
Troubleshooting Linux® Firewalls

by: Michael Shinn, Scott Shinn

On-line Price: $39.95 (includes GST)

Paperback package 384

20% Off Retail Price

You save: $10.00

Usually ships within 3-5 business days. We will advise you if a delay or price change is expected.

Retail Price: $49.95

Publisher: ADDISON-WESLEY, 22/12/2004

Category: LINUX Level:

ISBN: 0321227239
ISBN13: 9780321227232

Summary

Covers Red Hat and SUSE

When something goes wrong with your Linux firewall, you need to fix it--right now. You don't have time for endless newsgroup searches, confusing man pages, emails to the developers... it's an emergency! One book brings together all the step-by-step solutions and proven problem-solving techniques you'll need when the time comes: Troubleshooting Linux® Firewalls.

Authors Michael Shinn and Scott Shinn are among the world's leading firewall experts; they've even been hired to protect computer security at the White House. In this book, they cover every area where Linux firewalls can go wrong: rules and filtering problems, Layer 2/3/4 issues, trouble with individual services, DNS/DHCP failures, even misconfigured VPNs. They also present an easy, start-to-finish troubleshooting methodology that'll help you identify even the newest or most obscure firewall problem fast--and solve it!

Inside, you will find in-depth information on the following areas:

What you must know about iptables and netfilter to troubleshoot and avoid problems

Using loggers, sniffers, and other tools to diagnose even the most obscure firewall problems

Making sure your firewall rules work the way they're supposed to

Resolving problems with Network Address Translation and IP Forwarding

Troubleshooting SMTP, Apache, Squid, NFS, FTP, instant messaging, and other Web-based services

Finding and fixing common problems with IPsec VPN configuration

Making your firewalls more failure-resistant: recommendations from the experts

If you depend on a Linux firewall, what will you do if it goes down? With Troubleshooting Linux® Firewalls, you can be confident that the solutions are right at hand--so you can sleep at night!

© Copyright Pearson Education. All rights reserved.

Author Bio

AUTHORS

Michael Shinn is managing partner of the Prometheus Group, an IT security consulting firm. He was formerly a member of Cisco's Advanced Network Security Research group and a senior software developer and founding member of the firm's Signatures and Exploits Development Team.

Scott Shinn co-founded Plesk, a server management firm. He was formerly a senior network security engineer specializing in penetration testing for Fortune 50 clients at Wheelgroup, a firm later acquired by Cisco.

Both authors served on the White House technology staff, specializing in security and penetration testing of both internal and Internet-connected systems.

Table of Contents

I. GETTING STARTED.

1. Introduction.


  Why We Wrote This Book


  How This Book Is Organized


  Goals of This Book


  The Methodical Approach and the Need for a Methodology


  Firewalls, Security, and Risk Management


  How to Think About Risk Management


  Computer Security Principles


  Firewall Recommendations and Definitions


  Why Do I Need a Firewall?


  Do I Need More Than a Firewall?


  What Kinds of Firewalls Are There?


