As the number of rules grows, the performance of the firewall deteriorates as more and more tests are conducted on each datagram, and manageability becomes an issue. Secondly, it is not possible to enable and disable sets of rules atomically; instead, you are forced to expose yourself to attack while you are in the middle of rebuilding your ruleset.

The design of IP Firewall Chains helps to alleviate these problems by allowing the network administrator to create arbitrary sets of firewall rules that we can link to the three inbuilt rulesets. We can use the -N option of ipchains to create a new chain with any name we please of eight characters or less. (Restricting the name to lowercase letters only is probably a good idea.) The -j option configures the action to take when a datagram matches the rule specification. The -j option specifies that if a datagram matches a rule, further testing should be performed against a user-defined chain.

We'll illustrate this with a diagram. Consider the following ipchains commands:

    ipchains -P input DENY
    ipchains -N tcpin
    ipchains -A tcpin -s ! 172.16.0/16
    ipchains -A tcpin -p tcp -d 172.16.0/16 ssh -j ACCEPT
    ipchains -A tcpin -p tcp -d 172.16.0/16 www -j ACCEPT
    ipchains -A input -p tcp -j tcpin
    ipchains -A input -p all

We set the default input chain policy to deny. The second command creates a user-defined chain called tcpin. The third command adds a rule to the tcpin chain that matches any datagram that was sourced from outside our local network; the rule takes no action. This rule is an accounting rule and will be discussed in more detail in Chapter 10. The next two rules match any datagram that is destined for our local network and either of the ssh or www ports; datagrams matching these rules are accepted. The next rule is where the real ipchains magic begins. It causes the firewall software to check any datagram of protocol TCP against the tcpin user-defined chain. Lastly, we add a rule to our input chain that matches any datagram; this is another accounting rule. They will produce the Firewall Chains shown in Figure 9-4.

Figure 9-4. A simple IP chain ruleset

Our input and tcpin chains are populated with our rules. Datagram processing always begins at one of the inbuilt chains. We'll see how our user-defined chain is called into play by following the processing path of different types of datagrams.

First, let's look at what happens when a UDP datagram for one of our hosts is received. Figure 9-5 illustrates the flow through the rules.

Figure 9-5. The sequence of rules tested for a received UDP datagram

The datagram is received by the input chain and falls through the first two rules because they match ICMP and TCP protocols, respectively. It matches the third rule in the input chain, but it doesn't specify a target, so its datagram and byte counters are updated, but no other action takes place. The datagram reaches the end of the input chain, meets with the default input chain policy, and is denied.

To see our user-defined chain in operation, let's now consider what happens when we receive a TCP datagram destined for the ssh port of one of our hosts. The sequence is shown in Figure 9-6.

Figure 9-6. The rules flow for a received TCP datagram for ssh

This time the second rule in the input chain does match and it specifies a target of tcpin, our user-defined chain. Specifying a user-defined chain as a target causes the datagram to be tested against the rules in that chain, so the next rule tested is the first rule in the tcpin chain. The first rule matches any datagram that has a source address outside our local network and specifies no target, so it too is an accounting rule and testing falls through to the next rule. The second rule in our tcpin chain does match and specifies a target of ACCEPT. We have arrived at a target, so no further firewall processing occurs. The datagram is accepted.

Finally, let's look at what happens when we reach the end of a user-defined chain. To see this, we'll map the flow for a TCP datagram destined for a port other than the two we are handling specifically, as shown in Figure 9-7.

Figure 9-7. The rules flow for a received TCP datagram for telnet

The user-defined chains do not have default policies. When all rules in a user-defined chain have been tested, and none have matched, the firewall code acts as though a RETURN rule were present, so if this isn't what you want, you should ensure you supply a rule at the end of the user-defined chain that takes whatever action you wish. In our example, our testing returns to the rule in the input ruleset immediately following the one that moved us to our user-defined chain. Eventually we reach the end of the input chain, which does have a default policy, and our datagram is denied.

This example is very simple, but illustrates our point. A more practical use of IP chains would be much more complex
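As an added illustration, not code from the book, the following Python model implements the traversal semantics just described: accounting rules that only bump counters, the jump into a user-defined chain, the implicit RETURN when a user-defined chain runs off its end, and the inbuilt chain's default policy. It is loaded with the page's own ruleset and replays the three datagrams of Figures 9-5 to 9-7; the 10.0.0.5 source and 172.16.1.1 destination addresses are constructed, and ports 22 and 80 stand in for the ssh and www service names.

```python
# Added example (not the book's code): a toy model of ipchains chain traversal loaded with the page's ruleset.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
LOCAL = "172.16.0.0/16"  # the book's 172.16.0/16, spelled out for the ipaddress module

@dataclass
class Rule:
    proto: Optional[str] = None    # -p tcp/udp/icmp; None means -p all
    src: Optional[str] = None      # -s network; src_negate models the "!" in "-s ! 172.16.0/16"
    src_negate: bool = False
    dst: Optional[str] = None      # -d network
    dport: Optional[int] = None    # destination port (ssh = 22, www = 80)
    target: Optional[str] = None   # -j ACCEPT/DENY/RETURN or a chain name; None = accounting only
    packets: int = 0               # counter, bumped on every match whether or not there is a target

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and (ip_address(pkt["src"]) in ip_network(self.src)) == self.src_negate:
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

POLICY = {"input": "DENY"}                                        # ipchains -P input DENY
CHAINS = {
    "tcpin": [Rule(src=LOCAL, src_negate=True),                   # -A tcpin -s ! 172.16.0/16
              Rule(proto="tcp", dst=LOCAL, dport=22, target="ACCEPT"),   # ... ssh -j ACCEPT
              Rule(proto="tcp", dst=LOCAL, dport=80, target="ACCEPT")],  # ... www -j ACCEPT
    "input": [Rule(proto="tcp", target="tcpin"),                  # -A input -p tcp -j tcpin
              Rule()],                                            # -A input -p all (accounting)
}

def walk(chain: str, pkt: dict) -> Optional[str]:
    """Return ACCEPT/DENY, or None when a user-defined chain runs off its end (implicit RETURN)."""
    for rule in CHAINS[chain]:
        if not rule.matches(pkt):
            continue
        rule.packets += 1                       # counters update on every match, even without a target
        if rule.target is None:                 # accounting rule: fall through to the next rule
            continue
        if rule.target in ("ACCEPT", "DENY", "RETURN"):
            return None if rule.target == "RETURN" else rule.target
        verdict = walk(rule.target, pkt)        # jump into the user-defined chain
        if verdict is not None:
            return verdict
    return POLICY.get(chain)                    # inbuilt chain: default policy; user chain: None

# Constructed datagrams mirroring the book's Figures 9-5 to 9-7 (external source, local destination).
UDP_DNS = {"proto": "udp", "src": "10.0.0.5", "dst": "172.16.1.1", "dport": 53}
TCP_SSH = {"proto": "tcp", "src": "10.0.0.5", "dst": "172.16.1.1", "dport": 22}
TCP_TELNET = {"proto": "tcp", "src": "10.0.0.5", "dst": "172.16.1.1", "dport": 23}
```

Calling walk("input", pkt) on each datagram reproduces the three outcomes in the text, and the packets counters on the two accounting rules show which datagrams passed through them.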