
Understanding Firewalls and Netfilter

A firewall is designed to prevent unauthorized outside users from accessing a network or host. It is a device (software or hardware) installed between the internal network and the Internet. A firewall filters the packets that attempt to enter or leave a network, applying policies that enforce control over the network traffic.

A bastion host is the simplest firewall implementation: the bastion host is any computer that is fully exposed to attack by being on the public side of the DMZ, unprotected by a firewall or filtering router. [1]
It is also referred to as a bastion firewall. The bastion node is usually a very powerful server with improved security measures and custom software.

Figure: A typical Bastion firewall implementation

A DMZ (Demilitarized Zone), also known as a perimeter network, is the part of the network that is neither private nor public. It adds a layer of security, because the external network has access only to the network devices and servers placed in the DMZ.

Netfilter

Netfilter is the component that implements a firewall within the Linux kernel, either compiled directly into the kernel or included as a set of modules. It would not be wrong to call netfilter a superset of a firewall implementation.
Netfilter is best described as a generalized framework of hooks in the network stack. Any kernel module can plug into one or more of these hooks and receive the packets traversing them. [2]

Netfilter Hooks

1. NF_IP_PRE_ROUTING

The NF_IP_PRE_ROUTING hook is triggered by any incoming packet, before routing. After this hook the kernel decides whether the packet is destined for another interface or for a local process; this is referred to as the routing decision.

2. NF_IP_LOCAL_IN

If the packet is destined for a local process, it is passed over to the NF_IP_LOCAL_IN hook.

3. NF_IP_FORWARD

If the packet is destined for another interface or host, the netfilter framework calls the NF_IP_FORWARD hook.

4. NF_IP_LOCAL_OUT

If the packet is created locally, it is passed to this hook. The routing decision is made after the packet passes through this hook.

5. NF_IP_POST_ROUTING

NF_IP_POST_ROUTING is triggered after the routing decision has been made. The packet passes this hook and leaves for the network again.


Kernel modules may register with one or more of these hooks. For each packet passing through a hook, a function specified by the module is called, and it returns a decision for the netfilter framework to act upon. One of the following five verdicts is then processed by netfilter:

1. NF_ACCEPT: Continue the traversal as normal.
2. NF_DROP: Drop the packet; traversal is discontinued.
3. NF_STOLEN: The hook-registered module has taken over the packet; traversal is discontinued.
4. NF_QUEUE: The packet is inserted into a dedicated queue inside netfilter. It is then passed to a userspace process through a netlink socket, which decides what to do with the packet.
5. NF_REPEAT: The hook is called again to process the packet.
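To make the hook order and the verdict semantics above concrete, here is an added user-space model of the traversal, written for this page and not taken from the blog or from the kernel (a real module would register its callback through the kernel's netfilter API instead of this toy table). The hook and verdict names mirror the text; the packet structure, the "local"/"private"/"dmz" destination labels and the three sample callbacks are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
enum hook { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUM_HOOKS };
enum verdict { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };
/* Constructed toy packet: a destination label plus a count of PRE_ROUTING callback invocations. */
struct pkt { const char *dst; int pre_calls; };
typedef enum verdict (*hookfn)(struct pkt *);
static hookfn hooks[NUM_HOOKS][4];   /* callbacks per hook, in registration order (toy registry) */
static int nhooks[NUM_HOOKS];
static void nf_register(enum hook h, hookfn fn) { if (nhooks[h] < 4) hooks[h][nhooks[h]++] = fn; }
/* Run every callback registered on one hook. NF_REPEAT re-invokes the same callback;
 * any verdict other than NF_ACCEPT ends the traversal immediately. */
static enum verdict run_hook(enum hook h, struct pkt *p) {
    for (int i = 0; i < nhooks[h]; i++) {
        enum verdict v;
        do { v = hooks[h][i](p); } while (v == NF_REPEAT);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}
/* Packet path in the order the hook list describes. Returns the verdict that ended
 * traversal; NF_ACCEPT means the packet reached a local process or went back on the wire. */
enum verdict traverse(struct pkt *p, int locally_generated) {
    enum verdict v;
    if (locally_generated) {                 /* LOCAL_OUT first, routing decision afterwards */
        if ((v = run_hook(LOCAL_OUT, p)) != NF_ACCEPT) return v;
    } else {
        if ((v = run_hook(PRE_ROUTING, p)) != NF_ACCEPT) return v;
        if (strcmp(p->dst, "local") == 0)    /* routing decision: local process or elsewhere */
            return run_hook(LOCAL_IN, p);
        if ((v = run_hook(FORWARD, p)) != NF_ACCEPT) return v;
    }
    return run_hook(POST_ROUTING, p);
}
/* Constructed sample callbacks: one NF_REPEAT, one NF_DROP, one NF_QUEUE. */
static enum verdict repeat_once(struct pkt *p) { return ++p->pre_calls == 1 ? NF_REPEAT : NF_ACCEPT; }
static enum verdict drop_fwd_private(struct pkt *p) { return strcmp(p->dst, "private") ? NF_ACCEPT : NF_DROP; }
static enum verdict queue_local_in(struct pkt *p) { (void)p; return NF_QUEUE; } /* hand off to userspace */
int model_setup(void) {   /* register the sample callbacks; returns how many were registered */
    nf_register(PRE_ROUTING, repeat_once); nf_register(FORWARD, drop_fwd_private);
    nf_register(LOCAL_IN, queue_local_in); return 3;
}

int main(void) {
    struct pkt fwd = { "private", 0 }, in = { "local", 0 };
    model_setup();
    printf("forwarded to private: verdict %d (NF_DROP=0)\n", traverse(&fwd, 0));
    printf("local delivery: verdict %d (NF_QUEUE=3), PRE_ROUTING ran %d times\n", traverse(&in, 0), in.pre_calls);
    return 0;
}
```

The forwarded packet is dropped at FORWARD and never reaches POST_ROUTING, while the locally destined one is queued at LOCAL_IN after PRE_ROUTING has been entered twice because of NF_REPEAT.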



References:  

  1. [1] Krutz, Ronald; Vines, Russell (May 2003). The CISM Prep Guide: Mastering the Five Domains of Information Security Management. Wiley. p. 12. ISBN 9780471455981.
  2. [2] KernelNewbies: Documents/Netfilter
  3. [3] Linux netfilter Hacking HOWTO
  4. "Linux Firewalls" by Steve Suehring
  5. "Mastering Linux Security and Hardening" by Donald A. Tevault
  6. Diagram credits: https://www.draw.io/
