Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

Verified iptables Firewall Analysis
IFIP Networking 2016
Cornelius Diekmann, Julius Michaelis, Maximilian Haslbeck, and Georg Carle
Wednesday, May 18, 2016
C. Diekmann – Verified iptables Firewall Analysis 1
Theorem Proving

This work: ≈ 3 years, ≈ 500 pages of manual proof

About Isabelle/HOL
- Interactive proof assistant
- “theorem prover” ≠ automated theorem prover
- Computers are good at replaying proofs
- Computers are bad at finding proofs
- Can we trust Isabelle?
  - LCF-style mathematical micro kernel → code fits on screen
  - Over 20 years without a bug that affected a user’s proof
  - Ask your formal methods colleague
  - How to Common Criteria EAL 7? → Use Isabelle (cf. CC Appendix)
Problem Statement: Let’s get practical

- Configuring firewalls is hard
- Understanding the ruleset of a previous administrator → almost impossible
- Let’s just consider packet filtering without modification
- Linux/netfilter iptables firewall
  - In use for over 10 years → rulesets of that age
  - Over 200 packet matching options
Fun Examples

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1745:334865]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -i lo -j ACCEPT
-A DEFAULT_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DEFAULT_INPUT -p tcp -m multiport --dports 3262,3240:3259,21,... -j DROP
-A DEFAULT_INPUT -p tcp -m multiport --dports 22,23 -j DROP
-A DEFAULT_INPUT -s 192.168.0.0/16 -j ACCEPT
-A DEFAULT_INPUT -j DROP
-A DEFAULT_INPUT -i eth0 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 ... --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags ... --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags ... -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags ... --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags ... -j DROP
COMMIT
```
More Fun Examples

```
-A FORWARD -p tcp -m tcp --sport 410:415 -m time --timestart 06:59 --timestop 23:59 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
-A FORWARD -p tcp -m time --timestart 06:59 --timestop 23:59 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -m string --string X-Kazaa-User -j DROP
-A FORWARD -s 192.168.1.1 -p tcp --syn -m mac --mac 00:60:08:76:35:51 -m connlimit --connlimit-above 15 -j REJECT
```

Get all the data at https://github.com/diekmann/net-network/
Requirements

- Requirement 1: A simple model for packet filtering
- Requirement 2: Applicable to the real world
Simple Firewall Model

simple-fw [] p = ⊥
simple-fw ((m, Accept) :: rs) p = if match m p then ✓ else simple-fw rs p
simple-fw ((m, Drop) :: rs) p = if match m p then ✗ else simple-fw rs p

Decisions: ⊥ undecided, ✓ allow, ✗ deny.

where match can only match on
- in/out interface, including support for the ‘+’ wildcard
- src/dst IP address range in CIDR notation, e.g. 192.168.0.0/24
- protocol (*, or any numeric protocol identifier)
- src/dst interval of ports, e.g. 0:65535
C. Diekmann – Verified iptables Firewall Analysis 7
![Page 30: Verified iptables Firewall Analysis › pub › diekmann › networking2016.pdf · I Understanding ruleset of previous administrator !almost impossible I Let’s just consider packet](https://reader033.vdocument.in/reader033/viewer/2022060319/5f0cb7427e708231d436c756/html5/thumbnails/30.jpg)
Chair of Network Architectures and ServicesDepartment of InformaticsTechnical University of Munich
Main Theorem

{p. new p ∧ Γ, γ, p ⊢ ⟨rs, ?⟩ ⇒ ✓} ⊆ {p. new p ∧ simple-fw (translate-oapprox rs) p = ✓}
Iptables Semantics

Γ, γ, p ⊢ ⟨rs, s⟩ ⇒ t

  Γ   background ruleset
  γ   primitive matcher
  p   packet
  rs  ruleset
  s   start state (e.g. ?)
  t   final state (e.g. ✓, ✗)

• Arbitrary function: γ :: (primitive ⇒ packet ⇒ 𝔹)
• C. Diekmann, L. Hupel, and G. Carle, Semantics-Preserving Simplification of Real-World Firewall Rule Sets, in Formal Methods (FM), Springer, pp. 195–212, Jun. 2015
Towards the Main Theorem

{p. Γ, γ, p ⊢ ⟨rs, ?⟩ ⇒ ✓}     Set of all packets accepted by the real firewall
{p. simple-fw rs′ p = ✓}          Set of all packets accepted by the simple firewall

• rs ≠ rs′
Towards the Main Theorem

{p. Γ, γ, p ⊢ ⟨rs, ?⟩ ⇒ ✓} ⊆ {p. simple-fw (translate-oapprox rs) p = ✓}

Main Contribution (#1)
Main Theorem

{p. new p ∧ Γ, γ, p ⊢ ⟨rs, ?⟩ ⇒ ✓} ⊆ {p. new p ∧ simple-fw (translate-oapprox rs) p = ✓}

Every packet of a new connection (new p) that the real iptables semantics accepts is also accepted by the simple firewall translate-oapprox rs: the simple firewall over-approximates the real one, so anything it blocks, the real firewall blocks as well.
Example

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FOO - [0:0]
-A FORWARD -s 10.0.0.0/8 -j FOO
-A FOO ! -s 10.0.0.0/9 -j DROP
-A FOO -p tcp --bar -j ACCEPT
COMMIT

$ ./fffuu iptables-save.txt

target  prot  source        destination
DROP    all   10.128.0.0/9  0.0.0.0/0
ACCEPT  tcp   10.0.0.0/8    0.0.0.0/0
DROP    all   0.0.0.0/0     0.0.0.0/0
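The rewriting that produces this table, as an added example written for this page (Python; it is neither fffuu nor the Isabelle theories, and it is deliberately small). The user-defined chain FOO is unfolded into FORWARD by conjoining the calling rule's match with each rule of the chain, the unknown match `--bar` is over-approximated (assumed to match in an ACCEPT rule; a DROP rule carrying an unknown match is dropped from the ruleset instead, so the result accepts a superset of the packets), the negated `! -s 10.0.0.0/9` is rewritten into positive CIDRs, and the chain policy is appended last. Assumptions: only `-A`, `-s`, `! -s`, `-p` and `-j` are parsed and every other option counts as an unknown match; RETURN, interfaces and ports are not modelled; destination is `0.0.0.0/0` throughout, as in the table.

```python
import ipaddress
from typing import NamedTuple
# Added example, not fffuu or the Isabelle theories: the rewriting steps that take the
# slide's iptables-save ruleset to the simple-firewall table below it. Only -A, -s, ! -s,
# -p, -j are understood; other options count as unknown. No RETURN, interfaces, ports.
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

class Rule(NamedTuple):
    src: Net          # positive -s (ANY if absent)
    not_src: tuple    # every '! -s', resolved later by positive_src()
    proto: str        # -p, or 'all'
    unknown: bool     # an option we cannot evaluate appeared (e.g. --bar)
    target: str       # ACCEPT, DROP or a user-defined chain

def parse_iptables_save(text):
    """Return ({chain: policy}, {chain: [Rule]}) for one iptables-save table."""
    policies, chains = {}, {}
    for tok in (l.split() for l in text.splitlines() if l[:1] in (":", "-")):
        if tok[0].startswith(":"):                       # ':FORWARD DROP [0:0]'
            policies[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
            continue
        chain, src, not_src, proto, unknown, target = None, ANY, [], "all", False, None
        i, neg = 0, False
        while i < len(tok):
            t, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
            if t == "-A":
                chain = arg
            elif t == "-s" and neg:
                not_src.append(Net(arg))
            elif t == "-s":
                src = Net(arg)
            elif t == "-p" and not neg:
                proto = arg
            elif t == "-j":
                target = arg
            elif t != "!" and t.startswith("-"):
                unknown = True                           # -m ..., --bar, ! -p ...
            i += 2 if t in ("-A", "-s", "-p", "-j") else 1
            neg = t == "!"                               # '!' negates the next option
        chains[chain].append(Rule(src, tuple(not_src), proto, unknown, target))
    return policies, chains

def conj(outer, inner):
    """Match of a chain-calling rule AND of a rule inside that chain; None if unsatisfiable."""
    src = outer.src if outer.src.subnet_of(inner.src) else inner.src
    if not (src.subnet_of(outer.src) and src.subnet_of(inner.src)):
        return None                                      # disjoint CIDRs never both match
    if outer.proto not in ("all", inner.proto) and inner.proto != "all":
        return None                                      # two different protocols
    proto = inner.proto if outer.proto == "all" else outer.proto
    return Rule(src, outer.not_src + inner.not_src, proto,
                outer.unknown or inner.unknown, inner.target)

def unfold(chains, chain):
    """Inline user-defined chains; a non-matching inlined rule is the chain falling through."""
    out = []
    for r in chains[chain]:
        if r.target in chains:
            out += [c for c in (conj(r, i) for i in unfold(chains, r.target)) if c is not None]
        else:
            out.append(r)
    return out

def oapprox(rules):
    """Over-approximation: unknown matches match in ACCEPT rules, never in DROP rules."""
    return [r._replace(unknown=False) for r in rules if not (r.unknown and r.target == "DROP")]

def positive_src(r):
    """'src minus every negated src' as a list of disjoint positive CIDRs."""
    nets = [r.src]
    for n in r.not_src:
        nxt = []
        for s in nets:
            if s.subnet_of(n):
                continue                                 # s is entirely negated away
            nxt.extend(s.address_exclude(n) if n.subnet_of(s) else [s])
        nets = nxt
    return nets

def translate_oapprox(text, chain="FORWARD"):
    """Simple rules as (src, proto, target) tuples, chain policy last, like the table above."""
    policies, chains = parse_iptables_save(text)
    simple = [(net, r.proto, r.target)
              for r in oapprox(unfold(chains, chain)) for net in positive_src(r)]
    return simple + [(ANY, "all", policies[chain])]

RULESET = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FOO - [0:0]
-A FORWARD -s 10.0.0.0/8 -j FOO
-A FOO ! -s 10.0.0.0/9 -j DROP
-A FOO -p tcp --bar -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for src, proto, target in translate_oapprox(RULESET):
        print(f"{target:<8}{proto:<5}{str(src):<16}0.0.0.0/0")
```

Running the block prints the three lines of the fffuu table above. The interesting step is `positive_src`: `-s 10.0.0.0/8` conjoined with `! -s 10.0.0.0/9` becomes the single positive network 10.128.0.0/9, and a negation that cuts a hole into the middle of a range yields several disjoint CIDRs, which is why one iptables rule can turn into several simple rules.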
Part 2: Ruleset Analysis
Ruleset Analysis
• Who can possibly access whom over ssh?
• Visualize as matrix or graph
• Proven properties
  ◦ Sound: If some flow is not in the graph, your firewall definitely blocks it
  ◦ Covers complete IPv4 address space
  ◦ Minimal: Cannot be compressed further
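Both the simple firewall model (the three-equation simple-fw above) and the access-matrix question of this slide can be tried on a small constructed rule set. The following is an added example written for this page (Python; not fffuu, not the Isabelle proofs): `simple_fw` is the model function with exactly the primitives the model slide lists, `partition` cuts the IPv4 space at every src/dst CIDR boundary of the rule set (the address range partitioning idea the Related Work slide attributes to ITVal), and `service_matrix` probes one representative per piece for one fixed service and merges pieces that behave identically as source and as destination into one node. The rule set, the interface names and the tcp/22 probe on eth0 are constructed for illustration; the soundness argument here is only that no rule can tell two addresses of the same piece apart, minimality of the node set is not established by this code.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added example for this page (not fffuu, not the Isabelle theories): the simple
# firewall model and a service matrix computed from it. Rule set below is constructed.

class Match(NamedTuple):
    """Exactly the primitives the simple model can match on."""
    iif: str = "+"                   # in/out interface; a trailing '+' is a prefix wildcard
    oif: str = "+"
    src: str = "0.0.0.0/0"           # CIDR ranges
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None      # None = '*', otherwise the numeric protocol (6 = tcp)
    sports: tuple = (0, 65535)       # inclusive port intervals
    dports: tuple = (0, 65535)

class Packet(NamedTuple):
    iif: str
    oif: str
    src: int                         # IPv4 addresses as integers, see ip()
    dst: int
    proto: int
    sport: int
    dport: int

def ip(s):
    return int(ipaddress.IPv4Address(s))

def cidr_bounds(cidr):
    n = ipaddress.IPv4Network(cidr)
    return int(n.network_address), int(n.broadcast_address)

def iface_match(pattern, name):
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def matches(m, p):
    slo, shi = cidr_bounds(m.src)
    dlo, dhi = cidr_bounds(m.dst)
    return (iface_match(m.iif, p.iif) and iface_match(m.oif, p.oif)
            and slo <= p.src <= shi and dlo <= p.dst <= dhi
            and (m.proto is None or m.proto == p.proto)
            and m.sports[0] <= p.sport <= m.sports[1]
            and m.dports[0] <= p.dport <= m.dports[1])

def simple_fw(rules, p):
    """simple-fw from the model slide: the first matching rule decides,
    an exhausted rule list yields the undecided state."""
    for m, action in rules:
        if matches(m, p):
            return action
    return "Undecided"

def partition(rules):
    """Cut 0.0.0.0..255.255.255.255 at every src/dst CIDR boundary of the rule set.
    No rule can tell two addresses of the same piece apart."""
    cuts = {0, 2 ** 32}
    for m, _ in rules:
        for lo, hi in (cidr_bounds(m.src), cidr_bounds(m.dst)):
            cuts.update((lo, hi + 1))
    pts = sorted(cuts)
    return [(a, b - 1) for a, b in zip(pts, pts[1:])]

def service_matrix(rules, iif="eth0", oif="eth0", proto=6, sport=40000, dport=22):
    """Who can possibly access whom for one fixed service (default: ssh, tcp/22).
    Returns (nodes, edges): a node is a list of address intervals that behave the
    same both as source and as destination; an edge (i, j) means node i may reach j."""
    atoms = partition(rules)
    def allowed(a, b):               # one representative per piece suffices
        pkt = Packet(iif, oif, a[0], b[0], proto, sport, dport)
        return simple_fw(rules, pkt) == "Accept"
    table = [[allowed(a, b) for b in atoms] for a in atoms]
    groups = {}
    for i, a in enumerate(atoms):
        row = tuple(table[i])                                # a as source
        col = tuple(table[j][i] for j in range(len(atoms)))  # a as destination
        groups.setdefault((row, col), []).append(a)
    nodes = sorted(groups.values(), key=lambda g: g[0][0])
    node_of = {a: k for k, g in enumerate(nodes) for a in g}
    edges = {(node_of[a], node_of[b])
             for i, a in enumerate(atoms) for j, b in enumerate(atoms) if table[i][j]}
    return nodes, edges

def fmt(interval):
    return f"{ipaddress.IPv4Address(interval[0])}..{ipaddress.IPv4Address(interval[1])}"

TCP = 6
# Constructed rule set: a jump-host subnet may ssh to the server subnet, internal hosts
# may ssh out to the Internet only, everything else (ssh from outside included) is dropped.
RULES = [
    (Match(src="10.0.9.0/24", dst="10.0.1.0/24", proto=TCP, dports=(22, 22)), "Accept"),
    (Match(src="10.0.0.0/8", dst="10.0.0.0/8", proto=TCP, dports=(22, 22)), "Drop"),
    (Match(iif="eth+", src="10.0.0.0/8", proto=TCP, dports=(22, 22)), "Accept"),
    (Match(), "Drop"),                                       # default policy
]

if __name__ == "__main__":
    nodes, edges = service_matrix(RULES)
    for k, g in enumerate(nodes):
        print(f"node {k}: " + " ∪ ".join(fmt(iv) for iv in g))
    for i, j in sorted(edges):
        print(f"node {i} -> node {j}")
```

For the constructed rule set the 7 pieces of the partition collapse into 4 nodes: the two non-RFC1918 halves of the address space form one "INET" node although they are not contiguous, the internal /8 minus the server and jump-host subnets forms another, and the server and jump-host subnets stay separate because they differ as destination and as source respectively. This is the same shape as the lab firewall graphs on the following slides, where a node like the 2016 one spanning dozens of disjoint ranges is exactly such a merged class.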
Example: Firewall of our lab (2016)

Nodes of the computed access graph, one per class of the IPv4 address partition (each line below is one node):
{224.0.0.0..239.255.255.255}
{0.0.0.0..126.255.255.255} ∪ {128.0.0.0..131.159.13.255}∪{131.159.16.0..131.159.19.255} ∪ {131.159.22.0..138.246.253.4}∪{138.246.253.11..185.86.231.255} ∪ {185.86.236.0..188.1.239.85}∪{188.1.239.87..188.95.232.63} ∪ {188.95.232.224..188.95.232.255}∪{188.95.240.0..192.48.106.255} ∪ {192.48.108.0..223.255.255.255}∪{240.0.0.0..255.255.255.255}
{131.159.14.0..131.159.14.7} ∪ {131.159.14.12..131.159.14.25} ∪ 131.159.14.27 ∪ {131.159.14.29..131.159.14.33} ∪ {131.159.14.38..131.159.14.39} ∪ 131.159.14.41 ∪ {131.159.14.43..131.159.14.51} ∪ {131.159.14.53..131.159.14.55} ∪ {131.159.14.57..131.159.14.59} ∪ {131.159.14.61..131.159.14.68} ∪ {131.159.14.70..131.159.14.82} ∪ {131.159.14.84..131.159.14.103} ∪ {131.159.14.105..131.159.14.124} ∪ {131.159.14.126..131.159.14.136} ∪ {131.159.14.138..131.159.14.139} ∪ {131.159.14.141..131.159.14.144} ∪ {131.159.14.147..131.159.14.154} ∪ {131.159.14.157..131.159.14.162} ∪ {131.159.14.164..131.159.14.168} ∪ {131.159.14.170..131.159.14.200} ∪ {131.159.14.202..131.159.14.213} ∪ {131.159.14.215..131.159.15.4} ∪ 131.159.15.6 ∪ {131.159.15.14..131.159.15.15} ∪ {131.159.15.21..131.159.15.22} ∪ 131.159.15.26 ∪ 131.159.15.28 ∪ 131.159.15.30 ∪ {131.159.15.33..131.159.15.35} ∪ {131.159.15.37..131.159.15.38} ∪ 131.159.15.40 ∪ {131.159.15.45..131.159.15.46} ∪ {131.159.15.48..131.159.15.49} ∪ {131.159.15.52..131.159.15.55} ∪ 131.159.15.57 ∪ 131.159.15.59 ∪ {131.159.15.61..131.159.15.67} ∪ {131.159.15.70..131.159.15.196} ∪ {131.159.15.198..131.159.15.227} ∪ {131.159.15.229..131.159.15.233} ∪ {131.159.15.235..131.159.15.246} ∪ {131.159.15.250..131.159.15.255} ∪ {131.159.20.0..131.159.20.20} ∪ {131.159.20.22..131.159.20.28} ∪ {131.159.20.30..131.159.20.35} ∪ {131.159.20.37..131.159.20.44} ∪ {131.159.20.46..131.159.20.51} ∪ {131.159.20.53..131.159.20.58} ∪ {131.159.20.60..131.159.20.62} ∪ {131.159.20.64..131.159.20.70} ∪ {131.159.20.72..131.159.20.73} ∪ {131.159.20.75..131.159.20.84} ∪ {131.159.20.86..131.159.20.96} ∪ {131.159.20.98..131.159.20.119} ∪ {131.159.20.121..131.159.20.138} ∪ {131.159.20.140..131.159.20.149} ∪ {131.159.20.152..131.159.20.154} ∪ {131.159.20.156..131.159.20.159} ∪ {131.159.20.161..131.159.20.164} ∪ {131.159.20.167..131.159.20.179} ∪ {131.159.20.181..131.159.20.184} ∪ {131.159.20.186..131.159.20.199} ∪ {131.159.20.201..131.159.20.232} ∪ {131.159.20.235..131.159.20.255} ∪ {185.86.232.0..185.86.235.255} ∪ {188.95.233.0..188.95.233.3} ∪ {188.95.233.5..188.95.233.8} ∪ {188.95.233.10..188.95.233.255} ∪ {192.48.107.0..192.48.107.255}
{131.159.14.8..131.159.14.11} ∪ 131.159.14.26 ∪ 131.159.14.28∪{131.159.14.34..131.159.14.37} ∪ 131.159.14.40 ∪ 131.159.14.42∪131.159.14.52 ∪ 131.159.14.56 ∪ 131.159.14.60 ∪ 131.159.14.69∪131.159.14.83 ∪ 131.159.14.104 ∪ 131.159.14.125 ∪ 131.159.14.137∪131.159.14.140 ∪ {131.159.14.145..131.159.14.146}∪{131.159.14.155..131.159.14.156} ∪ 131.159.14.163 ∪ 131.159.14.169∪131.159.14.201 ∪ 131.159.14.214 ∪ 131.159.15.5∪{131.159.15.7..131.159.15.13} ∪ {131.159.15.16..131.159.15.20}∪{131.159.15.23..131.159.15.25} ∪ 131.159.15.27 ∪ 131.159.15.29∪{131.159.15.31..131.159.15.32} ∪ 131.159.15.36 ∪ 131.159.15.39∪{131.159.15.41..131.159.15.44} ∪ 131.159.15.47 ∪ 131.159.15.51∪131.159.15.56 ∪ 131.159.15.58 ∪ 131.159.15.60∪{131.159.15.68..131.159.15.69} ∪ 131.159.15.197 ∪ 131.159.15.228∪131.159.15.234 ∪ {131.159.15.247..131.159.15.249} ∪ 131.159.20.21∪131.159.20.29 ∪ 131.159.20.36 ∪ 131.159.20.45 ∪ 131.159.20.52∪131.159.20.59 ∪ 131.159.20.63 ∪ 131.159.20.71 ∪ 131.159.20.74∪131.159.20.85 ∪ 131.159.20.97 ∪ 131.159.20.120 ∪ 131.159.20.139∪{131.159.20.150..131.159.20.151} ∪ 131.159.20.155 ∪ 131.159.20.160∪{131.159.20.165..131.159.20.166} ∪ 131.159.20.180 ∪ 131.159.20.185∪131.159.20.200 ∪ {131.159.20.233..131.159.20.234}∪{131.159.21.0..131.159.21.255} ∪ {188.95.232.192..188.95.232.223}∪188.95.233.4 ∪ 188.95.233.9 ∪ {188.95.234.0..188.95.239.255}
188.1.239.86 ∪ {188.95.232.64..188.95.232.191}
{138.246.253.6..138.246.253.10}
138.246.253.5
131.159.15.50
{127.0.0.0..127.255.255.255}
Example: Firewall of our lab (pre-2016)

Nodes of the access graph: internal, servers, multicast, INET, localhost, ip1, ip2, AS routers, INET′
Part 3: Evaluation & Related Work
Correctness
• Proven (in Isabelle/HOL)
Related Work
• ITVal: iptables ruleset analysis
  ◦ Not formally proven correct
  ◦ Yes, there are bugs
    ▪ Number of significant bits in IP addresses in CIDR notation is not a multiple of 8. Example: 188.95.232.0/21
    ▪ Logical negations induced by RETURN
    ▪ Unknown primitives
    ▪ ...
  ◦ Performance
    ▪ Firewall with 4946 rules (the one from before)
    ▪ 53h and almost 100GB RAM
  ◦ Disclaimer
    ▪ ITVal is an academic open source prototype
    ▪ Introduces the idea of IP address range partitioning
    ▪ We are standing on the shoulders of giants
FFFUU: Get It While It’s Hot
http://iptables.isabelle.systems/ & don’t forget to publish your rulesets!
Story Time
C. Diekmann – Verified iptables Firewall Analysis 21
Appendix
C. Diekmann – Verified iptables Firewall Analysis 22
| Fw | Rules | Chain | Simple rules | Use | Parts (ITVal) | ssh | http | Time (ITVal) |
|---|---|---|---|---|---|---|---|---|
| A | 2784 | FW (2376) | 2381 (1920) | ✓ | 246 (1) | 13 | 9 | 172s (3h∗) |
| | | FW (2376) | 2837 (581) | ✗ r | 522 (1) | 1 | 1 | 194s (9h∗) |
| A | 4113 | FW (2922) | 3114 (2862) | ✓ | 334 (2) | 11 | 11 | 302s (27h∗) |
| | | FW (2922) | 3585 (517) | ✗ r | 490 (1) | 1 | 1 | 320s (8h) |
| A | 4814 | FW (4403) | 3574 (3144) | ✓ | 364 (2) | 9 | 12 | 477s (46h∗) |
| | | FW (4403) | 5123 (1601) | ✗ r | 1574 (1) | 1 | 1 | 618s (3h∗) |
| A | 4946 | FW (4887) | 4004 (3570) | ✓ | 371 (2) | 9 | 12 | 477s (53h∗) |
| | | FW (4887) | 5563 (1613) | ✗ r | 1585 (1) | 1 | 1 | 820s (4h∗) |
| B | 88 | FW (40) | 110 (106) | ✓ | 50 (4) | 4 | 2 | 3s (2s) |
| | | FW (40) | 183 (75) | ✓ | 40 (1) | 1 | 1 | 2s (1s) |
| C | 53 | FW (30) | 29 (12) | ✓ | 8 (1) | 1 | 1 | 1s (1s) |
| | | FW (30) | 27 (1) | ✓ | 1 (1) | 1 | 1 | 1s (1s) |
| | | IN (49) | 74 (46) | ✓ | 38 (1) | 1 | 1 | 1s (1s) |
| | | IN (49) | 75 (21) | ✓ | 6 (1) | 1 | 1 | 1s (1s) |
| D | 373 | FW (2649) | 3482 (166) | ✓ | 43 (1) | 1 | 1 | 22s (3s) |
| | | FW (2649) | 16592 (1918) | ✗ | 67 (1) | 1 | 1 | 49s (33min∗) |
| E | 31 | IN (24) | 57 (27) | ✓ | 4 (3) | 1 | 2 | 10s (1s) |
| | | IN (24) | 61 (45) | ✗ r | 3 (1) | 1 | 1 | 1s (1s) |
| F | 263 | IN (261) | 263 (263) | ✓ | 250 (3) | 3 | 3 | 80s (2min) |
| | | IN (261) | 265 (264) | ✓ | 250 (3) | 3 | 3 | 57s (3min) |
| G | 68 | IN (28) | 20 (20) | ✓ | 8 (5) | 1 | 2 | 8s (1s) |
| | | IN (28) | 19 (19) | ✗ | 8 (2) | 2 | 2 | 1s (1s) |
| H | 19 | FW (20) | 10 (10) | ✗ | 9 (1) | 1 | 1 | 8s (1s) |
| | | FW (20) | 8 (8) | ✗ r | 3 (1) | 1 | 1 | 1s (1s) |
| I | 15 | FW (5) | 4 (4) | ✓ | 4 (4) | 4 | 4 | 8s (1s) |
| | | FW (5) | 4 (4) | ✓ | 4 (4) | 4 | 4 | 1s (1s) |
| J | 48 | FW (12) | 5 (5) | ✓ | 3 (2) | 2 | 2 | 6s (1s) |
| | | FW (12) | 8 (2) | ✓ | 1 (1) | 1 | 1 | 1s (1s) |
| K | 21 | FW (9) | 7 (6) | ✓ | 3 (1) | 1 | 1 | 12s (1s) |
| | | FW (9) | 4 (3) | ✓ | 2 (1) | 1 | 1 | 1s (1s) |
| L | 27 | IN (16) | 19 (19) | ✓ | 17 (3) | 2 | 2 | 1s (1s) |
| | | IN (16) | 18 (18) | ✓ | 17 (3) | 2 | 2 | 1s (1s) |
| M | 80 | IN (92) | 64 (16) | ✓ | 2 (2) | 1 | 2 | 6s (1s) |
| | | IN (92) | 58 (27) | ✗ | 11 (1) | 1 | 1 | 1s (1s) |
| N | 34 | FW (14) | 12 (12) | ✓ | 10 (6) | 6 | 6 | 2s (2s) |
| | | FW (14) | 12 (12) | ✓ | 10 (6) | 6 | 6 | 1s (2s) |
| O | 8 | IN (7) | 9 (9) | ✓ | 3 (3) | 1 | 2 | 1s (1s) |
| | | IN (7) | 8 (8) | ✓ | 3 (3) | 1 | 2 | 1s (1s) |
| P | 595 | IN (15) | 8 (8) | ✓ | 3 (2) | 2 | 2 | ?s (1s) |
| | | IN (15) | 9 (9) | ✓ | 3 (2) | 2 | 2 | ?s (1s) |
| P | 595 | IN (66) | 64 (64) | ✓ | 60 (5) | 5 | 4 | ?s (22s) |
| | | IN (66) | 63 (63) | ✓ | 60 (5) | 5 | 4 | ?s (22s) |
| Q | 58 | IN (59) | 65 (65) | ✓ | 21 (1) | 1 | 1 | ?s (2s) |
| | | IN (59) | 62 (62) | ✓ | 21 (2) | 2 | 1 | ?s (2s) |