::.. =[]= ..::     ::.. =[]= ..::     ::.. =[]= ..::     ::.. =[]= ..::

CgAn Course 6: Introduction to Firewalls

| November 8th, 2017 by Doemela | 1 Comment

See https://archive.cyberguerrilla.org/a/2017/cgan-teach-the-world-about-hacking-hacktivism/

About ports and IPs:
Machine attached to a network, using the tcp/ip suite of protocols, get assigned a unique IP address.
One external (or public) IP address assigned from the ISP (Internet Service provider) can be shared by many machines assigned unique internal (or private) IP adresses
This is achieved by using NAT (network address translation)
As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from a private address to the public address, when a reply is received the opposite happens.
example: A home-hub (router) get assigned the (public) IP by the ISP, the devices attached to the router get assigned internal (private) IPs like,, ..3, ..4

Any machine using the TCP/IP model makes its services available using numbered ports — one for each service that is available.
Once a client has connected to a service on a particular port, it accesses the service using a specific protocol.
A port number is a 16-bit unsigned integer, thus ranging from 0 to 65535
well-known ports (also known as system ports) are those from 0 through 1023.

Clients connect to a service at a specific IP address and on a specific port number.
For example, if a server machine is running a Web server and a file transfer protocol (FTP) server,
the Web server would typically be available on port 80, like 123.456.7.8:80,
and the FTP server would be available on port 21, like 123.456.7.8:21
a URL like http://www.example.com:8080/path/ specifies that the web browser connects to port 8080 of the HTTP server, instead of the standard port 80

A firewall is a hardware device or software application that sits between your computer and the Internet and blocks all Internet traffic from reaching your computer that you have not specifically requested.
Both have their advantages and disadvantages

Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them. The advantage of hardware-based firewalls is that they are separate devices running their own operating systems.

Most operating systems include a built-in (software) firewall feature that should be enabled for added protection even if you have an external firewall.
The advantage of software firewalls is their ability to control the specific network behavior of individual applications on a system.

Firewalls primarily help protect against malicious traffic, not against malicious programs (malware/viruses/rootkits), and may not protect you if you accidentally install malware on your computer

Each Firewall may have many different features, in terms of security the most important are inbound and outbound filtering, application protection, notifications, DMZ and stealth mode.

Filtering is when a firewall examines information passing through it and determines if that information is allowed to be transmitted and received or should be discarded based on rules or filters that have been created. This is the primary function of a firewall.
These filters can also be modified to allow certain computers on the Internet to reach your computer or for certain applications on your computer to transmit data to the Internet. How these rules should be modified is determined by your needs.

Application Integrity is when the firewall monitors the files on your computer for modification in the file or how they are launched.
When it detects such a change it will notify the user of this and not allow that application to run or transmit data to the Internet.

Stealth mode is when you are connected to the Internet and your computer can not be detected via probes to your computer
It is important for your firewall to not only block requests to reach your computer, but to also make it appear as if your computer does not even exist on the Internet.
Block outgoing ICMP echo-reply and destination-unreachable messages to hide your network

Notifications allow you to see the activity of what is happening on your firewall and for the firewall to notify you in various ways about possible penetration attempts on your computer.
Regardless of the firewall you use it is good practice to monitor the firewall logs occasionally.
By monitoring the logs of your firewall you can see what ports and services hackers are attempting to exploit.

DMZ (demilitarized zone) in firewalls refers to a part of the network that is neither part of the internal network nor directly part of the Internet and is excluded from any monitoring and filtering.

It is important to note that almost all Internet applications are created with the thought that there is no firewall in place that could change how these applications can communicate with the Internet.
In the majority of cases, these services can be enabled to work by changing certain settings in your firewall to allow incoming traffic to be received by your computer.

Type of Firewalls
There are three basic types of firewalls: packet filtering, application, and packet inspection, they are designed to control traffic flows.
The data travels through the internet in the form of packets. Each packet has a header which provides the information about the packet, its source and destination etc.

The packet filtering firewalls inspects these packets to allow or deny them. The information may or may not be remembered by the firewall.

If the information about the passing packets is not remembered by the firewall, then this type of filtering is called stateless packet filtering.

