What is a Firewall?
A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate unwanted network communication while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from accessing your servers in malicious ways.
This guide will discuss how these firewalls work, with a focus on stateful software firewalls, such as iptables and FirewallD, as they relate to cloud servers. We'll start with a brief explanation of TCP packets and the different types of firewalls. Then we'll discuss a variety of topics that are relevant to stateful firewalls.
TCP Network Packets
Before discussing the different types of firewalls, let's take a quick look at what Transmission Control Protocol (TCP) network traffic looks like.
TCP network traffic moves around a network in packets, which are containers that consist of a packet header (containing control information such as source and destination addresses and packet sequence information) and the payload data. While the control information in each packet helps to ensure that its associated data gets delivered properly, the elements it contains also give firewalls a variety of ways to match packets against firewall rules.
It is important to note that successfully receiving incoming TCP packets requires the receiver to send outgoing acknowledgment packets back to the sender. The combination of the control information in the incoming and outgoing packets can be used to determine the connection state (e.g. new, established, related) between the sender and receiver.
Types of Firewalls
Let's quickly discuss the three basic types of network firewalls: packet filtering (stateless), stateful, and application layer.
Packet filtering, or stateless, firewalls work by checking individual packets in isolation. As such, they are not aware of connection state and can only allow or deny packets based on individual packet headers.
Stateful firewalls are able to determine the connection state of packets, which makes them much more flexible than stateless firewalls. They work by collecting related packets until the connection state can be determined before any firewall rules are applied to the traffic.
Application firewalls go one step further by analyzing the data being transmitted, which allows network traffic to be matched against firewall rules that are specific to individual services or applications. These are also known as proxy-based firewalls.
In addition to firewall software, which is available on all modern operating systems, firewall functionality can also be provided by hardware devices, such as routers or firewall appliances. Again, our discussion will focus on stateful software firewalls that run on the servers they are intended to protect.
As mentioned above, network traffic that traverses a firewall is matched against rules to determine whether it should be allowed through or not. An easy way to explain what firewall rules look like is to show a few examples, so we'll do that now.
Suppose you have a server with this list of firewall rules that apply to incoming traffic:
- Accept new and established incoming traffic to the public network interface on ports 80 and 443 (HTTP and HTTPS web traffic)
- Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22 (SSH)
- Accept new and established incoming traffic from your office IP range to the private network interface on port 22 (SSH)
Note that the first word in each of these examples is an action: "accept", "reject", or "drop". This specifies what the firewall should do in the event that a piece of network traffic matches a rule. Accept means to allow the traffic through, reject means to block the traffic but reply with an "unreachable" error, and drop means to block the traffic and send no reply. The rest of each rule consists of the condition that each packet is matched against.
As it turns out, network traffic is matched against a list of firewall rules in a sequence, or chain, from first to last. More specifically, once a rule is matched, the associated action is applied to the network traffic in question and no further rules are checked. In our example, if an accounting employee attempted to establish an SSH connection to the server, their traffic would be dropped based on rule 2, before rule 3 is even checked. A system administrator, however, would be accepted because they would match only rule 3.
It is typical for a chain of firewall rules to not explicitly cover every possible condition. For this reason, firewall chains must always have a default policy specified, which consists only of an action (accept, reject, or drop).
Suppose the default policy for the example chain above was set to drop. If any computer outside of your office attempted to establish an SSH connection to the server, the traffic would be dropped because it does not match the conditions of any rules.
If the default policy were set to accept, anyone, except your own non-technical employees, would be able to establish a connection to any open service on your server. This would be an example of a very poorly configured firewall because it only keeps a subset of your employees out.
Incoming and Outgoing Traffic
As network traffic, from the perspective of a server, can be either incoming or outgoing, a firewall maintains a distinct set of rules for either case. Traffic that originates elsewhere, incoming traffic, is treated differently than outgoing traffic that the server sends. It is typical for a server to allow most outgoing traffic because the server is usually, to itself, trustworthy. Still, the outgoing rule set can be used to prevent unwanted communication in the case that a server is compromised by an attacker or a malicious executable.
In order to maximize the security benefits of a firewall, you should identify all of the ways you want other systems to interact with your server, create rules that explicitly allow them, then drop all other traffic. Keep in mind that the appropriate outgoing rules must be in place so that a server will allow itself to send outgoing acknowledgements to any appropriate incoming connections. Also, as a server typically needs to initiate its own outgoing traffic for various reasons—for example, downloading updates or connecting to a database—it is important to include those cases in your outgoing rule set as well.
Writing Outgoing Rules
Suppose our example firewall is set to drop outgoing traffic by default. This means our incoming accept rules would be useless without complementary outgoing rules.
To complement the example incoming firewall rules (1 and 3) from the example above, and allow proper communication on those addresses and ports to occur, we could use these outgoing firewall rules:
- Accept established outgoing traffic to the public network interface on ports 80 and 443 (HTTP and HTTPS)
- Accept established outgoing traffic to the private network interface on port 22 (SSH)
Note that we don’t need to explicitly write a rule for incoming traffic that is dropped (incoming rule 2) because the server doesn’t need to establish or acknowledge that connection.
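To make the first-match and default-policy behaviour of the two example chains concrete, here is an added simulator (example code, not from the original article) that evaluates packet headers against incoming rules 1 to 3 and the two outgoing rules above. The office range, the non-technical workstation address and the packet field names are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumed for this example, not from the article).
OFFICE_RANGE = ip_network("203.0.113.0/24")      # "your office IP range"
NON_TECHNICAL = {ip_address("203.0.113.50")}      # e.g. the accounting workstation
CONN_STATES = ("NEW", "ESTABLISHED")               # states the incoming rules accept

def packet(peer, iface, port, state):
    """The header fields the example rules look at: remote address, interface
    ("public"/"private"), server-side service port, and connection state."""
    return {"peer": ip_address(peer), "iface": iface, "port": port, "state": state}

def evaluate(chain, policy, pkt):
    """First-match semantics: walk the chain in order and stop at the first rule
    whose condition holds; if none matches, the chain's default policy applies.
    Returns (action, rule_number); rule_number is None for the default policy."""
    for number, (action, condition) in enumerate(chain, start=1):
        if condition(pkt):
            return action, number
    return policy, None

# Incoming rules 1-3 from the article, each as (action, condition).
INCOMING = [
    ("accept", lambda p: p["iface"] == "public" and p["port"] in (80, 443)
                         and p["state"] in CONN_STATES),
    ("drop",   lambda p: p["peer"] in NON_TECHNICAL and p["port"] == 22),
    ("accept", lambda p: p["peer"] in OFFICE_RANGE and p["iface"] == "private"
                         and p["port"] == 22 and p["state"] in CONN_STATES),
]
# The complementary outgoing rules: only replies on already-established connections.
OUTGOING = [
    ("accept", lambda p: p["iface"] == "public" and p["port"] in (80, 443)
                         and p["state"] == "ESTABLISHED"),
    ("accept", lambda p: p["iface"] == "private" and p["port"] == 22
                         and p["state"] == "ESTABLISHED"),
]

def incoming(pkt, policy="drop"):
    return evaluate(INCOMING, policy, pkt)

def outgoing(pkt, policy="drop"):
    return evaluate(OUTGOING, policy, pkt)

if __name__ == "__main__":
    print(incoming(packet("203.0.113.50", "private", 22, "NEW")))   # ('drop', 2)
    print(incoming(packet("203.0.113.10", "private", 22, "NEW")))   # ('accept', 3)
    print(incoming(packet("198.51.100.7", "private", 22, "NEW")))   # ('drop', None)
    print(outgoing(packet("198.51.100.7", "public", 443, "NEW")))   # ('drop', None)
```

The last call shows why a drop policy on the outgoing chain needs extra rules for traffic the server initiates itself (such as fetching updates): a NEW outgoing connection matches neither reply rule and falls through to the policy.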
Firewall Software and Tools
Now that we’ve gone over how firewalls work, let’s take a look at common software packages that can help us set up an effective firewall. While there are many other firewall-related packages, these are effective and are the ones you will encounter the most.
Iptables is the standard firewall included in most Linux distributions by default (a modern variant called nftables is beginning to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the network interface against a set of rules to decide what to do.
UFW, which stands for Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.
FirewallD is a complete firewall solution available by default on CentOS 7 servers. Incidentally, FirewallD uses iptables to configure netfilter.
Fail2ban is intrusion prevention software that can automatically configure your firewall to block brute-force login attempts and DDoS attacks.