Firewall Simulation Instructions

The Firewall Simulator is a tool for students to learn how to configure a firewall using Cisco-like commands. The process for using the simulator is:

Open the simulator web page. If it asks you to trust the applet, responds positively.
When you first start, you must enter your name to identify yourself to other participants. Names must be less than 17 characters in length.
Configure your firewall to allow needed services while preventing attacks. A separate frame holds the firewall configuration commands. Type in the access-list commands and press the large button at the top marked �Update Configuration�.
Once the actions are enabled by the administrator, you can take actions against other players.
If you receive messages that other players are successfully attacking your network, reconfigure your firewall to correct problems.
New tasks will appear that may require you to reconfigure your firewall. Shortly after a new task appears, you are vulnerable to related attacks by other players. You may also attack other players.

The general format for a Cisco-like firewall configuration command is:

access-list number {permit | deny} [protocol] {any | ipaddr mask | host ipaddr} {any | ipaddr mask | host ipaddr} [operator port | established] [log]

access-list - All firewall configuration commands start with this keyword.
number - A number between 0-199 or 2000-2999 (Think of it as the name of the list.)
permit or deny - Whether to permit or deny this packet of information if conditions match
protocol (optional) - Type of protocol for this packet: IP, ICMP, SNMP, UDP or TCP. If omitted, then this command pertains to all network traffic regardless of protocol.
Source Address - The Internet address of the sender of the packet. This can be:

any - This access command applies to packets from any source.
host ipaddr - This command applies to one particular computer. The IP address of the computer is given in the usual dotted-decimal format (i.e. 152.8.1.2).
ipaddr mask - The IP address of the packet's source is specified in the usual dotted-decimal format. This is followed by a mask, also specified in the usual dotted-decimal format. When comparing the packet's source address, any address bit whose mask bit is one is ignored. Thus 152.8.12.47 0.0.255.255 represents all IP addresses whose first 16 bits match.

Destination Address - The Internet address of the network packet's destination. This can be specified in the same three formats as the source address.
Operator (optional) - This applies to TCP or UDP ports only. This indicates how the port number in the packet should be compared. If omitted, then this command applies for all ports.

eq	equal
lt	less than
gt	greater than
neq	not equal
range	a range of ports; you must specify two different port numbers
est	established connections - this allows packets to pass through the firewall from the Internet if they are the response to a connection established from within the intranet.

Port (optional) - TCP/UDP destination port number. If omitted, then this command applies for all port numbers. The port number must be specified if an operator is given.
Log - (optional) Whether to log this entry to the console (not used in the simulation)

Commands are case insensitive. Note that all access-list commands must fit on one line. Comments can be included configuration. Comments start with an exclamation point ( ! ).

Examples:

access-list 111 permit tcp any host 152.8.1.1 eq 80

This permits any computer on the Internet to connect to the computer whose IP address is 152.8.1.1 using the TCP protocol and port 80.

access-list 123 deny any 178.22.8.9 0.0.255.255

This will prohibit any computer from accessing a computer on the 178.22 domain using any protocol.

Addresses

The access-list commands specify source and destination addresses. If the source address starts with 152.8, then the traffic is going out from your network to the Internet. If the source is any other address, then the traffic is coming into your network. A description of your simulated network can be found here.

Access-list command order is important

� When a packet arrives at your firewall, it will be compared with each access-list statement in the order they appear.

� The first statement that applies to that packet determines if it is permitted or denied.

� For incoming traffic, there is an implicit deny everything at the end of the access-lists.

� For outgoing traffic, there is an implicit permit everything at the end of the access-lists.

Some interesting port numbers

port	service
21	FTP
23	Telnet
25	Simple Mail Transport Protocol
53	Domain Name Servers
69	Trivial FTP
80	HTTP
110	POP3 client email
123	Network Time Protocol
137-139	Microsoft NETBIOS
143	IMAP4 client email
161	Simple Network Maintenance Protocol
443	HTTPS
445	Windows File Sharing
1863	MSN Instant messaging
1214	Kazaa
3389	Windows Remote Desktop Protocol
5190	AOL instant messenger
28800-29100	MSN Gaming Zone
49876	Firewall Simulation

Initial Configuration

When you first start the simulation, you should configure your firewall to allow the following services to run. Actions against these services are possible as soon as the administrator enables the action button.

Access by the public to your web site
Email from other email servers
Domain Name Server access