Chapter 20.  The Mac OS X Server Firewall


20.1. A Firewall's Place in Network Communication

A good way to achieve an understanding of how network communication works from end to end is to analyze each of the logical components required for effective communication. An abstracted description of this process is provided by something called the Open Systems Interconnection (OSI) Reference Model (see Figure 20-1).

Without going into excruciating detail on the OSI Reference Model, it is important to note that firewalls operate at a specific place within this model, and the implementation and administration of a firewall is more or less independent of other areas in the model. For example, it doesn't matter which specific Ethernet card is in use on a server, or what sort of data is passing through the network. This model exists to help achieve a high degree of transparency or abstraction between layers. As long as the various layers in the model interact in well-defined and agreed-upon ways, the specific nature of a given component does not matter. The layers in the model help clearly define the logical functions required for effective network communication, which helps ensure compatibility.

Figure 20-1. The OSI Reference Model. Firewalls operate at layers 3 and 4.

In a generic example of network communication between two computers attached to the same physical network, information flows from Layer 7 down to Layer 1 on one computer, at which point it is transported across some physical medium, arrives at the destination computer, and moves from Layer 1 back up to Layer 7. At each layer, different pieces of software or hardware operate on the data and pass it to the next layer.

Network communication is facilitated in large part by protocol suites, or stacks. On the Internet, the primary protocol suite is IP (Internet Protocol), which exists at the Network layer (Layer 3). IP provides a means by which computers can be distinguished from other computers; in a word, addressing. This is also where route selection occurs; using IP it is possible to know whether another computer is on a local network. This feature provides criteria used to determine where to send data to get it closer to the destination. The Transport layer (Layer 4) includes subprotocols of IP such as TCP or UDP, and the firewall has the ability to inspect these protocols as well.

Before we can understand how a firewall does its job, it's important to understand what data looks like at Layers 3 and 4 of the OSI reference model, because this is where firewalls do their work.



20.1.1. Packet-Switched Networking

A useful method of describing the nature of the Internet (and packet-switched networks in general) is by comparison to circuit-switched (sometimes called connection oriented) networks. The telephone system is a good example of a circuit-switched network. In a circuit-switched network, there is a dedicated channel (in most familiar cases, represented by a physical line) that is used for the duration of a conversation. All communication during that conversation travels along the same physical path between the two endpoints. Because the channel is dedicated, it can be used for only one connection at a time.

In a packet-switched network, by contrast, the transmission medium (perhaps also a physical line) is not dedicated to a single connection, and may be used to facilitate many conversations with different endpoints at once. The information payload is broken up into chunks and sent across the network in small pieces. In order to share the transmission medium between multiple conversations, packet-switched networks require a way to identify which data belongs to which conversation so that it can be routed correctly. Another important attribute of packet-switched networks is that the physical path taken by any given packet can change at any time for a variety of reasons. Given the meshed nature of the Internet, this design can provide some degree of fault tolerance, allowing data to be routed around problem areas (such as a fiber cut). On the Internet, there is no guarantee that a packet will reach its destination, and so reliability mechanisms are implemented in Layer 4 (the Transport layer), most notably by Transmission Control Protocol (TCP).

The term packet is the name given to data at Layer 3 of the OSI model. A general term for logical chunks regardless of layer is protocol data unit, or PDU; at Layer 3, PDUs are called packets. Other examples of packets are parcels that move through the postal system, or even automobiles on the road. In each case, there are units that move throughout the system, sharing the transmission medium with other units that may have a different source or destination, and being routed based primarily on the destination.

In the case of the Internet, and the OSI reference model in general, another important function is encapsulation. This process adds a header to the data unit. A header contains information about the payload of the unit, and is prepended to the unit itself. Familiar examples of encapsulation include the address labels placed on a package to be snail-mailed, the wrapping placed around the package, and perhaps a smaller box around the item inside the package.

Information being sent from a computer flows down from Layer 7 to Layer 1, and each layer encapsulates the data handed to it from the above layer by adding a header. Once the data reaches the destination machine, it travels from Layer 1 to Layer 7, and at each layer, the appropriate header is decapsulated and interpreted by protocols operating in that layer. A given header is generally used only by protocols that operate at the same or adjacent layer in which that header was added. For example, an IP firewall pays attention to headers used only at Layers 3 and 4 (see Figures 20-2 and 20-3). A firewall does its job by acting upon information found in packet headers.

Figure 20-2. An Ethernet frame containing an IP packet of type TCP; in this case, part of an SSH session. The IP header portion is highlighted.
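As an added illustration of the decapsulation just described (this is example code, not from the book or from Apple), the following Python walks a constructed Ethernet frame carrying an IPv4/TCP SYN and pulls out exactly the Layer 3 and Layer 4 fields a packet filter such as ipfw matches on: addresses, protocol, ports, and whether the TCP flags mark a new session (SYN set, ACK clear, which is what ipfw's "setup" keyword tests). The frame bytes, MAC addresses and IP addresses are made up for the example; checksums are left as zero and are not verified.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frame (not a capture from the book): an Ethernet II frame
# carrying an IPv4 packet of type TCP, a SYN from 192.168.1.10:50000 to
# 192.168.1.1:22. Checksums are left as zero; this example does not verify them.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"           # Layer 2: dst MAC, src MAC, EtherType 0x0800
    "4500" "0028" "1c46" "4000" "40" "06" "0000"    # Layer 3: IPv4 header, 20 bytes
    "c0a8010a" "c0a80101"                           #          src 192.168.1.10, dst 192.168.1.1
    "c350" "0016" "00000001" "00000000"             # Layer 4: TCP header, 20 bytes
    "5002" "ffff" "0000" "0000"                     #          data offset 5, flags SYN
)

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


def parse_frame(frame):
    """Decapsulate Ethernet -> IP -> TCP/UDP and return the Layer 3/4 fields a
    packet filter matches on. Layer 2 is used only to find the IP header;
    an IP firewall ignores the rest of it."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    (version_ihl, _tos, total_len, _ident, _frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", ip[:12])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4                  # header length in bytes (options included)
    pkt = {"proto": PROTO_NAMES.get(proto, str(proto)),
           "src": str(IPv4Address(ip[12:16])),
           "dst": str(IPv4Address(ip[16:20])),
           "ttl": ttl}
    l4 = ip[ihl:total_len]                          # the Layer 4 PDU encapsulated in the packet
    if proto in (6, 17):                            # TCP and UDP both start with src/dst port
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6:
        flags = struct.unpack("!H", l4[12:14])[0] & 0x01FF
        pkt["syn"] = bool(flags & 0x02)
        pkt["ack"] = bool(flags & 0x10)
        # ipfw's "setup" keyword matches SYN set and ACK clear: an attempt to open a session
        pkt["setup"] = pkt["syn"] and not pkt["ack"]
    return pkt


if __name__ == "__main__":
    for field, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{field:6s} {value}")
```

Everything the parser returns comes from the two highlighted regions of Figures 20-2 and 20-3, the IP header and the TCP header; nothing from the Ethernet header or the payload is needed, which is why a packet filter can ignore what kind of network card or application is involved.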



20.1.2. Filtering Packets

A packet filter is a more specific term than firewall, because it reveals more about the inner workings: it operates at Layer 3, filtering packets. In the case of Mac OS X and Mac OS X Server, the packet filter in use is called ipfw, which stands for IP Firewall. Other packet filters vary in supported features and administration details, but the general idea is the same. This chapter focuses squarely on ipfw, as that's what Apple includes.



ipfw operates by inspecting each packet as it moves through the system, inbound and outbound. After each packet inspection, ipfw consults a list of rules. The rules each have a number, and are evaluated in ascending order until a rule is found that fits, or matches the packet. Once a rule matches, that rule's action is taken, and ipfw moves on to the next packet, starting back at the beginning of the rule set. A basic rule has three primary functional components: rule number, action, and criteria used to match packets to the rule. The list of available criteria and actions is somewhat long; however, effective firewall configurations are often relatively simple.

Figure 20-3. Same Ethernet frame as in Figure 20-2, but with the TCP header highlighted.

Perhaps the best place to begin understanding how packet filter rules work is by looking at the default rules that ship with Mac OS X Server. We'll cover how to view and set rules shortly, but for now, open a Terminal window and execute the following command to produce a list of the current rules:

    andre@core [~] sudo ipfw show
    01000 0 0 allow ip from any to any via lo0
    01010 0 0 deny ip from any to 127.0.0.0/8
    01020 0 0 deny ip from 224.0.0.0/4 to any in
    01030 0 0 deny tcp from any to 224.0.0.0/4 in
    12300 0 0 allow tcp from any to any 22 in
    12301 0 0 allow udp from any to any 22 in
    12302 0 0 allow tcp from any to any 311 in
    12303 0 0 allow tcp from any to any 625 in
    12304 0 0 allow tcp from any to any 687 in
    12305 0 0 allow icmp from any to any in icmptype 0
    12306 0 0 allow igmp from any to any in
    63200 0 0 deny icmp from any to any in icmptype 0
    63300 0 0 deny igmp from any to any in
    65000 0 0 deny tcp from any to any in setup
    65535 0 0 allow ip from any to any



The number in the first column is the rule number (remember that rules are evaluated in ascending order). The second and third columns are counters that represent the number of packets and bytes matched by each rule. The counters are all empty because the firewall service is not yet enabled. The remaining elements specify the action (allow or deny in this example), followed by an expression that defines which packets will match the rule. Note that some of the rules include more elements than others, while some rules look very similar to each other.

These are the default firewall rules used in Panther Server. A recommended form for a packet filter rule set is to allow only the desired packets to pass, and then deny what isn't wanted by using a "catchall" rule that would match everything that isn't expressly allowed by a higher-priority rule. This approach is evident in the structure of the default rule set. It is a secure default that approximates the security of being behind a NAT router, though it does stop short of the "default deny" commonly found at the end of packet filter configurations; we "allow" instead. Any incoming TCP connections except those that facilitate remote administration of the server are blocked. The default rule set also allows our server to make unrestricted outgoing connections, the responses to which are allowed; for example, an admin logs into the console and hits a remote web site. This packet filter rule set is a secure and functional default for Mac OS X Server.



All traffic is allowed when the firewall is disabled, and it is disabled by default. However, the firewall is only a first line of defense. Just because traffic is not blocked at the network layer doesn't mean that it can't be denied at higher layers. A well-configured server is pretty secure without a firewall, because just about every service provides ways to control who can access that service.



As an introduction to understanding ipfw packet filter rules, let's take a close look at the default rule set:



01000

This rule allows any IP packets on the interface lo0, which is the local loopback interface. lo0 is a virtual interface that is used only to send traffic between services running on the local machine. This rule is first because many packets match this rule, and we want those packets to be dispatched as quickly as possible.

01010

Deny any IP packets being sent to the address 127.0.0.1 (the address of the local loopback). We know that any legitimate local traffic would have been matched by the first rule, so anything that matches this rule is treated as an attempt by an external source to spoof the IP of the local loopback, and is dropped.

01020

Drop any incoming IP traffic (IP includes TCP, UDP, and ICMP) originating from a multicast address. Multicast traffic that you might want (such as Rendezvous) originates from other hosts, not from the 224/4 range.

01030

Drop any incoming TCP traffic sent to a multicast address. Multicast traffic that you might want (Rendezvous) is UDP, not TCP, so it will not be blocked by this rule.



12300 through 12304

These rules "poke holes" for essential services for remote administration. These are SSH (port 22), Server Admin (311 and 687), and Directory Service (625, provides remote directory access). These rules are here so that you can enable the firewall service without changing the default configuration. Plus, it doesn't lock you out.

12305

Allow incoming ICMP (Internet Control Message Protocol, one of IP's subprotocols) echo replies from anywhere, which allows ping responses back in. There are several types of ICMP packets; type 0 is "echo reply," which is the response a host will send after receiving an "echo request" (aka ping).

12306

Allow incoming ICMP, used by multicast-enabled routers to track multicast group membership.

63200

Deny incoming ping replies. Apple considers this rule and the next two unmodifiable, and they support the "allow what you want and deny everything else" mindset. In the case of the default rule set, this rule should never match, due to rule 12305. This rule is here to disallow ping functionality unless it is explicitly allowed by a higher-priority rule. As a side note, this seems like a strange thing to do, as this rule won't stop the server from being pinged from elsewhere; it only stops us from being able to see ping results.

63300

Deny incoming ICMP (but this traffic is allowed by a higher-priority rule in the default rule set).

65000

Block any incoming TCP packets that are attempting to establish a new session. The "setup" option at the end causes this rule to match only TCP packets that are attempting to open a new TCP session. This rule's result is similar to what happens in a NAT situation; TCP sessions that traverse the firewall are allowed only if initiated from inside the network.
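To make the first-match evaluation concrete, here is an added Python example (not code from the book or from Apple's ipfw) that parses the default rule set printed above into a small rule table and walks it in ascending order for a handful of constructed sample packets. It handles only the keywords that rule set uses (from/to, an optional destination port, in/out, via, setup, icmptype) and represents a packet as a plain dictionary, so it runs anywhere without ipfw installed. The interface names and addresses in the sample packets are made up.

```python
import ipaddress

# The Panther Server default rule set as printed by `ipfw show` above,
# embedded as text so the example runs without ipfw installed.
DEFAULT_RULES = """\
01000 0 0 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
01020 0 0 deny ip from 224.0.0.0/4 to any in
01030 0 0 deny tcp from any to 224.0.0.0/4 in
12300 0 0 allow tcp from any to any 22 in
12301 0 0 allow udp from any to any 22 in
12302 0 0 allow tcp from any to any 311 in
12303 0 0 allow tcp from any to any 625 in
12304 0 0 allow tcp from any to any 687 in
12305 0 0 allow icmp from any to any in icmptype 0
12306 0 0 allow igmp from any to any in
63200 0 0 deny icmp from any to any in icmptype 0
63300 0 0 deny igmp from any to any in
65000 0 0 deny tcp from any to any in setup
65535 0 0 allow ip from any to any
"""


def parse_rule(line):
    """Split one `ipfw show` line into number, action and match criteria.
    Only the subset of ipfw syntax used by the default rule set is handled."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[3], "proto": tok[4],
            "src": tok[6], "dst": tok[8], "dport": None, "dir": None,
            "via": None, "setup": False, "icmptype": None}
    i = 9
    if i < len(tok) and tok[i].isdigit():        # optional destination port
        rule["dport"] = int(tok[i])
        i += 1
    while i < len(tok):
        if tok[i] in ("in", "out"):
            rule["dir"] = tok[i]
        elif tok[i] == "via":
            i += 1
            rule["via"] = tok[i]
        elif tok[i] == "setup":                   # SYN without ACK: a new TCP session
            rule["setup"] = True
        elif tok[i] == "icmptype":
            i += 1
            rule["icmptype"] = int(tok[i])
        i += 1
    return rule


def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["dir"] is not None and pkt["dir"] != rule["dir"]:
        return False
    if rule["via"] is not None and pkt.get("iface") != rule["via"]:
        return False
    if rule["setup"] and not pkt.get("setup", False):
        return False
    if rule["icmptype"] is not None and pkt.get("icmptype") != rule["icmptype"]:
        return False
    return True


def evaluate(rules, pkt):
    """First match wins: walk rules in ascending number order, return (number, action)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; a real ipfw always ends with rule 65535")


RULES = [parse_rule(line) for line in DEFAULT_RULES.splitlines() if line.strip()]

# Constructed sample packets (not captures). 'setup' marks a TCP SYN with no ACK.
SAMPLE_PACKETS = {
    "loopback":      {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "dport": 3306,
                      "dir": "in", "iface": "lo0", "setup": True},
    "spoofed_lo":    {"proto": "tcp", "src": "10.0.0.5", "dst": "127.0.0.1", "dport": 3306,
                      "dir": "in", "iface": "en0", "setup": True},
    "ssh_in":        {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "dport": 22,
                      "dir": "in", "iface": "en0", "setup": True},
    "http_in_syn":   {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "dport": 80,
                      "dir": "in", "iface": "en0", "setup": True},
    "http_reply_in": {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.1", "dport": 51000,
                      "dir": "in", "iface": "en0", "setup": False},
    "ping_reply_in": {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.1",
                      "dir": "in", "iface": "en0", "icmptype": 0},
    "ping_req_in":   {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.1",
                      "dir": "in", "iface": "en0", "icmptype": 8},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        num, action = evaluate(RULES, pkt)
        print(f"{name:14s} -> rule {num:05d} {action}")
```

Running it shows the points made rule by rule above: the spoofed loopback packet falls through rule 01000 (wrong interface) and is dropped by 01010; an inbound SSH SYN is accepted by 12300 while an inbound SYN to port 80 reaches 65000 and is denied; a non-SYN inbound segment (the reply half of an outbound connection) is passed by the catchall 65535; an echo reply is accepted by 12305 before 63200 can ever see it; and an echo request is not covered by any icmptype rule, so it too reaches 65535, which is why the author notes that 63200 does not stop the server from being pinged.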

So far, we have seen only fairly basic ipfw rules. The actions in these rules have been only allow or deny, though there are other actions. Table 20-1 lists the other actions that can be taken, with short descriptions of each.

Table 20-1. Rule actions for ipfw.

    Action        Description
    allow         Let the packet through
    deny          Don't allow the packet
    unreach       Deny the packet and try to notify the sender that it was denied
    reset         Deny the packet and send a TCP reset (similar to unreach)
    count         Update counters (useful for collecting stats/reporting)
    check-state   Used for stateful packet inspection
    divert        Send packet to another port on the local machine
    tee           Send a copy of the packet to another port on the local machine
    fwd           Used for transparent proxying