      Firewall Types


  The Myth of 'Trustworthy' or 'Secure' Software


  Know Your Vulnerabilities


  Creating Security Policies


  Training


  Defense in Depth


  Summary

2. Getting Started.


  Risk Management


  Basic Elements of Risk Management


  Seven Steps to Managing Risk


  Phase I: Analyze


      Inventory


      Quantify the Value of the Asset


      Threat Analysis


  Phase II: Document


      Create Your Plan


      Create a Security Policy


      Create Security Procedures


  Phase III: Secure the Enterprise


      Implement Policies


      Implement Procedures


      Deploy Security Technology and Counter Measures


      Securing the Firewall Itself


      Isolating Assets


      Filtering


      Ingress/Egress Filtering


  Phase IV: Implement Monitoring


  Phase V: Test


  Phase VI: Integrate


  Phase VII: Improve


  Summary

3. Local Firewall Security.


  The Importance of Keeping Your Software Up to Date


      yum


      red carpet


      up2date


      emerge


      apt-get


  Over Reliance on Patching


  Turning Off Services


      Using TCP Wrappers and Firewall Rules


      Running Services with Least Privilege


      Restricting the File System


  Security Tools to Install


      Log Monitoring Tools


      Network Intrusion Detection


      Host Intrusion Detection


      Remote Logging


      Correctly Configure the Software You Are Using


      Use a Hardened Kernel


      Other Hardening Steps


  Summary

4. Troubleshooting Methodology.


  Problem Solving Methodology


  Recognize, Define, and Isolate the Problem


  Gather Facts


  Define What the 'End State' Should Be


  Develop Possible Solutions and Create an Action Plan


  Analyze and Compare Possible Solutions


  Select and Implement the Solution


  Critically Analyze the Solution for Effectiveness


  Repeat the Process Until You Resolve the Problem


      Finding the Answers or...Why Search Engines Are Your Friend


      Websites


  Summary

II. TOOLS AND INTERNALS.

5. The OSI Model: Start from the Beginning.


  Internet Protocols at a Glance


      Understanding the Internet Protocol (IP)


      Understanding ICMP


      Understanding TCP


      Understanding UDP


      Troubleshooting with This Perspective in Mind


  Summary

6. netfilter and iptables Overview.


  How netfilter Works


      How netfilter Parses Rules


      Netfilter States


      What about Fragmentation?


      Taking a Closer Look at the State Engine


  Summary

7. Using iptables.


  Proper iptables Syntax


      Examples of How the Connection Tracking Engine Works


      Applying What Has Been Covered So Far by Implementing Good Rules


  Setting Up an Example Firewall


      Kernel Options


      iptables Modules


      Firewall Rules


      Quality of Service Rules


      Port Scan Rules


      Bad Flag Rules


      Bad IP Options Rules


      Small Packets and Rules to Deal with Them


      Rules To Detect Data in Packets Using the String Module


      Invalid Packets and Rules to Drop Them


      A Quick Word on Fragments


      SYN Floods


      Polite Rules


      Odd Port Detection and Rules to Deny Connections to Them


      Silently Drop Packets You Don't Care About


      Enforcement Rules


      IP Spoofing Rules


      Egress Filtering


      Send TCP Reset for AUTH Connections


      Playing Around with TTL Values


      State Tracking Rules


      STEALTH Rules


      Shunning Bad Guys


      ACCEPT Rules


  Summary

8. A Tour of Our Collective Toolbox.


  Old Faithful


  Sniffers


      Analyzing Traffic Utilization


      Network Traffic Analyzers


  Useful Control Tools


      Network Probes


      Probing Tools


  Firewall Management and Rule Building


  Summary

9. Diagnostics.


  Diagnostic Logging


      Scripts To Do This for You


      The catch all Logging Rule


      The iptables TRACE Patch


  Checking the Network


  Using a Sniffer to Diagnose Firewall Problems


  Memory Load Diagnostics


  Summary

III. DIAGNOSTICS.

10. Testing Your Firewall Rules (for Security!).


      INSIDE->OUT Testing with nmap and iplog


      Interpreting the Output from an INSIDE->OUT Scan


      Testing from the OUTSIDE->IN


      Reading Output from nmap


      Testing your Firewall with fragrouter


  VLANs


  Summary

11. Layer 2/Inline Filtering.


  Common Questions


  Tools Discussed in this Part


  Building an Inline Transparent Bridging Firewall with ebtables (Stealth Firewalls)


      Filtering on MAC Address Bound to a Specific IP Address with ebtables


      Filtering Out Specific Ports with ebtables


  Building an Inline Transparent Bridging Firewall with iptables (Stealth Firewalls)


  MAC Address Filtering with iptables


  DHCP Filtering with ebtables


  Summary

12. NAT (Network Address Translation) and IP Forwarding.


  Common Questions about Linux NAT


  Tools/Methods Discussed in this Part


      Diagnostic Logging


      Viewing NAT Connections with netstat-nat


      Listing Current NAT Entries with iptables


      Listing Current NAT and Rule Packet Counters


      Corrective Actions


  Summary

13. General IP (Layer 3/Layer 4).


  Common Question


  Inbound: Creating a Rule for a New TCP Service


  Inbound: Allowing SSH to a Local System


  Forward: SSH to Another System


  SSH: Connections Timeout


  telnet: Forwarding telnet Connections to Other Systems


  MySQL: Allowing MySQL Connections


  Summary

14. SMTP (e-mail).


  Common Questions


  Tools Discussed in this Part


  Allowing SMTP to/from Your Firewalls


  Forwarding SMTP to an Internal Mail Server


  Forcing Your Mail Server Traffic to Use a Specific IP Address with an SNAT Rule


  Blocking Internal Users from Sending Mail Through Your Firewall


  Accept Only SMTP Connections from Specific Hosts (ISP)


