Building Your Own Low Cost Firewall
We've all heard the term "firewall" to describe making a network more secure, but what does this mean? Aren't Internet firewalls supposed to be complicated and expensive? Not at all! This page explains the basic firewall concept and how you can use IPNetRouter to implement a completely "bullet-proof" firewall.
"Firewall" is actually a generic term for a mechanism that enforces an access policy. The basic building blocks of network firewalls are IP routers with filtering and proxy servers.
A "classic" firewall configuration uses two routers with a "Bastion Host" between them. One or more proxy servers on the Bastion Host selectively authenticate and log specific requests. Since IPNetRouter runs as software on a Macintosh, you can combine the routing, filtering, and proxy function in a single machine.
Consider a Macintosh with two Ethernet interfaces (E0 and E1). IPNetRouter provides full IP filtering on each Ethernet interface, and routing between them. Here's a simple block diagram:
IPNetRouter provides one kind of built-in proxy service: Network Address Translation (aka NAT or IP Masquerading). NAT prevents access from the public Internet to your private LAN, while still allowing clients on your private LAN to access the public Internet. By itself, and with NO filters or port mapping entries added, IPNetRouter completely protects your CLIENT machines from outside access. (To understand how Network Address Translation works, refer to the Inbound Port Mapping page. ) For the gateway machine itself we strongly recommend that you do NOT run any servers or server type services (e.g. web sharing) UNLESS it is your intention to provide public access to these services.
In summary, just by running IPNetRouter as a NAT router, your network becomes very secure and you actually have quite a solid firewall in place. There is, however, the possibility of unauthorized and remote use of your gateway machine as a router or some other machine pretending to be your router. To prevent this we use packet filters.
A Full Firewall for users with a Static IP Address
Let's assume that:
- We have a static IP address for our gateway machine.
- Only the gateway machine will have access to BOTH the Internet and our private LAN and it is running an email server.
- Our client machines will access the gateway machine to retrieve/send email but NOT have access to the Internet.
- There will be no outside access from the Internet to any of our client machines.
- On the gateway machine, our Internet connection is via the built-in ethernet port and our private LAN is connected to the slot 1 ethernet port.
- We want to be absolutely sure that ONLY our designated client machines will be able to access our gateway machine(e.g. prevent IP spoofing ).
To create a firewall for this situation we must use filters.
Starting from the block diagram above we would configure the IP filters as follows:
- Set the filter on the Internet side to block any inbound packets whose source IP address matches the network number used for our LAN and the gateway itself. This insures any packets received by the gateway with the source IP address from our LAN must have come from our LAN (no IP spoofing from the public Internet is allowed).
- Set the filter on the Internet side to block any outgoing packets that don't originate from the gateway itself (source IP address must match the IP address of the gateway).
- Similarly, set the filter on the LAN side to block any outbound packets that don't originate from the gateway.
- Set the filter on the LAN side to block any inbound packets that are not from our LAN (source IP address does not match the network number of our LAN). This prevents machines on our LAN from trying to use a different network number (IP spoofing), and also prevents packets from our LAN being forwarded to the Internet since the filter on the Internet side will only pass packets that originate from the gateway, not from our LAN.
With this setup, no traffic can be routed directly between the Internet and our LAN. It must pass through a server on the gateway and then be resent from the gateway itself (only the gateway is allowed to originate traffic in both directions).
By putting a mail server on the gateway, hosts on our LAN and hosts on the public Internet can both send and receive email from this server, but can never talk to each other directly. We can now post company information on our "Intranet" using web servers on the LAN. The public Internet will never be able to see these servers since they are behind our firewall.
Here's what this setup might look like using IPNetRouter. Suppose we have been assigned a static IP address of 220.127.116.11 by our ISP, and will use IP addresses from the range 192.168.0.x for our LAN. The filters described above can be specified as follows.
(NOTE: the list window above has been expanded to show all 8 filters at once).
The 18.104.22.168 address is used on E0 (Ethernet Built-in) attached to the public Internet.
We use 192.168.0.1 on E1 (Ethernet Slot 1) attached to our LAN.
Filters are invoked from TOP to BOTTOM. Hence the strategy is to first add a filter which BLOCKS all traffic on a specific interface, then add a PASS filter which will permit specific connections (datagrams). This is typically refered to as "punching a hole" into a firewall.
How does this work? Let's examine the filter order as seen by IPNetRouter:
Filter Order (top to bottom)
||The first filter PASSes all packets RECEIVED on our slot 1 ethernet port which originated from our private subnet (only machines in our 192.168.0.1/24 subnet).
||Net Result of Filters 1 & 2: Only client machines connected through the slot 1 port within our designated 192.168.0.1/24 subnet can use the IPNetRouter gateway.
||2nd Filter: All other RECEIVED packets on this slot 1 interface are BLOCKed.
||3rd Filter: This filter PASSes all packets SENT from the gateway onto the private LAN.
||Net Result of Filters 3 & 4: Only packets originating from the gateway machine can be SENT out to our client machines.
||4th Filter: All other packets SENT out of the gateway onto the private LAN to any other machine are BLOCKed.
||5th Filter: This filter permits the gateway machine to SEND packets out to the Internet over the built-in ethernet port.
||Net Result of Filters 5 & 6: Only packets originating from the gateway machine can be SENT out to the Internet.
||Filter: All other packets SENT out of the gateway to the Internet are BLOCKed.
||This filter BLOCKs all packets from the Internet which claim to originate from the same IP address as our gateway.
||Net Result of Filter 7: Our gateway has a unique, public IP address. No other packets received should have this same IP address...if so, BLOCK them.
||This filter BLOCKs any packets received from the public Internet that claim to originate from our private LAN (192.168.0.1/24)
||Net Result of Filter 8: Our private subnet is strictly reserved to be used by client machines connected through the Slot 1 interface. All external attempts to use the gateway from a machine on the Internet and having an IP address within our private subnet will be BLOCKed.