If the firewall remembers the information about the previously passed packets, then that type of filtering is stateful packet filtering (packet inspection). This type of filtering is also known as Dynamic packet filtering.

Statuful inspection uses an intelligent way to block out unauthorized traffic. It analyzes data to make sure connection requests occur in the proper sequence.

Packets that aren’t part of an authorized session are rejected.

An application firewall is an enhanced firewall that limits access by applications to the operating system (OS)
Also known as “proxy firewalls” deal with network traffic by passing all packets through a separate application that examines data at an application level.
An application firewall prevents the execution of programs or DLL (dynamic link library) files which have been tampered with and does not allow any suspected malicious code to execute.

It can accept or reject packets based on addresses, port information and application information. For instance, you can set the firewall to filter out all incoming packets belonging to EXE files, which are often infected with viruses and worms

Packet-based, application and stateful inspection used to be distinctly different types of firewalls, but today nearly all modern firewall appliances are hybrids which provide packet-based, proxy and stateful inspection fire-walling.


you have a Windows machine and would like to be able to remotely connect to your Remote Desktop from another computer.
Remote Desktop uses TCP port 3389 to accept incoming connections.

You would then change the rules on your Windows firewall to allow incoming connections to TCP port 3389, allowing you to connect to your computer remotely.

you have a Linux based firewall running IPtables and want to block access to Facebook.com
after finding the ip address of facebook.com ( facebook.com CIDR (ip address blocks for large companies) is
To prevent outgoing access, enter:
# iptables -A OUTPUT -p tcp -d -j DROP
If you have decided that you no longer want to block requests from specific IP address/hostname, you can delete the blocking rule with the following command:
# iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

you have Ubuntu linux machine running UFW (uncomplicated firewall running on iptables) and you want to alow SSH (ssh runs on port 22)

# sudo ufw allow 80 or
# sudo ufw allow ssh

*NOTE: most modern firewalls will allow adding a program/application without giving the port number
references and further reading:
http://www.vicomsoft.com/knowledge/reference/firewalls1.html (1998, old but still relevant and good diagrams)

