Study Guide Chap18: Overseeing Linux Firewalls Flashcards
(11 cards)
1- Which of the following is true concerning firewalls on Linux that were covered in this chapter? (Choose all that apply.)
- They use ACLs for allowing packets.
- They detect malicious behavior.
- They inspect network packet control information.
- They use iptables embedded in the Linux kernel.
- They employ configuration files for persistency.
- They use ACLs for allowing packets.
- They inspect network packet control information.
- They employ configuration files for persistency.
The Linux firewall applications covered in this chapter use access control lists (ACLs) to identify which network packets are allowed in or out of the system. Therefore, option A is a correct answer. They identify the network packets by inspecting their control information along with other network data. Thus, option C is also a correct choice. In addition, the Linux firewall applications use configuration files to maintain persistency, which allows the firewall configuration to survive system reboots and/or the firewall application being started or reloaded. Therefore, option E is also a correct answer. These firewalls cannot detect malicious behavior; they only follow predefined rules. Therefore, option B is a wrong answer. In addition, they use netfilter embedded in the Linux kernel and not iptables (which is instead a firewall service), so option D is also an incorrect choice.
2- Which of the following options best describes packet filtering?
- Identifying network packets via their control information and allowing them into the system
- Identifying network packets via their control information and determining what to do based on ACL rules
- Identifying network packets via their payload and determining what to do based on ACL rules
- Identifying network packets by their source address and determining what to do based on ACL rules
- Identifying network packets by their payload and determining what to do based on their source address
Identifying network packets via their control information and determining what to do based on ACL rules
Option B best describes packet filtering. Option A describes how packets are identified but only allows them into the system, and therefore is not the best answer. A packet’s payload refers to the data it is carrying. In packet filtering, packets are identified by their control information, such as their source IP address. Therefore, option C is not the correct answer either. Network packets can be identified by much more than just their source address, making option D a wrong answer. Option E is also a wrong answer because it focuses on the packet’s payload and not its control information.
3- Which of the following are benefits of a stateful firewall over a stateless firewall? (Choose all that apply.)
- It operates faster.
- It is not as vulnerable to DDoS attacks.
- It determines if packets are fragmented.
- It operates faster for established connections.
- It is vulnerable to DDoS attacks.
- It determines if packets are fragmented.
- It operates faster for established connections.
A stateful firewall uses a memory table to track an established connection’s packets, making it faster for those connections. In addition, it can tell if packets are fragmented and thus protects the system from attacks that spread among multiple packets. Therefore, options C and D are the correct answers. Stateless firewalls operate faster overall, and they are not as vulnerable to DDoS attacks. Thus, options A and B are wrong answers. While stateful firewalls are vulnerable to DDoS attacks, that is a drawback, not a benefit. Therefore, option E is also an incorrect choice.
Stateful vs Stateless Firewalls
- Stateless firewall examines each packet individually based only on header information (source/destination IP, ports, protocols) without considering the connection context or previous packets.
- Stateful firewall tracks active connections and maintains state tables, allowing it to make decisions based on connection context, session information, and the relationship between packets.
- The key advantage of stateful firewalls is that they can automatically allow return traffic for established connections and detect suspicious patterns, while stateless firewalls require explicit rules for both directions of communication.
4- The firewalld service uses _____ , which is a predefined rule set.
- netfilter
- firewall-cmd
- Services
- reject
- Zones
Zones
With firewalld, network traffic is grouped into a zone, which is a predefined rule set, also called a trust level. Therefore, option E is the correct answer. While firewalld does use netfilter and the firewall-cmd command, those items are not predefined rule sets, so options A and B are wrong answers. A service is a predefined configuration set for a particular service, such as DNS. Therefore, option C is an incorrect answer as well. Option D is an incorrect choice because the zone that rejects packets is called block.
5- Peter, a Linux system administrator, has been testing a new firewalld configuration. The test was successful. What should Peter do next?
- Using super user privileges, issue the reboot command.
- Using super user privileges, issue the firewall-cmd --panic-on command.
- Nothing. If the test was successful, the runtime environment is the permanent environment.
- Issue the firewall-cmd --runtime-to-permanent command using super user privileges.
- Issue another firewall-cmd command, but add the --permanent option to it.
Issue the firewall-cmd --runtime-to-permanent command using super user privileges.
firewalld’s runtime environment is the active firewall, but if the configuration is not saved as the permanent environment, it is not persistent. Therefore, after his successful tests, he should issue the firewall-cmd --runtime-to-permanent command to save the runtime environment to the permanent environment. Thus, option D is the correct answer. Rebooting the system would lose the tested runtime environment, so option A is a wrong answer. The --panic-on option blocks all incoming traffic, so option B is also an incorrect answer. The runtime environment is different from the permanent environment in this situation, so option C is a wrong choice. While the --permanent option will allow you to modify the runtime and permanent environment at the same time, Peter did not do this, so option E is also an incorrect answer.