  SMTP Server Timeouts/Failures/Numerous Processes


  Small e-Mail Send/Receive Correctly-Large e-Mail Messages Do Not


  Summary

15. Web Services (Web Servers and Web Proxies).


  Common Questions


  Tools Discussed in this Part


      Inbound: Running a Local Web Server (Basic Rules)


      Inbound: Filter: Incoming Web to Specific Hosts


      Forward: Redirect Local Port 80 to Local Port 8080


      Forwarding Connections from the Firewall to an Internal Web Server


      Forward: To Multiple Internal Servers


      Forward: To a Remote Server on the Internet


      Forward: Filtering Access to a Forwarded Server


      Outbound: Some Websites Are Inaccessible (ECN)


      Outbound: Block Clients from Accessing Websites


      Transparent Proxy Servers (squid) on Outbound Web Traffic


  Summary

16. File Services (NFS and FTP).


  Tools Discussed in this Part


      NFS: Cannot Get NFS Traffic to Traverse a NAT or IP Forwarding Firewall


      FTP Inbound: Running a Local FTP Server (Basic Rules)


      FTP Inbound: Restricting Access with Firewall Rules


      FTP Inbound: Redirecting FTP Connections to Another Port on the Server


      FTP Forward: Forwarding to an FTP Server Behind the Firewall on a DMZ Segment


      FTP Forward: Forwarding to Multiple FTP Servers Behind the Firewall on a DMZ Segment


      FTP Forward: From One Internet Server to Another Internet Server


      FTP Forward: Restricting FTP Access to a Forwarded Server


      FTP Outbound: Connections are Established, but Directories Cannot Be Listed, and Files Cannot Be Downloaded


  Summary

17. Instant Messaging.


  Common Questions/Problems


  Tools Discussed in This Part


  NetMeeting and GnomeMeeting


      Connecting to a Remote NetMeeting/GnomeMeeting Client from Behind an iptables Firewall (Outbound Calls Only)


      Connecting to a NetMeeting/GnomeMeeting Client Behind a netfilter/iptables Firewall (Inbound/Outbound Calls)


      Directly from the GnomeMeeting Website's Documentation


      Blocking Outbound NetMeeting/GnomeMeeting Traffic


  MSN Messenger


      Connecting to Other MSN Users


      Blocking MSN Messenger Traffic at the Firewall


  Yahoo Messenger


      Connecting to Yahoo Messenger


      Blocking Yahoo Messenger Traffic


  AOL Instant Messenger (AIM)


      Connecting to AIM


      Blocking AOL Instant Messenger Traffic


  ICQ


      Connecting to ICQ


      Blocking ICQ


  Summary


      Recalling Our Methodology

18. DNS/DHCP.


  Common Questions


  Tools Discussed in this Part


      Forwarding DNS Queries to an Upstream/Remote DNS Server


      DNS Lookups Fail: Internal Hosts Communicating to an External Nameserver


      DNS Lookups Fail: Short DNS Name Lookups Work-Long Name Lookups Do Not


      DNS Lookups Fail: Nameserver Running on the Firewall


      DNS Lookups Fail: Nameserver Running on the Internal and/or DMZ Network


      Misleading rDNS Issue: New Mail, or FTP Connections to Remote Systems Take 30 Seconds or More to Start


      DHCP: Dynamically Updating Firewall Rules with the IP Changes


      Blocking Outbound DHCP


      DHCP: Two Addresses on One External Interface


      DHCP: Redirect DHCP Requests to DMZ


  Summary

19. Virtual Private Networks.


  Things to Consider with IPSEC


  Common Questions/Problems


  Tools Discussed in this Part


      IPSEC: Internal Systems-Behind a NAT/MASQ Firewall Cannot Connect to an External IPSEC Server


      IPSEC: Firewall Cannot Establish IPSEC VPNs


      IPSEC: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN


      PPTP: Cannot Establish PPTP Connections Through the Firewall


  Running a PPTP Server Behind a NAT Firewall


      PPTP: Firewall Cannot Establish PPTP VPNs


      PPTP: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN


      Using a free/openswan VPN to Secure a Wireless Network


  Summary

Index.