Firewall FAQ

Contact: http://www.packetnexus.com

Internet Firewalls:
Frequently Asked Questions
Matt Curtin <cmcurtin@interhack.net>
Marcus J. Ranum <mjr@nfr.com>


Date: 2000/12/01 19:48:21
Revision: 10.0

This document is available in Postscript and PDF.

Contents
1 Administrativia
1.1 About the FAQ
1.2 For Whom Is the FAQ Written?
1.3 Before Sending Mail
1.4 Where Can I find the Current Version of the FAQ?
1.5 Where Can I Find Non-English Versions of the FAQ?
1.6 Contributors
1.7 Copyright and Usage
2 Background and Firewall Basics
2.1 What is a network firewall?
2.2 Why would I want a firewall?
2.3 What can a firewall protect against?
2.4 What can't a firewall protect against?
2.5 What about viruses?
2.6 Will IPSEC make firewalls obsolete?
2.7 What are good sources of print information on firewalls?
2.8 Where can I get more information on firewalls on the Internet?
3 Design and Implementation Issues
3.1 What are some of the basic design decisions in a firewall?
3.2 What are the basic types of firewalls?
3.2.1 Network layer firewalls
3.2.2 Application layer firewalls
3.3 What are proxy servers and how do they work?
3.4 What are some cheap packet screening tools?
3.5 What are some reasonable filtering rules for a kernel-based packet screen?
3.5.1 Implementation
3.5.2 Explanation
3.6 What are some reasonable filtering rules for a Cisco?
3.6.1 Implementation
3.6.2 Explanations
3.6.3 Shortcomings
3.7 What are the critical resources in a firewall?
3.8 What is a DMZ, and why do I want one?
3.9 How might I increase the security and scalability of my DMZ?
3.10 What is a "single point of failure", and how do I avoid having one?
3.11 How can I block all of the bad stuff?
3.12 How can I restrict web access so users can't view sites unrelated to work?
4 Various Attacks
4.1 What is source routed traffic and why is it a threat?
4.2 What are ICMP redirects and redirect bombs?
4.3 What about denial of service?
4.4 What are some common attacks, and how can I protect my system against them?
4.4.1 SMTP Server Hijacking (Unauthorized Relaying)
4.4.2 Exploiting Bugs in Applications
4.4.3 Bugs in Operating Systems
5 How Do I...
5.1 Do I really want to allow everything that my users ask for?
5.2 How do I make Web/HTTP work through my firewall?
5.3 How do I make SSL work through the firewall?
5.4 How do I make DNS work with a firewall?
5.5 How do I make FTP work through my firewall?
5.6 How do I make Telnet work through my firewall?
5.7 How do I make Finger and whois work through my firewall?
5.8 How do I make gopher, archie, and other services work through my firewall?
5.9 What are the issues about X11 through a firewall?
5.10 How do I make RealAudio work through my firewall?
5.11 How do I make my web server act as a front-end for a database that lives on my private network?
5.12 But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port?
5.13 How Do I Make IP Multicast Work With My Firewall?
A Some Commercial Products and Vendors
B Glossary of Firewall-Related Terms
C TCP and UDP Ports
C.1 What is a port?
C.2 How do I know which application uses what port?
C.3 What are LISTENING ports?
C.4 How do I determine what service the port is for?
C.5 What ports are safe to pass through a firewall?
C.6 The behavior of FTP
C.7 What software uses what FTP mode?
C.8 Is my firewall trying to connect outside?
C.9 The anatomy of a TCP connection
References

1 Administrativia

1.1 About the FAQ

The Firewalls FAQ is currently undergoing revision. The maintainers welcome
input and comments on the contents of this FAQ. Comments related to the FAQ
should be addressed to firewalls-faq@interhack.net. Before you send us mail,
please be sure to see sect