Fakultät für Informatik, Technische Universität München

Semantics-Preserving Simplification of Real-World Firewall Rule Sets
Formal Methods 2015

Cornelius Diekmann*, Lars Hupel‡, Georg Carle*
* Chair for Network Architectures and Services
‡ Chair for Logic and Verification
Technische Universität München
Introduction to Firewalls

Chain INPUT (policy ACCEPT)
target       prot  source          destination
DOS_PROTECT  all   0.0.0.0/0       0.0.0.0/0
ACCEPT       all   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
DROP         tcp   0.0.0.0/0       0.0.0.0/0       tcp dpt:22
DROP         tcp   0.0.0.0/0       0.0.0.0/0       multiport dports 21,873,5005,...
DROP         udp   0.0.0.0/0       0.0.0.0/0       multiport dports 123,111,2049,...
ACCEPT       all   192.168.0.0/16  0.0.0.0/0
DROP         all   0.0.0.0/0       0.0.0.0/0

Chain DOS_PROTECT (1 references)
target       prot  source          destination
RETURN       icmp  0.0.0.0/0       0.0.0.0/0       icmptype 8 limit: avg 1/sec ...
DROP         icmp  0.0.0.0/0       0.0.0.0/0       icmptype 8
RETURN       tcp   0.0.0.0/0       0.0.0.0/0       tcp flags:0x17/0x04 limit: ...
DROP         tcp   0.0.0.0/0       0.0.0.0/0       tcp flags:0x17/0x04
...
Introduction to Firewalls
- Firewalls are usually managed manually
- ... which is extremely error-prone
- There are tools to analyze rulesets and discover errors
  - Margrave
  - ITVal
  - FIREMAN
  - Firewall Builder
  - Firewall Policy Advisor
  - ConfigChecker
Example: IPSpace Partition
Ruleset from the introduction
- ... treats all packets equally
- ... except for the last two rules
Expected output
- 192.168.0.0/16 is accepted
- Everything else is dropped
ITVal output: (figure not recovered)
Problems in Firewall Analysis Tools
- This talk is not about ITVal
- Many tools have similar problems
1. Complex chain model
   - Calling to and returning from user-defined chains
2. Vast amount of primitive matches
   - Check man iptables
   - Now check man iptables-extensions
   - Now check if you have custom extensions running
   - Now think about future features
   - Supporting everything is infeasible
Summary
Problem: Tools cannot "understand" complex real-world rulesets
Our Solution: Semantics-preserving simplification α
Agenda
1. Semantics
2. Simplification
Syntax
- Rule: (mexpr, action)
- Example: (icmp ∧ icmptype 8 ∧ limit: avg 1/sec ..., Return)
- Ruleset: rule list
- Firewall state: $\checkmark$ (allow), $\text{✗}$ (deny), $?$ (undecided)
- Primitive matcher: $\gamma : \mathrm{Primitive} \to \mathrm{Packet} \to \mathrm{Bool}$
- Semantics: big-step inference rules (see Semantics (1)–(3) below)
Determinism
If $\gamma, p \vdash \langle rs,\ s\rangle \Rightarrow t$ and $\gamma, p \vdash \langle rs,\ s\rangle \Rightarrow t'$ then $t = t'$.
Rewriting simple actions
- Remove Log actions
- Unfolding custom chains
  - Eliminates Call/Return
  - Linux kernel only accepts acyclic call graphs
Rewriting simple actions – Unfolding custom chains
Example
  Chain INPUT:  (a, Call X)
  Chain X:      (b, Return)
                (c, Accept)
Result: (figure not recovered)
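The unfolding from this slide, together with the Log removal and the Reject-to-Drop rewriting of the previous one, as an added Python example (not the authors' Isabelle code). Chains are dicts of (match, action) lists; match expressions are tuples ("prim", name), ("and", l, r), ("not", e) and ("true",); a, b, c and X are the slide's names, everything else is an assumed encoding.

```python
def mand(l, r):
    """Conjunction of two match expressions; ("true",) is the neutral element."""
    if l == ("true",):
        return r
    if r == ("true",):
        return l
    return ("and", l, r)


def unfold(chains, chain, guard=("true",)):
    """Rules of `chain` with Call/Return eliminated and Log/Empty removed.

    `guard` accumulates the match of the calling rule and the negated matches
    of the Return rules already passed inside the callee; every rule that is
    still reachable is conjoined with it. Assumes an acyclic call graph (which
    the Linux kernel enforces) and no Return in the top-level chain.
    """
    out = []
    for m, action in chains[chain]:
        if isinstance(action, tuple) and action[0] == "call":
            # callee rules apply only if the calling rule matched
            out.extend(unfold(chains, action[1], mand(guard, m)))
        elif action == "Return":
            # the rest of this chain is reached only if the Return did not match
            guard = mand(guard, ("not", m))
        elif action in ("Log", "Empty"):
            continue  # no decision is taken, so the rule can be dropped
        else:
            if action == "Reject":
                action = "Drop"  # Semantics (1): Reject decides ✗ just like Drop
            out.append((mand(guard, m), action))
    return out


# Constructed chains mirroring the slide: INPUT calls X under match a;
# X returns on b and accepts on c.
SLIDE_CHAINS = {
    "INPUT": [(("prim", "a"), ("call", "X"))],
    "X": [(("prim", "b"), "Return"), (("prim", "c"), "Accept")],
}


def slide_result():
    """Unfolded INPUT chain of the slide example: [(a ∧ ¬b ∧ c, Accept)]."""
    return unfold(SLIDE_CHAINS, "INPUT")
```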
Simplification – Summary
- Actions left: Accept, Drop
- Semantics are preserved:
  $\gamma, p \vdash \langle \mathit{simplify}\ rs,\ t\rangle \Rightarrow t'$ iff $\gamma, p \vdash \langle rs,\ t\rangle \Rightarrow t'$
- Remaining problems
  1. Unknown primitive matches
  2. Complex nested match-expressions after unfolding, unsupported by iptables
Unknown primitives
- Lifting to ternary logic
  - Kleene's 3-valued logic
  - Primitive matcher may now return unknown
- Default decision strategy: in-doubt-allow or in-doubt-deny
  $\gamma, p \vdash \langle rs,\ s\rangle \Rightarrow_{\mathit{allow}} t$
  $\gamma, p \vdash \langle rs,\ s\rangle \Rightarrow_{\mathit{deny}} t$
Unknown primitives
Let $m_u$ be an unknown match.
in-doubt-allow:
  $(m_u, \mathrm{Accept}) \to (\mathrm{True}, \mathrm{Accept})$
  $(m_u, \mathrm{Drop}) \to (\mathrm{False}, \mathrm{Drop})$
  ⇝ more permissive ruleset
Example: (figure not recovered)
Closure Property
$\{p \mid \gamma, p \vdash \langle rs,\ ?\rangle \Rightarrow_{\mathit{deny}} \checkmark\} \subseteq \{p \mid \gamma, p \vdash \langle rs,\ ?\rangle \Rightarrow \checkmark\} \subseteq \{p \mid \gamma, p \vdash \langle rs,\ ?\rangle \Rightarrow_{\mathit{allow}} \checkmark\}$
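The in-doubt-allow/in-doubt-deny strategies of the previous slide and the closure property above, as one added Python example (not the authors' code). The flat ruleset is a constructed cut-down of the introduction's INPUT chain; the conntrack `state` match is the unknown primitive, since a static analysis cannot observe connection state, and an oracle matcher that does know it plays the role of the real firewall.

```python
def tern_eval(gamma, m, p):
    """Kleene 3-valued evaluation of a match expression: True, False or None."""
    kind = m[0]
    if kind == "true":
        return True
    if kind == "prim":
        return gamma(m[1], p)
    if kind == "not":
        v = tern_eval(gamma, m[1], p)
        return None if v is None else not v
    l, r = tern_eval(gamma, m[1], p), tern_eval(gamma, m[2], p)
    if l is False or r is False:
        return False
    return True if (l is True and r is True) else None


def decide(gamma, rs, p, strategy=None):
    """Decision ("allow"/"deny") of a flat Accept/Drop ruleset for packet p.

    strategy=None: gamma must be two-valued. "allow"/"deny": a rule whose match
    is unknown is resolved in-doubt-allow (an unknown Accept matches, an unknown
    Drop does not) or in-doubt-deny (the mirror image), as on the slide.
    """
    for m, action in rs:
        v = tern_eval(gamma, m, p)
        if v is None:
            if strategy is None:
                raise ValueError("unknown match needs a strategy")
            v = (action == "Accept") == (strategy == "allow")
        if v:
            return "allow" if action == "Accept" else "deny"
    raise ValueError("ruleset must end in a catch-all rule")


# Constructed flat ruleset in the spirit of the introduction's INPUT chain.
RS = [
    (("prim", "established"), "Accept"),                     # state RELATED,ESTABLISHED
    (("and", ("prim", "tcp"), ("prim", "dport22")), "Drop"),  # tcp dpt:22
    (("prim", "src_lan"), "Accept"),                         # 192.168.0.0/16
    (("true",), "Drop"),
]


def gamma_full(name, p):
    """Oracle matcher: sees everything, including the connection state."""
    return {"tcp": p["proto"] == "tcp", "dport22": p.get("dport") == 22,
            "src_lan": p["src"].startswith("192.168."),
            "established": p["established"]}[name]


def gamma_static(name, p):
    """Static-analysis matcher: connection state is not observable -> unknown."""
    return None if name == "established" else gamma_full(name, p)


# Constructed packets; "established" is known to the oracle only.
PACKETS = {
    "lan_ssh_new": {"proto": "tcp", "src": "192.168.1.5", "dport": 22, "established": False},
    "lan_ssh_est": {"proto": "tcp", "src": "192.168.1.5", "dport": 22, "established": True},
    "wan_https": {"proto": "tcp", "src": "8.8.8.8", "dport": 443, "established": False},
    "lan_https": {"proto": "tcp", "src": "192.168.1.5", "dport": 443, "established": False},
}


def allowed(strategy):
    """Names of the packets accepted under a strategy (None = the real firewall)."""
    g = gamma_full if strategy is None else gamma_static
    return {n for n, p in PACKETS.items() if decide(g, RS, p, strategy) == "allow"}


def closure_holds():
    """The slide's closure property: deny-closure ⊆ real firewall ⊆ allow-closure."""
    return allowed("deny") <= allowed(None) <= allowed("allow")
```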
Normalization
- Impossible:
  # iptables (tcp ∨ udp) -j ACCEPT
Problem: iptables supports only negation-normal form with the ∧ connective
Solution
- normalize : rule → rule list, where all rules share the same action
- Example (exclude ip from accessing an HTTP server):
  $(\mathit{src}\ ip \wedge \neg(\mathit{tcp} \wedge \mathit{port}\ 80),\ \mathrm{Accept}) \equiv$ (result figure not recovered)
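The normalize function from this slide as an added Python example (not the authors' code): negations are pushed inward, ∧ is distributed over ∨, and each resulting conjunction becomes one rule with the original action. The match expressions for the HTTP example and for the "impossible" (tcp ∨ udp) rule are the slides'; the tuple encoding and the ("or", l, r) constructor are assumptions.

```python
def dnf(m):
    """Negation-normal form distributed into a list of conjunctions.

    Each conjunction is a list of literals ("prim", x) or ("not", ("prim", x));
    an empty conjunction means True. Worst-case size is exponential (DNF).
    """
    kind = m[0]
    if kind == "true":
        return [[]]
    if kind == "prim":
        return [[m]]
    if kind == "or":
        return dnf(m[1]) + dnf(m[2])
    if kind == "and":
        return [l + r for l in dnf(m[1]) for r in dnf(m[2])]
    inner = m[1]                                   # kind == "not"
    if inner[0] == "true":
        return []                                  # ¬True matches nothing
    if inner[0] == "prim":
        return [[m]]                               # negated primitive: iptables "!"
    if inner[0] == "not":
        return dnf(inner[1])                       # ¬¬e ≡ e
    if inner[0] == "and":                          # De Morgan: ¬(a ∧ b) ≡ ¬a ∨ ¬b
        return dnf(("or", ("not", inner[1]), ("not", inner[2])))
    return dnf(("and", ("not", inner[1]), ("not", inner[2])))  # ¬(a ∨ b)


def normalize(rule):
    """normalize : rule → rule list; every result rule is an iptables-expressible
    conjunction of (negated) primitives and carries the original action.

    Equivalent to the input only for final actions (Accept/Drop), which is all
    that remains after simplification: the first matching disjunct then yields
    the same decision as the whole disjunction would.
    """
    m, action = rule
    return [(conj, action) for conj in dnf(m)]


# Slide's example: exclude one source ip from reaching an HTTP server.
HTTP_RULE = (("and", ("prim", "src ip"),
                     ("not", ("and", ("prim", "tcp"), ("prim", "port 80")))),
             "Accept")

# The "impossible" iptables rule from the previous slide: (tcp ∨ udp) -j ACCEPT
TCP_OR_UDP = (("or", ("prim", "tcp"), ("prim", "udp")), "Accept")
```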
Evaluation
- Ruleset 1
  - Shorewall firewall on a home router; ∼500 rules.
  - Unfolding: firewall does not unconditionally drop packets from private IP ranges
- Ruleset 2
  - Small firewall script found online (networking.ringofsaturn.com)
  - Most rules are dead; contrary to documented behavior
  - Author probably confused -I (insert at top) and -A (append at tail)
- Ruleset 3 & 4 & 5
  - Main firewall of our lab
  - Snapshot 2013: ∼2800 rules
    - Firewall Builder: import errors
    - ITVal: erroneous results
    - After simplification: success
      Upper closure: ∼1000 rules
      Lower closure: ∼500 rules
  - Snapshot 2014: ∼4000 rules
Specifying Primitive Matchers in Ternary Logic
Semantics (1)

SKIP:
  $\gamma, p \vdash \langle [],\ t\rangle \Rightarrow t$

ACCEPT:
  $\dfrac{\mathit{match}\ m\ p}{\gamma, p \vdash \langle [(m, \mathrm{Accept})],\ ?\rangle \Rightarrow \checkmark}$

DROP:
  $\dfrac{\mathit{match}\ m\ p}{\gamma, p \vdash \langle [(m, \mathrm{Drop})],\ ?\rangle \Rightarrow \text{✗}}$

REJECT:
  $\dfrac{\mathit{match}\ m\ p}{\gamma, p \vdash \langle [(m, \mathrm{Reject})],\ ?\rangle \Rightarrow \text{✗}}$

A further rule with premise $\neg\, \mathit{match}\ m\ p$ follows on the slide; its conclusion is not recoverable from the extracted text.
Semantics (2)

SEQ:
  $\dfrac{\gamma, p \vdash \langle rs_1,\ ?\rangle \Rightarrow t \qquad \gamma, p \vdash \langle rs_2,\ t\rangle \Rightarrow t'}{\gamma, p \vdash \langle rs_1 \mathbin{:::} rs_2,\ ?\rangle \Rightarrow t'}$

LOG:
  $\dfrac{\mathit{match}\ m\ p}{\gamma, p \vdash \langle [(m, \mathrm{Log})],\ ?\rangle \Rightarrow ?}$

EMPTY:
  $\dfrac{\mathit{match}\ m\ p}{\gamma, p \vdash \langle [(m, \mathrm{Empty})],\ ?\rangle \Rightarrow ?}$
Semantics (3)
Background ruleset $\Gamma : \text{chain name} \to \text{rule list}$

CALLRESULT:
  $\dfrac{\mathit{match}\ m\ p \qquad \gamma, p \vdash \langle \Gamma\ c,\ ?\rangle \Rightarrow t}{\gamma, p \vdash \langle [(m, \mathrm{Call}\ c)],\ ?\rangle \Rightarrow t}$

CALLRETURN (only partly recoverable from the extracted slide): premises $\mathit{match}\ m\ p$ and $\Gamma\ c = rs_1 \mathbin{:::} (m', \mathrm{Return}) \mathbin{::} rs_2$; the remaining premises and the conclusion are missing from the extracted text.
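The rules of Semantics (1)–(3) as an executable interpreter, an added Python example rather than the authors' Isabelle formalization. The chains are a constructed encoding of the introduction's INPUT and DOS_PROTECT listing (multiport and TCP-RST rules omitted), packets are dicts, and the rate limit is modelled as a per-packet flag because it depends on traffic history rather than on the packet alone.

```python
UNDECIDED, ALLOW, DENY = "?", "allow", "deny"   # the slides' ?, ✓, ✗


def matches(gamma, m, p):
    """Two-valued evaluation of ("true",), ("prim", n), ("and", l, r), ("not", e)."""
    kind = m[0]
    if kind == "true":
        return True
    if kind == "prim":
        return gamma(m[1], p)
    if kind == "not":
        return not matches(gamma, m[1], p)
    return matches(gamma, m[1], p) and matches(gamma, m[2], p)


def run(Gamma, gamma, rs, p, in_call=False):
    """Big-step evaluation γ,p ⊢ ⟨rs, ?⟩ ⇒ t with background ruleset Gamma.

    Actions: "Accept", "Drop", "Reject", "Log", "Empty", "Return", ("call", c).
    """
    state = UNDECIDED
    for m, action in rs:
        if not matches(gamma, m, p):
            continue                                        # rule not applicable
        if action == "Accept":
            state = ALLOW                                   # ACCEPT
        elif action in ("Drop", "Reject"):
            state = DENY                                    # DROP, REJECT
        elif action in ("Log", "Empty"):
            pass                                            # LOG, EMPTY: still ?
        elif action == "Return":
            if not in_call:
                raise ValueError("Return in a top-level chain")
            return UNDECIDED                                # CALLRETURN
        else:
            state = run(Gamma, gamma, Gamma[action[1]], p, True)  # CALLRESULT
        if state != UNDECIDED:   # SEQ; assumption: a decided state is final
            return state
    return state                                            # SKIP on []


def conj(*names):
    m = ("prim", names[0])
    for n in names[1:]:
        m = ("and", m, ("prim", n))
    return m


# Constructed encoding of the introduction's INPUT / DOS_PROTECT chains.
GAMMA = {
    "INPUT": [
        (("true",), ("call", "DOS_PROTECT")),
        (conj("established"), "Accept"),             # state RELATED,ESTABLISHED
        (conj("tcp", "dport22"), "Drop"),            # tcp dpt:22
        (conj("src_lan"), "Accept"),                 # 192.168.0.0/16
        (("true",), "Drop"),
    ],
    "DOS_PROTECT": [
        (conj("icmp", "echo_request", "under_limit"), "Return"),  # limit: avg 1/sec
        (conj("icmp", "echo_request"), "Drop"),                   # icmptype 8
    ],
}


def gamma(name, p):                     # primitive matcher over packet dicts
    return {"icmp": p["proto"] == "icmp", "tcp": p["proto"] == "tcp",
            "echo_request": p.get("icmptype") == 8,
            "under_limit": p.get("under_limit", True),   # constructed flag
            "established": p.get("established", False),
            "dport22": p.get("dport") == 22,
            "src_lan": p["src"].startswith("192.168.")}[name]


def decide(p):
    return run(GAMMA, gamma, GAMMA["INPUT"], p)
```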
Ruleset 3 (excerpt, 22 of 2800 rules displayed)

Chain FORWARD (policy ACCEPT)
target     prot opt source              destination
LOG_DROP   all  --  127.0.0.0/8         0.0.0.0/0
ACCEPT     tcp  --  131.159.14.206      0.0.0.0/0           multiport sports 389,636
ACCEPT     tcp  --  131.159.14.208      0.0.0.0/0           multiport sports 389,636
ACCEPT     udp  --  131.159.14.206      0.0.0.0/0           udp spt:88
ACCEPT     udp  --  131.159.14.208      0.0.0.0/0           udp spt:88
ACCEPT     tcp  --  131.159.14.192/27   0.0.0.0/0           tcp spt:3260
ACCEPT     tcp  --  131.159.14.0/23     131.159.14.192/27   tcp dpt:3260
ACCEPT     tcp  --  131.159.20.0/24     131.159.14.192/27   tcp dpt:3260
ACCEPT     udp  --  131.159.15.252      0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0           131.159.15.252      multiport dports 4569,5000:65535
ACCEPT     all  --  131.159.15.247      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0           131.159.15.247
ACCEPT     all  --  131.159.15.248      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0           131.159.15.248
           tcp  --  0.0.0.0/0           131.159.14.0/23     state NEW tcp dpt:22 flags:0x17/0x02 recent: SET name: ratessh side: source
           tcp  --  0.0.0.0/0           131.159.20.0/23     state NEW tcp dpt:22 flags:0x17/0x02 recent: SET name: ratessh side: source
mac_96     all  --  131.159.14.0/25     0.0.0.0/0
LOG_DROP   all  --  !131.159.14.0/25    0.0.0.0/0

Chain LOG_DROP (21 references)
target     prot opt source              destination
LOG        all  --  0.0.0.0/0           0.0.0.0/0           limit: avg 100/min burst 5 LOG flags 0
Ruleset 3 – Upper Closure (excerpt)

Chain FORWARD (policy ACCEPT)
target     prot  source              destination
DROP       all   127.0.0.0/8         0.0.0.0/0
ACCEPT     tcp   131.159.14.206/32   0.0.0.0/0
ACCEPT     tcp   131.159.14.208/32   0.0.0.0/0
ACCEPT     udp   131.159.14.206/32   0.0.0.0/0
ACCEPT     udp   131.159.14.208/32   0.0.0.0/0
ACCEPT     tcp   131.159.14.192/27   0.0.0.0/0
ACCEPT     tcp   131.159.14.0/23     131.159.14.192/27
ACCEPT     tcp   131.159.20.0/24     131.159.14.192/27
ACCEPT     udp   131.159.15.252/32   0.0.0.0/0
ACCEPT     udp   0.0.0.0/0           131.159.15.252/32
ACCEPT     all   131.159.15.247/32   0.0.0.0/0
ACCEPT     all   0.0.0.0/0           131.159.15.247/32
ACCEPT     all   131.159.15.248/32   0.0.0.0/0
ACCEPT     all   0.0.0.0/0           131.159.15.248/32
DROP       all   !131.159.14.0/25    0.0.0.0/0
Ruleset 3 – Lower Closure (excerpt)

Chain FORWARD (policy ACCEPT)
target     prot  source              destination
DROP       all   127.0.0.0/8         0.0.0.0/0
ACCEPT     udp   131.159.15.252/32   0.0.0.0/0
ACCEPT     all   131.159.15.247/32   0.0.0.0/0
ACCEPT     all   0.0.0.0/0           131.159.15.247/32
ACCEPT     all   131.159.15.248/32   0.0.0.0/0
ACCEPT     all   0.0.0.0/0           131.159.15.248/32
DROP       all   131.159.14.92/32    0.0.0.0/0
DROP       all   131.159.14.65/32    0.0.0.0/0
... (unfolded DROPs from chain mac_96)
DROP       all   !131.159.14.0/25    0.0.0.0/0