Fachbereich 2 IT-Security

Prof. Dr. Martin Kappes (I/II)

Exercise Chapter “Firewalls”

Task 1:

Describe the following terms briefly in 3-4 sentences.

1. Firewall

2. Packet Filter

3. Application Level Gateway

4. Demilitarized Zone

5. Tunnel

Task 2:

Explain how a Packet Filter works.

Task 3:

Explain what Network Address Translation is and how it works.

Task 4:

Describe inherent weaknesses and vulnerabilities in the concept “Firewall”.

Task 5:

1. Describe how a static packet filter distinguishes between incoming and outgoing TCP-
connections. Denote the corresopnding rules in pseudonotation or verbally.

1
 2. Describe how a dynamic packet filter distinguishes between incoming and outgoing
TCP-connections. Denote the corresopnding rules in pseudonotation or verbally.

Task 6:

In the following, we consider a router connecting the networks 10.1.1.0/24 and 192.168.5.0/24
with a static packet filter. All packets are processed against a chain with the following rules:

Nr. IP Source Address IP Destination Address Protocol set Flags considered Flags Action
1 10.1.1.0/24 192.168.5.1 TCP SYN SYN ACK DROP
2 10.1.1.9 192.168.5.0/24 TCP SYN ACK SYN ACK DROP
3 10.1.1.0/24 192.168.5.2 TCP SYN ACK SYN ACK ACCEPT
4 10.1.1.7 192.168.5.0/24 TCP SYN ACK SYN ACK DROP
5 192.168.0.0/16 10.1.1.8 TCP ACK ACK DROP
Default: ACCEPT

Assuming typical behavior (i.e. each TCP segment is transmitted in one IP packet), analyze
whether a TCP connection setup between the following hosts is successful or not.
For EVERY packet sent during connection setup, specify which of the rules is applied to
the packet. Note: Usually, more than one packet is sent.

1. TCP connection setup from 10.1.1.5 to 192.168.5.1

2. TCP connection setup from 192.168.5.3 to 10.1.1.7

3. TCP connection setup from 192.168.5.2 to 10.1.1.7

4. TCP connection setup from 10.1.1.9 to 192.168.5.4

5. TCP connection setup from 192.168.5.9 to 10.1.1.8

2
 Practical Exercises Chapter “Firewalls”

Task 1:

Write a simple java-program operating as server on TCP port 80. The program should
answer any incoming requests by sending back the following information to the client and
then close the connection:
Connection Information:
Client connecting from [client ip address, client side port]
Server from [server ip address, server side port]

Task 2:

Set up a network as follows:

10.2.4.37

172.16.2.5 10.2.4.1
172.16.2.0/24 10.2.4.0/24
(öffentliches Verbindungsnetz) (Institutionsnetz)

172.16.2.4

Router

192.168.1.5

192.168.1.0/24
(Institutionsnetz)

192.168.1.100

All machines in the network must run Linux. Use the commands ifconfig and route for
configuration. Test the functionality of the network by using ping between 192.168.1.100
and 10.2.4.37.

Task 3:

Add another machine 172.16.2.20 with Default Gateway 172.16.2.5 into network 172.6.2.0/24.
Rerun the ping-experiment from above and run wireshark on 172.16.2.20. Also, ping
192.168.1.100 and 10.2.4.37 from 172.16.2.20 and use wireshark to observe the resulting
network traffic. What happens?

3
Task 4:

Run the java-program on 10.2.4.37 and use firefox on 192.168.1.100 to connect to it.
Observe the corresponding network traffic from 172.16.2.20.

Task 5:

 Study Linux Netfilter in detail.

 Create and test rules blocking ICMP traffic on one of the routers.

 Create a static packet filter on the router for the 192.168.1.0/24 network such that
TCP segments are filtered out based on SYN and ACK flags. Filter out outgoing TCP
segments with set SYN flag, then delete that rule and filter out incoming segments
with set SYN and ACK flag. What happens?

 Create a static packet filter configuration such that outgoing TCP connections from
the 192.168.1.0/24 network are posible but incoing connections are blocked. Check the
configuration by running according tests.

Task 6:

 Study how the conntrack module can be used. Install the cli-tools for it if necessary.
Examine conntrack’s output when establishing and closing connections. Explain what
the individual fields in this file stand for.

 Use dynamic filtering rules based on the conntrack module to achive the same setup
as in the previous exercise.

Task 7:

Create a (personal) firewall on 192.168.1.100. First, block incoming TCP connections while
allowing outgoing connections with static then with dynamic filtering rules. Which chains
have to be used and why?

Task 8:

 Study the functionalities of source and destination NAT.

 Create a Source NAT on 192.168.1.5 mapping all outgoing connections to address

4
  Create a Destination NAT on 10.2.4.1 mapping all incoming connections to 10.2.4.1:8080
to 10.2.4.37:80 and test its function.

Task 9:

Change the scenario as follows: Modify the IP Address of 192.16.1.100 to 172.16.2.45 (Default
Gateway 172.1.2.5) and convert the router 192.168.1.5/172.16.2.4 into a bridge by deleting
the IP Addresses from both interfaces and then enable bridging between them using brctl.
Now, use the bridge as firewall and conduct the experiments from the previous ecxcercises
again. Discuss security advantages and disadvantages of this scenario.