Managed Firewall Frequently Asked Questions

This document is intended as a primer on firewalls primarily directed at ServePath's dedicated server hosting clients. It is not meant to be comprehensive and it does not claim to be a treatise on the subject of firewalls or managed services.

Introduction to Firewalls
What is a firewall?
How does a firewall work?
What is a firewall policy?
What is a Packet Filter?
Will ServePath manage my software (host) based firewall?
Will ServePath manage my hardware based firewall? (NetScreen 5GT)

Windows Firewalls
How is my Windows Firewall configured?
What is Windows Firewall?
How do I start Windows Firewall?
What is a Windows Firewall Exception?
What is a Scope?
What is a Port?
How do I create an exception by Program?
How do I create an exception by Port?
How do I create an exception by Service?
Why can't I remote desktop to my server?
Why can't I ping my server?
Where can I find more information on Windows Firewalls?

Linux Firewalls - iptables
How is my Linux Firewall (iptables) configured?
What is Iptables?
Do I have iptables on my Server?
How does iptables work?
How do I start iptables?
How do I use iptables?
How do I create a rule?
Is the ordering of the rules important?
What is a Target?
What is a User Defined chain?
How do I save my rules?
Where can I get more information on iptables?

Netscreen 5GT Firewalls
How is my NetScreen 5GT Firewall configured?
What is a NetScreen 5GT?
What are the operational specifications?
What is a 10 User License?
What is a Session?
What is a Policy?
How does a Policy work?
How do I create a Policy?
How do I create a Policy for a Specific Port?
How do I change the Order of Policies?
How do I Access My NetScreen Management Page?
How do I Restrict Management Access to My NetScreen?
What is ServePath's Ingress Access List?
How do I Setup Screens?
Why does My Server have Intermittent Connectivity Issues?
How do I check the number of Active Users?
What is NetScreen's Port Mode?
How do I update the firmware?

Don't see your question? Contact Us!


Introduction to Firewalls

What is a firewall?
A firewall is a system, either hardware or software-based, that controls access between two or more networks. More specifically, a firewall can protect your internal network from unauthorized connections from an untrusted zone like the Internet.

How does a firewall work?
A firewall filters network traffic by enforcing an access control policy. It inspects each incoming or outgoing packet, compares the packet's attributes (source and destination address, protocol, port, and so on) against an ordered set of rules, and when a rule matches, carries out the action that rule specifies, for example accepting or rejecting the packet. If no rule matches, a default action is taken.

What is a firewall policy?
A firewall policy is a rule set up by an administrator that allows or disallows network traffic. Policies are arguably the most important part of a firewall. They are the rules that control the traffic in to and out of your network.

What is a Packet Filter?
A packet filter is a piece of software (or a dedicated device) that inspects each packet as it passes through and, based on a set of rules, decides what to do with it. A packet-filtering firewall protects your network by dropping or rejecting traffic that the rules do not permit.

Will ServePath manage my software (host) based firewall?
In an effort to keep our network secure, ServePath has implemented a basic firewall on each system that allows for the minimal connectivity required to remotely administer the system. ServePath Support will only aid in opening ports and will not do custom configurations. Example: if you have a mail server and do not know how to open ports 110/25, we will help you, but if you want to open the ports only to specific IPs, under specific circumstances, then you will need to do this customization on your own, or employ our Professional Services offering to do it for you.

Will ServePath manage my hardware based firewall? (NetScreen 5GT)
Yes, the NetScreen Firewalls are considered a "Managed Service", and simply by having one with us, you are entitled to have full support and customization of the general rules and policies. This DOES NOT include VPN setup. The firewall is capable of up to 10 VPN tunnels, but due to the complexity of VPN configurations we do not provide these for free. Please inquire about our Professional Services if you need VPN tunnels setup and do not have the expertise on-hand to do so.

Don't see your question? Contact Us!


Windows Firewalls

How is my Windows Firewall configured?
Upon deployment, ServePath ensures that there are minimal allowances for connections to the server. This is to aid in deterring potential system compromises/hacks. Below is an outline of how the firewall is configured upon deployment:

  • ICMP (Ping) is permitted from anywhere
  • HTTP/HTTPS (Web Services on ports 80/443) are permitted from anywhere
  • RemoteDesktop (Port 3389) is permitted from anywhere for remote administration. Once you know the addresses you administer from, consider restricting this exception's scope to them (see "What is a Scope?" below).
  • If you had a control panel installed, the ports required to administrate the service will allow connections from anywhere.

What is Windows Firewall?
Windows Firewall is a built-in, host-based, stateful firewall that is included in Windows Server 2003 Service Pack 1 (SP1).

How do I start Windows Firewall?

  • Double click the Windows Firewall shortcut on your desktop.
  • Under the General Tab, select ON
  • Click OK.

What is a Windows Firewall Exception?
In short, an exception is a port, service, or application that is allowed to receive unsolicited traffic. By default Windows Firewall blocks all outside sources from connecting to your server. However, it is useful, and sometimes necessary, to allow connections from outside sources. In these cases, you must create a Windows Firewall exception. Exceptions can be specified by program, service, port, interface, or a combination of these.

What is a scope?
The scope setting in an exception controls from which addresses unsolicited traffic is allowed to originate. By default, the scope is "Any computer (including those on the Internet)". Wherever possible, narrow it to "My network (subnet) only" or a "Custom list" of the addresses that actually need access, especially for administrative ports such as 3389.

What is a Port?
A port is a number (0-65535) that, together with the transport protocol (TCP or UDP), identifies the logical endpoint on which a service or application listens for and receives IP packets. For example, HTTP normally listens on TCP port 80 and Remote Desktop on TCP port 3389.

How do I create an exception by Program?

  • Double click the Windows Firewall shortcut on your desktop.
  • Under the Exceptions tab, click Add Program.
  • Select from the list the program that you would like to allow to receive communications from outside sources.
  • Click OK.

How do I create an exception by Port?

  • Double click the Windows Firewall shortcut on your desktop.
  • Under the Exceptions tab, click Add Port.
  • Specify a name and port number you would like to accept connections on from outside sources.
  • Click OK.

How do I create an exception by Service?

  • Double click the Windows Firewall shortcut on your desktop.
  • Under the Advanced tab, select the appropriate interface in Network Connections Settings, eg. Local Area Connection 1.
  • Click Settings.
  • Under the Services tab, select the services you would like to allow.
  • Click OK.

Why can't I remote desktop to my server?
Windows Firewall's own default does not allow remote desktop connections; ServePath's deployment configuration opens port 3389, so this usually means the exception has been removed or its scope no longer includes your address. To allow remote desktop connections, add the exception back: on the Exceptions tab tick "Remote Desktop" (or add a port exception for TCP 3389) and set its scope to the addresses you connect from.

Why can't I ping my server?
Windows Firewall's own default drops ICMP echo requests from outside sources (ServePath's deployment configuration permits them). To allow ICMP echo requests:

  • Double click the Windows Firewall shortcut on your desktop
  • Under the Advanced Tab, in ICMP, click Settings
  • Check "Allow incoming echo request"
  • Click OK

Where can I find more information on Windows Firewalls?
http://www.microsoft.com/technet/itsolutions/network/wf/default.mspx

Don't see your question? Contact Us!


Linux Firewalls - iptables

How is my Linux Firewall (iptables) configured?
Upon deployment, ServePath ensures that there are minimal allowances for connections to the server. This is to aid in deterring potential system compromises/hacks. Below is an outline of how the Firewall is configured upon deployment:

  • ICMP (Ping) is permitted from anywhere
  • HTTP/HTTPS (Web Services on ports 80/443) are permitted from anywhere
  • SSH (Port 22) is permitted from anywhere for remote administration. Once you know the addresses you administer from, consider limiting this rule with a source-address match (see "How do I create a rule?" below).
  • If you had a control panel installed, the ports required to administrate the service will allow connections from anywhere

What is iptables?
iptables is the user-space tool used to set up, maintain, and inspect the tables of IP packet-filtering rules in the Linux kernel (netfilter). With it you can build a stateful packet-filtering firewall on your Linux server.

Do I have iptables on my Server?
You must be running a kernel compiled with packet-filtering (netfilter) support. iptables then inserts and deletes rules in the kernel's packet-filtering tables. ServePath servers are deployed with packet filtering compiled in.

The filter table itself may be a kernel module called iptable_filter, which is loaded automatically the first time you run iptables, or it can be compiled into the kernel permanently.

How does iptables work?
The kernel starts with 3 built-in lists, aka. chains, called INPUT, OUTPUT, and FORWARD. A chain is just a checklist of rules. The kernel takes each incoming or outgoing packet and tries to match it against each rule in the chain, in order. When a match is made, the kernel executes the TARGET specified in the rule; for terminating targets such as ACCEPT, DROP and REJECT it then stops, while for non-terminating targets such as LOG it continues with the next rule. If no rule matches, the kernel applies the chain policy. The policy of each built-in chain is ACCEPT until you change it with -P; a restrictive firewall sets the INPUT policy to DROP.

When a packet arrives, the kernel first looks at its destination. If the packet is addressed to this server, it is passed to the INPUT chain and processed there. Otherwise, if IP forwarding is enabled, the packet is sent to the FORWARD chain; if forwarding is not enabled, the packet is dropped. Finally, packets originating from the server pass through the OUTPUT chain.

How do I start iptables?
As root, run /etc/init.d/iptables start. Likewise, you can stop iptables using /etc/init.d/iptables stop. Be aware that on Red Hat-derived systems the stop action flushes all rules and sets the chain policies to ACCEPT, which leaves the server fully open until you start it again.

How do I use iptables?
Please consult man iptables for a more complete description.

  • Create a new chain: /sbin/iptables -N chain
  • Delete an empty chain: /sbin/iptables -X chain
  • Change the policy for a built-in chain: /sbin/iptables -P chain target
  • List the rules in a chain: /sbin/iptables -L [chain] (add -n -v --line-numbers for numeric, verbose output with rule positions)
  • Flush the rules out of a chain: /sbin/iptables -F [chain]. If you don't specify a chain, all are flushed.
  • Zero the packet and byte counters on all rules in a chain: /sbin/iptables -Z [chain]
  • Append a new rule to a chain: /sbin/iptables -A chain rule-specification
  • Insert a new rule at some position in a chain: /sbin/iptables -I chain [rulenum] rule-specification (position 1 if rulenum is omitted)
  • Replace a rule at some position in a chain: /sbin/iptables -R chain rulenum rule-specification
  • Delete a rule at some position in a chain: /sbin/iptables -D chain rulenum (or -D chain rule-specification to delete by match)

How do I create a rule?

    Rules are at the heart of packet filtering. For example, to allow inbound SSH, run:
    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • '-A INPUT' appends the rule to the INPUT chain.
  • '-p tcp' matches the TCP protocol.
  • '--dport 22' matches destination port 22, i.e. SSH.
  • '-j ACCEPT' jumps to the target ACCEPT.
    Rules can be created to match (or, with '!', not match) by:
  • Source address (-s)
  • Destination address (-d)
  • Inversion ('!' in front of a match, i.e. negation, e.g. ! -s 10.0.0.0/8)
  • Protocol (-p)
  • Interface (-i for incoming, -o for outgoing)
  • Fragments (-f)
  • TCP extensions (e.g. --dport, --sport, --syn)
  • Connection state (-m state --state NEW,ESTABLISHED,RELATED,INVALID)

Is the ordering of the rules important?
Yes. Remember that the kernel traverses a chain from top to bottom, one rule at a time. When it finds a match it executes the target and, unless the target is non-terminating (such as LOG), stops. Two or more rules in a chain may match a packet, but it is the first matching rule that decides its fate; a later, more specific rule placed below a broader one never fires.

What is a Target?
When a rule is matched, a packet's fate is determined by the rule's target. The simplest built-in targets are ACCEPT and DROP (silently discard). Other common targets are REJECT (discard and send an error back to the sender), LOG (record the packet and continue with the next rule) and RETURN (stop traversing this chain and resume in the calling chain). A target may also be the name of a user-defined chain.

What is a User Defined chain?
In addition to the built-in chains, you can create user-defined chains. When a rule whose target is a user-defined chain is matched, the packet is passed to that chain for processing. If no rule there makes a terminating decision (or a RETURN target is hit), traversal resumes in the calling chain at the rule after the one that jumped. A user-defined chain has no policy of its own; falling off its end is the same as RETURN.

How do I save my rules?
Any firewall rules you add live only in the kernel and are lost on reboot. Use iptables-save to write the running rule set to a file and iptables-restore to load it back. On Red Hat-derived systems, /etc/init.d/iptables save (or service iptables save) writes the rules to /etc/sysconfig/iptables, which the init script restores at boot.
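The script below is an added example, not ServePath's deployment script. It builds a rule set matching the deployment policy above (ping, HTTP/HTTPS from anywhere) but restricts SSH to named administrative networks through a user-defined chain, shows why rule order matters, and saves the result. The chain name SSH-ADMIN, the customer admin range 203.0.113.0/24 and the Red Hat save path /etc/sysconfig/iptables are assumptions; the two ServePath ranges are the ingress networks listed in the NetScreen section of this FAQ. Setting DRYRUN=1 prints the commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not ServePath's deployment script. Builds a host firewall
# that matches the deployment policy, but restricts SSH to named
# administrative networks instead of "anywhere".
#
# Assumptions (not from the FAQ): the chain name SSH-ADMIN, the Red Hat
# save location /etc/sysconfig/iptables, and the hypothetical customer
# admin range 203.0.113.0/24. The two ServePath ranges are the ingress
# networks listed in the NetScreen section of this FAQ.

IPT=${IPT:-/sbin/iptables}
DRYRUN=${DRYRUN:-0}

# Networks allowed to open new SSH sessions.
ADMIN_NETS="69.59.136.128/26 216.93.160.0/24 203.0.113.0/24"

# run: execute iptables, or in dry-run mode print the command line so the
# rule set can be reviewed (and tested) without root or a kernel.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_firewall() {
    # Start from a known state: flush rules, delete user chains, zero counters.
    run -F
    run -X
    run -Z
    run -P OUTPUT ACCEPT
    run -P FORWARD DROP

    # Ordering matters: a chain is first-match. Loopback and packets that
    # belong to connections already tracked are accepted before anything else.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # Deployment policy: ping and web from anywhere.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -A INPUT -p tcp --dport 80 -j ACCEPT
    run -A INPUT -p tcp --dport 443 -j ACCEPT

    # User-defined chain for SSH: accept from admin networks, otherwise
    # RETURN to INPUT, where the catch-all rules below take over.
    run -N SSH-ADMIN
    for net in $ADMIN_NETS; do
        run -A SSH-ADMIN -s "$net" -j ACCEPT
    done
    run -A SSH-ADMIN -j RETURN
    run -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH-ADMIN

    # Catch-all: LOG is non-terminating, so the DROP after it still runs.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    run -A INPUT -j DROP

    # Only now switch INPUT's policy to DROP. Doing it before the
    # ESTABLISHED rule exists would cut the administrator's own session.
    run -P INPUT DROP
}

# Persist the running rule set so it survives a reboot.
save_firewall() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "iptables-save > /etc/sysconfig/iptables"
    else
        iptables-save > /etc/sysconfig/iptables
    fi
}

# Usage: DRYRUN=1 sh firewall.sh apply   (review the rules)
#        sh firewall.sh apply            (as root, install them)
case "${1:-}" in
    apply) build_firewall && save_firewall ;;
esac
```

Keep a second session open when applying a rule set like this over SSH, and note that once the INPUT policy is DROP, a bare /sbin/iptables -F locks everyone out (with policy ACCEPT it does the opposite and opens everything), so always rebuild the full set rather than flushing alone.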

Where can I get more information on iptables?
http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

Don't see your question? Contact Us!


Netscreen 5GT Firewalls

How is my NetScreen 5GT Firewall Configured?
Upon deployment, ServePath ensures that there are minimal allowances for connections to the server. This is to aid in deterring potential system compromises/hacks. Below is an outline of how the Firewall is configured upon deployment:

  • ICMP (Ping) is permitted from anywhere
  • HTTP/HTTPS (Web Services on ports 80/443) are permitted from anywhere
  • RemoteDesktop (Port 3389) is permitted from anywhere for remote administration
  • SSH (Port 22) is permitted from anywhere for remote administration
  • If you had a control panel installed, the ports required to administrate the service will allow connections from anywhere.

What is a NetScreen 5GT?
The NetScreen 5GT is a hardware-based VPN firewall.

What are the operational specifications?

                                  10 User License                       Unlimited License
  Trusted IP addresses (users)    10                                    Unrestricted
  Max Throughput                  75 Mbps firewall / 20 Mbps 3DES VPN   75 Mbps firewall / 20 Mbps 3DES VPN
  Max Sessions                    2000                                  2000
  Max VPN Tunnels                 10                                    10
  Max Policies                    100                                   100
  Max Security Zones              2 (in default mode)                   2 (in default mode)

What is a 10 User License?
A 10 User License allows for a maximum of 10 IP addresses on the Trusted interfaces. This means that if you bind more than 10 IPs behind the NetScreen (even if you aren't using them), the device will start dropping packets once an 11th IP sends or receives traffic. Please know that even if you aren't using the IPs, standard network protocols (e.g. SNMP) may generate traffic from them, and the NetScreen counts these as users.

What is a Session?
A session is a tracked flow of related packets, such as a TCP connection or a UDP request/reply pair. The firewall keeps one table entry per session, and the 5GT holds at most 2000 at a time.

What is a Policy?
Arguably the most important aspect of the firewall, a policy permits, denies, or tunnels traffic between two security zones.

How does a Policy work?
When a packet is received, NetScreen traverses its policy set starting with the first policy and progresses until it finds a match. When a packet matches a policy, the action specified in that policy is executed. An example of an action would be to reject a packet. It is important to order your policies effectively, usually from specific to general. By default, a newly created policy appears at the bottom of the policy list.

How do I create a Policy?

  • Policies >
  • Select a zone from the "From" drop down, eg. Untrust
  • Select a zone from the "To" drop down, eg. Trust
  • Click "New" button at top right
  • Fill appropriate fields in form; click OK to create new policy
  • Note: Required are source address, destination address, service, and action

How do I create a Policy for a Specific Port?
To create a policy for a specific port you must first create a custom service.
Note: there are several ways to do this besides the method mentioned here.

  • Objects > Services > Custom > Click New in the top right corner
  • Service Name: Specify something meaningful, eg. PORT 12345
  • Choose appropriate Transport Protocol, eg. TCP
  • Specify Destination Port Low, e.g. 12345
  • Specify Destination Port High, e.g. 12345
  • Click Ok
  • Follow instructions under "how do I create a policy" indicating newly created service name from above.
  • Note: NetScreen provides predefined services that cover most common services running on their standard ports.

How do I change the Order of Policies?
As mentioned before, the ordering of policies is important. A general policy placed above a more specific one matches first, so the specific policy never takes effect; this is called policy shadowing. To place a newly created policy in the most effective location, you may move it up or down the policy list.

  • Policies > locate policy to be moved
  • Click either the circular arrow icon or the straight arrow icon in the column named Move
  • Follow directions to move
  • Note: both icons move policies; they differ only in user interface and can be considered equivalent.
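Both an iptables chain and a NetScreen policy list are first-match, so the same check finds shadowed entries in either. The script below is an added example (not from the FAQ, ServePath or Juniper) that reads an ordered policy list and reports every policy that can never match because an earlier policy already covers it. It uses a simplified model that is an assumption of this example: each line is "source destination service action", "any" matches everything, and other values must be identical. Real NetScreen address and service objects can be ranges or groups, so containment between them is not modelled here.

```shell
#!/bin/sh
# Added example, not from the FAQ, ServePath or Juniper: a first-match
# shadowing check for an ordered policy list. Simplified model (assumed):
# each line is "src dst service action"; "any" matches everything,
# otherwise fields must be identical. Address-range containment is not
# modelled, so treat hits as definite and misses as "check by hand".

# find_shadowed: reads policies from stdin, top of the list first, and
# prints "policy N (...) shadowed by policy M (...)" for each policy N
# that an earlier policy M fully covers. The action is irrelevant: a
# shadowed deny below a permit is exactly the mistake being looked for.
find_shadowed() {
    awk '
    function covers(a, b) { return (a == "any" || a == b) }
    NF == 4 {
        n++
        src[n] = $1; dst[n] = $2; svc[n] = $3; act[n] = $4
        for (m = 1; m < n; m++) {
            if (covers(src[m], $1) && covers(dst[m], $2) && covers(svc[m], $3)) {
                printf "policy %d (%s %s %s %s) shadowed by policy %d (%s %s %s %s)\n", n, $1, $2, $3, $4, m, src[m], dst[m], svc[m], act[m]
                break
            }
        }
    }'
}

# Constructed sample list, in the order the policies appear (top first).
# Policy 2 is the classic mistake: a broad "permit any" sits above the
# specific deny for badhost, so the deny never fires.
SAMPLE='any server1 http permit
any server1 any permit
badhost server1 ssh deny
any server1 ssh permit
server1 any any permit'

# shadowed_in_sample: runs the check over the constructed list.
shadowed_in_sample() {
    printf '%s\n' "$SAMPLE" | find_shadowed
}
```

Run it as `printf '%s\n' "$SAMPLE" | find_shadowed` or feed it your own exported list. The fix for a reported policy is the Move action described above: place the specific policy (here the deny for badhost) above the general one.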

How do I Access My NetScreen Management Page?
Instructions on how to access your NetScreen's management page are emailed to you at the time of deployment of your NetScreen.

How do I Restrict Management Access to My NetScreen?
Configuration > Admin > Permitted IPs. Once any address is listed here, management access is allowed only from the listed addresses, so include the address you administer from and the ServePath ingress networks listed below, or support (and possibly you) will be locked out.

What is ServePath's Ingress Access List?
ServePath support connections typically originate from one of the networks below. If the firewall blocks these, support may not be able to log in and help.
69.59.136.128/26
216.93.160.0/24

How do I Setup Screens?
To enable the NetScreen 5GT's built-in defense mechanisms against common Internet attacks, go to Screening > Screen. ServePath deploys NetScreens with selected defense mechanisms enabled for the Untrust zone.

Why does My Server have Intermittent Connectivity Issues?
This could be a licensing issue. Please check the number of active users. With a 10 User license, if 10 active users are listed, an 11th user (i.e. IP address) will not be allowed to send or receive traffic. You can either remove an active user with the "remove" option in the list, or upgrade to an Unlimited User license.

How do I check the number of Active Users?
The 10 User License allows for a maximum of 10 IP addresses in the Trusted interfaces. To check how many Active Users, Reports > Active Users. Here you can also check the number of sessions for each IP.

What is NetScreen's Port Mode?

  • Configuration > Port Mode
  • ServePath deploys the NetScreen in Trust-Untrust mode, which is the 5GT's default. DO NOT CHANGE THIS SETTING: changing the port mode erases the existing configuration and requires a system reset.

How do I update the firmware?

Current Firmware at this writing is 5.3.0r1.0
Firmware version is viewable in Home page of WebUI.

  • Configuration > Update > ScreenOS/Keys
  • Firmware Update (ScreenOS) (selected by default)
  • Load File: ftp://ftp.servepath.com/pub/firmware/netscreen
  • Click Apply
  • NetScreen will reboot
  • Log back in to verify upgrade.

Don't see your question? Contact Us!