6- Peter is a Linux system administrator of a system using the iptables service. He wants to add a rule to block only incoming ping packets and not send a rejection message to the source. What command should he employ?
- sudo iptables -P INPUT DROP
- sudo iptables -A INPUT -p icmp -j REJECT
- sudo iptables -A INPUT -p icmp -j DROP
- sudo iptables -D INPUT -p icmp -j DROP
- sudo iptables -A OUTPUT -p icmp -j REJECT
sudo iptables -A INPUT -p icmp -j DROP
To achieve the desired result, Peter will need to modify the iptables INPUT chain for the protocol ping uses, which is ICMP. Also, the target will need to be set to DROP, in order to not send any rejection message. Therefore, option C is the correct iptables command to use. The command in option A will set the policy to DROP for all incoming packets that do not have a rule in the INPUT chain, but that does not target ping packets. Therefore, option A is a wrong answer. The command in option B will send a rejection message, which is not desired, so it is also an incorrect answer. The command in option D is attempting to delete a rule, not add one. Therefore, option D is a wrong choice. The command in option E is modifying the OUTPUT chain instead of the INPUT chain, which will affect outbound network packets. Thus, option E is an incorrect choice.
7- Which of the following commands will allow you to view the various rules in a UFW firewall with their associated numbers?
- sudo ufw show numeric
- sudo ufw status
- sudo ufw status verbose
- sudo ufw status numbered
- sudo ufw enable
sudo ufw status numbered
The sudo ufw status numbered command will display the UFW firewall’s ACL rules with their associated numbers. Therefore, option D is the correct answer. Option A is made up and thus is a wrong answer. Both options B and C will show any rules, but they will not include their numbers, so those options are incorrect answers. The UFW command in option E enables the firewall but does not display ACL rules, so it is an incorrect choice as well.
8- Which of the following is an example of UFW simple syntax for blocking all incoming and outgoing OpenSSH connections without providing a blocking message?
- sudo ufw deny 22/tcp
- sudo ufw drop 22/tcp
- sudo ufw reject 22/tcp
- sudo ufw accept 22/tcp
- sudo ufw block 22/tcp
sudo ufw deny 22/tcp
While all these options use simple syntax, the ufw command in option A will block all incoming and outgoing OpenSSH connections and not send a blocking (rejection) message. Thus, option A is the correct answer. There is no drop argument in the ufw command, so option B is a wrong answer. The command in option C would send a rejection message. Thus, it is a wrong choice. The command in option D will allow OpenSSH connections, and therefore it is an incorrect answer. There is no block argument in the ufw command, so option E is also an incorrect choice.
9- Which of the following are true concerning both DenyHosts and Fail2Ban? (Choose all that apply.)
- It is an intrusion detection system (IDS).
- It modifies the /etc/hosts.deny file.
- It only handles OpenSSH traffic.
- Its configuration file is named jail.conf.
- It can work with TCP Wrappers, iptables, and firewalld.
- It is an intrusion detection system (IDS).
- It modifies the /etc/hosts.deny file.
Options A and B are true statements concerning both DenyHosts and Fail2Ban. DenyHosts only works with OpenSSH traffic, while Fail2Ban can handle many different types of traffic. So option C is a wrong answer. Fail2Ban’s configuration file is named /etc/fail2ban/jail.conf, but the configuration file for DenyHosts is not. Therefore, option D is an incorrect answer as well. DenyHosts can only work with TCP Wrappers, whereas Fail2Ban can work with iptables, TCP Wrappers, firewalld, and so on. Thus, option E is an incorrect choice.
10- Virginia is administering a Linux system with a firewall. She has already set up an IPset and named it BlockThem. A new attack has begun to occur from the 72.32.138.96 address. Along with super user privileges, what command should she issue to add this IPv4 address to the IPset?
- ipset create BlockThem hash:net
- ipset -n BlockThem hash:net
- ipset save -f /etc/ipset.conf
- ipset -A BlockThem 72.32.138.0/24
- ipset add BlockThem 72.32.138.96
ipset add BlockThem 72.32.138.96
The command in option E will properly add the new IP address to the BlockThem IPset. Thus, it is the correct answer. The commands in options A and B create the IPset and do not add new addresses to it. Therefore, those options are wrong answers. The command in option C will save the current IPset configuration to the IPset configuration file. While this is something Virginia should do after the new address is added, it is not the currently needed command. Thus, option C is a wrong answer. The command in option D adds an entire subnet of addresses to the IPset and not a single IP address. Thus, it is an incorrect answer as well.