Introduction: Firewalls, The First Line of Defense in Network Security

A firewall is one of the most fundamental yet critical components of network security. Just as a building's firewall prevents the spread of fire, a network firewall protects internal networks from external threats. Firewall technology began developing in earnest after the Morris Worm incident of 1988 and has become essential security infrastructure for all organizations today.

In Part 3, we systematically explore firewall concepts, the various firewall types, architecture design, and practical configuration methods for Linux and Windows.

1. What is a Firewall?

1.1 Definition and Role of Firewalls

A firewall is a network security system that monitors and controls network traffic based on predefined security rules. It acts as a barrier between a trusted internal network and an untrusted external network (typically the Internet).

Key functions of a firewall include:

  • Traffic Filtering: Allows only permitted traffic and blocks the rest
  • Access Control: Permits/denies access to specific IPs, ports, and protocols
  • Logging and Monitoring: Records all network activity
  • NAT (Network Address Translation): Hides internal IP addresses
  • VPN Endpoint: Supports secure remote access

1.2 How Firewalls Work

Firewalls inspect packet header information (source/destination IP, port numbers, protocol, etc.) and compare it against predefined rules. When a match is found, the corresponding action (allow, deny, log) is performed.

Packet Arrival → Rule Matching → Matching Rule Found → Execute Action
                    ↓
              No Matching Rule → Apply Default Policy

2. Types of Firewalls

2.1 Packet Filtering Firewall

The most basic form of firewall that operates at OSI Layers 3-4 (Network and Transport layers). It inspects each packet independently and filters based only on packet header information.

Advantages:

  • Fast processing speed
  • Low resource usage
  • Simple implementation

Disadvantages:

  • Does not track connection state
  • Vulnerable to application-level attacks
  • Vulnerable to IP spoofing attacks

2.2 Stateful Inspection Firewall

A firewall that tracks connection state; it is currently the most widely used type. It maintains a session table that records the state of each connection (new, established, related) and evaluates packets in that context rather than in isolation.

State Table Example:
┌─────────────┬─────────────┬───────┬───────┬─────────┐
│ Source IP   │ Dest IP     │ SPort │ DPort │ State   │
├─────────────┼─────────────┼───────┼───────┼─────────┤
│ 192.168.1.10│ 8.8.8.8     │ 45123 │ 53    │ ESTAB   │
│ 192.168.1.20│ 142.250.1.1 │ 52341 │ 443   │ ESTAB   │
│ 192.168.1.15│ 104.16.1.1  │ 38921 │ 80    │ TIME_WT │
└─────────────┴─────────────┴───────┴───────┴─────────┘

Advantages:

  • Accurate filtering based on connection state
  • Automatic allowance of response packets simplifies rules
  • Can detect DoS attacks
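The rule-matching flow of section 1.2 and the session table above can be seen working together in the following Python model. It is an added illustration, not code from this article or from any firewall product: packets are reduced to a 5-tuple, rules carry only protocol, source CIDR and destination port, and the state table has neither timeouts nor TCP flag tracking. The same packets are run through a stateful and a stateless instance so the difference shows up directly in the verdicts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed model: header fields only, which is all a packet filter or stateful firewall looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR string; None matches any source
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport


ConnKey = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


class Firewall:
    """INPUT chain with a default policy and, when stateful=True, a connection (session) table."""

    def __init__(self, rules: List[Rule], policy: str = "DROP", stateful: bool = True):
        self.rules = rules
        self.policy = policy
        self.stateful = stateful
        self.state_table: Dict[ConnKey, str] = {}   # the session table of section 2.2 (no timeouts here)

    @staticmethod
    def _key(pkt: Packet) -> ConnKey:
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> str:
        # OUTPUT policy is ACCEPT; a stateful firewall records the flow so its reply is recognised.
        if self.stateful:
            self.state_table[self._key(pkt)] = "ESTABLISHED"
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        # 1. Connection tracking: the reverse 5-tuple of a known flow is an ESTABLISHED reply.
        #    This is what "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" does in section 4.3.
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if self.stateful and reverse in self.state_table:
            return "ACCEPT"
        # 2. Rule matching: rules are checked top to bottom and the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ACCEPT" and self.stateful:
                    self.state_table[self._key(pkt)] = "ESTABLISHED"   # NEW connection becomes tracked
                return rule.action
        # 3. No matching rule: the default policy applies.
        return self.policy


RULES = [
    Rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=22),   # SSH from the admin LAN only
    Rule("ACCEPT", proto="tcp", dport=443),                         # HTTPS from anywhere
]


def run_demo() -> Dict[str, str]:
    """Run identical traffic through a stateful and a stateless firewall; returns the verdict per scenario."""
    results: Dict[str, str] = {}
    for mode in ("stateful", "stateless"):
        fw = Firewall(RULES, policy="DROP", stateful=(mode == "stateful"))
        # The host sends a DNS query; the reply returns to an ephemeral port that no rule opens.
        fw.outbound(Packet("10.0.0.5", "8.8.8.8", "udp", 45123, 53))
        results[f"{mode}:dns_reply"] = fw.inbound(Packet("8.8.8.8", "10.0.0.5", "udp", 53, 45123))
        # A packet to the same ephemeral port from a host we never talked to is not a reply.
        results[f"{mode}:unsolicited_udp"] = fw.inbound(Packet("8.8.4.4", "10.0.0.5", "udp", 53, 45123))
        # New inbound connections are decided by the explicit rules and the default policy.
        results[f"{mode}:ssh_from_lan"] = fw.inbound(Packet("192.168.1.10", "10.0.0.5", "tcp", 51000, 22))
        results[f"{mode}:ssh_from_internet"] = fw.inbound(Packet("203.0.113.7", "10.0.0.5", "tcp", 51000, 22))
        results[f"{mode}:https"] = fw.inbound(Packet("203.0.113.7", "10.0.0.5", "tcp", 51001, 443))
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:30} {verdict}")
```

The stateless instance drops the DNS reply because no rule opens port 45123; the only stateless way to allow it would be a rule permitting inbound UDP to the whole ephemeral port range, which is exactly the kind of broad rule that stateful inspection lets you avoid. Both instances drop the unsolicited packet to that port, since it has no matching entry in the state table and no rule.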

2.3 Application Level Gateway (Proxy Firewall)

Operates at OSI Layer 7 (Application layer), fully understanding and inspecting specific application protocols. It acts as a proxy between clients and servers.

Advantages:

  • Deep Packet Inspection (DPI) capability
  • Blocks application-level attacks
  • User authentication features
  • Content filtering

Disadvantages:

  • Slower processing speed
  • High resource usage
  • Limited to supported protocols

2.4 Next-Generation Firewall (NGFW)

NGFW is a modern firewall that integrates various security features with traditional firewall capabilities. Representative products include Palo Alto Networks, Fortinet FortiGate, and Cisco Firepower.

Key Features of NGFW:

  • Application Awareness: Application-based policies rather than port-based
  • User Awareness: User/group-based policies rather than IP-based
  • IPS (Intrusion Prevention System): Real-time threat detection and blocking
  • SSL/TLS Inspection: Decryption and inspection of encrypted traffic
  • Sandboxing: Isolated analysis of suspicious files
  • Threat Intelligence: Real-time threat information integration

Firewall Type Comparison (O = supported, X = not supported):

┌──────────────────┬──────────────────┬──────────┬─────────────┬────────┐
│ Feature          │ Packet Filtering │ Stateful │ Application │ NGFW   │
├──────────────────┼──────────────────┼──────────┼─────────────┼────────┤
│ Operating Layer  │ L3-L4            │ L3-L4    │ L7          │ L3-L7  │
│ State Tracking   │ X                │ O        │ O           │ O      │
│ DPI              │ X                │ X        │ O           │ O      │
│ IPS Integration  │ X                │ X        │ X           │ O      │
│ Processing Speed │ Fast             │ Fast     │ Slow        │ Medium │
└──────────────────┴──────────────────┴──────────┴─────────────┴────────┘

3. Firewall Architecture

3.1 Screened Host Architecture

A structure combining a screening router and a bastion host. Access from external to internal networks must pass through the bastion host.

┌─────────────┐    ┌──────────────┐    ┌─────────────────┐    ┌──────────────────┐
│  Internet   │────│  Screening   │────│  Bastion Host   │────│ Internal Network │
│             │    │  Router      │    │                 │    │                  │
└─────────────┘    └──────────────┘    └─────────────────┘    └──────────────────┘

3.2 Screened Subnet Architecture (DMZ)

DMZ (Demilitarized Zone) is an isolated network zone located between external and internal networks. Servers that need to provide services externally, such as web servers and mail servers, are placed here.

┌──────────┐
│ Internet │
└────┬─────┘
     │
┌────┴──────────────┐
│ External Firewall │
└────┬──────────────┘
     │
┌────┴──────────────────────────────┐
│             DMZ Zone              │
│  ┌────────────┐  ┌─────────────┐  │
│  │ Web Server │  │ Mail Server │  │
│  └────────────┘  └─────────────┘  │
│  ┌────────────┐  ┌─────────────┐  │
│  │ DNS        │  │ FTP         │  │
│  └────────────┘  └─────────────┘  │
└────┬──────────────────────────────┘
     │
┌────┴──────────────┐
│ Internal Firewall │
└────┬──────────────┘
     │
┌────┴──────────────────────────────┐
│         Internal Network          │
│  ┌────────────┐  ┌─────────────┐  │
│  │ App Server │  │ DB Server   │  │
│  └────────────┘  └─────────────┘  │
└───────────────────────────────────┘

DMZ Design Principles:

  • DMZ servers must not connect directly to the internal network
  • Connections between the internal network and the DMZ are initiated only from the internal side (and only when necessary)
  • Minimize communication between DMZ servers
  • Open only the ports each server requires

4. Linux iptables/nftables Basics

4.1 iptables Overview

iptables is a firewall tool that uses the Linux kernel's netfilter framework. It is organized in a hierarchical structure of tables, chains, and rules.

Main Tables:

  • filter: Packet filtering (default table)
  • nat: Network address translation
  • mangle: Packet header modification
  • raw: Connection tracking exceptions

Default Chains in filter Table:

  • INPUT: Packets coming into the local system
  • OUTPUT: Packets going out from the local system
  • FORWARD: Packets passing through the system (routing)

4.2 Basic iptables Commands

# View current rules
sudo iptables -L -n -v

# View rules for specific table
sudo iptables -t nat -L -n -v

# Add rule (Append)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Insert rule at specific position
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# Delete rule
sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Delete all rules in chain
sudo iptables -F INPUT

# Set default policy
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

4.3 Practical iptables Rules Example

#!/bin/bash
# Basic Server Firewall Script

# Clear existing rules
iptables -F
iptables -X

# Set default policies (whitelist approach)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (from specific IP only)
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# Allow ICMP (ping) with rate limiting
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "iptables-dropped: " --log-level 4

# Drop everything else (explicit, though already default policy)
iptables -A INPUT -j DROP

# Save rules
iptables-save > /etc/iptables/rules.v4

4.4 nftables - Successor to iptables

nftables is the modern firewall framework replacing iptables. It provides more concise syntax and improved performance.

#!/usr/sbin/nft -f
# nftables basic configuration example (the shebang stays on the first line so the file can be executed directly)

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow loopback
        iif lo accept

        # Allow established connections
        ct state established,related accept

        # Allow SSH
        tcp dport 22 accept

        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # Allow ICMP
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Log and drop
        log prefix "nftables-dropped: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

5. UFW (Uncomplicated Firewall) Configuration

UFW is a frontend tool that makes it easy to manage iptables on Ubuntu/Debian systems.

5.1 Basic UFW Commands

# Check UFW status
sudo ufw status verbose

# Enable/Disable UFW
sudo ufw enable
sudo ufw disable

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow ports
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow access from specific IP
sudo ufw allow from 192.168.1.0/24 to any port 22

# Deny specific port
sudo ufw deny 3306/tcp

# Delete rule
sudo ufw delete allow 80/tcp

# Delete by rule number
sudo ufw status numbered
sudo ufw delete 3

# Use application profiles
sudo ufw app list
sudo ufw allow 'Nginx Full'
sudo ufw allow 'OpenSSH'

5.2 Advanced UFW Configuration

# Rate limiting (brute force prevention)
sudo ufw limit ssh/tcp

# Allow only on specific interface
sudo ufw allow in on eth0 to any port 80

# Logging configuration
sudo ufw logging on
sudo ufw logging medium  # off, low, medium, high, full

# IPv6 configuration (/etc/default/ufw)
# IPV6=yes

6. Windows Firewall

6.1 Windows Defender Firewall GUI Settings

Windows provides Windows Defender Firewall by default. It can be configured through Control Panel or the Windows Security app.

Main Settings Paths:

  • Control Panel > System and Security > Windows Defender Firewall
  • Windows Security > Firewall & network protection
  • Windows Defender Firewall with Advanced Security (wf.msc)

6.2 Firewall Management with PowerShell

# Check firewall status
Get-NetFirewallProfile

# Enable/Disable firewall for specific profile
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Query inbound rules
Get-NetFirewallRule -Direction Inbound | Where-Object {$_.Enabled -eq 'True'}

# Add new inbound rule (Allow HTTP)
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

# Add new inbound rule (Allow SSH from specific IP only)
New-NetFirewallRule -DisplayName "Allow SSH from Internal" -Direction Inbound -Protocol TCP -LocalPort 22 -RemoteAddress 192.168.1.0/24 -Action Allow

# Delete rule
Remove-NetFirewallRule -DisplayName "Allow HTTP"

# Disable rule
Disable-NetFirewallRule -DisplayName "Allow HTTP"

# Add outbound rule (Block specific port)
New-NetFirewallRule -DisplayName "Block Telnet Outbound" -Direction Outbound -Protocol TCP -RemotePort 23 -Action Block

# Export all rules
netsh advfirewall export "C:\firewall-backup.wfw"

# Import rules
netsh advfirewall import "C:\firewall-backup.wfw"

6.3 Firewall Management with netsh

REM Check firewall status
netsh advfirewall show allprofiles

REM Enable firewall
netsh advfirewall set allprofiles state on

REM Open port
netsh advfirewall firewall add rule name="Open HTTP" dir=in action=allow protocol=tcp localport=80

REM Delete rule
netsh advfirewall firewall delete rule name="Open HTTP"

REM Query all inbound rules
netsh advfirewall firewall show rule name=all dir=in

7. Firewall Policy Design Principles

7.1 Principle of Least Privilege

Use a whitelist approach where only necessary traffic is allowed and everything else is blocked.

Good Example:

  • Default policy: Block all inbound traffic (DROP)
  • Exception: Explicitly allow only required services

Bad Example:

  • Default policy: Allow all traffic (ACCEPT)
  • Exception: Block only dangerous ports (blacklist)

7.2 Defense in Depth

Build multiple layers of security rather than relying on a single firewall.

  • Network Perimeter Firewall: External/internal network boundary
  • Segment Firewall: Between internal network segments
  • Host-based Firewall: Individual servers/workstations

7.3 Rule Order Optimization

Firewall rules are processed sequentially from top to bottom. For efficient rule ordering:

  1. Place most frequently matched rules at the top
  2. Explicit deny rules before allow rules
  3. More specific rules before general rules
  4. Default deny rule at the end

7.4 Documentation and Change Management

All firewall rules must be documented, and changes should go through an approval process.

Firewall Rule Documentation Template:
┌────────┬────────────┬──────────┬────────┬────────────┬────────────┬──────────┐
│ Rule ID│ Source     │ Dest     │ Port   │ Protocol   │ Action     │ Notes    │
├────────┼────────────┼──────────┼────────┼────────────┼────────────┼──────────┤
│ FW-001 │ Any        │ DMZ-WEB  │ 443    │ TCP        │ Allow      │ HTTPS    │
│ FW-002 │ Internal   │ DMZ-DB   │ 3306   │ TCP        │ Allow      │ MySQL    │
│ FW-003 │ Admin-Net  │ Any      │ 22     │ TCP        │ Allow      │ SSH      │
│ FW-999 │ Any        │ Any      │ Any    │ Any        │ Deny + Log │ Default  │
└────────┴────────────┴──────────┴────────┴────────────┴────────────┴──────────┘
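A documentation table like the one above can also be machine-checked against the ordering principles of 7.3. The following Python example is added here and is not part of the original article: it parses rows in the template's box format (the template itself, plus a constructed second table with deliberate mistakes), then reports duplicate rule IDs, rules with no justification, allow rules open to any source on any port, rules shadowed or made redundant by an earlier broader rule, and a missing final default deny. Field matching is the simple "Any or identical text" comparison of the template; it does not expand CIDR ranges or port ranges.

```python
from dataclasses import dataclass
from typing import List

ANY = "Any"   # wildcard used in the documentation template


@dataclass(frozen=True)
class DocRule:
    rule_id: str
    source: str
    dest: str
    port: str
    protocol: str
    action: str   # "Allow", "Deny" or "Deny + Log"
    notes: str

    @property
    def is_deny(self) -> bool:
        return self.action.startswith("Deny")

    @property
    def is_catch_all(self) -> bool:
        return all(f == ANY for f in (self.source, self.dest, self.port, self.protocol))

    def covers(self, other: "DocRule") -> bool:
        """True if every packet matched by `other` also matches this rule (each field Any or identical)."""
        mine = (self.source, self.dest, self.port, self.protocol)
        theirs = (other.source, other.dest, other.port, other.protocol)
        return all(m == ANY or m == t for m, t in zip(mine, theirs))


def parse_rule_table(text: str) -> List[DocRule]:
    """Parse the box-drawn template: data rows start with '│'; border lines and the header row are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue
        cells = [c.strip() for c in line.strip("│").split("│")]
        if cells[0] == "Rule ID":
            continue
        rules.append(DocRule(*cells))
    return rules


def lint_rules(rules: List[DocRule]) -> List[str]:
    """Return human-readable findings; an empty list means the rule set passes every check."""
    findings: List[str] = []
    seen_ids = set()
    for i, rule in enumerate(rules):
        if rule.rule_id in seen_ids:
            findings.append(f"{rule.rule_id}: duplicate rule ID")
        seen_ids.add(rule.rule_id)
        if not rule.notes:
            findings.append(f"{rule.rule_id}: missing justification in Notes")
        if not rule.is_deny and rule.source == ANY and rule.port == ANY:
            findings.append(f"{rule.rule_id}: allows any source on any port (violates least privilege)")
        # First match wins, so an earlier rule that covers this one decides its traffic instead.
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant (same action)" if earlier.is_deny == rule.is_deny else "shadowed (never reached)"
                findings.append(f"{rule.rule_id}: {kind} by {earlier.rule_id}")
                break
    if not rules or not (rules[-1].is_deny and rules[-1].is_catch_all):
        findings.append("last rule is not an explicit default deny (Any/Any/Any/Any)")
    return findings


# The template from section 7.4, verbatim.
GOOD_TABLE = """
┌────────┬────────────┬──────────┬────────┬────────────┬────────────┬──────────┐
│ Rule ID│ Source     │ Dest     │ Port   │ Protocol   │ Action     │ Notes    │
├────────┼────────────┼──────────┼────────┼────────────┼────────────┼──────────┤
│ FW-001 │ Any        │ DMZ-WEB  │ 443    │ TCP        │ Allow      │ HTTPS    │
│ FW-002 │ Internal   │ DMZ-DB   │ 3306   │ TCP        │ Allow      │ MySQL    │
│ FW-003 │ Admin-Net  │ Any      │ 22     │ TCP        │ Allow      │ SSH      │
│ FW-999 │ Any        │ Any      │ Any    │ Any        │ Deny + Log │ Default  │
└────────┴────────────┴──────────┴────────┴────────────┴────────────┴──────────┘
"""

# Constructed counter-example: a catch-all allow on top, a duplicate ID, no notes, no default deny.
BAD_TABLE = """
│ Rule ID│ Source     │ Dest     │ Port   │ Protocol   │ Action     │ Notes    │
│ FW-010 │ Any        │ Any      │ Any    │ Any        │ Allow      │ temp     │
│ FW-011 │ Internal   │ DMZ-DB   │ 3306   │ TCP        │ Deny       │ freeze   │
│ FW-011 │ Admin-Net  │ Any      │ 22     │ TCP        │ Allow      │          │
"""

if __name__ == "__main__":
    for name, table in (("template", GOOD_TABLE), ("counter-example", BAD_TABLE)):
        print(f"{name}: {lint_rules(parse_rule_table(table)) or ['OK']}")
```

The template passes cleanly; the counter-example produces six findings, including that FW-011's deny is shadowed by the catch-all allow above it and therefore never takes effect. Running a check like this as part of the change-approval step catches the ordering mistakes that are hard to see in a long rule list.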

8. Firewall Log Analysis

8.1 Importance of Logs

Firewall logs are essential for security incident detection, forensic analysis, and regulatory compliance. For effective log management:

  • Log all blocked traffic
  • Log important allowed traffic
  • Ensure sufficient retention period (minimum 90 days, recommended 1 year)
  • Centralized log management (SIEM integration)

8.2 Linux Firewall Log Analysis

# Check iptables logs
tail -f /var/log/kern.log | grep "iptables"
tail -f /var/log/syslog | grep "iptables-dropped"

# Top 10 blocked IP addresses
grep "iptables-dropped" /var/log/syslog | \
    awk '{for(i=1;i<=NF;i++) if($i ~ /SRC=/) print $i}' | \
    cut -d= -f2 | sort | uniq -c | sort -rn | head -10

# Top 10 blocked destination ports
grep "iptables-dropped" /var/log/syslog | \
    awk '{for(i=1;i<=NF;i++) if($i ~ /DPT=/) print $i}' | \
    cut -d= -f2 | sort | uniq -c | sort -rn | head -10

# Block count per minute (syslog timestamp truncated to HH:MM)
grep "iptables-dropped" /var/log/syslog | \
    awk '{print $1, $2, $3}' | \
    cut -d: -f1,2 | uniq -c

8.3 Windows Firewall Log Analysis

# Enable firewall logging
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogAllowed True -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"

# Log file location
# C:\Windows\System32\LogFiles\Firewall\pfirewall.log

# Analyze logs with PowerShell
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" |
    Where-Object { $_ -match "DROP" } |
    Select-Object -Last 100

# Statistics of blocked connection source IPs
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" |
    Where-Object { $_ -match "DROP" } |
    ForEach-Object { ($_ -split '\s+')[4] } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10

8.4 Patterns to Watch in Log Analysis

The following patterns require attention when discovered:

  • Port Scan: Connection attempts to multiple ports from the same source
  • Brute Force Attack: Repeated connection attempts to SSH (22), RDP (3389) ports
  • Abnormal Outbound Connections: Unusual traffic from internal to external
  • Non-standard Port Usage: Normal services connecting to non-standard ports
  • Night/Weekend Traffic Spikes: Abnormal activity during off-hours
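The shell pipelines in 8.2 count blocked sources; spotting the port-scan and brute-force patterns listed above additionally needs the timing of the events. The Python example below is added here and is not from the article: it parses the KEY=VALUE fields the kernel writes for the iptables LOG target (using the iptables-dropped: prefix from the script in 4.3), reproduces the top-blocked-sources count, and then flags any source that hits five or more distinct ports, or makes five or more attempts against SSH or RDP, inside a 60-second window. The sample log lines are constructed, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

KV = re.compile(r"(\w+)=(\S*)")   # the kernel writes header fields as KEY=VALUE tokens
LOG_PREFIX = "iptables-dropped:"  # --log-prefix used by the script in section 4.3
AUTH_PORTS = (22, 3389)           # SSH and RDP, the brute-force targets named in 8.4


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one syslog line from the LOG target into a dict; None for lines that are not firewall logs."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(KV.findall(line.split(LOG_PREFIX, 1)[1]))
    return {
        "time": datetime.strptime(line[:15], "%b %d %H:%M:%S"),   # classic syslog timestamp, no year
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP entries carry no ports
    }


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    return [ev for ev in map(parse_log_line, lines) if ev is not None]


def top_blocked_sources(events: List[Dict[str, object]], n: int = 10) -> List[tuple]:
    """Same result as the 'Top 10 blocked IP addresses' pipeline in 8.2."""
    return Counter(ev["src"] for ev in events).most_common(n)


def detect_patterns(events, window_seconds=60, scan_ports=5, brute_attempts=5) -> List[Dict[str, object]]:
    """Sliding-window detection per source: many distinct ports (port scan) or repeated SSH/RDP hits (brute force)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] is not None:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        peaks: Dict[tuple, int] = {}   # (kind, port) -> highest count seen in any window
        start = 0
        for end in range(len(evs)):
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct_ports = len({e["dport"] for e in window})
            if distinct_ports >= scan_ports:
                peaks[("port scan", None)] = max(peaks.get(("port scan", None), 0), distinct_ports)
            for port in AUTH_PORTS:
                hits = sum(1 for e in window if e["dport"] == port)
                if hits >= brute_attempts:
                    peaks[("brute force", port)] = max(peaks.get(("brute force", port), 0), hits)
        for (kind, port), count in peaks.items():
            findings.append({"kind": kind, "src": src, "port": port, "count": count})
    return sorted(findings, key=lambda f: (f["kind"], f["src"]))


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    return detect_patterns(parse_log(lines))


# Constructed sample: fields abbreviated to those the analysis needs, but in the kernel's layout.
_TEMPLATE = ("Mar  3 10:15:{sec:02d} web01 kernel: iptables-dropped: IN=eth0 OUT= "
             "SRC={src} DST=10.0.0.5 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT={dport} SYN")
SAMPLE_LOG = (
    [_TEMPLATE.format(sec=s, src="203.0.113.7", dport=p) for s, p in enumerate((21, 22, 23, 25, 80, 443), 1)]
    + [_TEMPLATE.format(sec=10 + 5 * i, src="198.51.100.9", dport=22) for i in range(6)]
    + [_TEMPLATE.format(sec=40, src="192.0.2.55", dport=3389),
       "Mar  3 10:15:41 web01 kernel: iptables-dropped: IN=eth0 OUT= SRC=192.0.2.55 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0",
       "Mar  3 10:15:42 web01 sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50022"]
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("top blocked sources:", top_blocked_sources(events))
    for f in detect_patterns(events):
        print(f"{f['kind']:12} src={f['src']:14} port={f['port']} count={f['count']}")
```

On the sample, 203.0.113.7 is reported as a port scan (six distinct ports in six seconds) and 198.51.100.9 as SSH brute force (six attempts in 25 seconds), while the single RDP hit from 192.0.2.55 stays below both thresholds. The sliding window matters: a source that probes one port per hour never accumulates enough events in any 60-second window, which is why slow scans need a longer window or a second, coarser pass.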

9. Summary and Next Episode Preview

In this episode, we explored firewall concepts, the various firewall types, architecture design, and practical configuration methods for Linux and Windows. Because the firewall is the first line of defense in network security, proper design and continuous management are essential.

Key Takeaways:

  • Configure firewalls using a whitelist approach (default deny, allow only what's needed)
  • Use stateful inspection or higher-layer inspection (proxy, NGFW) for more precise filtering
  • Network segmentation through DMZ
  • Documentation and change management for all rules
  • Continuous monitoring through log analysis

In Part 4, we will learn about IDS/IPS (Intrusion Detection/Prevention Systems). We will cover Snort and Suricata installation and configuration, detection rule creation, and SIEM integration.