RuggedCom RX1000 Network Router User Manual


 
Chapter 13 - Configuring The Firewall
Introduction
This chapter familiarizes the user with:
Enabling/Disabling The Firewall
Elements of Firewall design
How to configure the Firewall
Checking Firewall configuration
Firewall Fundamentals
Firewalls are software systems designed to prevent unauthorized access to or from
private networks. Firewalls are most often used to prevent unauthorized Internet users
from accessing private networks (intranets) connected to the Internet.
When the RuggedRouter firewall is used, the router serves as a gateway machine
through which all messages entering or leaving the intranet pass. The router examines
each message and blocks those that do not meet the specified security criteria. The
router can also act as a proxy, preventing direct communication between computers on
the Internet and the intranet. Proxy servers can filter the kinds of communication that
are allowed between two computers and perform address translation.
Stateless vs Stateful Firewalls
Firewalls fall into two broad categories: stateless and stateful (session-based).
Stateless or “static” firewalls make decisions about traffic without regard to its
history, simply opening a “hole” for the traffic's type (based upon TCP or UDP port
number). Stateless firewalling is a relatively simple affair, easily handling web and
email traffic. Stateless firewalls suffer from disadvantages, however. Every hole
opened in the firewall is always open; there is no opening and closing of connections
based on outside criteria. Static IP filters offer no form of authentication.
Stateful firewalling adds considerable complexity to the firewalling process by
tracking the state of each connection.
A stateful firewall also looks at each packet and applies tests, but the tests applied, or
“rules”, may be modified depending on packets that have already been processed. This
is called “connection tracking”. Stateful firewalls can also recognize that traffic on
connected sets of TCP/UDP ports belongs to a particular protocol and manage it as a
whole.
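The difference between the two categories is easiest to see by running the same packet sequence through both. The following is an added example and not code from the RuggedCom manual: a toy model in which a static filter decides from each packet alone, while a connection-tracking filter consults a table of connections it has already admitted (the role played by netfilter's conntrack table on the RuggedRouter). The addresses, ports and packet sequence are constructed, and the policy is assumed: intranet hosts may open web connections (ports 80 and 443) to the Internet, and nothing inbound is admitted unless it belongs to such a connection.

```python
# Added example (not from the RuggedCom manual): a toy model of stateless versus
# stateful packet filtering. Addresses, ports and the packet sequence below are
# constructed for illustration; the policy is an assumption made for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": intranet -> Internet, "in": Internet -> intranet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the first packet of a TCP connection


# Assumed policy: destination ports intranet clients may connect to on the Internet.
OUTBOUND_PORTS = {80, 443}


class StatelessFilter:
    """Static filter: every decision is made from the packet alone."""

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            return "ACCEPT" if pkt.dport in OUTBOUND_PORTS else "DROP"
        # Replies to web connections arrive from source port 80/443, so a static
        # filter must leave that hole permanently open to let them through.
        return "ACCEPT" if pkt.sport in OUTBOUND_PORTS else "DROP"


class StatefulFilter:
    """Connection-tracking filter: decisions depend on connections already seen."""

    def __init__(self) -> None:
        # Stand-in for the conntrack table: the 4-tuple of each admitted connection
        # as seen from the side that opened it.
        self.conntrack: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"  # ESTABLISHED: belongs to a tracked connection
        if not pkt.syn:
            return "DROP"  # no state and not a connection attempt: stray packet
        # NEW connection: only intranet-initiated web connections may be opened.
        if pkt.direction == "out" and pkt.dport in OUTBOUND_PORTS:
            self.conntrack.add(forward)
            return "ACCEPT"
        return "DROP"


# Constructed packet sequence: a client opens a web connection, the server replies,
# an unrelated host sends an unsolicited packet from source port 80, and finally an
# outside host tries to open an inbound connection.
SAMPLE_PACKETS = [
    Packet("out", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),  # client SYN
    Packet("in", "203.0.113.5", 80, "192.168.1.10", 40000),             # server reply
    Packet("in", "198.51.100.7", 80, "192.168.1.10", 40000),            # unsolicited, sport 80
    Packet("in", "198.51.100.7", 51000, "192.168.1.10", 22, syn=True),  # inbound attempt
]


def run(fw, packets):
    """Apply the filter to the packets in order and return the verdicts."""
    return [fw.decide(p) for p in packets]


def compare(packets=SAMPLE_PACKETS):
    """Return the verdicts of both filter types for the same packet sequence."""
    return {
        "stateless": run(StatelessFilter(), packets),
        "stateful": run(StatefulFilter(), packets),
    }


if __name__ == "__main__":
    for kind, verdicts in compare().items():
        print(kind, verdicts)
```

The third packet is the one to watch: the static filter accepts it because the hole for source port 80 is always open, whereas the stateful filter drops it because no tracked connection matches and it is not a connection attempt. The fourth packet, an unsolicited inbound connection attempt, is dropped by both, but only the stateful filter gets there without needing a permanently open reply hole.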
Linux® netfilter, iptables And The Shoreline Firewall
The RuggedRouter employs a stateful firewall system known as netfilter, a set of
loadable kernel modules that provides the capabilities needed for session-based packet
examination. The netfilter system is an interface built into the Linux kernel that
gives access to packets as they pass through the IP network stack.
The netfilter system uses rulesets, collections of packet classification rules that
determine the outcome of the examination of a specific packet. The rules are defined
with iptables, a generic table structure syntax and utility program for the configuration
and control of netfilter.
RuggedCom 109