[Mink] thanks for coming
[Mink] today we will have a look at the general idea of a Firewall, why and how to use it
[Mink] it is of course a very big topic, so we will just do an intrudaction, and it will be for all OSs
[Mink] lots of theory , i’m afraid
[Mink] anyway, you can start reading the material : https://pad.riseup.net/p/r.dcc28d11439c3bb0d7a97a03116796bf
[Chanlog] Title: Riseup Pad (at pad.riseup.net)
[l0t3D_] okay
[Mink] we’ll give about 10 minutes to read it (no rush) and then we’ll take it from there
[Mink] hello NhCK0 and TheEnvious , we just started reading the pad in the topic
[TheEnvious] hai Mink πŸ™‚
[NhCK0] Hello Mink, thank you
[Mink] welcome
[NhCK0] Thank you πŸ™‚
[nix] hello guys
[RedAcor] Reading: https://pad.riseup.net/p/r.dcc28d11439c3bb0d7a97a03116796bf
[Chanlog] Title: Riseup Pad (at pad.riseup.net)
[Mink] to really use a firewall, we first need to understand what’s an IP and what’s a “port”
[TheEnvious] RedAcor, the course is on the pad ? Or just a link ?
[TheEnvious] RedAcor, and hai πŸ™‚
[l0t3D_] Mink, how do you enable Stealth Mode?
[Mink] TheEnvious, we will read the pad first, then we’ll do a Question& Answer session
[Mink] l0t3D_, that really depend, usually it’s an option on the router
[l0t3D_] okay
[Aeolus] lol
[Aeolus] pls 10 mins
[TheEnvious] All fai box have stealth mode enabled by default…
[Aeolus] to read chat distracts me
[Aeolus] and makes me nervous
[Mink] me too πŸ™‚
[RedAcor] [Mink] just filling time.. , all those concept are the same, at home or in a big corporation
[RedAcor] [Mink] of course a big corp would have very expensive hardware router/switches/firewalls
[Mink] lol, tx RedAcor
[RedAcor] πŸ™‚
[JumPer] That iptable commands are for windows only?
[Aeolus] linux lol
[Mink] no JumPer , iptables is a linux firewall
[Mink] very powerfull
[JumPer] ohkay
[RedAcor] And very optional
[NhCK0] Linux is better than Windows for privacy and security πŸ˜‰
[Mink] yes, and on that note, I wouldn’t reccomand using the internal windows firewall
[Aeolus] RedAcor by saying very optional you suggest there is better linux software?
[Mink] believe or not iptables is very easy and simple compared to other linux firewalls
[RedAcor] Nah, i meant it has good shits to set.
[Aeolus] ok read it
[l0t3D_] done
[l0t3D_] Mink what would you recommend
[Aeolus] i believe we should first continue with the course
[Aeolus] then ask question
[RedAcor] Yeah.
[JumPer] yup
[Mink] before taking questions on the firewalls, i’d like to know if the concepts of internal/external IP and ports is clear
[n1ck1] y
[l0t3D_] so every computer connected to the internet has 2 IP’s right?
[Aspire] im really sorry
[Mink] as is often the case, there is no “best firewall”, everything depends on your requirements,
[Mink] not quite l0t3D_
[RedAcor] Aspire read and catch them: https://pad.riseup.net/p/r.dcc28d11439c3bb0d7a97a03116796bf
[Chanlog] Title: Riseup Pad (at pad.riseup.net)
[l0t3D_] one public and one private
[Mink] in a typical setup, the router would have the public IP address given by the ISP, everything else connected to the router will have an internal ip
[Arkhangel] gotcha
[JumPer] As there are limited number of public IPv4 IP’s and internet connected devices are increasing , the concept of private IP was introduced.
[Mink] yes JumPer
[Mink] otherwise your phone/tablet/smart tv would have to have their own public IP address
[l0t3D_] so the IP that is used on the internet is the internal one right?
[Mink] external/public l0t3D_
[JumPer] if you have two internet connected devices right now which are on your wifi i.e same network and not using any proxy/vpn on those devices then go to google on both devices and search “ip”. You’ll get same public in result in both devices
[JumPer] *public ip
[l0t3D_] ohh okay
[x] yes, Internet see us with our public ip
[n1ck1] will it take to finish the numbers and will IPv6 be needed?
[Arkhangel] y
[JumPer] This conversion of ip from private to public and vice-versa is done by NAT about which you can read more later on in detail
[l0t3D_] hai Arkhangel
[Arkhangel] hi l0t3D_ ^^
[Mink] n1ck1, , they decided to start “recycling” old ipv4 addresses not in use, but will happen soon
[l0t3D_] and which IP is used to identify you, which would be used in an attack for example
[n1ck1] Mink tks, I thought it would take a long time yet
[Mink] thing is now lots of devices are getting online with the IOT (internet of things) so it’s accellerating
[Mink] and many countries are getting online that weren’t before, like African countries and Asian
[Aeolus] we are fucked with ipv6
[Mink] yep
[Aeolus] i have disabled it from kernel
[Aeolus] but one day it will find us :p
[Mink] ok, let’s go on
[JumPer] public IP’s are unique , private IP’s are not unique. So public IP’s are used to identify uniquely. ISP keep logs of which IP is assigned to which device at what date andtime
[Mink] why use a firewall?
[Mink] everyone understand that?
[x] yes
[JumPer] yes
[l0t3D_] yeah
[n1ck1] the firewall always existed or was it a necessity and when?
