FirewallBuilder

This is one of the simplest, most basic tasks you may want your firewall to do: block all the traffic while letting certain protocols through. Let's assume that we have a network consisting of just the firewall "firewall1" and a few hosts behind it. We want to let SMTP through to the mail server from the Internet and block everything else. All we need to do is put the following rules in the Global Policy:

Figure 14.13. Example of a Rule Permitting Only Certain Protocols to the Server and Blocking Everything Else.

Rule #0 allows SMTP through to the server, while rule #1 blocks and logs everything else. It is worth mentioning that this policy also blocks all the access to firewall itself, including access to it from internal hosts.

We do not need any additional rules to take care of "reply" packets coming back from the server to clients because our underlying firewall software supports stateful inspection and "understands" that such packets should be let through.

Here is the iptables script generated for these two simple rules:

$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rule 0 (global)
# 
$IPTABLES -A OUTPUT -p tcp -m tcp  -d 192.168.1.100  \
     --dport 25  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD -p tcp -m tcp  -d 192.168.1.100 \
     --dport 25  -m state --state NEW  -j ACCEPT 
# 
# Rule 1 (global)
# 
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT  -m state --state NEW  -j RULE_1 
$IPTABLES -A INPUT  -m state --state NEW  -j RULE_1 
$IPTABLES -A FORWARD  -m state --state NEW  -j RULE_1 
$IPTABLES -A RULE_1  -j LOG  --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A RULE_1  -j DROP 
      

The generated iptables rules were placed in both OUTPUT and FORWARD chains because the option "Assume firewall is part of any" was turned on in the "Advanced" settings dialog of this firewall object. This option directs the policy compiler to assume that the object "Any" matches the firewall itself as well. In other words, using "Any" in Source of the rule was equivalent to using a combination of any address and the firewall. The resultant iptables commands should be placed in the OUTPUT chain to match packets generated by the firewall and FORWARD to match packets crossing the firewall. If you turn this option off, the program will only generate iptables rules in the FORWARD chain for this rule.

Here is the code generated for PF for the same rule:

# Rule  0 (global)
# 
pass  quick inet proto tcp  from any  to 192.168.1.100 port 25 keep state 
# 
# Rule  1 (global)
# 
block  log  quick inet  from any  to any 
      

In PF, we do not have to worry about chains and there is no option "Assume firewall is part of any" because there is no difference.

Here is the code generated for PIX for the same rule:

! Rule  0 (global)
! 
access-list outside_acl_in  remark 0 (global)
access-list outside_acl_in permit tcp any host 192.168.1.100 eq 25 
access-list dmz50_acl_in  remark 0 (global)
access-list dmz50_acl_in permit tcp any host 192.168.1.100 eq 25 
access-list inside_acl_in  remark 0 (global)
access-list inside_acl_in permit tcp any host 192.168.1.100 eq 25 
! 
! Rule  1 (global)
! 
access-list outside_acl_in  remark 1 (global)
access-list outside_acl_in deny   ip any any log 0 interval 300 
access-list dmz50_acl_in  remark 1 (global)
access-list dmz50_acl_in deny   ip any any log 0 interval 300 
access-list inside_acl_in  remark 1 (global)
access-list inside_acl_in deny   ip any any log 0 interval 300 
      

In PIX, all access lists must be attached to interfaces of the firewall. Since the rule did not specify source address, the program has to generate access lists that would match any source, which means they should be attached to all interfaces of the firewall. Since my PIX test object has three interfaces: outside, inside and dmz, I ended up with ACL lines in three access lists, one for each interface.