Configuring the firewall, Introduction, Firewall fundamentals – RuggedCom RuggedRouter RX1100 User Manual



14. Configuring The Firewall

Revision 1.14.3


RX1000/RX1100™


14.1. Introduction

This chapter familiarizes the user with:

• Enabling/Disabling The Firewall

• Elements of Firewall design

• How to configure the Firewall

• Checking Firewall configuration

14.2. Firewall Fundamentals

Firewalls are software systems designed to prevent unauthorized access to or from private networks.
Firewalls are most often used to prevent unauthorized Internet users from accessing private networks
(intranets) connected to the Internet.

When the RuggedRouter firewall is enabled, the router serves as a gateway through which all traffic
entering or leaving the intranet passes. The router examines each packet and blocks those that do
not meet the configured security criteria. The router can also act as a proxy, preventing direct
communication between computers on the Internet and computers on the intranet: a proxy can restrict
the kinds of communication allowed between two hosts and perform address translation on their behalf.

14.2.1. Stateless vs Stateful Firewalls

Firewalls fall into two broad categories: stateless and stateful (session-based).

Stateless or "static" firewalls decide the fate of each packet without regard to the history of the
connection it belongs to, simply opening a "hole" for a traffic type (based on the TCP or UDP port
number). Stateless filtering is a relatively simple affair and easily handles web and e-mail traffic.
It has disadvantages, however. Every hole opened in the firewall stays open permanently; there is
no opening and closing of holes in response to connection state or any other outside criterion, so
any packet that carries the right port numbers is admitted whether or not an inside host asked for
it. Static IP filters also offer no form of authentication.

Stateful firewalling adds considerable complexity to the filtering process by tracking the state of
each connection.

A stateful firewall also examines each packet and applies tests, but the tests applied, the "rules",
may change depending on packets that have already been processed. This is called "connection
tracking": a reply is admitted because the firewall remembers the outbound packet that solicited it,
not because a hole was left open for its port. Stateful firewalls can also recognize that traffic on a
related set of TCP/UDP ports belongs to a particular protocol (for example an FTP control connection
and the data connection it negotiates) and manage that traffic as a whole.

14.2.2. Linux® netfilter, iptables And The Shoreline Firewall

The RuggedRouter employs a stateful firewall system known as netfilter: a set of hooks built into the
Linux kernel's IP stack, together with loadable kernel modules (connection tracking among them), that
hand every packet passing a hook to the firewall for session-based examination.

The netfilter system uses rulesets, ordered collections of packet classification rules that determine
the outcome of examining a specific packet: the first rule a packet matches decides its fate, and a
chain's default policy applies when no rule matches. The rules are written with iptables, a generic
table-and-chain syntax and user-space utility program for the configuration and control of netfilter.
