- Stop unauthorised access
- Block unwanted ports
- Classify and mark connections and packets for QOS or Routing Policy
Firewall Functions:
- Filter packets using filter rules
- NAT: SRCNAT and DSTNAT to translate source and destination addresses
- Mangle: to mark connections and/or packets
- RAW: drop or bypass packets before reaching the connection tracking
- Service Ports: using NAT helpers
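An added example (not from the original notes) showing the NAT, mangle, RAW and service-port functions above as RouterOS CLI commands. The topology is assumed: ether1 is the WAN uplink, ether2 the LAN, 192.168.88.0/24 the LAN subnet and 192.168.88.10 an internal web server; the connection/packet mark name "voip" is also an assumption.

```routeros
# Added example; assumed topology: ether1 = WAN, ether2 = LAN,
# LAN subnet 192.168.88.0/24, internal HTTPS server 192.168.88.10.

# SRCNAT: rewrite the source address of LAN traffic leaving via WAN to the
# router's WAN address (masquerade copes with a dynamic WAN address).
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="LAN to Internet"

# DSTNAT: rewrite the destination of inbound TCP/443 on WAN to the server.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="publish internal HTTPS server"

# Mangle: mark the connection once (only unmarked connections are tested),
# then mark every packet of that connection so a queue tree or routing
# policy can match the packet mark. passthrough=no stops at the last mark.
/ip firewall mangle
add chain=forward protocol=udp dst-port=5060 connection-mark=no-mark \
    action=mark-connection new-connection-mark=voip passthrough=yes
add chain=forward connection-mark=voip \
    action=mark-packet new-packet-mark=voip passthrough=no

# RAW: discard spoofed packets before connection tracking allocates an
# entry for them, which keeps the tracking table small under a flood.
/ip firewall raw
add chain=prerouting in-interface=ether1 src-address=192.168.88.0/24 \
    action=drop comment="LAN source address arriving from WAN is spoofed"

# Service ports: NAT helpers are enabled by default; disable the SIP helper
# when SIP phones or PBXs handle NAT traversal themselves.
/ip firewall service-port
set sip disabled=yes
```

Check the result with `/ip firewall nat print`, `/ip firewall mangle print stats` (the packet counters show whether the marks are being hit) and `/ip firewall connection print` to confirm marked connections carry the expected connection-mark.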
Chains:
- Input = to the router
- Output = from the router
- Forward = via the router
Firewall Basics:
- Rules are processed in order, top to bottom; the first matching rule decides
- Each rule is an "if <match conditions> then <action>"
- If no rule matches, the packet is accepted (the default policy is accept)
- Always add a drop rule at the bottom of each chain so unmatched traffic is dropped instead of accepted
Firewall Actions:
- Passthrough = count packets/bytes and continue to the next rule
- Drop = discard the packet silently
- Reject = discard the packet but send an ICMP error message or a TCP reset; a TCP reset kills the TCP connection instantly
- Tarpit = reply with ACK to the SYN but never open the connection, holding the client in a half-open state
Connection States:
- New: the first packet of a stream observed by the firewall is "new". The firewall checks it against the rules and, if it is allowed, the next packet in the opposite direction of that stream turns the connection into an established one.
- Established: a stream of packets that has successfully passed the firewall in both directions. Established packets are not evaluated against the rest of the rules again (they are accepted by the usual established/related rule at the top of the chain).
- Related: packets that are not part of the connection itself but belong to a connection associated with it (for example the FTP data connection opened by a tracked FTP control connection, or an ICMP error about an existing connection).
- Invalid: packets that arrived out of order at the router or carry an invalid sequence number, so they cannot be associated with any tracked connection. Best advice is to always drop them.
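An added example (not from the original notes) that puts the chains, the rule-order basics, the actions and the connection states together as a RouterOS filter set. The topology is assumed: ether1 is the WAN uplink and ether2 the LAN; the WinBox (8291) and SSH (22) ports are used only to illustrate the reject and tarpit actions.

```routeros
# Added example; assumed topology: ether1 = WAN, ether2 = LAN.
/ip firewall filter

# Input chain: traffic addressed to the router itself.
# Rules are evaluated top to bottom; the first match decides.
add chain=input connection-state=established,related action=accept \
    comment="streams already approved in both directions skip the rest"
add chain=input connection-state=invalid action=drop \
    comment="out-of-order or bad sequence number: always drop"
add chain=input in-interface=ether2 action=accept \
    comment="management from LAN"
add chain=input protocol=icmp action=accept comment="ping/traceroute"
# The other actions: reject answers with a TCP reset, tarpit acknowledges
# the SYN but never opens the connection, passthrough only counts and
# falls through to the next rule.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    action=reject reject-with=tcp-reset comment="WinBox from WAN: reset"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 \
    action=tarpit comment="SSH from WAN: hold the client half-open"
add chain=input in-interface=ether1 action=passthrough \
    comment="count everything else arriving from WAN"
add chain=input action=drop \
    comment="bottom drop: without this, unmatched packets are accepted"

# Forward chain: traffic passing through the router.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 out-interface=ether1 action=accept \
    comment="LAN to Internet"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=accept comment="only port-forwarded (DSTNAT) traffic from WAN"
add chain=forward action=drop comment="bottom drop"
```

Because the established/related accept sits first, only the first packet of each stream is matched against the longer rules below it; `/ip firewall filter print stats` shows the per-rule counters, and a rising counter on the bottom drop rule is the quickest sign that some legitimate traffic is not covered by an accept rule above it.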