firewall interview questions

Top 15 firewall interview questions

2199 Jobs openings for firewall

Block employee access to public cloud

First of all, let me state that this is not my idea and I don't want to discuss whether such an action is reasonable.

However, for a company, is there a way to prevent employees to access public cloud services? In particular, they should not be able to upload files to any place on the web.

Blocking HTTPS might be a first, simple, but very radical solution. Using a blacklist of IP addresses wouldn't suffice either. Probably, some kind of software is needed to filter the traffic on a content level. A proxy might be helpful, to be able to filter HTTPS traffic.

Theses are my thoughts so far. What do you think? Any ideas?

Source: (StackOverflow)

Which ports do I need to open in the firewall to use NFS?

I'm running Ubuntu 11.10 - setting up NFS to share a directory among many other servers. Which ports are required to be opened on the firewall?

Source: (StackOverflow)

What is the difference between a Source NAT, Destination NAT and Masquerading?

What is the difference between a Source NAT, Destination NAT and Masquerading?

For example, I thought IP Masqurading was what they used to call it in Linux? But what confuses me is that in our Astaro firewall there is IP Masquarading as well as NAT options. What's the difference between all these?

Source: (StackOverflow)

How do you PREPEND an iptables rather than APPEND?

Pretty basic question.. How do you PREPEND an iptables rather than APPEND?

I have DROP statements at the bottom of my rules. I have software to add new rules but adding rules after DROP statements isn't good. Every time I want to add a new rule I have to flush the table which is inefficient. Is there a way to prepend a rule i.e. add a rule to the top of the table rather than the bottom?

Many thanks.

Source: (StackOverflow)

iptables port redirect not working for localhost

I want to redirect all traffic from port 443 to the internal port 8080. I'm using this config for iptables:

iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp \
         --dport 443 -j REDIRECT --to-ports 8080

This works for all external clients. But if I'm trying to access the port 443 from the same maschine I'll get a connection refused error.

wget https://localhost

How can I extend the iptables rule to redirect local traffic too?

Source: (StackOverflow)

Will everyone having Globally Accessible IP's in IPv6 be kind of a security nightmare? [duplicate]

Possible Duplicate:
Switch to IPv6 and get rid of NAT? Are you kidding?

I'm thinking about the way that in IPv4 most of the time you have a single point to configure a firewall on, mainly your router, but if everybody has a Globally Accessible IP Address, doesn't that mean that each computer user is basically responsible for managing their own firewall?

(I mean I'll admit the same is true when using a public wifi access point, but still...)

Source: (StackOverflow)

How to setup simple firewall on Ubuntu?

Could somebody give some simple steps with configuration example how to setup simple firewall on Ubuntu (using console only)? Only ssh, http and https access should be allowed.

Source: (StackOverflow)

Enable Ping in Windows Server Firewall?

I've just installed Windows Server 2008 on a server and I'm able to connect through Remote Desktop but can't ping. Do I need to open an special port on the firewall to be able to ping a server?

Source: (StackOverflow)

Why not block ICMP?

I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...

# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains

# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP

# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block all other traffic 
iptables -A INPUT -j DROP

For context, this machine is a Virtual Private Server Web app host.

In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?

If I need to not block ICMP, how could I go about locking it down more?

Source: (StackOverflow)

How can I prevent a DDOS attack on Amazon EC2?

One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this sever. This slows the server down incredibly. After around 30 minutes, and sometimes a reboot later, everything is back to normal.

Amazon has security groups and firewall, but what else should I have in place on an EC2 server to mitigate or prevent an attack?

From similar questions I've learned:

  • Limit the rate of requests/minute (or seconds) from a particular IP address via something like IP tables (or maybe UFW?)
  • Have enough resources to survive such an attack - or -
  • Possibly build the web application so it is elastic / has an elastic load balancer and can quickly scale up to meet such a high demand)
  • If using mySql, set up mySql connections so that they run sequentially so that slow queries won't bog down the system

What else am I missing? I would love information about specific tools and configuration options (again, using Linux here), and/or anything that is specific to Amazon EC2.

ps: Notes about monitoring for DDOS would also be welcomed - perhaps with nagios? ;)

Source: (StackOverflow)

Windows equivalent of iptables?

