Security for the masses

Firewall Types

Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Packet Filter

Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. If a packet matches a deny rule, the firewall will either reject it (discard it and send an error response) or drop it (discard it without any response). Packet filters do not care whether the packet is part of an existing connection; filtering occurs solely on the content of the packet itself, usually using a combination of source and/or destination IP address, protocol and port number. This is a first-generation firewall.

  • It's inexpensive (can be implemented as a router ACL).
  • It's fast and flexible.
  • It is transparent to users.
  • Access decisions are based only on address and port information.
  • It has no protection from IP or DNS address spoofing.
  • It doesn't support strong user authentication.
  • Configuring and maintaining ACLs can be difficult.
  • Logging information may be limited.

Application Layer Firewall

An application-layer (OSI layer 7) firewall, also known as a proxy-based firewall, can understand certain applications and protocols such as DNS, HTML and FTP. It can also detect whether a protocol is being carried on a non-standard port. An application-layer firewall may intercept all packets passing between applications, dropping those packets that are not consistent with the application protocol. This is a second-generation firewall.

  • Data packets aren't transmitted directly to the communicating hosts, thereby masking the internal network's design and preventing direct access to services on internal hosts.
  • It can be used to implement strong user authentication in applications.
  • It reduces network performance because every packet must be passed up to the Application Layer of the OSI model to be analyzed.
  • It must be tailored to specific applications. (This can be difficult to maintain or update for new or changing protocols.)

Stateful Inspection

Stateful inspection firewalls understand the context of the packet being filtered by keeping track of the connection information of the data streams passing through them. This type of firewall operates at OSI layer 3, the network layer, and is programmed to accept or reject packets based on the type of connection they match. Only packets that match a known connection state are allowed, whilst all others are rejected.

  • Speed. (After a connection is established, individual packets aren't analyzed.)
  • Support for many protocols.
  • Easy maintenance.
  • Dependence on the trustworthiness of the communicating users or hosts. (After a connection is established, individual packets aren't analyzed.)
  • Limited logging information about individual data packets is available after the initial connection is established.

Iptables

Iptables is an IP filter, so to understand how to use iptables one really must understand IP filters. An IP filter operates mainly in layer 2 of the TCP/IP reference stack. Iptables, however, also has the ability to work in layer 3, as most IP filters of today can. If an IP filter implementation strictly followed the definition, it would only be able to filter packets based on their IP headers, namely source and destination address, protocol, etc. Since the iptables implementation is not perfectly strict, it is also able to filter packets based on headers that lie deeper in the packet (TCP, UDP, etc.) and shallower (MAC source address). A very good tutorial regarding iptables can be found here.

  • The connection-tracking feature of iptables is very useful. It can be used to prevent most TCP hijackings for non-IP-masqueraded clients. This functionality can also prevent attackers from injecting spurious ICMP packets for cracking and probing.
  • Packets can now be matched based on MAC address, the local process's UID, Time To Live (TTL), or the rate at which a class of packets is being seen. These allow better detection and rejection of interlopers trying to inject packets or scan a system.
  • Iptables has the ability to REDIRECT packets and has a generalized DNAT feature that allows arbitrary changing of the destination IP address and port number.
  • To get logging, you must have two rules, one to match and LOG and one to match and DROP. This will not log the rule number that caused the logging.
  • Packets being routed through the system (not from or to the system) are not processed by either of the INPUT or OUTPUT chains, only the FORWARD and NAT chains.
  • IP Masquerading (NAT) for many applications is not supported in iptables. These include games like Quake and Unreal Tournament, and services like Real Audio and ICQ.
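The packet filter, stateful inspection and iptables sections above describe the same trade-off from three angles; the following script is an added example (not code from the original page) that makes it concrete. It emits two iptables rulesets for a dual-homed gateway: a first-generation stateless filter, which can only admit the replies to outbound connections by opening the whole ephemeral port range inbound, and a stateful one built on conntrack that admits return traffic only for connections the gateway has already seen. It also applies two of the iptables caveats listed above: routed traffic is handled only in FORWARD, and every DROP that should be visible is preceded by a matching LOG rule. The interface names, the 10.0.0.0/24 internal range and the allowed services are constructed assumptions; DRY_RUN=1 (the default) prints the commands instead of applying them, so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example: stateless vs. stateful iptables rulesets for a dual-homed
# gateway.  Interface names, the internal network and the permitted services
# are constructed for illustration, not taken from the original page.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them with iptables.

EXT_IF="${EXT_IF:-eth0}"          # interface on the untrusted network (assumed)
INT_IF="${INT_IF:-eth1}"          # interface on the trusted network (assumed)
INT_NET="${INT_NET:-10.0.0.0/24}" # constructed internal address range

fw() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# iptables logs nothing on its own: a DROP that should be visible needs its
# own LOG rule, with the same match, placed immediately before it.
log_and_drop() {
    chain="$1"; prefix="$2"; shift 2
    fw -A "$chain" "$@" -j LOG --log-prefix "$prefix" --log-level 4
    fw -A "$chain" "$@" -j DROP
}

# First-generation packet filter: with no notion of connection state, the
# return traffic of outbound web connections can only be admitted by letting
# anything sourced from port 80/443 reach the whole ephemeral port range.
stateless_ruleset() {
    fw -P FORWARD DROP
    fw -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --dport 80 -j ACCEPT
    fw -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --dport 443 -j ACCEPT
    fw -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
    fw -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
    log_and_drop FORWARD "FW-STATELESS-DROP: "
}

# Stateful inspection: packets from the untrusted side are admitted only when
# conntrack already knows the connection; new connections are accepted only
# in the direction the policy allows.  Routed traffic lives in FORWARD; only
# traffic addressed to the gateway itself is handled in INPUT.
stateful_ruleset() {
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
    # anti-spoofing: an internal source address must never arrive externally
    log_and_drop FORWARD "FW-SPOOF: " -i "$EXT_IF" -s "$INT_NET"
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    log_and_drop INPUT "FW-INPUT-DROP: "
    log_and_drop FORWARD "FW-FORWARD-DROP: "
}

# Review check on an emitted ruleset: every "-j DROP" rule must be preceded
# directly by a "-j LOG" rule, otherwise the drop would be invisible.
# Takes the name of a ruleset function; returns 0 when the check passes.
logs_precede_drops() {
    "$1" | awk '
        /-j LOG/ { prev_log = 1; next }
        /-A .* -j DROP$/ && !prev_log { bad++ }
        { prev_log = 0 }
        END { exit bad > 0 }'
}

# Usage: print the stateful ruleset for review (DRY_RUN=0 applies it instead).
stateful_ruleset
```

The anti-spoofing rule is placed before the ESTABLISHED,RELATED accept on purpose: a spoofed packet that happened to match a tracked connection would otherwise be admitted. The `logs_precede_drops` check is a cheap way to catch a DROP added later without its LOG partner.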

Firewall Architectures

There are different ways to protect networks with firewalls. The four basic types of firewall architectures are screening router, dual-homed gateway, screened-host gateway, and screened-subnet. These architectures can be expanded to create very complex architectures depending on the network requirements.

Screening router

A screening router is the most basic type of firewall architecture. An external router is placed between the untrusted and trusted networks, and a security policy is implemented by using access control lists. Although a router functions as a gateway between a trusted and untrusted network, an attacker after being granted access to the trusted network may potentially be able to compromise every machine on the network.

  • Completely transparent.
  • Relatively simple and inexpensive.
  • Is difficult to configure and maintain.
  • May have difficulty handling certain traffic.
  • Has limited or no logging available.
  • Uses no user authentication.
  • Is difficult to mask the internal network structure.
  • Has a single point of failure.
  • Doesn't truly implement a firewall choke-point strategy.

Dual-homed gateways

A dual-homed gateway or bastion host is a system with two network interfaces that sits between an untrusted and a trusted network. Bastion host is a general term often used to refer to proxies, gateways, firewalls, or any server that provides applications or services directly to an untrusted network. A bastion host is typically a hardened system employing robust security mechanisms and is often connected to the untrusted network via an external screening router. The dual-homed gateway functions as a proxy server for the trusted network and may be configured to require user authentication. A dual-homed gateway offers more fail-safe operation than a screening router because, by default, data isn't forwarded across the two interfaces.

  • It operates in a fail-safe mode.
  • Internal network structure is masked.
  • Its use may inconvenience users.
  • Proxies may not be available for some services.
  • Its use may cause slower network performance.

Screened-host gateways

A screened-host gateway employs an external screening router and an internal bastion host. The screening router is configured so that the bastion host is the only host accessible from the untrusted network (such as the Internet). The bastion host provides any required Web services to the untrusted network, such as HTTP and FTP, as permitted by the security policy. Connections to the Internet from the trusted network are routed via an application proxy on the bastion host or directly through the screening router.

  • It provides distributed security between two devices.
  • It has transparent outbound access.
  • It has restricted inbound access.
  • It's considered less secure because the screening router can bypass the bastion host for certain trusted services.
  • Masking the internal network structure is difficult.
  • It can have multiple single points of failure (router or bastion host).

Screened-subnet

The screened-subnet is perhaps the most secure firewall architecture. The screened-subnet employs an external screening router, a dual-homed (or multi-homed) host, and a second internal screening router. This implements the concept of a network DMZ (demilitarized zone). Publicly available services are placed on bastion hosts in the DMZ.

  • It's transparent to end users.
  • It's flexible.
  • Internal network structure can be masked.
  • It provides defense in depth instead of relying on a single device to provide security for the entire network.
  • Is more expensive than other firewall architectures.
  • Is more difficult to configure and maintain.
  • Can be more difficult to troubleshoot.
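To show what the screened-subnet's defense in depth looks like as a policy, here is an added example (not code from the original page) of a DMZ ruleset on a single multi-homed iptables host with three interfaces. It collapses the page's two screening routers and dual-homed host onto one box for illustration; the interface names, the address ranges, the external address and the bastion address are constructed. The untrusted side may open connections only to the published services, and those are rewritten with DNAT onto the bastion so the DMZ layout is not exposed; the trusted network is hidden behind the external address; and the DMZ may never open a connection into the trusted network, so a compromised bastion cannot pivot inward. As before, DRY_RUN=1 (the default) prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: screened-subnet (DMZ) policy on one multi-homed iptables host.
# All interface names and addresses below are constructed for illustration
# (documentation ranges), not values from the original page.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them with iptables.

EXT_IF="${EXT_IF:-eth0}"            # untrusted side (assumed)
DMZ_IF="${DMZ_IF:-eth1}"            # DMZ side (assumed)
INT_IF="${INT_IF:-eth2}"            # trusted side (assumed)
EXT_ADDR="${EXT_ADDR:-203.0.113.5}" # constructed public address of the gateway
DMZ_NET="${DMZ_NET:-172.16.1.0/24}" # constructed DMZ range
BASTION="${BASTION:-172.16.1.10}"   # constructed web bastion in the DMZ
INT_NET="${INT_NET:-10.0.0.0/24}"   # constructed trusted range

fw() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

dmz_ruleset() {
    fw -P FORWARD DROP
    # replies to any permitted connection, in either direction
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # untrusted -> DMZ: only the published services, rewritten onto the bastion
    fw -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_ADDR" -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$BASTION"
    fw -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$BASTION" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # trusted -> untrusted and trusted -> DMZ may open connections
    fw -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT
    # internal hosts are hidden behind the external address
    fw -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_ADDR"

    # DMZ -> trusted: never a new connection; log it, because it is a strong
    # indicator that a bastion has been compromised
    fw -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "FW-DMZ-TO-INT: " --log-level 4
    fw -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP

    # everything not explicitly permitted
    fw -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: " --log-level 4
    fw -A FORWARD -j DROP
}

# Review check: no ACCEPT rule may match traffic entering on the DMZ interface
# and leaving on the trusted one.  Returns 0 when the property holds.
dmz_cannot_reach_internal() {
    ! dmz_ruleset | grep -- "-i $DMZ_IF -o $INT_IF" | grep -q 'ACCEPT'
}

# Usage: print the ruleset for review (DRY_RUN=0 applies it instead).
dmz_ruleset
```

The only path from the DMZ into the trusted network is the ESTABLISHED,RELATED rule, which admits replies to connections the trusted side opened; that is the defense in depth the architecture is meant to give, since a foothold on the bastion yields no new inbound connections.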