14th Tutorial - Proxies, Firewalls, P2P
Bastian Blywis
Department of Mathematics and Computer Science Institute of Computer Science
2. Traffic Shaping
3. Firewalls
4. Secure Network Topology
5. Peer-To-Peer Networking
6. Movie Time
As you probably know, SSH can be used to create (secure) tunnels. Follow the steps to access the Telematics assignments over an SSH tunnel.
1. You need a console SSH client or some alternative, e.g., PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. Set up the SSH tunnel with some random local port and port 80 as endpoints between your host and some faculty computer, e.g., xian (replace LOCAL_PORT with the chosen port):
ssh -L LOCAL_PORT:cst.mi.fu-berlin.de:80 xian
3. Add the following mapping to the hosts file of your operating system:
127.0.0.1 cst.mi.fu-berlin.de
4. Open the following URL in a web browser:
http://cst.mi.fu-berlin.de:LOCAL_PORT
5. Download one of the Telematics assignments
6. Use Wireshark or any alternative tool to capture the data traffic between the two hosts
Explain why step 3 is required and what happens when it is omitted.
– The server is a virtual host
– Host field in HTTP header is evaluated
– If the host entry is omitted, you are accessing the website without the tunnel (and the randomly selected TCP port should be closed)
– The host entry resolves cst.mi.fu-berlin.de to localhost and thus the tunnel is
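To make the first two points of the answer concrete, here is an added Python example (illustrative code, not part of the tutorial) that models a name-based virtual host: a small local HTTP server selects the site from the Host header, and a client sends the two Host headers a browser would produce with and without the hosts entry. The site table, the listening port and the function names are constructed for the demonstration; the real cst.mi.fu-berlin.de server is never contacted.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table (not the real cst.mi.fu-berlin.de configuration):
# the web server picks the site from the Host header, not from the address it was reached on.
SITES = {
    "cst.mi.fu-berlin.de": "Telematics course page",
}
DEFAULT_SITE = "default site: no virtual host matches this Host header"


class VirtualHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip the port: "cst.mi.fu-berlin.de:8080" -> "cst.mi.fu-berlin.de"
        host = self.headers.get("Host", "").rsplit(":", 1)[0]
        body = SITES.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind a throw-away server on 127.0.0.1; it stands in for the far end of the tunnel."""
    server = HTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header):
    """Send GET / to 127.0.0.1:port with an explicit Host header and return the body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def demo():
    """Compare the two URLs a user could type once the local tunnel endpoint is listening."""
    server = start_server()
    port = server.server_address[1]
    try:
        # With the hosts entry the browser is pointed at http://cst.mi.fu-berlin.de:PORT/
        # and therefore sends "Host: cst.mi.fu-berlin.de:PORT".
        with_hosts_entry = fetch(port, f"cst.mi.fu-berlin.de:{port}")
        # Without it the only local URL is http://localhost:PORT/, which sends
        # "Host: localhost:PORT" and makes the virtual host serve the wrong site.
        without_hosts_entry = fetch(port, f"localhost:{port}")
    finally:
        server.shutdown()
        server.server_close()
    return with_hosts_entry, without_hosts_entry


if __name__ == "__main__":
    for label, body in zip(("with hosts entry", "without hosts entry"), demo()):
        print(f"{label}: {body}")
```

The hosts entry only changes name resolution on your own machine; the HTTP request still carries the original server name, which is exactly what a virtual host needs to pick the right site.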
Explain the token and leaky bucket schemes and how they are applied in computer networks.
– Token and leaky bucket are two algorithms to limit the data sent into the network
– Token bucket
  – 1 token added to bucket at rate r
  – Bucket has maximum size b
  – 1 packet may pass when a token is available (consumes token)
  – Throughput is limited by token rate but bursts are possible
  – In time t, ≤ (r × t + b) packets may pass
– Leaky bucket
  – Packets are added to bucket
  – 1 packet per time unit leaks out of bucket, i.e., may pass
  – If maximum size of bucket is reached, packets are dropped
  – Enforces rigid output pattern at average rate
  – Bursts are not possible
– Alternative: count bytes instead of packets
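An added simulation of both schemes in Python (illustrative code, not from the tutorial). It drives a token bucket (r = 1, b = 5, assumed to start full) and a leaky bucket (size 5) with a constructed bursty arrival pattern, counts packets rather than bytes, and checks the bound of r × t + b packets in time t stated above; the class and function names are mine.

```python
class TokenBucket:
    """Token bucket: tokens arrive at rate r, at most b are stored, one token per packet."""

    def __init__(self, rate, capacity):
        self.rate = rate            # r: tokens added per time unit
        self.capacity = capacity    # b: maximum number of stored tokens
        self.tokens = capacity      # assumption: the bucket starts full
        self.last = 0               # time of the last refill

    def allow(self, now):
        # Refill for the time elapsed since the last call, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1        # the packet consumes one token and passes
            return True
        return False                # no token available: packet is non-conforming


class LeakyBucket:
    """Leaky bucket: packets queue up to the bucket size and leak out one per time unit."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queued = 0
        self.dropped = 0

    def arrive(self):
        if self.queued >= self.capacity:
            self.dropped += 1       # bucket full: packet is dropped
            return False
        self.queued += 1
        return True

    def leak(self):
        # One packet per time unit leaks out, i.e. is sent into the network.
        if self.queued > 0:
            self.queued -= 1
            return 1
        return 0


def simulate_token_bucket(arrivals, rate, capacity):
    """arrivals[t] = packets arriving at time t; returns packets passed per time unit."""
    bucket = TokenBucket(rate, capacity)
    passed = []
    for t, n in enumerate(arrivals):
        passed.append(sum(1 for _ in range(n) if bucket.allow(t)))
    return passed


def simulate_leaky_bucket(arrivals, capacity):
    """Same input; returns (packets passed per time unit, packets dropped)."""
    bucket = LeakyBucket(capacity)
    passed = []
    for n in arrivals:
        for _ in range(n):
            bucket.arrive()
        passed.append(bucket.leak())
    return passed, bucket.dropped


def token_bound_holds(passed, rate, capacity):
    """Check the slide's bound: by time t at most r * t + b packets have passed."""
    total = 0
    for t, n in enumerate(passed):
        total += n
        if total > rate * t + capacity:
            return False
    return True


# Constructed arrival pattern: two bursts of 10 packets, five time units apart.
BURSTY_ARRIVALS = [10, 0, 0, 0, 0, 10, 0, 0, 0, 0]

if __name__ == "__main__":
    tb = simulate_token_bucket(BURSTY_ARRIVALS, rate=1, capacity=5)
    lb, dropped = simulate_leaky_bucket(BURSTY_ARRIVALS, capacity=5)
    print("token bucket (r=1, b=5):", tb, "bound holds:", token_bound_holds(tb, 1, 5))
    print("leaky bucket (size 5):  ", lb, "dropped:", dropped)
```

The token bucket lets a burst of b packets through at once and then waits for new tokens, while the leaky bucket turns the same bursts into one packet per time unit and drops what does not fit into the bucket.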
What are firewalls and on which layer(-s) of the ISO/OSI reference model do they operate?
– Filtering service
– Implemented in software and/or hardware
– Protects particular subnetwork
– Filtering based on any header and payload data
– Most often found as IP packet filters
– Many services:
  – User control
  – Access control
  – Behavior control
  – Direction control, load balancing
  – Logging
[Figure: Netfilter packet flow; hook/table ordering. Layers shown: Link Layer (ebtables: broute/brouting, bridging decision, bridge check), Network Layer (xtables ip/ip6: raw, conntrack, mangle, nat and filter tables at the prerouting, input, forward, output and postrouting hooks; routing decision and reroute check; xfrm (e.g. IPsec) decode/encode), Protocol/Application Layer (local process, socket lookup). Paths: INPUT PATH, FORWARD PATH, OUTPUT PATH. Note: nat table only consulted for "NEW" connections. Diagram by Jan Engelhardt, last updated 2009-11-27, based in part on Josh Triplett's graph.]
– Connect a LAN to the Internet
– 137.226.12.32/29 for your servers (max. 2³ servers)
– 192.168.0.0/16 for internal/private network (max.
Service                                       LAN   world-wide
WWW server                                     ×        ×
SMTP server                                    ×        ×
SMTP and POP3 server                           ×
DNS server 1                                   ×        ×
DNS server 2                                   ×
DHCP server                                    ×
Printer with network connection                ×
Management server with administration tools    ×
1. Create network topology, assign IP addresses to hosts
2. Define rule sets for both firewalls as follows
inetnum: 137.226.0.0 - 137.226.255.255
netname: ACHSES
descr: Rechen- und Kommunikationszentrum der RWTH Aachen
descr: Wendling Weg 10; 52074 Aachen; Germany
country: DE
admin-c: GS199
tech-c: GS199
status: ASSIGNED PI
mnt-by: DFN-LIR-MNT
mnt-lower: DFN-LIR-MNT
mnt-routes: DFN-MNT
mnt-irt: IRT-DFN-CERT
Nr  Protocol  Src IP         Src Port   Dest IP        Dest Port  Action
1   TCP       *              *          137.226.12.34  80 (WWW)   ALLOW
2   TCP       137.226.12.34  80 (WWW)   *              *          ALLOW
3   TCP       *              *          137.226.12.33  25 (SMTP)  ALLOW
4   TCP       137.226.12.33  25 (SMTP)  *              *          ALLOW
5   UDP       *              *          137.226.12.35  53 (DNS)   ALLOW
6   UDP       137.226.12.35  53 (DNS)   *              *          ALLOW
7   TCP       137.226.12.32  *          *              80 (WWW)   ALLOW
8   TCP       *              80 (WWW)   137.226.12.32  *          ALLOW
9   TCP       *              *          *              *          DENY
– Rule 1 and 2 allow hosts in the Internet to get access to the WWW server
– Rule 3 and 4 allow hosts in the Internet to get access to the SMTP server
– Rule 5 and 6 allow DNS requests from the Internet
– Rule 7 and 8 allow WWW connections from the local network. Because of the NAT module integrated into the other firewall, packets from the local network have the IP address 137.226.12.32.
Stateful Firewall
Nr  Protocol  Src IP            Src Port  Dest IP           Dest Port  State  Action
1   TCP       192.168.0.0/16    *         *                 80         SYN    ALLOW
2   TCP       *                 80        192.168.0.0/16    *          ESTAB  ALLOW
3   TCP       192.168.0.70      *         137.226.12.32/29  22         SYN    ALLOW
4   TCP       137.226.12.32/29  22        192.168.0.70      *          ESTAB  ALLOW
5   TCP       192.168.0.4       *         137.226.12.33     25         SYN    ALLOW
6   TCP       137.226.12.33     25        192.168.0.4       *          ESTAB  ALLOW
7   TCP       137.226.12.33     *         192.168.0.4       25         SYN    ALLOW
8   TCP       192.168.0.4       25        137.226.12.33     *          ESTAB  ALLOW
9   UDP       192.168.0.3       *         137.226.12.35     53         -      ALLOW
10  UDP       137.226.12.35     *         192.168.0.3       53         -      ALLOW
11  *         *                 *         *                 *          -      DENY
– Rule 1 and 2 allow WWW connections initialized from the local network
– Rule 3 and 4 allow the administrator to establish SSH connections into the subnet 137.226.12.32/29
– Rule 5 and 6 allow SMTP connections between both SMTP servers, which are initialized by the internal SMTP server
– Rule 7 and 8 allow SMTP connections between both SMTP servers, which were initialized by the SMTP server in the DMZ
– Rule 9 and 10 allow DNS traffic between both DNS servers
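An added Python rule evaluator (illustrative code, not the tutorial's) that loads both rule sets from the tables above, applies first-match semantics and evaluates a few constructed packets against them. The packet tuples, the sample Internet addresses (taken from documentation prefixes), the function names and the assumption that a packet matching no rule is denied are mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    nr: int
    proto: str    # "TCP", "UDP" or "*"
    src: str      # address, CIDR prefix or "*"
    sport: str    # port number or "*"
    dst: str
    dport: str
    state: str    # "SYN", "ESTAB", or "-" for "no state check" (all stateless rules)
    action: str   # "ALLOW" or "DENY"


def parse_rules(text, stateful):
    """Parse one rule per line, in the column order of the tutorial's tables."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        if stateful:
            nr, proto, src, sport, dst, dport, state, action = fields
        else:
            nr, proto, src, sport, dst, dport, action = fields
            state = "-"
        rules.append(Rule(int(nr), proto, src, sport, dst, dport, state, action))
    return rules


# Rule set of the outer (stateless) packet filter; the service names of the slide are dropped.
OUTER_RULES = parse_rules("""
1 TCP * * 137.226.12.34 80 ALLOW
2 TCP 137.226.12.34 80 * * ALLOW
3 TCP * * 137.226.12.33 25 ALLOW
4 TCP 137.226.12.33 25 * * ALLOW
5 UDP * * 137.226.12.35 53 ALLOW
6 UDP 137.226.12.35 53 * * ALLOW
7 TCP 137.226.12.32 * * 80 ALLOW
8 TCP * 80 137.226.12.32 * ALLOW
9 TCP * * * * DENY
""", stateful=False)

# Rule set of the inner (stateful) firewall.
INNER_RULES = parse_rules("""
1 TCP 192.168.0.0/16 * * 80 SYN ALLOW
2 TCP * 80 192.168.0.0/16 * ESTAB ALLOW
3 TCP 192.168.0.70 * 137.226.12.32/29 22 SYN ALLOW
4 TCP 137.226.12.32/29 22 192.168.0.70 * ESTAB ALLOW
5 TCP 192.168.0.4 * 137.226.12.33 25 SYN ALLOW
6 TCP 137.226.12.33 25 192.168.0.4 * ESTAB ALLOW
7 TCP 137.226.12.33 * 192.168.0.4 25 SYN ALLOW
8 TCP 192.168.0.4 25 137.226.12.33 * ESTAB ALLOW
9 UDP 192.168.0.3 * 137.226.12.35 53 - ALLOW
10 UDP 137.226.12.35 * 192.168.0.3 53 - ALLOW
11 * * * * * - DENY
""", stateful=True)


def _ip_matches(pattern, address):
    return pattern == "*" or ipaddress.ip_address(address) in ipaddress.ip_network(pattern)


def _port_matches(pattern, port):
    return pattern == "*" or int(pattern) == port


def _matches(rule, packet):
    proto, src, sport, dst, dport, state = packet
    return (rule.proto in ("*", proto)
            and _ip_matches(rule.src, src) and _port_matches(rule.sport, sport)
            and _ip_matches(rule.dst, dst) and _port_matches(rule.dport, dport)
            and rule.state in ("-", state))


def evaluate(rules, packet):
    """First matching rule wins; a packet matching no rule is denied (assumed default deny)."""
    for rule in rules:
        if _matches(rule, packet):
            return rule.action, rule.nr
    return "DENY", None


# Constructed packets: (protocol, src IP, src port, dst IP, dst port, connection state).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes standing in for Internet hosts.
SAMPLE_PACKETS = {
    "inet -> WWW server":          ("TCP", "203.0.113.5", 40000, "137.226.12.34", 80, "SYN"),
    "inet -> DNS server over TCP": ("TCP", "203.0.113.5", 40000, "137.226.12.35", 53, "SYN"),
    "inet -> DNS server over UDP": ("UDP", "203.0.113.5", 40000, "137.226.12.35", 53, "-"),
    "src port 80 -> NAT address":  ("TCP", "198.51.100.7", 80, "137.226.12.32", 22, "SYN"),
}

if __name__ == "__main__":
    for label, packet in SAMPLE_PACKETS.items():
        print(f"outer filter, {label}: {evaluate(OUTER_RULES, packet)}")
    reply_syn = ("TCP", "198.51.100.7", 80, "192.168.0.10", 50000, "SYN")
    reply_estab = ("TCP", "198.51.100.7", 80, "192.168.0.10", 50000, "ESTAB")
    print("inner firewall, unsolicited SYN from port 80:", evaluate(INNER_RULES, reply_syn))
    print("inner firewall, reply of an established flow:", evaluate(INNER_RULES, reply_estab))
```

Two things worth noticing when running it: the stateless outer rule 8 accepts every TCP packet whose source port is 80 and whose destination is the NAT address, because a stateless filter cannot tell a reply from a fresh packet, whereas the inner rule 2 additionally demands the ESTAB state; and rule 9 of the outer filter covers only TCP, so UDP traffic that matches neither rule 5 nor 6 is left to the implicit default-deny policy.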
1. Discuss the peer-to-peer (P2P) networking principle
2. Name and explain properties to classify P2P networks
– Different approach to networking than the client-server principle
– Every participating node is client and server: servent
– Goal: no single point of failure, self-organized, data distribution and storage
– P2P networks are overlay networks
– Most often application layer protocols
– Different addressing scheme in overlay than in network layer
– Paths in overlay can be suboptimal regarding network topology
Classification of P2P Networks:
– Structure
  – Structured: content distributed according to some algorithm
  – Unstructured: content placed randomly in the network
– Topology
  – Centralized
  – Decentralized
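An added Python model (illustrative code, not from the tutorial) contrasting the two structure classes: the structured overlay places each key by consistent hashing on an identifier ring, so the responsible peer can be computed from the key; the unstructured overlay places the key at a random peer and has to flood a query with a TTL. The peer names, the 16-bit overlay identifier space (which also illustrates that overlay addresses differ from network-layer addresses), the ring-plus-random-edges neighbour graph and the function names are constructed assumptions.

```python
import hashlib
import random

RING_BITS = 16  # constructed overlay address space: identifiers are 16-bit hashes


def overlay_id(name):
    """Overlay address: a hash of the name, unrelated to the peer's IP address."""
    return int(hashlib.sha1(name.encode()).hexdigest(), 16) % (1 << RING_BITS)


class StructuredOverlay:
    """Structured: a key lives at the first peer whose id is >= hash(key) on the ring
    (consistent hashing), so any peer can compute where to look."""

    def __init__(self, nodes):
        self.nodes = {overlay_id(n): n for n in nodes}
        self.ids = sorted(self.nodes)

    def responsible(self, key):
        k = overlay_id(key)
        for i in self.ids:
            if i >= k:
                return self.nodes[i]
        return self.nodes[self.ids[0]]  # wrap around the ring

    def lookup(self, key):
        # No search needed: placement is deterministic. (Real DHTs route the request over
        # O(log n) overlay hops to reach that peer; the routing is omitted here.)
        return self.responsible(key)


class UnstructuredOverlay:
    """Unstructured: content sits on an arbitrary peer; a lookup floods the neighbour graph."""

    def __init__(self, nodes, extra_edges, rng):
        self.nodes = list(nodes)
        self.neighbours = {n: set() for n in nodes}
        # Ring edges keep the graph connected; extra random edges turn it into a mesh.
        for a, b in zip(self.nodes, self.nodes[1:] + self.nodes[:1]):
            self._link(a, b)
        for _ in range(extra_edges):
            self._link(*rng.sample(self.nodes, 2))
        self.store = {n: set() for n in nodes}

    def _link(self, a, b):
        self.neighbours[a].add(b)
        self.neighbours[b].add(a)

    def publish(self, key, rng):
        holder = rng.choice(self.nodes)   # random placement
        self.store[holder].add(key)
        return holder

    def lookup(self, start, key, ttl):
        """Flood a query up to ttl hops; returns (peer holding key or None, messages sent)."""
        seen, frontier, messages = {start}, [start], 0
        for hop in range(ttl + 1):
            for n in frontier:
                if key in self.store[n]:
                    return n, messages
            if hop == ttl:
                break
            next_frontier = []
            for n in frontier:
                for m in self.neighbours[n]:
                    messages += 1              # every forwarded query is one message
                    if m not in seen:
                        seen.add(m)
                        next_frontier.append(m)
            frontier = next_frontier
        return None, messages


NODES = [f"peer{i}.example" for i in range(20)]  # constructed peer names


def demo_unstructured(seed=1, extra_edges=15):
    """Build a 20-peer mesh, publish one key at a random peer, return (overlay, holder)."""
    rng = random.Random(seed)
    overlay = UnstructuredOverlay(NODES, extra_edges, rng)
    return overlay, overlay.publish("telematics.pdf", rng)


if __name__ == "__main__":
    s = StructuredOverlay(NODES)
    print("structured: 'telematics.pdf' is stored at", s.lookup("telematics.pdf"))
    u, holder = demo_unstructured()
    print("unstructured: published at", holder)
    for ttl in (1, 3, 20):
        print(f"unstructured: ttl={ttl:2d} ->", u.lookup(NODES[0], "telematics.pdf", ttl))
```

Raising the TTL in the unstructured case trades more messages for a higher chance of finding the content; the structured case needs no search at all but depends on every peer following the same placement algorithm.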
– Watch the movie Warriors of the Net
How often is the protocol stack traversed when a host is connected to a network and the user tries to view a website in the browser?
There is no definite answer because it depends on the configuration. Let’s consider the following:
– The hostname of the webserver is not statically configured
– DHCP is used for auto-configuration
– Ethernet is used on layer 1 and 2
– Default gateway and DHCP and DNS server are not the same host
– The station has not sent any packets previously
1. Auto address configuration
1.1 → DHCP (Discovery)/UDP (Port 67)/IP (Broadcast)/Ethernet (Broadcast)
1.2 ← DHCP (Offer)/UDP/IP (Broadcast)/Ethernet (Broadcast)
1.3 → DHCP (Request)/UDP (Port 67)/IP (Broadcast)/Ethernet
1.4 ← DHCP (Acknowledgement)/UDP/IP (Broadcast)/Ethernet (Broadcast)
2. Domain name resolution
2.1 → ARP (Request)/Ethernet (Broadcast) [Resolving layer 2 address of DNS server]
2.2 ← ARP (Reply)/Ethernet
2.3 → DNS (Query)/UDP (Port 53)/IP/Ethernet
2.4 ← DNS (Response)/UDP/IP/Ethernet
3. Establishing TCP connection
3.1 → ARP (Request)/Ethernet (Broadcast) [Resolving layer 2 address of gateway]
3.2 ← ARP (Reply)/Ethernet
3.3 → TCP (SYN, Port 80)/IP/Ethernet
3.4 ← TCP (SYN, ACK)/IP/Ethernet
3.5 → TCP (ACK, Port 80)/IP/Ethernet
4. Download of website
4.1 → HTTP (GET)/TCP (Port 80)/IP/Ethernet
4.2 ← DATA/HTTP/TCP/IP/Ethernet