ch10 firewall(2013 ncu-nos_nm)
TRANSCRIPT
![Page 1: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/1.jpg)
Firewall
CSIE 基爾 @ NCU Network Open Source Club (NCU-NOS)
Updated: 12232013
![Page 2: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/2.jpg)
Course
• Related courses: OS, Security
• Level: intermediate
• Prerequisites: basic FreeBSD operation, networking concepts
• Course goals:
  • Understand the difference between hardware and software firewalls
  • Implement a firewall script
![Page 3: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/3.jpg)
Firewall definition
![Page 4: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/4.jpg)
Definition
• Controls network access
• Usually has several NICs, so access control for the whole network can be managed in one place
• Default deny: everything is refused except traffic that matches an explicit allow rule
![Page 5: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/5.jpg)
Classification
• Hardware firewalls: packet filtering firewalls
• Software firewalls: application layer firewalls (proxy firewalls)
• Hybrids
Comment
• Hardware firewalls are simple; software firewalls are complex.
• Unless you are a network administrator, you will rarely get to touch a hardware firewall.
• Because the software has to emulate what the hardware does, it is hard to learn and the configuration is complicated.
• Note that this hardware/software split is the deck's simplification: ipfw and iptables, listed later, are packet filters implemented in software, and the rule fields shown later are the same in either case.
![Page 6: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/6.jpg)
Hardware firewall - Internet Accessible Systems
![Page 7: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/7.jpg)
Hardware firewall - Single Firewall
![Page 8: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/8.jpg)
Hardware firewall - Dual Firewalls
![Page 9: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/9.jpg)
Software firewall (also called a personal firewall)
• Works like a proxy: a single NIC emulates several NICs, which also requires NAT support.
![Page 10: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/10.jpg)
Well-known firewalls
• ipfw
• ufw
• iptables
• the firewalls bundled with antivirus suites
• the one built into Windows
![Page 11: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/11.jpg)
Limitations of Firewalls
• Cannot stop insiders
• Cannot filter or control packets that bypass the firewall
• Cannot block attacks that hide illegitimate traffic inside a legitimate channel, e.g. a VPN
• Palo Alto Networks: http://youtu.be/pBz2LNfthAg, 0:58~1:28
![Page 12: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/12.jpg)
Parameters
![Page 13: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/13.jpg)
A rule is made up of
• Number – the rule's position in the rule set
• Src IP – where the packet comes from
• Dst IP – where it is going
• Port – the service's port number
• Protocol – the IP protocol carried (tcp, udp, icmp)
• Action – what to do with a matching packet
• Other
![Page 14: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/14.jpg)
Example: software or hardware, the rules look about the same
![Page 15: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/15.jpg)
Settings
![Page 16: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/16.jpg)
Rules of thumb
• first-match algorithm: the first rule that matches a packet decides its fate and evaluation stops there
• The most specific rules are placed at the top of the rule set.
• The least specific rules are placed at the bottom of the rule set.
![Page 17: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/17.jpg)
rc.conf settings
• firewall_enable="YES"
• firewall_logging="YES"
• firewall_script="/etc/ipfw.rules"
• Monitoring IPFW logs: logged packets go through syslog's security facility, which FreeBSD's default syslog.conf writes to /var/log/security
![Page 18: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/18.jpg)
rc.firewall settings
• Personal software firewalls are more and more common; normally there is no need to edit this file.
• (only for special needs, e.g. bandwidth limiting)
![Page 19: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/19.jpg)
Rule Syntax

| CMD | RULE_NUMBER | ACTION | LOGGING | SELECTION | STATEFUL |
|---|---|---|---|---|---|
| ipfw -q add | [00001-65535] | allow (accept, pass, permit) / check-state / deny (drop) | [log] | see next page | check-state |
![Page 20: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/20.jpg)
ipfw.rules script – rule parameters
udp | tcp | icmp – which protocol?
from src to dst – from where to where?
port number – which service?
in | out – outbound or inbound?
via IF – which network interface?
setup – matches the TCP packet that opens a session (SYN set, ACK clear)
keep-state – creates a dynamic rule for the matched flow
limit – caps the number of simultaneous connections
uid – which user?
![Page 21: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/21.jpg)
Official example
![Page 22: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/22.jpg)
Loading the script – it simply runs every command in it
# sh /etc/ipfw.rules
Run it as root. A script that will be reloaded should start with `ipfw -q -f flush` so the old rules are removed before the new ones are added, otherwise each run stacks another copy on top; and when reloading over ssh, make sure the rule allowing your own session is not left out.
![Page 23: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/23.jpg)
Viewing the rules
# ipfw -a list
The -a flag also prints the packet and byte counters of each rule; `ipfw show` is equivalent.
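The rule parameters and the first-match rule of thumb above, as an added worked example that is not from the slides or from FreeBSD itself: a small Python model of how ipfw walks a rule set, plus a generator that writes the same rules out as an /etc/ipfw.rules script. The interface em0, the 192.168.1.0/24 LAN, the host 192.168.1.66, the outside address 203.0.113.5 and the rule numbers are all constructed for illustration; keep-state is emitted in the script but dynamic state is not simulated.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example, not from the slides or FreeBSD: a first-match evaluator that
# mirrors how ipfw walks a rule set, plus a generator that emits the same rules
# as an /etc/ipfw.rules script. Interface em0, the 192.168.1.0/24 LAN, host
# 192.168.1.66 and the rule numbers are constructed for illustration.

DEFAULT_RULE = 65535  # ipfw's implicit last rule; deny unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"         # "in" or "out"
    iface: str = "em0"
    syn_only: bool = False        # TCP SYN without ACK, i.e. what "setup" matches


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    proto: str = "ip"             # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False
    keep_state: bool = False      # written to the script; dynamic state is not simulated here
    log: bool = False

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields match anything."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.setup and not p.syn_only:
            return False
        return True

    def to_ipfw(self) -> str:
        """Render this rule in ipfw's 'add' syntax: action, [log], body, options."""
        parts = ["ipfw", "-q", "add", str(self.number), self.action]
        if self.log:
            parts.append("log")
        parts += [self.proto, "from", self.src, "to", self.dst]
        if self.dport is not None:
            parts.append(str(self.dport))
        if self.direction is not None:
            parts.append(self.direction)
        if self.iface is not None:
            parts += ["via", self.iface]
        if self.setup:
            parts.append("setup")
        if self.keep_state:
            parts.append("keep-state")
        return " ".join(parts)


def first_match(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Walk the rules in ascending number order; the first match decides the packet's fate."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return DEFAULT_RULE, "deny"


def render_script(rules: List[Rule]) -> str:
    """Emit an /etc/ipfw.rules script; flushing first keeps reloads from stacking duplicate rules."""
    lines = ["#!/bin/sh", "ipfw -q -f flush"]
    lines += [r.to_ipfw() for r in sorted(rules, key=lambda r: r.number)]
    return "\n".join(lines) + "\n"


# Constructed rule set: the specific deny (one misbehaving LAN host) sits above the
# general allow for the whole LAN, as the "most specific first" rule of thumb requires.
GOOD_ORDER = [
    Rule(100, "deny", "tcp", src="192.168.1.66", dport=22, direction="in", iface="em0", log=True),
    Rule(200, "allow", "tcp", src="192.168.1.0/24", dport=22, direction="in", iface="em0",
         setup=True, keep_state=True),
    Rule(300, "allow", "icmp"),
    Rule(400, "deny", log=True),
]

# The same rules with the two numbers swapped: the general allow now shadows the specific deny.
SWAP = {100: 200, 200: 100}
BAD_ORDER = [replace(r, number=SWAP.get(r.number, r.number)) for r in GOOD_ORDER]

# Constructed sample packets (all SSH connection attempts: SYN without ACK).
SSH_FROM_BAD_HOST = Packet("tcp", "192.168.1.66", "192.168.1.1", dport=22, syn_only=True)
SSH_FROM_LAN = Packet("tcp", "192.168.1.20", "192.168.1.1", dport=22, syn_only=True)
SSH_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", "192.168.1.1", dport=22, syn_only=True)

if __name__ == "__main__":
    print(render_script(GOOD_ORDER))
    for name, pkt in [("bad host", SSH_FROM_BAD_HOST), ("LAN host", SSH_FROM_LAN), ("outside", SSH_FROM_OUTSIDE)]:
        print(name, "good order ->", first_match(GOOD_ORDER, pkt), "bad order ->", first_match(BAD_ORDER, pkt))
```

Swapping the numbers of the specific deny and the general allow is enough to let the blocked host's SSH through, which is exactly the mistake the ordering rule of thumb guards against; a LAN packet to port 22 that is not a SYN falls through to the final deny because rule 200 carries `setup`. The script text the block prints is what would go into /etc/ipfw.rules on a FreeBSD host.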
![Page 24: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/24.jpg)
iptables example
![Page 25: Ch10 firewall(2013 ncu-nos_nm)](https://reader033.vdocuments.mx/reader033/viewer/2022052508/559beeff1a28ab1b1b8b4620/html5/thumbnails/25.jpg)
Goodbye ~☆