Understanding IP Packet Screening
The IP packet screening facility, implemented as part of the IRIX kernel, reads rules you create (and default Gauntlet Firewall rules) and processes packets accordingly.
Use the packet screening facility to discard packets, pass packets on to the proxies, or bypass the proxies entirely.
You can configure the Gauntlet firewall to screen packets based on these options:
- source IP address
- destination IP address
- source port
- destination port
Using these options, you can configure the Gauntlet Firewall to allow a UDP-based service through on a particular port.
For example, a host on one side of your Gauntlet Firewall could use ntpdate, which uses a UDP-based protocol, to set the time on a host on your service network.
The Gauntlet Firewall default packet screening rules implement IP-spoofing checks.
These rules deny any packets that appear on the outside interface of the firewall with source IP addresses that match IP addresses of hosts on the inside, trusted network.
The Gauntlet Firewall logs packets denied by the packet screening facility.
These logging capabilities are more extensive than those provided without the Gauntlet firewall in place.
However, the packet screening facility does not normally log packets permitted through the screen.
You do not receive as much logging information when using packet screening as when using an application proxy.
How Packet Screening Works
- The packet screening facility is part of the IRIX kernel. When the boot process for the firewall begins, the packet screening rules are empty. This causes the firewall to refuse all traffic. As part of the boot process, the packet screening facility loads its screening rules from configuration files.
- Each time the firewall receives a packet, the kernel compares header information in the packet to appropriate screening rules and determines what to do with the packet.
- If header information does not match any of the rules, the firewall drops the packet. This is in keeping with the “that which is not permitted is denied” philosophy of the Gauntlet Firewall.
How Packet Screening Rules Work
The packet screening facility understands two different sets of rules: local and forward. Together, these rules cover any packets the Gauntlet Firewall receives.
Local rules apply to any packet destined for the Gauntlet Firewall itself. For example, if the Gauntlet Firewall receives a ping request from an untrusted host for the outside interface of the firewall, the packet screening facility uses local rules to determine what to do with ping packets.
Forward rules apply to any packets destined for hosts other than the Gauntlet Firewall.
For example, if the Gauntlet Firewall receives a TELNET request from a trusted host to connect with an untrusted host (telnet dialin.bigu.edu), the packet screening facility uses forward rules to determine what to do with TELNET packets.
Packet Screening Action Rules
- Each packet screening rule specifies one of three actions: deny, permit, or absorb.
- A deny rule instructs the Gauntlet Firewall to drop the packet and log information. The kernel does not notify the packet sender that it dropped the packet. The default Gauntlet Firewall forward and local screening rules include rules to detect IP spoofing. These rules deny packets that appear on the outside interfaces of the Gauntlet Firewall pretending to come from inside by presenting source IP addresses that match the IP addresses of hosts on the inside, trusted network.
- A permit rule instructs the Gauntlet Firewall to process the packet. If the packet is destined for the Gauntlet Firewall itself, the firewall accepts the packet. The kernel passes handling of the packet to the appropriate program, such as one of the proxies. If the packet is destined for another host, the firewall routes the packet to the destination host, bypassing the proxies.
Local screening rules include a rule that allows the Gauntlet Firewall to accept packets destined for the IP address of each interface. For example, the firewall is listed in DNS as the mail exchanger for your domain.
Local screening rules on the firewall include rules that permit the Gauntlet Firewall to accept these packets. If your security policy permits, you could create a forward screening rule that permits the firewall to forward ICMP packets. This screening rule allows you to use the ping and traceroute networking tools to monitor hosts on your internal network on either side of the firewall.
- An absorb rule instructs the Gauntlet Firewall to process the packet as if the packet were destined for the firewall itself. Absorb rules are generally included as part of the forward rules. The local rules affect only those packets that are destined for the Gauntlet Firewall itself. Including an absorb rule in the local rules is redundant.
- The Gauntlet Firewall includes default absorb rules that implement transparency from the inside to the outside. These absorb rules tell the packet screening facility to absorb the packet and process the packet locally, even though the destination IP address is some other system.
For example, a user on a trusted host wants to access her account at Big University directly. The default route for the trusted network goes through the Gauntlet Firewall.
If there is no absorb rule in place, the packet screen uses the permit and deny rules in the forward rules to determine what to do with the packet. The kernel never passes the packet to the proxies.
If the forward rules contain an absorb rule, the packet screen accepts the packet for delivery locally. The packet screening facility processes the packet according to the local rules, and passes the packet on to the appropriate proxy service on the firewall itself.
The TELNET proxy uses its own rules to determine if the trusted host can TELNET to the untrusted host.
Packet Screening Field Rules
The packet screening rules allow you to permit or deny network traffic, based on several values in packet headers:
- source IP addresses
- destination IP addresses
- network interface
- source ports
- destination ports
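The local and forward rule sets, the deny, permit and absorb actions, default deny for unmatched packets, deny-only logging, and the header fields listed above can be modelled in a few dozen lines. The following Python is an added example, not Gauntlet Firewall or IRIX kernel code. It assumes details the text does not state: rules are evaluated in order and the first match wins, addresses match by CIDR network, ports by inclusive range, and a packet is "local" when its destination is the IP address of a firewall interface. The networks, addresses and interface names are constructed for the example.

```python
"""Toy model of Gauntlet-style packet screening (added example, not product code).
Assumed: first matching rule wins; CIDR and port-range matching; all addresses
and interface names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DENY, PERMIT, ABSORB = "deny", "permit", "absorb"


@dataclass
class Packet:
    iface: str      # interface the packet arrived on ("inside" / "outside")
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"               # source network (CIDR)
    dst: str = "0.0.0.0/0"               # destination network (CIDR)
    iface: Optional[str] = None          # None matches any interface
    proto: Optional[str] = None          # None matches any protocol
    sport: Tuple[int, int] = (0, 65535)  # inclusive source port range
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


class PacketScreen:
    def __init__(self, own_addrs: Set[str], local: List[Rule], forward: List[Rule]):
        self.own_addrs = set(own_addrs)   # IP address of each firewall interface
        self.local = list(local)
        self.forward = list(forward)
        self.log: List[str] = []          # only denied packets are logged

    @staticmethod
    def _first_match(rules: List[Rule], p: Packet) -> str:
        for r in rules:
            if r.matches(p):
                return r.action
        return DENY   # "that which is not permitted is denied"

    def screen(self, p: Packet) -> str:
        """Return 'dropped', 'forwarded' (bypasses the proxies) or 'local'
        (handed to a program on the firewall itself, such as a proxy)."""
        to_self = p.dst in self.own_addrs
        verdict = self._first_match(self.local if to_self else self.forward, p)
        if verdict == ABSORB:
            # Absorb: treat the packet as if it were addressed to the firewall
            # itself and re-screen it under the local rules.
            to_self = True
            verdict = self._first_match(self.local, p)
        if verdict == DENY:
            self.log.append(f"deny iface={p.iface} {p.proto} "
                            f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "dropped"
        # PERMIT (an absorb inside the local set is redundant and acts as permit)
        return "local" if to_self else "forwarded"


# Constructed topology: 10.1.0.0/16 is the trusted inside network; the
# firewall's inside and outside interfaces are 10.1.0.1 and 192.0.2.1.
INSIDE_NET = "10.1.0.0/16"
FW_INSIDE, FW_OUTSIDE = "10.1.0.1", "192.0.2.1"


def build_screen() -> PacketScreen:
    # Default anti-spoofing rule: inside source addresses never arrive on the
    # outside interface. It belongs in both the local and the forward set.
    anti_spoof = Rule(DENY, src=INSIDE_NET, iface="outside")
    local = [
        anti_spoof,
        # the firewall is the MX for the domain: accept SMTP to its outside address
        Rule(PERMIT, dst=FW_OUTSIDE, iface="outside", proto="tcp", dport=(25, 25)),
        # trusted hosts may reach the firewall (and its proxies) on the inside interface
        Rule(PERMIT, src=INSIDE_NET, iface="inside"),
    ]
    forward = [
        anti_spoof,
        # transparency: TELNET from inside is absorbed and handed to the TELNET proxy
        Rule(ABSORB, src=INSIDE_NET, iface="inside", proto="tcp", dport=(23, 23)),
        # a UDP service (ntpdate) allowed straight through to the service network
        Rule(PERMIT, src=INSIDE_NET, dst="192.0.2.0/24", iface="inside",
             proto="udp", dport=(123, 123)),
    ]
    return PacketScreen({FW_INSIDE, FW_OUTSIDE}, local, forward)


if __name__ == "__main__":
    s = build_screen()
    print(s.screen(Packet("outside", "10.1.5.5", FW_OUTSIDE, "tcp", 4000, 25)))   # spoofed
    print(s.screen(Packet("inside", "10.1.5.5", "203.0.113.5", "tcp", 4000, 23)))  # TELNET
    print("\n".join(s.log))
```

Two points the model makes visible: the absorbed TELNET packet is accepted only because a local rule permits it after absorption, so a forward absorb rule with no matching local permit still ends in a drop; and the log receives entries only for denied packets, which is why the text warns that a screen gives you far less visibility than an application proxy.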