Filtering is performed before Network Address Translation (NAT) for transmitted datagrams, and after NAT for received datagrams. This allows you to filter on the "Actual LAN Address" as opposed to the "Apparent Gateway Address".
A More Practical Firewall for users with a Static IP Address
If you carefully followed the example above, you will note that this is an absolute firewall. Not only will it prevent outside users from getting in to your LAN, but it will also prevent any client machines from getting out to the Internet! This is the way most good network administrators start building a firewall:
1. First prevent all access.
2. Then permit any specific access on a case by case basis (commonly called "punching holes in a firewall").
Most users of IPNetRouter, however, want all client machines to have access to the Internet, while preventing any intrusions into their client machines or unauthorized use of their router (i.e. spoofing). If you followed the example above, and understand the net results of invoking all of the eight filters, you will see that the way to let our client machines to access the Internet is to remove filter lines 3, 4, 5 and 6 of the above example.
This is what the IP Filtering window would look like (once again assuming the fixed IP address you have been assigned is 22.214.171.124):
A More Practical Firewall for users with a Dynamic IP Address
Cable modem users are often assigned a dynamic IP address (through DHCP from their ISP), but still want the protection of a firewall while letting all their client machines access to the Internet. In this case, we simply replace the filter with the fixed IP address (second line from the bottom) with an entry for a dynamic IP address. To do this, just enter 0.0.0.1/32 in the Source Net edit box. Your IP Filtering window should appear similar to this:
And if you really want to be a stickler....
There is one additional filter which can be added to the top of each of the above examples which will even further secure your private LAN. Most of the time this is not necessary, since most users of IPNetRouter are also the administrator of their own small private LAN. This filter simply ensures that no one else on the private LAN is claiming to be the gateway machine (which is not an easy thing to do anyway...since you would have to spoof packets). This filter would look like this:
With this filter, all packets RECEIVED on the slot 1 interface and claiming to be from 192.168.0.1 (our IPNetRouter address) would be BLOCKed.
But, as mentioned previously, if you are in control of all the machines on your private LAN, there is very little use or need for this additional filter.
Building a Firewall and using the DHCP Server within IPNetRouter
If you are using the DHCP server within IPNetRouter to dynamically assign IP addresses on your private LAN, then you have to add yet one more PASS filter to any of the above examples. The reason is that we are BLOCKING all incoming packets into the Slot 1 ethernet interface which are not originating from the local 192.168.0.1/24 subnet...and our client machines do not yet have an IP address in this subnet range (remember, these client machines are using DHCP to get an IP address assigned to them).
To remedy this, we add the following filter which permits incoming DHCP discover and request messages:
This filter PASSes all UDP protocol port 68 messages (DHCP negotiation messages) which are received on our internal ethernet interface so that the DHCP server within IPNetRouter can handle them.
Order of NAT, Filtering, and Routing
Proxy instance Proxy instance
Consider a packet travelling from the Internet to the LAN (left to right). Following the diagram above the order of processing is:
- Packet originates from Internet
- NAT on Internet side of gateway (reverse IP masquerading)
- Filtering on Internet side of gateway
- Routed by IP
- Filtering on LAN side of gateway
- NAT on LAN side of gateway (no operation).
- Packet delivered to LAN
For packets from the LAN to the Internet, the order is reversed. Following the diagram from right to left:
- Packet originates from LAN
- NAT on LAN side of gateway if Local NAT is enabled
- Filtering on LAN side of gateway
- Routed by IP
- Filtering on Internet side of gateway
- NAT (IP masquerading) on Internet side of gateway
- Packet sent on to destination on Internet
The Single Ethernet case is similar except that Local NAT is not available. Specifically, the instance of the Proxy module enabled
for IP masquerading is now also processing packets between IP and the LAN. It does not translate datagrams to or from our "Private Network" so that IP masquerading will work correctly in this configuration.
It's a Wrap
Firewalls don't have to be complicated or expensive. A firewall is simply a mechanism for enforcing an access policy. The first step in choosing a firewall is to consider what access policies you wish to enforce. Using IPNetRouter, you can turn an existing Mac into a rock solid firewall router...for a lot less $ than any other commercial hardware based firewall router.
Just remember: first BLOCK...then PASS (and you only have to enter PASS filters when you want to punch holes in your Firewall).
There's lots of information about "firewalls" available on the web. Visit your favorite web search engine for more information.
Copyright 2000 by Sustainable Softworks.