Firewall SPI and Packet Filter
Zeroshell, using Netfilter and the Linux iptables, can be configured to act as a firewall that protects the LAN from attacks and port scans coming from the WAN. Zeroshell can operate both as a Packet Filter, i.e. filtering on conditions (rules) set on the packet headers, and as a Stateful Packet Inspection (SPI) firewall, i.e. filtering packets according to their correlation with already opened connections or with packets that have already transited.
The rules are collected in lists called chains. The preset chains are: the INPUT chain, whose rules apply to packets entering the Zeroshell box and directed to its local processes; the OUTPUT chain, whose rules apply to packets generated by local processes and leaving the box; and the FORWARD chain, which applies to packets transiting the box, i.e. packets that undergo routing or bridging. Note that in the latter case it is possible to specify whether a rule applies only to routed packets, only to bridged packets, or to both. To make the programming of the firewall rules more modular, new lists (user-defined chains) can be created; these can be the target of the preset chains or of other chains defined by the administrator.
The possible targets, i.e. the actions carried out on a packet that meets the criteria defined in a rule, include:
- ACCEPT: the packet passes the firewall and continues towards its destination;
- DROP: the packet is discarded and therefore never reaches its destination. The sender receives no message indicating the failure to deliver;
- REJECT: like DROP, except that the sender receives an ICMP error message, selected by the administrator, warning of the failure to deliver;
- CHAIN: a user-defined chain is specified, which takes control. If the packet does not meet the criteria of any rule in that chain, control returns to the calling chain;
- RETURN: control returns to the calling chain; if RETURN is invoked from a preset chain, the packet follows the default policy.
For the preset chains a so-called Default Policy is set, which can be ACCEPT or DROP and is applied to packets that meet no rule.
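The chain traversal described above (preset chains with a default policy, user-defined chains entered through a CHAIN target, RETURN handing control back, and negated criteria) can be modelled in a few dozen lines. The following is an added example and not Zeroshell code; the interface names (ETH00 as LAN, ETH01 as WAN), addresses and ports it uses are assumptions chosen for the illustration.

```python
# Added example, not Zeroshell code: a toy model of the iptables chain
# traversal described above (preset chains with a default policy, user-defined
# chains entered through a CHAIN target, RETURN semantics, negated criteria).
# Interface names (ETH00 = LAN, ETH01 = WAN), addresses and ports are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # header fields, e.g. {"in": "ETH00", "proto": "tcp", "dport": 80}


@dataclass
class Criterion:
    """One match condition; negate=True inverts it (any criterion may be negated)."""
    test: Callable[[Packet], bool]
    negate: bool = False

    def matches(self, pkt: Packet) -> bool:
        return self.test(pkt) != self.negate


@dataclass
class Rule:
    criteria: List[Criterion]
    target: str   # ACCEPT, DROP, REJECT, RETURN, or the name of a user-defined chain

    def matches(self, pkt: Packet) -> bool:
        return all(c.matches(pkt) for c in self.criteria)


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # ACCEPT/DROP for preset chains, None for user chains


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def add(self, chain: Chain) -> None:
        self.chains[chain.name] = chain

    def evaluate(self, name: str, pkt: Packet) -> Optional[str]:
        """Walk a chain; returns a final verdict, or None when a user chain hands control back."""
        chain = self.chains[name]
        for rule in chain.rules:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            if rule.target == "RETURN":
                break                                   # leave this chain now
            verdict = self.evaluate(rule.target, pkt)   # CHAIN target: user chain takes control
            if verdict is not None:
                return verdict
            # user chain matched nothing or RETURNed: continue with the next rule here
        # end of chain or RETURN: a preset chain applies its default policy, a user chain returns None
        return chain.policy


def has(key: str, *values: object) -> Criterion:
    """Criterion that is true when the packet field `key` is one of `values`."""
    return Criterion(lambda p, k=key, v=values: p.get(k) in v)


def build_firewall() -> Firewall:
    fw = Firewall()
    # FORWARD: traffic routed through the box; default policy DROP
    fw.add(Chain("FORWARD", policy="DROP", rules=[
        Rule([has("in", "ETH00")], "lan_out"),                        # LAN traffic handled by a user chain
        Rule([has("in", "ETH00"), has("proto", "icmp")], "ACCEPT"),   # reached only after a RETURN below
    ]))
    fw.add(Chain("lan_out", rules=[
        Rule([has("proto", "icmp")], "RETURN"),                       # hand ICMP back to FORWARD
        Rule([has("proto", "tcp"), has("dport", 80, 443)], "ACCEPT"),
        # only the mail relay may open SMTP sessions: negated source-IP criterion
        Rule([has("proto", "tcp"), has("dport", 25),
              Criterion(lambda p: p.get("src") == "192.168.0.10", negate=True)], "REJECT"),
        Rule([has("proto", "tcp"), has("dport", 25)], "ACCEPT"),
    ]))
    return fw


def verdict(pkt: Packet) -> str:
    """Verdict for a transiting packet, starting from the preset FORWARD chain."""
    return build_firewall().evaluate("FORWARD", pkt)


if __name__ == "__main__":
    samples = [  # constructed packets
        {"in": "ETH00", "proto": "tcp", "src": "192.168.0.20", "dport": 443},  # ACCEPT
        {"in": "ETH00", "proto": "tcp", "src": "192.168.0.20", "dport": 25},   # REJECT
        {"in": "ETH00", "proto": "tcp", "src": "192.168.0.10", "dport": 25},   # ACCEPT
        {"in": "ETH00", "proto": "tcp", "src": "192.168.0.20", "dport": 22},   # DROP (default policy)
        {"in": "ETH00", "proto": "icmp", "src": "192.168.0.20"},               # ACCEPT via RETURN
        {"in": "ETH01", "proto": "tcp", "src": "203.0.113.7", "dport": 443},   # DROP (default policy)
    ]
    for p in samples:
        print(p, "->", verdict(p))
```

The ICMP case shows the two RETURN behaviours side by side: the user chain lan_out returns control to FORWARD, which keeps evaluating its remaining rules, whereas a packet that exhausts FORWARD itself (the SSH attempt) falls through to the DROP default policy.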
The packet filter criteria include:
- Input: the network interface through which the packet enters the firewall. It can be an Ethernet interface, a VPN, a point-to-point link, a bridge, a bond or an 802.1Q VLAN applied to one of the previous interfaces;
- Output: the network interface through which the packet leaves the firewall. It can be an Ethernet interface, a VPN, a point-to-point link, a bridge, a bond or an 802.1Q VLAN applied to one of the previous interfaces;
- Source IP: the source IP address of the packet. It can be expressed as a single IP, a subnet or an address range;
- Destination IP: the destination IP address of the packet. It can be expressed as a single IP, a subnet or an address range;
- Fragments: matches the second and subsequent fragments of a fragmented IP packet;
- Source MAC: the source MAC address of the packet;
- Protocol Matching: filters at layer 4 (transport) that depend on the protocol selected. In particular, for TCP they include source port, destination port, options and connection flags (SYN, ACK, FIN, RST, URG, PSH);
- Time Matching: the time of day and day of the week during which the rule applies.
The Stateful Packet Inspection criteria include:
- NEW: the packet opens a new layer-4 connection;
- ESTABLISHED: the packet belongs to an already established connection;
- RELATED: the packet is correlated to an already established connection; typically this is an ICMP error message;
- INVALID: the packet is malformed.
Note that each criterion can be negated and that the packet filter criteria can be combined with the SPI criteria in the same rule, which makes the firewall rules very flexible.
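To make the four connection states concrete, here is an added example (not Zeroshell's or Netfilter's conntrack) of a toy connection tracker that classifies packets as NEW, ESTABLISHED, RELATED or INVALID against a flow table, combined with the usual SPI policy of accepting replies, dropping malformed packets and allowing new connections only from the LAN. Interface names (ETH00 as LAN, ETH01 as WAN), addresses and ports are assumptions; only TCP, UDP and ICMP error messages are modelled, and the real conntrack treats some of these cases differently depending on its settings.

```python
# Added example, not Zeroshell's or Netfilter's conntrack: a toy connection
# tracker that classifies packets as NEW, ESTABLISHED, RELATED or INVALID
# against a flow table, plus a typical SPI policy on top of it.
# Interface names (ETH00 = LAN, ETH01 = WAN), addresses and ports are assumptions.
from typing import Dict, List, Set, Tuple

Packet = Dict[str, object]
FlowKey = Tuple[object, ...]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent 5-tuple so that replies map onto the same flow."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


class ConnTracker:
    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()   # flows that have been accepted so far

    def classify(self, pkt: Packet) -> str:
        proto = pkt["proto"]
        if proto == "icmp":
            # An ICMP error quotes the header of the packet that triggered it;
            # it is RELATED when that packet belongs to a tracked flow.
            if pkt.get("error_of") is not None:
                return "RELATED" if flow_key(pkt["error_of"]) in self.flows else "INVALID"
            return "NEW"                     # other ICMP (e.g. echo) is not modelled further here
        if flow_key(pkt) in self.flows:
            return "ESTABLISHED"
        if proto == "tcp":
            flags = set(pkt.get("flags", ()))
            if not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
                return "INVALID"             # contradictory or empty flag combination
            if flags == {"SYN"}:
                return "NEW"
            return "INVALID"                 # mid-stream segment with no tracked flow (this toy's choice)
        return "NEW"                         # UDP: the first datagram opens the flow

    def commit(self, pkt: Packet) -> None:
        """Record an accepted NEW connection so its replies become ESTABLISHED."""
        if pkt["proto"] in ("tcp", "udp"):
            self.flows.add(flow_key(pkt))


def spi_verdict(tracker: ConnTracker, pkt: Packet, lan_if: str = "ETH00") -> Tuple[str, str]:
    """Typical SPI policy: allow replies, drop malformed packets, allow NEW only from the LAN."""
    state = tracker.classify(pkt)
    if state in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"
    elif state == "INVALID":
        verdict = "DROP"
    else:
        verdict = "ACCEPT" if pkt["in"] == lan_if else "DROP"
    if state == "NEW" and verdict == "ACCEPT":
        tracker.commit(pkt)                  # only accepted connections enter the flow table
    return state, verdict


def run_trace(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Feed a packet sequence through one tracker; returns (state, verdict) per packet."""
    tracker = ConnTracker()
    return [spi_verdict(tracker, p) for p in packets]


# Constructed sample traffic, in arrival order.
DNS_QUERY = {"in": "ETH00", "proto": "udp", "src": "192.168.0.5", "sport": 53001,
             "dst": "203.0.113.53", "dport": 53}
SAMPLE: List[Packet] = [
    # LAN client opens HTTP to a WAN server, and the server answers
    {"in": "ETH00", "proto": "tcp", "src": "192.168.0.5", "sport": 40000,
     "dst": "203.0.113.80", "dport": 80, "flags": ["SYN"]},
    {"in": "ETH01", "proto": "tcp", "src": "203.0.113.80", "sport": 80,
     "dst": "192.168.0.5", "dport": 40000, "flags": ["SYN", "ACK"]},
    # WAN host tries to open SSH into the LAN
    {"in": "ETH01", "proto": "tcp", "src": "198.51.100.9", "sport": 5555,
     "dst": "192.168.0.5", "dport": 22, "flags": ["SYN"]},
    # LAN DNS query, then an ICMP port-unreachable from the server quoting it
    DNS_QUERY,
    {"in": "ETH01", "proto": "icmp", "src": "203.0.113.53", "dst": "192.168.0.5",
     "error_of": DNS_QUERY},
    # stray ACK from the WAN with no tracked flow
    {"in": "ETH01", "proto": "tcp", "src": "198.51.100.9", "sport": 5556,
     "dst": "192.168.0.5", "dport": 445, "flags": ["ACK"]},
    # SYN+FIN from the LAN: malformed
    {"in": "ETH00", "proto": "tcp", "src": "192.168.0.5", "sport": 40001,
     "dst": "203.0.113.80", "dport": 80, "flags": ["SYN", "FIN"]},
]

if __name__ == "__main__":
    for pkt, (state, verdict) in zip(SAMPLE, run_trace(SAMPLE)):
        print(f"{pkt['in']} {pkt['proto']:4} -> {state:11} {verdict}")
```

The point to notice is that the states are properties of the tracker, not of the packet alone: the WAN SYN/ACK is ESTABLISHED only because the LAN SYN was accepted and committed first, and the same SYN arriving from the WAN is NEW but dropped by the interface criterion.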