Introduction
The firewalling subsystem is the component that blocks
network traffic. It is unrelated to the intrusion detection
component, and is therefore controlled by a different configuration
file.
The technology behind virtually all firewalls is "port"
and "IP address" filtering. The port
number generally identifies the type of traffic, so blocking
a port blocks that kind of traffic.
Overall Format
The following lists the major sections within the file.
MANUAL filters are those set by the user, whereas auto filters are
those set automatically by the intrusion detection system. Port filters
are separated into two sections: the low ports are below 1024, the
high ports are 1024 or above. Each section can be configured
either to "ACCEPT" or "REJECT" matching traffic by default.
This means that if a section is labeled "ACCEPT" by default,
any rules within that section that also "ACCEPT" are unnecessary.
They are retained, however, because the user might change the section
to "REJECT", at which point the "ACCEPT" rules become necessary,
and the "REJECT" rules become redundant.
- [PARMS]
  This controls special filters, such as those that block
  certain attacks against the system at a layer below
  port/address filters. See article q000077
  for more information on these filters.
- [MANUAL IP ACCEPT]
  This section is for all IP address filters set
  by the user in the "Trusted Addresses" dialog.
- [MANUAL UDP low REJECT]
  UDP port filters below 1024.
- [MANUAL UDP high ACCEPT]
  UDP port filters 1024 and above.
- [MANUAL TCP low REJECT]
  TCP port filters below 1024.
- [MANUAL TCP high ACCEPT]
  TCP port filters 1024 and above.
- [auto IP xxx]
- [auto UDP low xxx]
- [auto UDP high xxx]
- [auto TCP low xxx]
- [auto TCP high xxx]
  The same as the corresponding MANUAL sections above, except for
  automatically set filters. The user should not
  edit these sections.
Rule format
Each rule has the format:
[ACCEPT/REJECT], [port/ip-address], name, timestamp, expiration
An example would be:
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
The name and timestamp fields are not used by the firewall; they are
provided to make the rules easier for humans to read.
The expiration field is very important. It gives the timestamp
at which the rule expires. Once that time is reached, the rule
is removed from the file. When the intrusion detection subsystem
sets auto rules, it gives them an expiration timestamp
in the future; rules that should never expire use "PERPETUAL".
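The section layout and the rule format above are simple enough to parse and evaluate directly. The following is an added example, not code from the product or the original article: it parses a constructed sample file laid out as the sections describe, decides a port or address against one section (first matching rule wins, otherwise the section default), flags rules that are redundant because they repeat the section default, and prunes rules whose expiration has passed. The function names, the sample addresses and the sample auto rule are assumptions of this example.

```python
"""Parser and evaluator for the firewall rule layout described above.
Added example; the sample file below is constructed and the function
names are this example's own, not the product's API."""
import re
from datetime import datetime

PERPETUAL = "PERPETUAL"
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Section headers: [MANUAL|auto] [IP|UDP|TCP] [low|high (ports only)] [ACCEPT|REJECT]
SECTION_RE = re.compile(
    r"^\[(MANUAL|auto) (IP|UDP|TCP)(?: (low|high))? (ACCEPT|REJECT)\]$")

# Constructed sample in the layout the article describes (not a real config).
SAMPLE_CONFIG = """
[MANUAL IP ACCEPT]
ACCEPT, 192.0.2.10, trusted workstation, 1999-07-22 20:26:53, PERPETUAL

[MANUAL UDP low REJECT]
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
ACCEPT, 123, NTP, 1999-07-22 20:26:53, PERPETUAL

[MANUAL TCP low REJECT]
ACCEPT, 80, HTTP server, 1999-07-22 20:26:53, PERPETUAL

[auto TCP high ACCEPT]
REJECT, 31337, auto-blocked after probe, 1999-07-22 20:26:53, 1999-07-23 20:26:53
"""


def band_for(port):
    """Port filters are split at 1024: below is 'low', 1024 and above is 'high'."""
    return "low" if port < 1024 else "high"


def parse_timestamp(text):
    return datetime.strptime(text, TS_FMT)


def parse_rule(line):
    """Parse '[ACCEPT/REJECT], [port/ip-address], name, timestamp, expiration'."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        raise ValueError("rule needs exactly five comma-separated fields: %r" % line)
    action, target, name, stamp, expiry = parts
    if action not in ("ACCEPT", "REJECT"):
        raise ValueError("unknown action %r" % action)
    # name and timestamp are informational only; expiration is what matters.
    expires = None if expiry == PERPETUAL else parse_timestamp(expiry)
    return {"action": action, "target": target, "name": name, "expires": expires}


def parse_config(text):
    """Return {(source, proto, band): {'default': ..., 'rules': [...]}}.
    band is None for IP sections, which are not split by port range."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            source, proto, band, default = m.groups()
            current = (source, proto, band)
            sections[current] = {"default": default, "rules": []}
            continue
        if current is None:
            raise ValueError("rule before any section header: %r" % line)
        sections[current]["rules"].append(parse_rule(line))
    return sections


def is_active(rule, now):
    return rule["expires"] is None or rule["expires"] > now


def expire_rules(sections, now):
    """Drop rules whose expiration has passed; returns how many were removed."""
    removed = 0
    for sec in sections.values():
        keep = [r for r in sec["rules"] if is_active(r, now)]
        removed += len(sec["rules"]) - len(keep)
        sec["rules"] = keep
    return removed


def section_decision(sections, key, target, now):
    """First active rule matching the port or address wins; otherwise the
    section's default applies."""
    sec = sections[key]
    for rule in sec["rules"]:
        if is_active(rule, now) and rule["target"] == str(target):
            return rule["action"]
    return sec["default"]


def redundant_rules(sections):
    """Rules whose action equals their section default: harmless now, but they
    become the effective rules if the section default is later flipped."""
    return [(key, r["target"]) for key, sec in sections.items()
            for r in sec["rules"] if r["action"] == sec["default"]]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    now = parse_timestamp("1999-07-24 00:00:00")
    print("expired rules removed:", expire_rules(cfg, now))
    print("UDP/137 ->", section_decision(cfg, ("MANUAL", "UDP", "low"), 137, now))
    print("redundant:", redundant_rules(cfg))
```

The decision is deliberately per section: the article does not state how MANUAL, auto and IP sections are combined when more than one matches, so the example does not guess a precedence. The expiration check is applied both when pruning the file and when evaluating, so a rule that has expired but not yet been removed from the file no longer affects the decision.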
Examples
The following articles demonstrate solving specific problems
by reconfiguring the filters:
- q000012
  Allowing access to an FTP and HTTP server.
- q000017
  Getting an ICQ client to function at "Paranoid" level.
- q000021
  General server issues.
- q000030
  Blocking IP addresses.
- q000066
  LapLink.
- q000069
  Home network filtering.
- q000070
  NTP/SNTP time synchronization.
- q000077
  Special filters.
Common Ports
Here is a list of common ports you might want to open in
the firewall. Remember, you should only open the absolute
minimum set of ports needed to run the system.
| Port | Protocol | Used by |
|---|---|---|
| UDP 67 | bootp/DHCP | DHCP server |
| UDP 137 | NetBIOS | WINS server |
| UDP 520 | RIP | Router Information |