
Chapter 9 Ex

The document outlines exercises related to firewalls and IT security, including tasks on defining key terms, explaining packet filters, and analyzing TCP connection setups. It also includes practical exercises involving Java programming, network configuration, and the use of Linux Netfilter for traffic filtering and NAT. Additionally, it discusses the implications of modifying network setups and the security considerations involved.

Fachbereich 2 IT-Security

Prof. Dr. Martin Kappes (I/II)

Exercise Chapter “Firewalls”

Task 1:

Describe the following terms briefly in 3-4 sentences.

1. Firewall

2. Packet Filter

3. Application Level Gateway

4. Demilitarized Zone

5. Tunnel

Task 2:

Explain how a Packet Filter works.

Task 3:

Explain what Network Address Translation is and how it works.

Task 4:

Describe inherent weaknesses and vulnerabilities in the concept “Firewall”.

Task 5:

1. Describe how a static packet filter distinguishes between incoming and outgoing TCP connections. Denote the corresponding rules in pseudo-notation or verbally.

2. Describe how a dynamic packet filter distinguishes between incoming and outgoing TCP connections. Denote the corresponding rules in pseudo-notation or verbally.

Task 6:

In the following, we consider a router connecting the networks [Link]/24 and [Link]/24
with a static packet filter. All packets are processed against a chain with the following rules:

Nr. | IP Source Address | IP Destination Address | Protocol | Set Flags | Considered Flags | Action
1   | [Link]/24         | [Link]                 | TCP      | SYN       | SYN ACK          | DROP
2   | [Link]            | [Link]/24              | TCP      | SYN ACK   | SYN ACK          | DROP
3   | [Link]/24         | [Link]                 | TCP      | SYN ACK   | SYN ACK          | ACCEPT
4   | [Link]            | [Link]/24              | TCP      | SYN ACK   | SYN ACK          | DROP
5   | [Link]/16         | [Link]                 | TCP      | ACK       | ACK              | DROP
Default: ACCEPT

Assuming typical behavior (i.e. each TCP segment is transmitted in one IP packet), analyze
whether a TCP connection setup between the following hosts is successful or not.
For EVERY packet sent during connection setup, specify which of the rules is applied to
the packet. Note: Usually, more than one packet is sent.

1. TCP connection setup from [Link] to [Link]

2. TCP connection setup from [Link] to [Link]

3. TCP connection setup from [Link] to [Link]

4. TCP connection setup from [Link] to [Link]

5. TCP connection setup from [Link] to [Link]
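The "set flags" / "considered flags" columns describe a mask-and-compare on the TCP flags, evaluated rule by rule with the first match deciding (Netfilter's `--tcp-flags mask comp` match works the same way). The sketch below is an added example, not part of the original exercise sheet, and it is not a solution to the table above. The addresses (documentation ranges) and both one-rule chains are constructed to show why the considered-flags column matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    src: str          # source network in CIDR notation
    dst: str          # destination network in CIDR notation
    considered: set   # flags the rule inspects (the mask)
    set_flags: set    # inspected flags that must be set; other inspected flags must be clear
    action: str       # "ACCEPT" or "DROP"

def matches(rule, src, dst, flags):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (flags & rule.considered) == rule.set_flags)

def verdict(chain, default, src, dst, flags):
    """First matching rule decides; returns (rule number or None, action)."""
    for nr, rule in enumerate(chain, start=1):
        if matches(rule, src, dst, flags):
            return nr, rule.action
    return None, default

def handshake(chain, default, client, server):
    """Send SYN, SYN+ACK, ACK through the chain; stop at the first drop."""
    steps = [(client, server, {"SYN"}),
             (server, client, {"SYN", "ACK"}),
             (client, server, {"ACK"})]
    trace = []
    for src, dst, flags in steps:
        nr, action = verdict(chain, default, src, dst, flags)
        trace.append((sorted(flags), nr, action))
        if action == "DROP":
            return False, trace
    return True, trace

# Constructed networks: 192.0.2.0/24 is "inside", 198.51.100.0/24 is "outside".
INSIDE, OUTSIDE = "192.0.2.0/24", "198.51.100.0/24"
# Inspects SYN and ACK: only a bare SYN (connection request) from outside matches.
STRICT = [Rule(OUTSIDE, INSIDE, {"SYN", "ACK"}, {"SYN"}, "DROP")]
# Inspects SYN only: also matches the SYN+ACK reply to an outgoing connection.
LOOSE = [Rule(OUTSIDE, INSIDE, {"SYN"}, {"SYN"}, "DROP")]

if __name__ == "__main__":
    for name, chain in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        print(name, "outbound:", handshake(chain, "ACCEPT", "192.0.2.10", "198.51.100.20"))
        print(name, "inbound: ", handshake(chain, "ACCEPT", "198.51.100.20", "192.0.2.10"))
```

With the strict rule, outgoing connections complete and incoming ones die on the first SYN; with the loose rule, outgoing connections also fail because the returning SYN+ACK is dropped.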

Practical Exercises Chapter “Firewalls”

Task 1:

Write a simple Java program operating as a server on TCP port 80. The program should
answer any incoming request by sending back the following information to the client and
then close the connection:
Connection Information:
Client connecting from [client ip address, client side port]
Server from [server ip address, server side port]

Task 2:

Set up a network as follows:

[Figure: network diagram. Labels: [Link]/24 (public interconnection network), [Link]/24 (institution network), Router, [Link]/24 (institution network).]

All machines in the network must run Linux. Use the commands ifconfig and route for
configuration. Test the functionality of the network by using ping between [Link]
and [Link].

Task 3:

Add another machine [Link] with Default Gateway [Link] into network [Link]/24.
Rerun the ping experiment from above and run Wireshark on [Link]. Also, ping
[Link] and [Link] from [Link] and use Wireshark to observe the resulting
network traffic. What happens?

Task 4:

Run the Java program on [Link] and use Firefox on [Link] to connect to it.
Observe the corresponding network traffic from [Link].

Task 5:

• Study Linux Netfilter in detail.

• Create and test rules blocking ICMP traffic on one of the routers.

• Create a static packet filter on the router for the [Link]/24 network such that
TCP segments are filtered out based on SYN and ACK flags. Filter out outgoing TCP
segments with set SYN flag, then delete that rule and filter out incoming segments
with set SYN and ACK flag. What happens?

• Create a static packet filter configuration such that outgoing TCP connections from
the [Link]/24 network are possible but incoming connections are blocked. Check the
configuration by running appropriate tests.

Task 6:

• Study how the conntrack module can be used. Install the CLI tools for it if necessary.
Examine conntrack’s output when establishing and closing connections. Explain what
the individual fields in this file stand for.

• Use dynamic filtering rules based on the conntrack module to achieve the same setup
as in the previous exercise.

Task 7:

Create a (personal) firewall on [Link]. First, block incoming TCP connections while
allowing outgoing connections with static, then with dynamic filtering rules. Which chains
have to be used and why?

Task 8:

• Study the functionalities of source and destination NAT.

• Create a Source NAT on [Link] mapping all outgoing connections to address
[Link] and observe what happens.

• Create a Destination NAT on [Link] mapping all incoming connections to [Link]:8080
to [Link]:80 and test its function.

Task 9:

Change the scenario as follows: Modify the IP Address of [Link] to [Link] (Default
Gateway [Link]) and convert the router [Link]/[Link] into a bridge by deleting
the IP Addresses from both interfaces and then enabling bridging between them using brctl.
Now, use the bridge as a firewall and conduct the experiments from the previous exercises
again. Discuss security advantages and disadvantages of this scenario.
