CSCI 530 Lab

Firewalls

This lab consists of three parts:

 1) firewalls for self-protection (co-location of the protective firewall and protected service on the same machine)
        using the iptables command in Linux
        doing the same thing with the built-in Windows XP firewall

 2) firewalls for net-protection (location of the protective firewall on the path to a protected service that's on another machine)
        another example: contrasting self- vs net-protection of a Windows service (Windows' vs router's firewall)

 3) creating firewalls in a small commercial router

 

After you have performed the above lab components, answer the following questions.

1. Windows XP's firewall by default lets nothing in and everything out. Comment on whether we should consider this an "optimistic" or "pessimistic" stance.


2. Here is a script that sets up a firewall.

1  iptables -F # flush existing rules
2
3  iptables -P INPUT DROP
4  iptables -P FORWARD DROP
5  iptables -P OUTPUT DROP
6
7  # first service
8  iptables -A OUTPUT -p udp --dport 53 -d 0.0.0.0/0 -j ACCEPT
9  iptables -A INPUT -p udp --sport 53 -s 0.0.0.0/0 -j ACCEPT
10
11 # second service
12 iptables -A OUTPUT -p tcp --dport 80 -d 0.0.0.0/0 -j ACCEPT
13 iptables -A INPUT -p tcp --sport 80 -s 0.0.0.0/0 -j ACCEPT

 a. briefly express in declarative English what the script above expresses in iptables syntax. Include mention of the effects of each of its four main sections, in terms of resulting behavior. For example, the first main section discards existing rules. (Look up the port numbers found in the script if you don't recognize them.)

 b. for different reasons, removal of either lines 8 and 9, or else lines 12 and 13, will obstruct the primary behavior otherwise possible under this firewall. What's the reason when lines 8 and 9 are removed?

 c. what's the reason when lines 12 and 13 are removed?
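To make the evaluation order of the script in question 2 concrete, here is an added model of its INPUT and OUTPUT chains; it is not part of the lab handout, and the packets fed to it are constructed. A chain is its default policy (-P) plus the rules appended to it (-A); the first matching rule decides a packet, and the policy applies only when nothing matches. The model also surfaces a caveat worth noticing: the rules are stateless, so an unsolicited inbound packet merely bearing source port 53 or 80 is accepted whether or not this host ever sent anything to it.

```python
# Added example (not from the lab): a minimal model of netfilter chain
# evaluation for the script in question 2. Packet fields are constructed.

class Rule:
    def __init__(self, proto, sport=None, dport=None, target="ACCEPT"):
        self.proto, self.sport, self.dport, self.target = proto, sport, dport, target

    def matches(self, pkt):
        if pkt["proto"] != self.proto:
            return False
        if self.sport is not None and pkt["sport"] != self.sport:
            return False
        return self.dport is None or pkt["dport"] == self.dport


class Chain:
    def __init__(self, policy="DROP"):
        self.policy, self.rules = policy, []

    def verdict(self, pkt):
        for rule in self.rules:          # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy               # nothing matched: default policy


def build_firewall(dns=True, http=True):
    """Chains as the script leaves them; dns=False omits lines 8-9, http=False lines 12-13."""
    fw = {"INPUT": Chain("DROP"), "OUTPUT": Chain("DROP")}   # lines 3 and 5
    if dns:
        fw["OUTPUT"].rules.append(Rule("udp", dport=53))     # line 8
        fw["INPUT"].rules.append(Rule("udp", sport=53))      # line 9
    if http:
        fw["OUTPUT"].rules.append(Rule("tcp", dport=80))     # line 12
        fw["INPUT"].rules.append(Rule("tcp", sport=80))      # line 13
    return fw


def verdict(fw, chain, proto, sport, dport):
    """Verdict for one packet traversing the named chain."""
    return fw[chain].verdict({"proto": proto, "sport": sport, "dport": dport})


if __name__ == "__main__":
    fw = build_firewall()
    # A DNS query and its reply, then an HTTP request and its reply: all ACCEPT.
    print(verdict(fw, "OUTPUT", "udp", 40001, 53), verdict(fw, "INPUT", "udp", 53, 40001))
    print(verdict(fw, "OUTPUT", "tcp", 40002, 80), verdict(fw, "INPUT", "tcp", 80, 40002))
    # Anything else, e.g. an outbound SSH connection, falls through to the DROP policy.
    print(verdict(fw, "OUTPUT", "tcp", 40003, 22))
    # Caveat: stateless rules. An unsolicited inbound segment from source port 80
    # matches line 13 and is accepted even though this host never asked for it.
    print(verdict(fw, "INPUT", "tcp", 80, 22))
```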


3. You have a home LAN containing 2 computers. The first computer is a general purpose PC running Windows XP. The second computer is a typical commercial router, perhaps a Netgear WGR614. The router, in addition to being on the LAN, is on the internet (it has 2 NICs).

 a. You want to run a web server on your XP box. To enable, do you need to make the firewall adjustment on the router, XP, or both?

 b. You want to prevent the XP box from conversing with the internet using certain protocols. To do it, do you need to make the corresponding firewall adjustment on the router, XP, or both?


4. The Netgear WGR614 you examined is a smart device, not a dumb one, because it's actually a computer. Though humble in appearance, it contains a CPU, memory, and an operating system, the defining essentials. In addition, it has 2 network interfaces. To use this computer as a router for PCs, you need to connect them to it. You could do that just as you connect PCs to each other, by plugging them into a common switch. For marketability, the small commercial router makers build a switch into their boxes. You've got to have one; they're cheap to build in; the competitors do it. So you can hardly find a router that is not a router-cum-switch.

Consider the switch built in to the WGR614. Physically and visibly, the number of computer connections it provides in the form of RJ-45 sockets is 4. Electronically, by contrast, how many computer connections does this built-in switch have altogether? That is, if it is an n-port switch (electronically), what is n?

 

The University of Southern California does not screen or control the content on this website and thus does not guarantee the accuracy, integrity, or quality of such content. All content on this website is provided by and is the sole responsibility of the person from which such content originated, and such content does not necessarily reflect the opinions of the University administration or the Board of Trustees