Firewall Flashcards
how are firewall rules ordered
traffic is checked against rules in order from most specific to most generic
most specific rule(s) are considered first: e.g. inbound traffic on port # to a specific host
secondary rules are less specific and might include: inbound traffic on port # to a network segment (subnet)
final rule would be to block all traffic that doesn't match the rules above
stateless vs stateful
stateful includes the stateless job of cross-checking port and IP source and destination addresses against rules, but stateful also inspects the traffic in more detail: contents, behavior, and data changes.
Linux firewalls managed by iptables or nftables
each has its own command set, or is managed by tools like firewalld (Red Hat) or UFW (Debian)
iptables tables (-t): filter, nat, mangle, raw, security
iptables [options] [-t table] [commands] {chain/rule specification}
filter - default table used for packet filtering
nat - implements NAT rules
mangle - alters packets' TCP/IP headers
raw - configures exceptions for packets involved in connection tracking
security - marks packets with SELinux security contexts
how to save iptables
they tend to be lost on reboot, but installing the iptables-services package and issuing: service iptables save
saves the changes
nftables benefits
higher performance and scalability, and integrates IPv4 and IPv6 rules together.
firewalld difference
doesn't need a restart to apply modifications,
uses zones and services instead of chains and rules
rules apply to services, and services are assigned to their specific zone.
e.g. adding the http service to the perimeter (internet-facing) zone to allow incoming connections but deny outgoing access to the internal network
firewall-cmd commands
firewall-cmd --get-zones : lists all zones
firewall-cmd --zone=dmz followed by one of:
--list-all
--change-interface=<device> : add interface to perimeter network
--{add|remove}-service=<service>
--{add|remove}-port=<port>/{tcp|udp}
--reload
all of the above (with --zone=dmz) affect the perimeter network
adding the --permanent flag keeps changes across reboot
--zone=public for internal devices to establish outgoing connections
note: to remote into the server, it needs incoming permissions from the firewall: dmz zone
UFW (Uncomplicated Firewall)
ufw [options] {action}
easily configures iptables/nftables, and can be installed on other distros.
preferred for inexperienced home users.
ex:
allow traffic:
ufw allow http/tcp
turn on logging:
ufw logging on
ufw enable
/etc/default/ufw
configures high-level policy settings
/etc/ufw
directory with more granular configuration files
when to use firewalld vs nftables
firewalld for simple, host-based situations
nftables for complex, high-performance, segmentation
ping cmd -c -v
-c {#} number of ping attempts
-v verbose output
mtr cmd
combination of ping & tracert; sends groups of packets at a time, tracking round-trip time and lost packets
netstat cmd -v -i [interface] -c -l
reports connections and can show existing connections, listening ports, NIC info, etc.
-v verbose
-i [interface] display info about all or the specified interface
-c continuously print info every second
-l show only ports being listened on
ss cmd -l -a -t -u src {ip-addr} dst {ip-addr}
informs about established TCP connections or listening ports.
can troubleshoot: e.g. a closed socket means the session was terminated, or a socket not being seen means the service is not running, etc.
-l listening sockets
-a all listening and non-listening sockets
-t TCP
-u UDP
filters
src {ip-addr} : display connections from IP
dst {ip-addr} : display connections to IP
lsof
displays files in use by active processes.
-i displays network sockets in use
tcpdump cmd -i -n -v -w {file} -r {file}
tcpdump [options] [-i {interface}] [host {IP address}]
-i specify interface to use
port {#} : filter to capture traffic on a specific port
-n do not resolve hostnames
-v verbose
-w {file} : writes results to a file
-r {file} : use tcpdump to read the results back from the file
wireshark and tshark
Wireshark provides a GUI, and also includes tshark for CLI use or scripting
tshark -D identify available interfaces
tshark -i {interface} captures on that interface
-c {#} limits capture to # of packets
Ctrl+C end capture
nmap cmd
-Pn basic port scan of node
-sP Ping only scan
-sT TCP-connect scan
-sV scan nontraditional ports
-sn checks which IP addresses are in use [network id/mask]
-F Fast scan
-p [ports] scan for ports
--top-ports [#] scan the # most common ports
-O detect OS
-oN [filename] generate a basic text file in human-readable format
nmap results
open - ports accepting connections
closed - ports reachable by Nmap but with no associated service
filtered - ports are protected by packet filtering and provide little information