Miscellaneous improvements of the first two sections:
- Don't state that firewalls and stateful filtering will always improve security, since that might not be the case.
- Change the Firewall Rulesets section to a more general Firewall Concepts section.
- Remove some basic network text which the user should already know when reading about more advanced topics, like firewalls.
- Miscellaneous rewording.

Reviewed by: -doc
Improvements by: remko, David Adam <zanchey@ucc.gu.uwa.edu.au>
This commit is contained in:
parent
2fb284c96c
commit
8fd665c892
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=23246
1 changed files with 32 additions and 53 deletions
|
@ -32,18 +32,18 @@
|
|||
<sect1 id="firewalls-intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>All software-based firewalls provide some way to filter
|
||||
<para>Firewalls make it possbile to filter
|
||||
incoming and outgoing traffic that flows through your system.
|
||||
The firewall uses one or more sets of <quote>rules</quote> to
|
||||
A firewall can use one or more sets of <quote>rules</quote> to
|
||||
inspect the network packets as they come in or go out of your
|
||||
network connections and either allows the traffic through or
|
||||
blocks it. The rules of the firewall can inspect one or more
|
||||
blocks it. The rules of a firewall can inspect one or more
|
||||
characteristics of the packets, including but not limited to the
|
||||
protocol type, the source or destination host address, and the
|
||||
source or destination port.</para>
|
||||
|
||||
<para>Firewalls greatly enhance the security of your network, your
|
||||
applications and services. They can be used to do one or more of
|
||||
<para>Firewalls can greatly enhance the security of a host or a
|
||||
network. They can be used to do one or more of
|
||||
the following things:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
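Review bot: typo in the new opening sentence of the Introduction, `<para>Firewalls make it possbile to filter`: "possbile" should read "possible". The rest of the rewording is sound; replacing "All software-based firewalls" and "your system" with the neutral "Firewalls" / "a host or a network" matches the commit's stated aim of not overstating what a firewall guarantees.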
@ -77,24 +77,24 @@
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The differences between the firewall software products
|
||||
<para>The differences between the firewalls
|
||||
built into &os;</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>How to use and configure the OpenBSD
|
||||
<application>PF</application> firewall software.</para>
|
||||
<application>PF</application> firewall.</para>
|
||||
</listitem>
|
||||
|
||||
|
||||
<listitem>
|
||||
<para>How to use and configure the
|
||||
<application>IPFILTER</application> software.</para>
|
||||
<para>How to use and configure
|
||||
<application>IPFILTER</application>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>How to use and configure the
|
||||
<application>IPFW</application> software.</para>
|
||||
<para>How to use and configure
|
||||
<application>IPFW</application>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
|
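Review bot: the three "How to use and configure" items are no longer parallel after this hunk. The IPFILTER and IPFW items were trimmed to `<para>How to use and configure` / `<application>IPFILTER</application>.</para>`, while the PF item still reads `<para>How to use and configure the OpenBSD` / `<application>PF</application> firewall.</para>`. Either trim the PF item the same way (keeping the OpenBSD attribution in the PF section itself) or keep the noun in all three so the list reads consistently.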
@ -108,51 +108,30 @@
|
|||
|
||||
</sect1>
|
||||
|
||||
<sect1 id="firewalls-rulesets">
|
||||
<title>Firewall Rule Set Types</title>
|
||||
<sect1 id="firewalls-concepts">
|
||||
<title>Firewall Concepts</title>
|
||||
|
||||
<para>Constructing a software application firewall rule set may
|
||||
seem to be trivial, but most people get it wrong. The most
|
||||
common mistake is to create an <quote>exclusive</quote> firewall
|
||||
rather than an <quote>inclusive</quote> firewall.</para>
|
||||
<para>There are two basic ways to create firewall rulesets:
|
||||
<quote>inclusive</quote> or <quote>exclusive</quote>. An
|
||||
exclusive firewall allows all traffic through except for the
|
||||
traffic matching the ruleset. An inclusive firewall does the
|
||||
reverse. It only allows traffic matching the rules through and
|
||||
blocks everything else.</para>
|
||||
|
||||
<para>An exclusive firewall allows all services through except for
|
||||
those matching a set of rules that block certain
|
||||
services.</para>
|
||||
<para>Inclusive firewalls are generally safer than exclusive
|
||||
firewalls because they significantly reduce the risk of allowing
|
||||
unwanted traffic to pass through the firewall.</para>
|
||||
|
||||
<para>An inclusive firewall does the reverse. It only allows
|
||||
services matching the rules through and blocks everything else.
|
||||
This way you can control what services can originate behind the
|
||||
firewall destined for the public Internet and also control which
|
||||
services originating from the public Internet may access your
|
||||
network. Inclusive firewalls are much, much safer than exclusive
|
||||
firewalls.</para>
|
||||
|
||||
<para>When you use your browser to access a web site there are
|
||||
many internal functions that happen before your screen fills
|
||||
with the data from the target web site. Your browser does not
|
||||
receive one large file containing all the data and display
|
||||
format instructions at one time. Each internal function accesses
|
||||
the public Internet in multiple send/receive cycles of packets
|
||||
of information. When all the packets containing the data finally
|
||||
arrive, the data contained in the packets is combined together
|
||||
to fill your screen. Each service (<acronym>DNS</acronym>,
|
||||
<acronym>HTTP</acronym>, etc) has its own port number. The port
|
||||
number 80 is for <acronym>HTTP</acronym> services. So you can
|
||||
code your firewall to only allow web page session start requests
|
||||
originating from your <acronym>LAN</acronym> to pass through the
|
||||
firewall out to the public Internet.</para>
|
||||
|
||||
<para>Security can be tightened further by telling the firewall to
|
||||
monitor the send/receive cycles of all the packets making up
|
||||
that session until the session completes. These are called
|
||||
stateful capabilities and provides the maximum level of
|
||||
protection.</para>
|
||||
|
||||
<para>A firewall rule set that does not implement stateful
|
||||
capabilities on all the services being authorized is an insecure
|
||||
firewall that is still open to many of the most common methods
|
||||
of attack.</para>
|
||||
<para>Security can be tightened further using a <quote>stateful
|
||||
firewall</quote>. With a stateful firewall the firewall keeps
|
||||
track of which connections are opened through the firewall and
|
||||
will only allow traffic through which either matches a existing
|
||||
connection or opens a new one. The disadvantage of a stateful
|
||||
firewall is that it can be vulnerable to Denial of Service
|
||||
(<acronym>DoS</acronym>) attacks if a lot of new connections are
|
||||
opened very fast. With most firewalls it is possible to use a
|
||||
combination of stateful and non-stateful behavior to make an
|
||||
optimal firewall for the site.</para>
|
||||
</sect1>
|
||||
|
||||
<sect1 id="firewalls-apps">
|
||||
|
|
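Review bot: changing the section id from `<sect1 id="firewalls-rulesets">` to `<sect1 id="firewalls-concepts">` will break any `<xref linkend="firewalls-rulesets">` elsewhere in the handbook; search the rest of the book for the old id and update those references in the same commit, or keep an anchor carrying the old id so existing links do not dangle. Also, in the new stateful-firewall paragraph, `will only allow traffic through which either matches a existing` should read "an existing". The added DoS caveat is a good replacement for the removed claim that stateful capabilities "provide the maximum level of protection", and the closing sentence about mixing stateful and non-stateful rules gives readers a practical way to weigh that trade-off.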