interfaces
tshark -i {int} captures on interface

-c {#} limits capture to # of packets

Ctrl+C end capture

20
Q

nmap cmd

A

-Pn basic port scan of node

-sP Ping only scan

-sT TCP-connect scan

-sV scan nontraditional ports

-sn checks status of used IP-addr [network id/mask]

-F Fast scan
-p [ports] scan for ports

--top-ports [#] scan for the # most common ports

-O detect OS

-oN [filename] generate basic text file in human readable format

21
Q

nmap results

A

open - ports accepting connections
closed - ports reachable by Nmap but with no associated service
filtered - ports are protected by packet filtering and provide little info