[Mink] before the internet wasn’t really an issue, an antivirus was much more important
[Mink] now is the number one priority for security
[Mink] a firewall will stop (in theory) a number of different attacks
[Mink] from stopping a rootkit to send back data, to ddos
[Mink] as always security has a cost
[Mink] blocking services could not be what you wanted to do
[Mink] a wrong firewall rule could break a webserver
[JumPer] do our home modems/routers have firewalls ? what about android phones?
[Mink] even lock you away from your own computer (it happened to me :] )
[l0t3D_] how so Mink?
[x] each operating system has it fw
[Mink] JumPer, no, you can install a firewall on a rooted android devices
[JumPer] aight
[Mink] l0t3D_, simple, i blocked an ssh service, while i was connected with.. ssh and the firewall kicked me out
[l0t3D_] oh okay πŸ˜€
[JumPer] so u had to contact someone at facility with physical access to gain access again?
[Mink] yes JumPer
[JumPer] nice πŸ˜€
[Mink] luckily wasn’t a critical machine, just a testbox
[Mink] anyway, the standard to make a new firewall is to deny all traffic, the start opening ports as needed
[x] when a packet travels the internet
[Mink] *then
[x] it always have my host mac address?
[Mink] in a word, yes x
[x] thanks!
[Aeolus] ufw by default blocks all incoming traffic
[Aeolus] is that enough?
[Mink] ah Aeolus , but what about Outgoing traffic?
[Aeolus] thats the point
[l0t3D] ghost l0t3D_ pls
[Aeolus] its possible that
[Aeolus] a commercial program tries to auto update
[Mink] what if you install a compromised program? it will be free to send back all sort of stuff
[Aeolus] yes indeed. it will allow all traffic issued from me right?
[Aeolus] back and forth
[Mink] meh, if you made good rules
[Aeolus] one more
[Aeolus] its good to disable ICMP ?
[Mink] Aeolus, , you are referring to a basic “packet filtering” firewall, where only the IP adresses are taken in consideratioin
[Aeolus] i understand
[Mink] depends Aeolus , some apps need ICMP to work, better to allow ICMP but only if it’s not been used too much
[Mink] example, ping, uses icmp, and many consoles/games use it to check if the games servers are fast enough/alive
[Mink] thats the main reason modern firewall appliances are hybrids which provide packet-based, proxy and stateful inspection firewalling
[Aspire] how a firewall recognises the difference between a malicious connection and a good one?
[l0t3D_] firewalls don’t do DPI?
[JumPer] what’s DPI ?
[n1ck1] if an error occurs during the transmission of the packages the icmp that signals and asks for the package with error again? right?
[Mink] in a number of ways, like what port uses, what protocol, what kind of content is in the packets
[seamymsg] deep packet inspection
[l0t3D_] Deep packet inspection
[Aspire] ok
[Mink] not all firewall have those functions
[Mink] remember, security has a cost
[Mink] it can slow or halt traffic
[Mink] it can slow or halt the machine it’s running on as well (very hypothetical)
[l0t3D_] it would be better though, right?
[Mink] no l0t3D_ , would you like me to have Remote Desktop while you are doing your banking?
[Mink] or rather have the connession dropped?
[l0t3D_] connection drop
[Mink] yep
[Mink] there is a lot of different type of traffic going around
[l0t3D_] how is DPI like having remote desktop?
[Mink] l0t3D_, i have left out alot of firewall feture just not to confuse, and DPI i don’t remember mentioning
[Mink] *features
[l0t3D_] okay
[l0t3D_] and SPI is stateful firewall right?
[Mink] yes
[l0t3D_] okay thanks Mink
[Mink] buth does definition keep changing as firewalls (and attacks and vulnerabilities) keep changing
[Mink] my advice is to concentrate on the concepts, not the single features
[JumPer] Can’t believe it’s been an hour already
[Mink] fuck, we nearly out of time
[Mink] lol, yes
[Aeolus] Mink maby we cover features in other lesson?
[Aeolus] continue with the concept?
[Mink] ok, no panic, no rush
[Mink] i’d like that Aeolus , remember this is the first round of those lesson, we still don’t know if people are liking it and what works or not
[Aeolus] yes i agree it is something to be discussed another time
[Mink] ok, questions] doubts? insults?
[Aeolus] i am covered
[l0t3D_] me too, thanks
[Mink] good
[Mink] don’t be shy
[Aeolus] i see the external resources are good deal
[Mink] unfortunately this topic is a lot of theory and not much to practice together
[Mink] ok, then i declare this lesson done
[Mink] thank you very much
[l0t3D_] thanks for the lesson Mink
[JumPer] thanks man
[RedAcor] Thanks for lesson, Mink
* RedAcor hands flower to Mink
[Mink] pleasure
[seamymsg] easy to follow, and read, good energy [3
[Aeolus] we should deffinitely repeat course with features and more theory

(Visited 238 times, 1 visits today)

One Response to CgAn Course 6: Introduction to Firewalls

  1. November 11, 2017 at 02:37
    Aidan Romero says:

    FTP is complex to set up. Whereas, Binfer can be run on any machine without separate server or client components. See FTP replacement.

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.