Dumb question:

Is there an equivalent of iptables on Windows? Could I install one via cygwin?

The real question: how can I accomplish on Windows what I can accomplish via iptables? Just looking for basic firewall functionality (e.g. blocking certain IP addresses)

Source: (StackOverflow)

Is it possible to change an "Unidentified Network" into a "Home" or "Work" network on Windows 7

I have a problem with Windows 7 RC (7100).

I frequently use a crossover network cable on WinXP with static IP addresses to connect to various industrial devices (e.g. robots, pumps, valves or even other Windows PCs) that have Ethernet network ports.

When I do this on Windows 7, the network connection is classed as an "Unidentified Network" in Networks and Sharing Center and the public firewall profile is enforced by Windows. I do not want to change the public profile and would prefer to use the Home or Work profile instead.

For other networks like Home and Work I'm able to click on them and change the classification. This is not available for unidentified networks.

My questions are these:-

  1. Is there a way to manual override the "Unidentified Network" classification?
  2. What tests are performed on the network that fail, therefore classifying it as an "Unidentified Network"

By googling (hitting mainly vista issues) it seems that you need to ensure that the default gateway is not I've done this. I've also tried to remove IPv6 but this does not seem possible on Windows 7.


For those still having problems here is the answer to my issue and the possible reasons why:-

Win7 keeps a list of the networks you visit by (I am assuming, but don’t know for sure) the MACID of the device pointed to by the Default Gateway. The default gateway is usually the constant device in a network (i.e. the NAT or router) so can be used to uniquely identify one network from another.

The default gateway in the IPv4 properties panel must therefore point to an actual endpoint so windows can then keep track of it. If there is a device at the end of the Default Gateway windows will identify it and track it remembering its settings.

The ways you can therefore fool Win7 is to either point the default gateway to your own IP address, or the IP address of the target device you’re communicating with. This will have the side effect of expecting that target device to start routing packets for IP destinations that are outside your subnet. So some applications on Win7 will try to communicate with the internet, these will be passed on to the default gateway (either back you the same IP address or a target device that is not a router) and thus will eventually timeout because neither can route packets. Which you can usually live with. This gets slightly complicated when you mix a this type of connection with a real connection to the internet via WIFI. The wired network card usually has priority when routing because of the “interface metric” so some applications might not connect correctly.

Source: (StackOverflow)

Why would I need a firewall if my server is well configured?

I admin a handful of cloud-based (VPS) servers for the company I work for.

The servers are minimal ubuntu installs that run bits of LAMP stacks / inbound data collection (rsync). The data is large but not personal, financial or anything like that (ie not that interesting)

Clearly on here people are forever asking about configuring firewalls and such like.

I use a bunch of approaches to secure the servers, for example (but not restricted to)

  • ssh on non standard ports; no password typing, only known ssh keys from known ips for login etc
  • https, and restricted shells (rssh) generally only from known keys/ips
  • servers are minimal, up to date and patched regularly
  • use things like rkhunter, cfengine, lynis denyhosts etc for monitoring

I have extensive experience of unix sys admin. I'm confident I know what I'm doing in my setups. I configure /etc files. I have never felt a compelling need to install stuff like firewalls: iptables etc.

Put aside for a moment the issues of physical security of the VPS.

Q? I can't decide whether I am being naive or the incremental protection a fw might offer is worth the effort of learning / installing and the additional complexity (packages, config files, possible support etc) on the servers.

To date (touch wood) I've never had any problems with security but I am not complacent about it either.

Source: (StackOverflow)

What steps do you take to secure a Debian server? [closed]

I am installing a Debian server which is connected directly to the Internet. Obviously I want to make it as secure as possible. I would like you guys/gals to add your ideas to secure it and what programs you use for it.

I want part of this question to cover what do you use as a firewall? Just iptables manually configured or do you use some kind of software to aid you? What's the best way? Block everything and allow only what is needed? Are there maybe good tutorials for beginners to this topic?

Do you change your SSH port? Do you use software like Fail2Ban to prevent bruteforce attacks?

Source: (StackOverflow)

How to check if a port is blocked on a Windows machine?

On the Windows platform, what native options to I have to check if a port (3306, for example) on my local machine (as in localhost), is being blocked?

Source: (StackOverflow)