Putting It All Together

This section is designed to demonstrate the process of developing a filter set; filters are elaborated as we go on, rather than being produced in final form. We aren't attempting to show a complete filter set for any site. Every site is different, and you can get burned by packet filtering if you don't understand all the details and implications of its use in your particular environment. We want people to carefully consider and understand what they're doing -- not blindly copy something out of a tutorial (even ours!) without a careful consideration of how relevant and appropriate it is for their own situation. In any case, a full solution for a site requires considering packet filtering, proxying, and configuration issues. That process is illustrated in "Two Sample Firewalls".

Let's start with a simple example: allowing inbound and outbound SMTP (so that you can send and receive electronic mail) and nothing else. You might start with the following rule set.

• Rules A and B allow inbound SMTP connections (incoming email).
• Rules C and D allow outbound SMTP connections (outgoing email).
• Rule E is the default rule that applies if all else fails.

TIP: We assume in this example that, for each packet, your filtering system looks at the rules in order. It starts at the top until it finds a rule that matches the packet, and then it takes the action specified.

Figure 8-8 shows this case.

Figure 8-8. Packet filtering: inbound SMTP (sample packets 1 and 2)

• Rule A permits incoming packets from the sender's SMTP client to your SMTP server (represented by packet number 1 in the preceding table).
• Rule B permits the responses from your server back to the sender's client (represented by packet number 2 in the preceding table).

Figure 8-9 shows this case.

Figure 8-9. Packet filtering: outbound SMTP (sample packets 3 and 4)

• Rule C permits outgoing packets from your SMTP client to their SMTP server (represented by packet number 3 above).
• Rule D permits the responses from their server back to your client (represented by packet number 4 above).

Figure 8-10 shows this case.

Figure 8-10. Packet filtering: inbound SMTP (sample packets 5 and 6)

• Rules A and B together do what you want to allow inbound SMTP connections.
• Rules C and D together do what you want to allow outbound SMTP connections.
• But Rules B and D together end up allowing all connections where both ends are using ports above 1023, and this is certainly not what you intended.

What can you do about this? Well, what if you also looked at the source port in making your filtering decisions? Here are those same five basic rules with the source port added as a criterion.

And here are those same six sample packets, filtered by the new rules.

As you can see, when the source port is also considered as a criterion, the problem packets (numbers 5 and 6, representing an attack on your web proxy server) no longer meet any of the rules for packets to be permitted (rules A through D). The problem packets end up being denied by the default rule.

OK, now what if you're dealing with a slightly smarter attacker? What if the attacker uses port 25 as the client port on his end (he might do this by killing off the SMTP server on a machine he controls and using its port, or by carrying out the attack from a machine that never had an SMTP server in the first place, like a PC) and then attempts to open a connection to your web proxy server? Here are the packets you'd see.

Figure 8-11 shows this case.

As you can see, the packets would be permitted, and the attacker would be able to make connections through your proxy server (as we discuss in "The World Wide Web", this would certainly be annoying and could be disastrous).

So what can you do? The solution is to also consider the ACK bit as a filtering criterion. Again, here are those same five rules with the ACK bit also added as a criterion.

Figure 8-11. Packet filtering: inbound SMTP (sample packets 7 and 8)

The only differences in this rule set are in rules B and D. Of these, rule D is the most important because it controls incoming connections to your site. Rule B applies to connections outgoing from your site, and sites are generally more interested in controlling incoming connections than outgoing connections.

Rule D now says to accept incoming packets from things that are supposedly SMTP servers (because the packets are coming from port 25) only if the packets have the ACK bit set; that is, only if the packets are part of a connection started from the inside (from your client to his server).

If someone attempts to open a TCP connection from the outside, the very first packet that he or she sends will not have the ACK bit set; that's what's involved in "opening a TCP connection". (See the discussion of the ACK bit in "TCP" of the "Protocols Above IP" discussion in "Packets and Protocols ".) If you block that very first packet (packet 7 in the preceding example), you block the whole TCP connection. Without certain information in the headers of the first packet -- in particular, the TCP sequence numbers -- the connection can't be established.

Why can't an attacker get around this by simply setting the ACK bit on the first packet? Because the packet will get past the filters, but the destination will believe the packet belongs to an existing connection (instead of the one with which the packet is trying to establish a new connection). When the destination tries to match the packet with the supposed existing connection, it will fail because there isn't one, and the packet will be rejected.

TIP: As a basic rule of thumb, any filtering rule that permits incoming TCP packets for outgoing connections (that is, connections initiated by internal clients) should require that the ACK bit be set.