So, what should you do? (continued)
So, what does a firewall do?
It applies a set of comparison rules for handling packets of data from the Internet. Some firewalls are provided with a default ruleset. All should allow you to modify the rules, although some will be more sophisticated in their capabilities than others. Rule construction is probably best explained via an example.
Even better, if you’re using Windows, you should use one of the good two-way firewall programs that are available and easy to configure, such as the Sunbelt Personal Firewall, or a firewall combination program such as Trend Micro PC-cillin Internet Security 2006.
The following is an example of a "packet filter," which examines the addressing, protocol, port, and interface of each packet to determine its disposition. Although the ways to specify rules differ among firewall programs, and not all of them let you do the same things, they all share this basic concept.
A sample ipchains (Linux) rule, added to the input chain, to guard against the trojan program Back Orifice on udp/31337:
ipchains -A input -i eth0 -s 0.0.0.0/0 -p udp -d 24.4.x.y/32 31337 -j DENY -l
Translated: If the interface is eth0 (the 1st ethernet card), if the source is anywhere, if the protocol is udp, if the destination is 24.4.x.y/255.255.255.255 (all netmask bits set, so this exact address), and if the destination port is 31337, then DENY the packet, dropping it silently without a Destination Unreachable message, and log it.
Sample IPCHAINS Log Report
Sep 20 13:42:30 mymachine kernel: Packet log: hostile DENY eth0 PROTO=6 24.a.b.c:2006 24.x.y.z:31337 L=40 S=0x00 I=39426 F=0x0000 T=31 (#6)
[where a,b,c,x,y,z are 0-254]
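A log line like the one above is only useful once its fields are pulled apart, so that you can see which ports are being probed and from where. The parser and summary below are an added example, not code from the original page. The sample lines are constructed in the format shown above (addresses, IP ids and rule numbers are made up, keeping the page's 24.a.b.c / 24.x.y.z shape), and the field meanings assumed are the standard ipchains ones: L is packet length, S is type of service, I is the IP id, F is the fragment field, T is the TTL and (#n) is the number of the rule that matched.

```python
import re
from collections import Counter

# Protocol numbers as they appear after PROTO= in the log.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Matches the ipchains "Packet log:" line: chain, target, interface, protocol
# number, src:sport, dst:dport, length, TOS, IP id, fragment field, TTL and the
# matching rule number in parentheses (assumed standard ipchains layout).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?\s*$"
)

# Constructed sample log: four denied packets plus one unrelated kernel line.
SAMPLE_LOG = """\
Sep 20 13:42:30 mymachine kernel: Packet log: hostile DENY eth0 PROTO=6 24.1.2.3:2006 24.4.5.6:31337 L=40 S=0x00 I=39426 F=0x0000 T=31 (#6)
Sep 20 13:42:31 mymachine kernel: Packet log: hostile DENY eth0 PROTO=17 24.1.2.3:1034 24.4.5.6:31337 L=48 S=0x00 I=39427 F=0x0000 T=31 (#6)
Sep 20 13:45:02 mymachine kernel: Packet log: input DENY eth0 PROTO=6 24.7.8.9:4411 24.4.5.6:80 L=60 S=0x00 I=1 F=0x4000 T=52 (#3)
Sep 20 13:45:09 mymachine kernel: Packet log: input DENY eth0 PROTO=17 24.7.8.9:53 24.4.5.6:31337 L=48 S=0x00 I=2 F=0x0000 T=52 (#6)
Sep 20 13:46:00 mymachine kernel: eth0: link is up
"""


def parse_line(line):
    """Return a dict of typed fields for one packet-log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        e[key] = int(e[key])
    e["rule"] = int(e["rule"]) if e["rule"] is not None else None
    e["proto_name"] = PROTO_NAMES.get(e["proto"], str(e["proto"]))
    return e


def summarize(text):
    """Count logged packets by (protocol, destination port), by source and by chain/target."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "count": len(entries),
        "by_port": Counter((e["proto_name"], e["dport"]) for e in entries),
        "sources": Counter(e["src"] for e in entries),
        "targets": Counter(f'{e["chain"]} {e["target"]}' for e in entries),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["count"], "logged packets")
    for (proto, port), n in s["by_port"].most_common():
        print(f"  {proto}/{port}: {n}")
```

Lines that are not packet-log entries are skipped rather than raising, since a real kernel log mixes firewall hits with everything else; the per-port counter is the quickest way to see whether a port such as 31337 is being probed repeatedly, and the per-source counter shows whether it is one host doing it.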
In contrast, if you’re using one of the Windows firewalls, configuration is a matter of "do I want this program to access the Internet?" By default, inbound ports will be blocked, other than for data packets that are in response to outbound packets from your computer.
The current state of the art is "stateful inspection." Beyond packet filtering, this type of firewall also evaluates the contents of the packet. The goal is to make sure that incoming packets are supposed to be incoming — that they are either requested communications or continuations of a connection-oriented or connectionless exchange that your computer started. The firewall examines incoming packets to make sure they belong to currently valid transactions initiated by your computer.
Connection vs. Connectionless Protocols:
The tcp protocol establishes a connection between two machines, such that each expects packets and sends acknowledgments when it receives them. This provides certainty of delivery, confirmation that the message was received, and resending or rerouting if necessary. Connections are established via a request (a tcp packet with the applicable port and the SYN flag set) and an acceptance. The request also enables a firewall to recognize an attempt to connect — and to discard the attempt without response, or to respond if the rules permit it to do so.
On the other hand, udp and icmp are connectionless. The receiving machine listens for a packet; when a sending machine sends one, the listening machine responds. However, there is no certainty that a packet was delivered, and no warning (other than a timeout) that a single packet failed to arrive. (When a response spans multiple packets, they are sequenced so they can be reassembled properly, which also gives the receiver a key for identifying missing packets.)
Let usefulness guide what you log and what you don't. There is almost no need to log outbound packets from your site on normal ports, such as tcp/80 (http), unless you are testing; otherwise you will fill your logs quickly. Similarly, inbound responses on tcp/80 are not very useful. However, you would want to log inbound tcp/80 packets that have the SYN flag set, since those are connection requests from the outside. There is little use in logging a packet if your machine is not its specified destination; as @Home is configured, you will receive a lot of packets that don't apply to you.
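The rule example, the stateful-inspection description and the logging advice above all fit into one small model. The packet filter below is an added example in Python, not code from the original page or from any real firewall product: a first-match rule list in the spirit of the ipchains rule (interface, source, protocol, destination, port, DENY with or without logging), plus a table of the flows this host opened, so that replies, tcp and udp alike, are accepted as continuations without needing a rule. MY_ADDR, the Packet, Rule and StatefulFilter names and every address in it are constructed placeholders (the page writes the host as 24.4.x.y); the demo packets follow the page's own logging advice: outbound web traffic and its replies pass unlogged, a udp/31337 probe and an outside SYN to tcp/80 are denied and logged, and a packet not addressed to this host is dropped without a log entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Address of the protected host. The page writes it as 24.4.x.y; this concrete
# value is a constructed placeholder for the example.
MY_ADDR = "24.4.0.1/32"

@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrives on or leaves by
    direction: str     # "in" (from the Internet) or "out" (from this host)
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a connection request

@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DENY" (drop, no reply sent)
    log: bool = False                # like ipchains "-l": record the match
    iface: Optional[str] = None      # None on any criterion below means "any"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    syn: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        """True when every criterion that is set agrees with the packet."""
        return ((self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))

class StatefulFilter:
    """First-match rule list plus a table of the flows this host initiated."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (proto, local addr, local port, remote addr, remote port) of accepted outbound packets
        self.flows: Set[Tuple[str, str, int, str, int]] = set()
        self.log: List[Tuple[str, Packet]] = []

    def handle(self, p: Packet) -> str:
        # Stateful part: an inbound packet answering a flow we opened is a continuation, not
        # a new request, so it passes without consulting the rules. udp replies are matched
        # the same way; a SYN is a new request and never a continuation.
        if p.direction == "in" and not p.syn:
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "ACCEPT"
        # Packet-filter part: the first matching rule decides; nothing matching is denied.
        for rule in self.rules:
            if rule.matches(p):
                if rule.log:
                    self.log.append((rule.action, p))
                if rule.action == "ACCEPT" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "DENY"

RULES = [
    # Outbound traffic on normal ports: allow, and do not log (it would fill the log).
    Rule("ACCEPT", direction="out"),
    # The page's Back Orifice rule: deny udp/31337 to this host on eth0, and log it.
    Rule("DENY", log=True, iface="eth0", direction="in", proto="udp", dst=MY_ADDR, dport=31337),
    # Inbound tcp/80 with SYN set is a connection request from outside: worth logging.
    Rule("DENY", log=True, direction="in", proto="tcp", dst=MY_ADDR, dport=80, syn=True),
    # Everything else, including packets not addressed to this host, is dropped unlogged.
    Rule("DENY"),
]

def run_demo() -> List[Tuple[str, bool]]:
    """Push constructed packets through the filter; returns (verdict, was it logged) per packet."""
    fw = StatefulFilter(RULES)
    packets = [
        Packet("eth0", "out", "tcp", "24.4.0.1", 40000, "198.51.100.7", 80, syn=True),  # we open a web connection
        Packet("eth0", "in", "tcp", "198.51.100.7", 80, "24.4.0.1", 40000),             # the server's reply
        Packet("eth0", "out", "udp", "24.4.0.1", 5353, "192.0.2.53", 53),               # a DNS query
        Packet("eth0", "in", "udp", "192.0.2.53", 53, "24.4.0.1", 5353),                # its answer, accepted by state
        Packet("eth0", "in", "udp", "203.0.113.5", 1034, "24.4.0.1", 31337),            # Back Orifice probe
        Packet("eth0", "in", "tcp", "203.0.113.5", 4411, "24.4.0.1", 80, syn=True),    # outside request to our port 80
        Packet("eth0", "in", "tcp", "203.0.113.5", 4412, "24.4.0.99", 80, syn=True),   # same, but not addressed to us
    ]
    results = []
    for p in packets:
        before = len(fw.log)
        results.append((fw.handle(p), len(fw.log) > before))
    return results

if __name__ == "__main__":
    for verdict, logged in run_demo():
        print(verdict, "(logged)" if logged else "")
```

The state table is what separates this from a plain packet filter: the server's reply on port 40000 and the DNS answer on port 5353 are accepted only because this host sent the matching outbound packet first; the same inbound packet arriving at a fresh filter with no recorded flow falls through to the final DENY. Real firewalls also expire entries from that table after a timeout, which this model leaves out.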