
Source: Internet
Author: User
Article Title: Improve network security by understanding the principles of Firewall
As networks have developed, security technologies have appeared one after another. At present the most common and mature approach is to use a FIREWALL to improve security. Definitions of FIREWALL differ from person to person; the one I personally agree with is: "A firewall system can be a router or a host, a single host or a group of hosts, that isolates a network or subnet from abuse of its protocols and services by hosts /* or local users */ that may be outside the subnet. This also includes the application of reasonable filtering rules."
  
From the perspective of an outside user, the simplest example is when we try to connect to a remote host with TELNET or some other means and, after waiting half a day, get "connection refused" /* of course, the other side may simply be restricting logins by IP */ ...... :(
  
The classic way to classify FIREWALLs is into two types: application proxies and packet-filtering gateways.
  
I decided to save N words here :) N articles have been written about FIREWALL principles and implementation techniques ...... You can find them everywhere, in both Chinese and English. If you are interested, I can also send you material.
  
OK. Having gone through the basics of FIREWALL, let's look at the problem from the perspective we are used to. :) Some FIREWALL types can be identified with a simple port scan. For example, CheckPoint's Firewall-1 listens on TCP ports 256, 257 and 258 /* CheckPoint's ports for remote management */, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745. We can simply use NMAP to find them: nmap -n -vv -P0 -p 256 *.*.*.*/24. I want to remind you that -P0 must not be omitted, because this option stops NMAP from pinging targets with ICMP before scanning, and many firewalls will not respond to ICMP echo requests.
  
Use the traceroute command on Unix or tracert on Windows NT and 98; on LINUX you can add the -I option to send ICMP packets instead of UDP.
  
The principle of TRACEROUTE is to send a series of UDP packets to the target host. The first three packets are sent with the TTL (time to live) set to 1; the first ROUTER that receives them sends back an ICMP "TTL exceeded" message and discards them. The next three packets are sent with TTL 2; the second ROUTER that receives them sends back a TTL exceeded message and discards them ...... and so on.
  
Generally, you can see the following situation:
1 XXX 192.168.55.1 ** ms
2 SSS 192.168.52.2
......
11 WWW 10.63.2.2
12 ZZZ 10.63.5.1
13 QQQ 172.16.11.1
We can guess that 10.63.5.1 may be the FIREWALL. /* This can only be a guess */ If a ROUTER or FIREWALL is configured not to reply with ICMP TTL exceeded messages, we will not be able to see it through TRACEROUTE, and the trace simply goes silent:
1 XXX 192.168.55.1
2 SSS 192.168.52.2
......
11 WWW 10.63.2.2
12 ZZZ 10.63.5.1
13 QQQ 172.16.11.1
14 ***
15 ***
  
Sometimes we use NC to connect to port 21 or port 23 of the target; if it is under FIREWALL protection, you may see the FIREWALL's banner. Haha, the simplest example in China: FTP directly to the super cool 163 personal homepage server and you see "Skynet ......". That was the most famous FIREWALL of its time.
  
How can we learn as much FIREWALL information as possible? I personally prefer NMAP as a SCANNER; I think it is impeccable and always tells us as much as possible ...... /* It is recommended that you first read the NMAP documentation; you may also need to review the TCP three-way handshake */ NMAP always shows the service name, port number, state and protocol. There are three states: 'open', 'filtered' and 'unfiltered'.
Not much needs to be said about 'open': everyone knows the target will accept your connection requests on that port. In NMAP, a port is generally reported as filtered under the following three conditions:
1. No SYN/ACK packet is received.
2. No RST/ACK packet is received.
3. The reply is ICMP type 3, code 13, meaning the destination is unreachable because communication is administratively prohibited. /* ICMP type 3 means destination unreachable; the different codes distinguish about 13 situations, such as network, host, protocol and port unreachable ...... */
For the 'filtered' state we can use TCPDUMP for a closer look and find that the captured IP packet clearly carries the unreachable message. NMAP takes the blocked-port information from the type and code bytes at the head of the ICMP header; the type, code and checksum that the FIREWALL returns after filtering occupy the first 4 bytes of the ICMP message inside the IP packet.
What 'unfiltered' means is the most debated topic on the major security BBSes. Put simply, according to the NMAP documentation, unfiltered is only shown when most of the scanned ports are in the 'filtered' state; in practice it only appears when scanning a large number of ports and receiving an RST/ACK packet. In the 'unfiltered' state, either our SCAN has passed through the FIREWALL and the TARGET is telling us that the port is not listening, in other words not open; or the FIREWALL itself replied with an RST/ACK, which often happens when scanning some FIREWALLs such as CheckPoint (with a REJECT rule it returns an RST/ACK packet on behalf of the target, with the target's address as the source IP). If we run TCPDUMP at the same time, we can see the RST/ACK packet coming back. /* I personally think this is a very good solution */
  
Some SCANNERS can help us further.
Hping is a very practical tool. It sends a TCP packet to the target port and reports the packet that comes back, producing different output under different conditions. With HPING we can describe the FIREWALL's control rules quite clearly.
When a PORT is open and accepts the connection, HPING shows 'flags=SA', meaning a SYN/ACK packet was received.
When we use HPING to scan port 23 of *.*.*.* and receive 'ICMP Unreachable type 13 from *.*.*.*' (ICMP type 3, code 13: communication administratively prohibited), we have usually run into a packet-filtering router. If the other side is a CISCO, its configuration probably contains a line like "access-list 101 deny tcp any any eq 23 ! telnet". When we receive an RST/ACK packet /* 'flags=RA' */, it generally means one of two things:
1. The packet passed the FIREWALL and the TARGET does not have this port open.
2. The FIREWALL rejected the packet (like CheckPoint's reject rule).
If you first scan port 23 of an IP address and receive 'ICMP Unreachable type 13 from *.*.*.*', and then scan another port such as 22 and receive an RA packet /* 'flags=RA' */, then, putting the two together, we can conclude that port 22 is simply not open, rather than being rejected by a filtering rule.
Finally, when the FIREWALL blocks a PORT completely, we usually receive no response packet at all. This can mean two things:
1. The packet never reached the TARGET and was lost on the way.
2. Most of the time, the FIREWALL's filtering rules decided to discard it.
  
Firewalk is also a very good tool for finding PORTs that are open behind a FIREWALL. It uses an IP TTL calculated to expire one hop past the firewall; in fact it still relies on the "ICMP TTL expired in transit" response: if the firewall's ACL lets the packet through, the next hop returns a TTL expired message; if the packet is rejected by the firewall's ACL, there is no response or an ICMP type 3 code 13 comes back. However, when scanning with firewalk, some FIREWALLs return an ICMP TTL expired packet even for packets they reject, and then we see every port as open :(

The above are some of the firewall scanning techniques I have mastered. I hope they help you understand the situation behind the FIREWALL as much as possible, and you are welcome to discuss them.
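The following added example (not code from the article, nor from nmap, hping or firewalk) sends one TCP SYN with a chosen TTL and maps the reply to the states discussed above: SYN/ACK is open, RST/ACK is 'unfiltered' (closed on the host, or a REJECT rule answering for it), ICMP type 3 code 13 is a packet-filter ACL, TTL expired is the firewalk signal, and silence is a drop. Setting ttl to the number of hops to the firewall plus one turns the probe into a firewalk probe, and interpret_firewalk applies the caveat above about gateways that expire the probe themselves. The sample replies at the bottom are constructed, the IP addresses are made up, and the raw sockets need root on Linux.

```python
"""TCP SYN probe, reply classification (the nmap/hping reading above) and the firewalk TTL trick.
Added example for this page; Linux only; raw sockets need root. Sample replies are constructed."""
import random
import socket
import struct
import time


def checksum(data):
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, seq=0):
    """20-byte TCP header, flags=S, valid checksum; the kernel prepends the IP header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def classify_reply(pkt, sport, dport):
    """One IPv4 reply -> (state, responder_ip), or None if it does not answer our probe sport->dport."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, responder = pkt[9], socket.inet_ntoa(pkt[12:16])
    if proto == socket.IPPROTO_TCP and len(pkt) >= ihl + 14:
        if struct.unpack("!HH", pkt[ihl:ihl + 4]) != (dport, sport):
            return None
        flags = pkt[ihl + 13]
        if flags & 0x12 == 0x12:           # SYN/ACK, hping 'flags=SA': open
            return "open", responder
        if flags & 0x04:                   # RST/ACK, 'flags=RA': closed on the host or a REJECT rule
            return "unfiltered", responder
        return None
    if proto == socket.IPPROTO_ICMP:
        itype, icode = pkt[ihl], pkt[ihl + 1]
        inner = pkt[ihl + 8:]              # the error quotes our IP header and 8 bytes of our TCP header
        if len(inner) < 24:
            return None
        iihl = (inner[0] & 0x0F) * 4
        if struct.unpack("!HH", inner[iihl:iihl + 4]) != (sport, dport):
            return None
        if itype == 3 and icode == 13:     # communication administratively prohibited: a packet-filter ACL
            return "filtered", responder
        if itype == 3:
            return "unreachable code %d" % icode, responder
        if itype == 11:                    # TTL expired in transit: the probe got past every hop before this one
            return "ttl-expired", responder
    return None


def local_source_ip(dst_ip):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # connect() on UDP sends nothing
        s.connect((dst_ip, 9))
        return s.getsockname()[0]


def probe(dst_ip, dport, ttl=64, timeout=2.0):
    """Send one SYN and classify the first matching reply; ttl = hops to the firewall + 1 makes it a firewalk probe."""
    sport = random.randint(40000, 60000)
    sniff = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    tx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    deadline = time.monotonic() + timeout
    try:
        tx.sendto(build_syn(local_source_ip(dst_ip), dst_ip, sport, dport), (dst_ip, 0))
        while True:
            sniff.settimeout(max(deadline - time.monotonic(), 0.01))
            verdict = classify_reply(sniff.recv(65535)[14:], sport, dport)   # skip the Ethernet header
            if verdict:
                return verdict
    except socket.timeout:
        return "filtered", None            # silence: dropped by the filter, or lost on the way
    finally:
        tx.close()
        sniff.close()


def interpret_firewalk(state, responder, gateway_ip):
    """Read a ttl=hops+1 probe the way firewalk does, with the caveat about gateways that answer themselves."""
    if state == "ttl-expired" and responder == gateway_ip:
        return "inconclusive: the gateway itself expired the probe"
    if state == "ttl-expired":
        return "passes the ACL: expired one hop beyond the gateway"
    if state == "filtered" and responder is None:
        return "blocked: dropped silently"
    if state == "filtered":
        return "blocked: rejected with ICMP admin-prohibited"
    return "reached the host: " + state     # open / unfiltered came from the target itself


def _ip(src, dst, proto, payload):
    """Constructed IPv4 header (checksum 0) for the offline samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


# Constructed replies to probes from 10.0.0.9:40000 (made-up addresses, not captured traffic).
OUR_IP, OUR_PORT = "10.0.0.9", 40000
SYNACK_22 = _ip("10.0.0.5", OUR_IP, 6, struct.pack("!HHIIBBHHH", 22, OUR_PORT, 1, 1, 5 << 4, 0x12, 8192, 0, 0))
RSTACK_22 = _ip("10.0.0.5", OUR_IP, 6, struct.pack("!HHIIBBHHH", 22, OUR_PORT, 0, 1, 5 << 4, 0x14, 0, 0, 0))
QUOTED_23 = _ip(OUR_IP, "10.0.0.5", 6, struct.pack("!HHI", OUR_PORT, 23, 0))
PROHIB_23 = _ip("10.63.5.1", OUR_IP, 1, struct.pack("!BBHI", 3, 13, 0, 0) + QUOTED_23)
EXPIRED_23 = _ip("10.63.6.1", OUR_IP, 1, struct.pack("!BBHI", 11, 0, 0, 0) + QUOTED_23)
```

Call probe(host, port) for a plain scan and probe(host, port, ttl=hops + 1) followed by interpret_firewalk(state, responder, gateway_ip) for a firewalk-style check. Note that the kernel, which has no socket for our random source port, will answer a SYN/ACK with its own RST; that does not affect the first matching reply we classify.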
  
In addition, I will briefly discuss how to get through a FIREWALL and leave a backdoor. I will write it up in detail later; I strongly recommend THC's article on placing backdoors through FIREWALLs !!!
What follows combines the THC article with my own experience. There is a lot in the THC article that I don't understand very well, and I'd like to discuss it with you.
1. Many FIREWALLs, such as CHECKPOINT, by default allow DNS lookups (UDP 53), DNS zone transfers (TCP 53) and RIP (UDP 520) from any HOST. Using this, we can make our Trojan program listen on one of these PORTs, and then ...... Sometimes the packet filter is stateful; in that case we cannot execute our own commands through the DNS port, but there are other methods ......
2. Many firewalls let ICMP echo, ICMP echo reply and UDP packets pass, such as CheckPoint's DNS rule, haha. You can encapsulate your data in ICMP packets and execute commands through the FIREWALL; the existing software for this is LOKI & lokid (client & server). I will write it up for you once I have had a bit of cake ...... UDP backdoor programs include daemonshell-udp, which is also from [THC] - The Hacker's Choice.
3. Use CGI to keep a backdoor. Haha, ROUTER filtering is impressive, but as long as HTTP access is allowed it cannot stop CGI backdoors. They are easy to find on the Internet, such as the backdoor written by GH, but they all look very much alike apart from the author's name.
4. Open a SHELL backdoor on a high port. There are many domestic shells of this kind. The main principle is that some FIREWALLs do not check high PORTs, so such backdoors can be placed there.
5. Use the .forward file: sendmail is hardly less common than HTTP ...... Have it execute your SHELL script and decide for yourself what you want it to do. :) A similar method is to use crontab. The most important thing is what commands you want them to execute ......
6. RPC services. Haha, many FIREWALLs allow RPC services. Using RPC EXPLOITS you can come and go as you please ......
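As an added example for point 2 (not code from the article, THC or Loki), this shows how a command rides inside an ICMP echo request that a firewall passing echo traffic will forward, and the check a defender can run on echo payloads to spot such a channel. The MAGIC tag, identifier and sample payloads are hypothetical; the benign templates assume the payload layout of iputils ping on 64-bit Linux (a 16-byte timestamp followed by bytes whose value equals their offset) and of Windows ping; nothing is sent on the network.

```python
"""A command inside an ICMP echo request (the Loki idea from point 2) and the payload check a
defender can run against it. Added example; MAGIC, addresses and samples are hypothetical."""
import math
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0
MAGIC = b"LK"                          # hypothetical tag so the far end can tell carriers from real pings
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_TS_BYTES = 16                    # assumption: 64-bit iputils ping puts a 16-byte timestamp first,
                                       # then fills byte i with the value i (0x10 0x11 ... 0x37 for 56 bytes)


def checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """ICMP echo request/reply (no IP header) with a valid checksum."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def wrap_command(command, ident=0x4C4B, seq=1):
    """Client side: hide a command in an echo request padded to the usual 56-byte ping payload."""
    return build_echo(ECHO_REQUEST, ident, seq, (MAGIC + command.encode()).ljust(56, b"\x00"))


def unwrap(packet):
    """Server side: the hidden command if this is a carrier packet, else None (a real ping)."""
    payload = packet[8:]
    if packet[0] == ECHO_REQUEST and payload.startswith(MAGIC):
        return payload[len(MAGIC):].rstrip(b"\x00").decode(errors="replace")
    return None


def entropy(data):
    """Shannon entropy in bits per byte."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def is_stock_ping(payload):
    """Payload a normal ping utility would send (see the assumptions above)."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) > LINUX_TS_BYTES and all(payload[i] == i & 0xFF for i in range(LINUX_TS_BYTES, len(payload)))


def inspect_echo(packet):
    """Defender's check on one ICMP message: 'benign' for stock pings, otherwise why it looks like a channel."""
    if packet[0] not in (ECHO_REQUEST, ECHO_REPLY):
        return "not-echo"
    payload = packet[8:]
    if is_stock_ping(payload):
        return "benign"
    body = payload.rstrip(b"\x00")
    if not body:
        return "benign"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in body) / len(body)
    if printable > 0.9:
        return "suspicious: text payload"              # commands or their output in the clear
    if entropy(body) > 0.9 * math.log2(min(len(body), 256)):
        return "suspicious: high-entropy payload"      # encrypted or compressed data riding along
    return "unknown payload"


# Constructed packets for the offline demo (nothing is sent).
SAMPLES = {
    "linux ping": build_echo(ECHO_REQUEST, 1, 1, bytes(LINUX_TS_BYTES) + bytes(i & 0xFF for i in range(LINUX_TS_BYTES, 56))),
    "windows ping": build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PING),
    "command in": wrap_command("cat /etc/passwd"),
    "output back": build_echo(ECHO_REPLY, 0x4C4B, 1, MAGIC + bytes((i * 37 + 11) & 0xFF for i in range(54))),
}


def demo():
    """Name -> verdict for the constructed samples."""
    return {name: inspect_echo(pkt) for name, pkt in SAMPLES.items()}
```

The two checks are deliberately simple: a stock-payload whitelist, then a printable-text test and an entropy test on whatever remains. Real channels can pad with a copied ping pattern or keep payloads tiny, so in practice a defender also counts echo packets per source/destination pair and compares request and reply sizes over time.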
