FreeBSD Firewall   February 5th, 2010

This tutorial will cover firewall principles and implementation of a firewall in FreeBSD with IPFW.

“Firewall (networking): a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network” (Wikipedia.org)
This is a general description. To build a successful firewall you need a good understanding of firewalling principles and of the security measures that prevent different kinds of attacks.

1. Type of attacks

a. Unauthorized access
People who manage to access your servers or network from inside or outside (for example by finding weak passwords with brute-force programs). Unauthorized access can be prevented by automatically forcing users to change their passwords from time to time, by requiring them to choose strong passwords (no dictionary words; a mix of letters and numbers; 8-10 characters minimum), and by deleting the accounts of people who no longer work for the organization/company. A good policy for preventing unauthorized access does not cover only server accounts; it also includes a security policy for network resources (file servers and print servers).

b. Exploits of bugs in programs
Some of the applications within the operating system, or userland applications installed on the server, might have bugs/vulnerabilities, and those vulnerabilities might be exploited to gain access. To prevent this kind of security problem, disable all services you do not need and run only the minimum necessary ones. Also keep informed about security vulnerabilities in your installed applications (there are many internet resources on security vulnerabilities), and when an installed version is vulnerable, patch it. Audit your server's security from time to time as well.

c. Spoofing
This technique is used to fake a host in order to communicate with the victim host, making the victim believe it is communicating with a real/known host. To protect against this type of attack, set up the firewall to verify the authenticity of datagrams and to block the routing of datagrams with invalid source addresses. A connection-control mechanism can also be added to the firewall to introduce unpredictability (random ports for every connection, random TCP sequence numbers and dynamic port allocation).
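The source-address checks the spoofing item calls for, written as an IPFW ruleset fragment for the FreeBSD firewall this tutorial is about (an added example, not code from the original post; the interface names em0/em1 and the LAN 192.168.1.0/24 are assumed values):

```shell
#!/bin/sh
# Constructed example: IPFW anti-spoofing rules. Interface names and the
# internal network below are assumptions; adjust them for your gateway.
EXT_IF=${EXT_IF:-em0}                 # interface facing the Internet
INT_IF=${INT_IF:-em1}                 # interface facing the LAN
INT_NET=${INT_NET:-192.168.1.0/24}    # the LAN behind the firewall
IPFW=${IPFW:-"ipfw -q"}               # set IPFW=echo to print the rules instead

antispoof_rules() {
  # Packets arriving from the Internet must never claim an internal,
  # loopback or private source address: such datagrams are forged.
  $IPFW add 100 deny ip from "$INT_NET" to any in via "$EXT_IF"
  $IPFW add 110 deny ip from 127.0.0.0/8 to any in via "$EXT_IF"
  $IPFW add 120 deny ip from 10.0.0.0/8 to any in via "$EXT_IF"
  $IPFW add 130 deny ip from 172.16.0.0/12 to any in via "$EXT_IF"
  $IPFW add 140 deny ip from 192.168.0.0/16 to any in via "$EXT_IF"
  # Packets from the LAN side must carry a LAN source address (egress
  # filtering), so hosts behind this gateway cannot spoof others.
  $IPFW add 200 deny ip from not "$INT_NET" to any in via "$INT_IF"
  # Reverse-path check: drop any packet whose source address would not be
  # routed back out through the interface it arrived on.
  $IPFW add 300 deny ip from any to any not verrevpath in
}

# Apply the rules only where ipfw is actually present (e.g. from rc.firewall).
command -v ipfw >/dev/null 2>&1 && antispoof_rules
```

Put these rules before the rest of the ruleset, since IPFW evaluates rules in number order; the verrevpath check relies on the routing table, so it only helps where routes for the internal networks are correct.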

Using pf as a Firewall   February 5th, 2010

I’ve long been a fan of FreeBSD (although I also use a Mac, Linux, and Windows machine — right tool for the job, and all that), and one of the things I like best about the various BSDs is the ease with which you can set up a stateful packet-filtering firewall. To put it simply, pf rocks.

Setting it up for the first time, though, can be a bit of a chore. If you are interested in giving pf a look, here’s how you do it on FreeBSD.

Recompile your kernel
For the sake of argument, let’s assume that we are going to be setting up a machine called “zeus” as a gateway server with a few simple services running on it. We first need to compile the pf stuff into the kernel, and then install our new kernel. First, get to the right directory:

[tcs@zeus] ~> su -
Password:
1:28PM up 60 days, 3:54, 1 user, load averages: 0.03, 0.01, 0.00
[root@zeus] ~# cd /usr/src/sys/i386/conf/

Now, copy the file GENERIC to some new file (I'm calling mine ZEUS):

[root@zeus] ~# cp GENERIC ZEUS

Edit the file ZEUS and add the following lines just below “options ADAPTIVE_GIANT”:

In this article I'm going to show you how you can use SSH port forwarding to access a service that a firewall might be blocking.

As an example, I'll take the case of a campus that blocks access to IRC servers (usually running on port 6667) but leaves the SSH port 22 unblocked.

The idea is: since we can connect to a remote host on port 22, why not tell that machine to forward all incoming traffic to the remote host we wanted to connect to in the first place?

So here is the configuration. We are using a computer on a campus which blocks external access to port 6667 but leaves port 22 open.

We have a known host (let's say your home computer) with SSH port 22 open.

Here is a graph representing the configuration:

(Figure: ssh port forwarding)

As you can see, we are going to take a longer path to reach the IRC server, by going through our home computer. With port forwarding, we create a tunnel between port 1234 on our local machine and port 6667 on the IRC server. This way we can join the IRC network simply by connecting to port 1234 on our local machine.

Let's get to the command line now. First, we need to create the tunnel. To do so, connect to your home computer over SSH and forward port 1234 on localhost to the IRC server (here irc.freenode.net) on port 6667:

tester@laptop:~$ ssh myhomeuser@myhomenetwork.net -L 1234:irc.freenode.net:6667

Now our tunnel is created (the purple connection on the graph) and port 1234 is open on localhost. The only thing left is to connect to IRC using your favorite IRC client, giving it the server localhost:1234.

In this example I'm going to connect using irssi, a text-mode IRC client.

tester@laptop:~$ irssi -c localhost -p 1234

and here is what we get…

(Figure: irssi connecting to irc.freenode.net through a tunnel on localhost port 1234)

hey, hey, we are connected to freenode.net ;) .

Basically, you could use this trick to access any type of service. The only thing it requires is being able to connect to a remote machine outside the firewalled network.
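A small wrapper around the command above, added here as an example rather than taken from the original post, that keeps the tunnel on an SSH control socket so it can be checked for readiness and torn down cleanly; the user and host names are the post's placeholders, and the readiness check assumes bash.

```shell
#!/bin/bash
# Constructed example: manage the post's local forward on a control socket.
SSH=${SSH:-ssh}                                  # set SSH=echo for a dry run
HOME_HOST=${HOME_HOST:-myhomeuser@myhomenetwork.net}
LOCAL_PORT=${LOCAL_PORT:-1234}
REMOTE=${REMOTE:-irc.freenode.net:6667}
CTL=${CTL:-/tmp/irc-tunnel.sock}                 # ControlMaster socket path

# Return 0 as soon as something listens on host:port, 1 after $3 seconds.
# Uses bash's /dev/tcp so no extra tools are needed.
wait_for_port() {
  local host=$1 port=$2 timeout=${3:-10}
  while [ "$timeout" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
    sleep 1
    timeout=$((timeout - 1))
  done
  return 1
}

# -f: go to background, -N: no remote command, -M/-S: control master on CTL.
# ExitOnForwardFailure makes ssh exit non-zero when the home sshd refuses the
# forward, instead of leaving an idle session with no listener on 1234.
tunnel_up() {
  $SSH -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
       -L "127.0.0.1:${LOCAL_PORT}:${REMOTE}" "$HOME_HOST" || return 1
  wait_for_port 127.0.0.1 "$LOCAL_PORT" 10
}

# Ask the master connection to exit, which closes the forward.
tunnel_down() {
  $SSH -S "$CTL" -O exit "$HOME_HOST"
}
```

Whether the forward is accepted at all is decided by the sshd on the home machine: its AllowTcpForwarding and PermitOpen settings can restrict or disable it, which is what ExitOnForwardFailure surfaces here.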

Thanks to the author; original link http://www.debuntu.org/2006/04/08/22-ssh-and-port-forwarding-or-how-to-get-through-a-firewall