We're going to set up a firewall, so create some rules for a firewall, and the software we'll use is called iptables. And we're going to do it in a virtual network. So the first thing that we need to do is create that virtual network, so we'll go through those steps, and then we'll use and introduce iptables. To create the virtual network there are several steps. We're going to create this network, which looks like this. It's going to have five computers, five nodes. One will be the router, and in fact for iptables I think we'll just use one and three and four for most tasks. But we'll create that, and we'll use vn create topology 7.

But before we do that, we need to set things up and check that everything will work. So you've got internet access. So first open VirtualBox: from the menu open the GUI for VirtualBox. Click on that, and just check, because someone may have used these computers before, so there may be some nodes that exist. You should see just base; if so, leave it there. If you see other nodes, delete them. Sorry, if I see node1 I will delete that, and I'll delete all files. So you should have base, and base should be powered off. You should have no nodes there. We'll close that; we don't need that. We'll use the command line to manipulate the virtual machines. So with VirtualBox you can use the GUI to create virtual machines and open them, or you can use the command line, and that's what we'll do.

So first we need to just update our programs to create the topology. So cd into the directory; you should have svn virtnet. There's only three or four commands. Press enter: success. And then just type svn update and press enter.
It just downloads some files that are necessary to create our topology, and it should say updating. It may be different on some of the computers; it may download two or three files, and that may take a minute or so. Make sure you have internet access for that to work. Of course, that's the part where we needed internet access: it downloads from a server some new files that we'll use.

Once you've done that, cd into the directory bin/host. This directory contains the program to create our topology for us, and now create the topology: bash vn create topology, and we're creating topology number 7. That's the topology of those five nodes. So let's just be careful, it's wrapped around there, and press enter, and it should take a few minutes to create that topology. It should go through all those steps; it just creates those five VirtualBox machines. It takes a few minutes. If you didn't catch the commands I typed, they're in the file ITS 335 nodes. Okay, so the file ITS 335 nodes contains those commands that I just did, so I suggest having that open so you can see. What that's doing is creating five nodes and connecting them in the network topology that we desire.

While that's running, because we want to access all five nodes at the same time, I suggest you open another five terminals. Okay, so we're gonna have five nodes plus the original host, so open another five new terminals. So open five more, and eventually we'll log in for those five separate ones, so we can do things on each of those nodes at the same time. So open some more terminals, and you may want to use your workspaces. This icon, the workspace switcher, allows you to switch between the workspaces, or the desktops really. That allows you to have a little bit more space when you have those five terminals open. So in my case, where I only have a smaller screen.
I'm going to switch between the desktops. So I've got a number of terminals open, and I'm going to make mine different colors so we can distinguish between those five nodes. So you should have six terminals open: one is creating the topology now, and the other five we'll use in a moment once the topology is created. A shortcut to switch between desktops is Ctrl+Alt and the arrow keys; the Control key, Alt key and the arrows will switch between them.

While it's still running, let's look at what we're going to do in this task. So the homework has several tasks. We're just going to do some basics of adding firewall rules, and we're using the software iptables. And the first task will be to understand the difference between what we call the INPUT, FORWARD and OUTPUT chains. So the presentation gives some information about iptables and the way to think of it, some details. From your computer's perspective, packets come in to the network interface card, come into the operating system or the Linux kernel, and then they may be filtered. A firewall filters packets; a filter usually either accepts or drops them, and if they're accepted those packets go to the applications. So iptables is used to control the filters for what goes through to the applications, and the same in the other direction. iptables treats the set of filters in different what's called tables, and we're only using what's called the filter table today, the default option. But more importantly, it contains what it calls chains.
So let's explain that, and the picture maybe explains it the easiest. Think from your computer: people can send packets to your computer, your computer can send packets out, or, if your computer is a router, your computer can forward those packets through to someone else. So iptables allows us to treat those three types of packets separately, and that's performed using the three chains called the INPUT chain, the OUTPUT chain and the FORWARD chain. When we refer to the INPUT chain, it refers to only the packets that are going into your computer. The OUTPUT chain refers to the packets that are created by your computer and go out, and the FORWARD chain is for packets that are going through your computer, if you're a router only. Note that a packet that goes through your computer actually comes in and out again, but it's treated separately under this what's called FORWARD chain.

The main reason we need to know this is because iptables allows you to create separate rules for each of those chains. You can create a rule for the INPUT chain only, or the OUTPUT chain only, or for all of those chains, and those rules will only be applied to the packets which are either coming in, going out or being forwarded. Normally we'll run a firewall on a router, and the chain of interest is the FORWARD chain. So normally we deal with forwarding, and most of the tasks today will be about using the FORWARD chain, so we're not dealing much with the others. There are other chains, but they are not going to be used for our firewall today. PREROUTING and POSTROUTING are used for things like changing packets, modifying packets. Our firewall, in the simplest terms, will either drop or allow packets, but it can do more complex things like modify packets, and that's where the PREROUTING and POSTROUTING chains come into play. So just remember: INPUT, packets coming into your computer; OUTPUT, packets created by your computer going out; FORWARD, if you're a router, packets going through.

How are we going? Has everyone got their
topology created? I'm up to node 4. It's slow because of different reasons; one is the logging in to secure shell takes some time in checking. We need to set that up a bit better. So once you've got those five nodes created, we'll use them.

While we're waiting: the first task, we will add a rule to the firewall table. So what we do is the firewall administrators create rules, and we add them to the filter table because we want to filter packets. And the aim of the first rule is to block ping from working. We all know that ping uses the protocol ICMP. So what we'll do is we'll create a rule that will drop ICMP packets. And the first rule will be: drop packets being forwarded between the two subnets (sorry, I must have written that a little bit too quick: subnets). Because in our network we'll run the firewall on node 3; node 3 will be the firewall. So what we want to do is stop, say, computer 1 from pinging computer 4. So we'll add a rule that node 3, the router and the firewall, will drop ICMP packets.

And we're almost there on mine. I hope some of yours are finished being created. If they are, then on your five other terminals... so mine's just finished. You can check in VirtualBox; you should see node1 to 5 powered off. We don't use the GUI, we don't need it. Now I'll go to my other terminals and I'll log in to those nodes. I'll actually start them and log in, and the shortcut for doing that is vn ssh and then the node number. So on one terminal: vn ssh 1. What it does is starts the node and then logs in automatically for us. And do that on the other terminals for the other four nodes. It takes some time. This one for me is node 3, so that vn ssh program just starts the node, it boots the computer, and then eventually logs in. And you should see them all logged in and you get the prompt, logged into each of those five nodes. And I'll just clear on each of them. So I now have my five nodes running; I have terminals and I'm logged into each of them.
So we'll start setting things up for our firewall. So we want to add a rule on the firewall, and the firewall will be on node 3, to block, say, nodes 1 and 2 from pinging 4 and 5, and also in the opposite direction. So first let's just ping and see if it works, and note the IP addresses of these nodes. They all start with 192.168, and then the first subnet is .1: node 1 is .1.11, node 2 is .1.12. Nodes 4 and 5 are on subnet 192.168.2: .2.21 and .2.22. And the router is on both subnets. So first we'll just check that ping works. So on node 1 I'm going to ping, say, node 4, just three pings, a count of three: ping -c 3 192.168.2.21. And we should get a response, just to check that your network is working. If it's not, then we have a problem.

Now on our router, in my case the white one, node 3, let's add a rule to drop ICMP. And the command we'll use is iptables to modify the firewall. We need to be administrator, so we always use sudo with iptables. And the syntax, after some practice, becomes quite easy. We want to add a rule, dash uppercase A (-A): let's add a rule to the table. And we need to specify the chain. We're the router, so we mainly deal with the FORWARD chain. Add a rule to the FORWARD chain, so it applies only to the packets that are going to go through my computer, forwarded. And now we specify the conditions. What are the conditions we want? What packets should we drop? Ping packets. And how do we identify ping packets? The protocol, -p, is ICMP. So -p specifies the transport protocol; the common options we'll see are ICMP, TCP or UDP. If it's ICMP, we don't care about the source or destination, so we've not specified the source or destination. We don't care about port numbers; they're not relevant for ICMP. So if it's ICMP, then we take some action, and the syntax is we jump to some operation.
So -j: we jump to some operation, to drop those packets. Add a rule to the FORWARD chain; the conditions are that the packets must be using the protocol ICMP, and if that condition matches, we will drop those packets. Try it. We're prompted for the password, which is network, and then test. See if you can ping. So our firewall seems to work, and at least node 1 cannot ping node 4 in my case: three packets were transmitted, zero received. So the rule in this case: anything that was ICMP that was going through my router, I dropped it; I didn't allow it through.

See if you can ping from node 1 to the other nodes. So we pinged from node 1 to node 4. What about to node 5, which is .2.22? So we're on node 1; see if you can ping node 5. Yes or no? Why not? Because our firewall drops it. And then try to see if you can ping node 2. Okay, we cannot ping node 5, that's .2.22. Ping node 2, which is .1.12. Yes, we can ping node 2, because the packets don't go via the router; they're on the same subnet. So this is the case of, think of an internal computer talking to another internal computer: the firewall doesn't take any part in that communication. Can you ping node 3? Try to ping node 3. Why can you ping node 3? Because we applied the rule to the FORWARD chain. So here's the case: I'm pinging, and come back to our network diagram. So we saw the ping from node 1 to node 4 didn't work; the firewall blocks it. From 1 to 5 didn't work; the firewall blocks the packet, good. 1 to 2 works because we don't go via the firewall.
We just go via the switch, so we can ping 1 to 2. So here, although there's no actual switch in our network, in VirtualBox we can think of that as a switch that connects them. So there's a cable going from node 1 into the switch and the switch into the router, node 3. So 1 to 2 works; 1 to 3 also works, because the packet that comes from 1 to 3 is going into computer 3; it's not being forwarded by computer 3. Therefore we only apply the rules in the INPUT chain to that packet, which we didn't add a rule to. Can computer 3 ping computer 4? Try it: can node 3 ping node 4? So here we can test and confirm what we believe will happen. Node 3 to node 4: yes. Why? Because it's not forwarding that packet; it's outputting the packet. Okay, so that's the difference between INPUT, OUTPUT and FORWARD, and we can see the rules.

Switch to 3. So we added a rule to the FORWARD chain. Let's look at the rules. We can use iptables to list the rules; -L will list the rules. I'll zoom out a bit so it will fit in. sudo iptables -L should show you the rules. In the INPUT chain there are none. In the FORWARD chain there is one rule; that's the one we added. In the OUTPUT chain there are none. Remember, our firewall
we can think of as a table; each row specifies a rule. The output also shows us here that the default of our firewall is to accept: anything that's not in the table, we'll accept; anything that doesn't match the rules. We can see it in the raw form using the -n option, to see the actual addresses. So looking closer at the FORWARD chain, just at the FORWARD chain, ignoring the other two, it gives us some summary information: if the protocol is ICMP, if the source is anywhere, destination anywhere, then if our packet matches those conditions, take the action; the target is to drop that packet.

We can delete the rule using the exact same syntax as adding the rule, but -D instead of -A. There are other ways to delete, but that's one way: just the same as adding, but -D. So delete the rule; now add a rule to the INPUT chain. The INPUT chain on our router means the packets that come into our router. So now we have a rule only in the INPUT chain, no rules in FORWARD or OUTPUT. So this rule will only apply to packets that are sent to my router. Now test ping. See who can ping who: can node 1 ping node 4? Can node 1 ping node 3? Can node 3 ping node 4? Try those three cases: node 1 to 4, 1 to 3, and 3 to 4. Node 1 can ping node 4, because that ping packet is forwarded by the router. We've created a rule to only handle the packets which go into the router, not forwarded. So the firewall is not blocking this ping packet. The firewall is only blocking ping packets to the router. So if we try to ping the router, what happens? From node 1 to node 3, the packet is coming into the router and the rule should drop that packet. What about router to node 4? Try to ping from your router to node 4, for example. Why not? Have you done something wrong?
So from node 3 to node 4: we saw that 1 could ping node 4, because the firewall rule was only applying to packets which are coming in to node 3, so forwarding is okay, accepted. 1 could not ping node 3 because the INPUT rule drops that packet. Can node 3 ping node 4? No. Why not? We didn't change the OUTPUT rule. Node 3 can send a ping request to node 4, but will not receive the reply: the reply from 4 back to 3 comes in to node 3, so therefore that gets dropped. So with many applications, when they're request-response-based applications, if we drop one of the two, the application won't work. Here we're dropping the reply. So really we just need to drop either the request or the reply. So in this case it's dropping the reply.

Let's look at our firewall tables again. Let's clear the firewall table. So let's delete the rule that's there, and a quick way to delete is to flush: -F. We can flush a specific chain; flush means delete all. So a quick way to clear out the firewall rules is to flush the table. So the INPUT, FORWARD and OUTPUT chains are all empty, and the default policy is ACCEPT.

Let's look at the next task: add a rule to the firewall table to prevent node 1 from secure shelling to outside nodes. So think of node 1 and node 2 as inside, node 4 and 5 outside. Stop node 1 from SSHing into the outside nodes. Let's just check, before we add the rule, that we can: node 1 secure shell into node 4, for example. So secure shell gives us remote access to that computer. It's slow because it does some hostname or DNS lookups, trying to determine who it's connecting to, but because they're in the virtual network it's not responding, so eventually it logs into node 4. We've set up these nodes so that they automatically log in; you don't need a password. Okay, so just to make it easier for moving between the nodes, because they all have the same password, network, I've set it up just so it's auto login. So I secure shelled into node 4. Let's exit, log out.
I'm back to node 1. We'll do that again in a moment, but let's first add a rule to stop that from working. I want to stop node 1 being able to secure shell into node 4 and also node 5. Add a rule. What chain are we going to do it on? We want to stop, at the firewall, node 1 from accessing outside computers. The firewall is a router, and we're mainly going to use the FORWARD chain in this case: apply the rules to packets going through the router. What conditions do we want? How do we find the secure shell packets? Port number will be important. Before that, what protocol does secure shell use, what transport protocol? TCP. And specifically, we can usually identify applications by port numbers. What's the port number of a secure shell server? A web server we know as port 80; a secure shell server, it's 22. So the destination port: --dport is a special option, destination port 22. So this is an extra condition: if the protocol is TCP and if the destination port number is 22, because we know that the secure shell server will be listening on port 22. What other conditions do we want? Drop is the action, but there may be another condition that we should specify. The aim: prevent node 1 from secure shelling into any outside nodes. So in our simple network, we want to stop node 1 from secure shelling to 4 or 5 or anyone else who may be outside, but we don't want to stop node 2. So we should specify the source: if the source is node 1 and they're trying to connect to a secure shell server, then drop that. Let's find our router.
So I'll add another condition, -s for source, and it's going to wrap around. Specify the source address, node 1's address. We know secure shell uses TCP and the server listens on port 22. So if it's coming from node 1 to a secure shell server, jump to the action of DROP. Add the rule. You may check: list the rules, and this is where we should use the -n option to avoid this lookup. It does a lookup to try to find whether the IP address has an actual domain name, and it takes a long time. So it says there's a rule now: protocol TCP, if the source is node 1, if the destination is anywhere, if the destination port is secure shell, then drop it.

Let's try: go back to node 1 and see if we can secure shell again, and you shouldn't be able to. Okay, if you can, maybe your rules are not working correctly. Let's see some details of what's happening there. Eventually the secure shell... so it's trying to connect, it's sending the packets, node 3 is receiving them but dropping them. Let's check that. So I'll Ctrl+C to stop. It didn't work for me; we'll try it again in a moment. But let's capture packets on node 3 and see the packets coming in. We can use tcpdump to capture, coming into interface eth1, -n to avoid any DNS lookups, and we can select... so this is a way to filter: tcpdump shows many packets; in quotes, tcp, show just the TCP packets. So we'll run tcpdump and it will show us the packets coming in. It's running. I'll just zoom out a bit so it will show on one line. And now try secure shell, and then look at the tcpdump output. You should see some packets coming in to our router before they get dropped. What's happening is that TCP is retransmitting, and it tries multiple times before it gives up. Let's have a look in my case. I'll just highlight the first packet I see: node 1 connecting to the secure shell server. So look at the TCP packets; look at the times. Do you see any pattern?
Let's see the packets. They're all from my node 1, 192.168.1.11, going to the secure shell server on computer node 4, port 22. So the syntax we see is the IP address dot port number. The flag S here means what? What's the first TCP packet? S is for, when we use TCP we establish a connection, so we send a SYN packet. So this is the SYN packet being sent from my computer to the server. But it gets to the firewall; it's received by the router, but then the firewall drops it. So in fact this packet will not get to node 4. You could have captured on node 4 and seen that it doesn't arrive. Then a short time later my computer sends a SYN packet again, same destination, because it didn't get a reply; it retries. Send a SYN packet, we're expecting a SYN-ACK, we don't get one, so send another SYN packet. We're expecting a SYN-ACK, so after some time retry, and it keeps retrying. How often did it retry? Well, the first one was at 9:56:17 seconds. One second later it retried; two seconds later; four seconds later; eight seconds; sixteen seconds later, and you see the pattern: it's doubling the interval between retrying each time. 32 seconds later, and I think the last one is 64 seconds later, and then it gives up. So we don't see another packet, because we eventually got this error message saying cannot connect, the connection timed out. So this is just showing how the connection works with respect to retries. We keep trying to connect, but it won't connect, because we know that the firewall is dropping this packet; it never gets to the destination. Any questions before we move on to some other rules?

Let me find our other tasks. Let's try task three, where we access, instead of a secure shell server, a web server. And we'll do it and learn a little bit about HTTP along the way. Nodes 4 and 5 are already running web servers; so we've set them up so that they run web servers. Well, we need to start the web server.
So to start the web server, we'll run this command. The web server software is called Apache 2, and we can start it using this service command: start the apache2 service, and we do it on nodes 4 and 5. Just one of them is enough, but let's do it on both. So start the web server on node 4: sudo service apache2 start. Starting the web server gives this warning; don't worry about it. It's just that this web server doesn't have a real domain name, that's all. We haven't set up a domain name on this web server, so it's using just a special name for the server name. Do the same on node 5, although we may not use that today. So again, the web server should be running on 4 and 5.

Come back to my firewall. I'll stop tcpdump, and let's clear, let's flush our iptables, just get rid of the old rules, so we start from scratch again. So we have no rules here. Let's just check that our web server is working before we use our firewall. How are we going to access the website? So, different ways. We can use links, a text-based web browser. So on node 1: links is a text-based web browser, because we don't yet have a GUI on those virtual nodes; we just have the command line interface. We can try links, and we specify the destination address. We don't have a domain name for our web server, but we can use the IP address, for example to access the web server on node 4: links is the web browser, and open the URL http://192.168.2.21. Has it worked? Okay, it brings us to the default web page. This web page was created when we installed the web server, so the web server has a default web page. There's not much to see there. We'll quit, Q to quit; are you sure you want to quit? Yes, just to get out of there. Later we may use that to follow some links. So we can access the website. Let's just check on the web server where that web page was. Where would the web page be stored on the server? What directory?
Anyone remember? /var/www/index.html. So if you want to change that default web page, you can edit it; you need to do it as sudo: sudo nano index.html, and it'll open up that, just the default web page which is displayed by the web server. It works. So you can edit that web page; in a later topic we'll create some other web pages on our server.

Now we used links to access that web page. We can use other approaches as well. Back to node 1. So we used links. How does HTTP work? What are the messages that are sent by HTTP? A GET. We send a GET request from browser to server; the server, when it receives a GET request, sends back a response, usually containing the web page. What your web browser does is create the GET request in the right format. But we know the structure of a GET request, don't we? What does a GET request look like? Let's try. Let's download that web page using a different command, a simpler command: nc, or netcat. Netcat creates a simple TCP connection to a server, so netcat, connect to the web server, connect to that computer at port 80, because we know that the web server is on port 80. So we're going to do a very, very basic way to download the web page here, using netcat instead of a browser. So netcat will create a TCP connection to computer .2.21 at port 80, and then, if you remember netcat, we can type things in. What we would type in is the actual GET request, and I'll do it quite quickly, because that may time out if we don't send the GET request as fast as possible, or within some time. Let's try it, and we may try it again if it doesn't work fast enough. We're connecting; now we send a message, and the first line specifies the file to get, and we need one field that must be included; it's called the Host field, and I'll explain it in a moment. But see if it worked. In this case I sent this; that is, I typed in three lines there, and I did it quick because it times out if you don't send it within a few seconds. So what we did
there is, we don't need a web browser to request a web page, because HTTP just sends text-based messages. We can type in the GET request. So remember that a GET request starts with the word GET, followed by the web page we want to get, and then the protocol and version. So that's fixed; I know that we're using HTTP/1.1. I think most web browsers use that now. A GET request may have fields following it, and there's one field that we need to include; it's called the Host field, and it's quite simply the IP address of the web server or, if the web server has a domain name, the domain name. And then I press enter, and with a GET request we know it's the end of the request when we have a blank line, so I press enter twice. So in fact this is the request; it was sent to port 80 on .2.21. And when the web server receives such a request it sends back a reply, and the reply is my web page, including the header fields. Make sure you get yours to work. So make sure you type in the request in the exact correct format and within time; it may time out and give you some error response. If you get the URL wrong or the Host wrong, it may return an error. So we're using nc just as an alternative to create a raw connection. We will create the message; we will not use a web browser to create the GET request, we'll type it in. And we must type the request message in the exact right format, and an example is given here. And it times out if we don't do it quick enough.

Let's capture. And we can use tcpdump to capture, but it's quite a complex command to specify capturing only the HTTP messages, so I give it here. So it's best to copy and paste, because we need to specify: let's ignore the SYNs, SYN-ACKs and ACKs; just capture the data messages. This is the command using tcpdump. So on the router we'll capture that. So we haven't added a rule yet. We'll connect again; still no rules. So on the router we'll start capturing with this long command.
So copy and paste this so you don't get it wrong. What it does is capture packets coming into interface eth1, with some options just to show the output in a nice format, and to port 80, and this means just get the data messages, ignore the SYNs and SYN-ACKs. And this part redirects the output to a file. You can include that, but because I want to show it on the screen I'll omit the last part; but you can include it, so it outputs to a text file that you can save yourself. So it's capturing. Now access our website again. Again, I requested the web page, I got the response, and if we look at the capture we see a lot of messages here. They look strange, but they'll make sense. If you redirected it to http.txt, this information is saved in the text file, so you can open the text file, but I've just shown it directly on the screen.

What it shows is four packets: packet one being sent from my computer to the web server, packet two from my computer to the web server, and packet three from my computer to the web server. Packet four is from the web server back to my computer. It shows the actual packet contents, but some of the values are in these strange characters because they're not printable characters. But the thing that you'll recognize is what I typed in. This is the first part of the GET request. Even though the HTTP GET request is one message, it was sent in this case in three TCP packets, because I pressed enter each time. This was the first string I typed in; I pressed enter, the packet was sent. The next string I typed in was sent to the web server. And then the last one was actually just a blank line.
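The reassembly the web server does here, as an added example that is not part of the lecture: a small Python model of a server reading the three TCP segments that the router's tcpdump showed (request line, Host line, blank line) and only parsing the request once the blank line arrives. The segment payloads are constructed to match the request typed into nc above; the Host check follows the lecture's point that the field must be present.

```python
"""Reassemble an HTTP/1.1 GET request that arrived in several TCP segments.

Added example, not from the lecture: it models what the web server saw in
the capture above, one GET request typed into nc arriving as three TCP
segments, one per line, terminated by the blank line.
"""

# Constructed payloads: one TCP segment per line typed into nc. nc sends a
# bare "\n" for each enter; servers tolerate it, so both LF and CRLF work.
SEGMENTS = [
    b"GET /index.html HTTP/1.1\n",
    b"Host: 192.168.2.21\n",
    b"\n",
]


class HttpRequestAssembler:
    """Buffers TCP payload bytes until the blank line that ends the request
    head, then parses the request line and header fields."""

    def __init__(self):
        self.buf = b""

    def feed(self, payload):
        """Append one segment. Returns the parsed request once the head is
        complete, otherwise None (more segments needed)."""
        self.buf += payload
        for marker in (b"\r\n\r\n", b"\n\n"):   # head ends at first blank line
            end = self.buf.find(marker)
            if end != -1:
                head, self.buf = self.buf[:end], self.buf[end + len(marker):]
                return parse_request_head(head)
        return None


def parse_request_head(head):
    """Split the head into method, target, version and a header dict.
    Raises ValueError on malformed input; Host is required for HTTP/1.1,
    which is why the lecture insisted on typing that line."""
    lines = head.decode("iso-8859-1").replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host field")
    return {"method": parts[0], "target": parts[1],
            "version": parts[2], "headers": headers}


def reassemble(segments):
    """Feed segments in order and report how many were needed before the
    request was complete (the lecture's capture needed all three)."""
    asm = HttpRequestAssembler()
    for count, seg in enumerate(segments, start=1):
        req = asm.feed(seg)
        if req is not None:
            return count, req
    return len(segments), None


if __name__ == "__main__":
    n, req = reassemble(SEGMENTS)
    print("segments needed:", n)
    print("request:", req)
```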
I press enter again, and that is sent to the web server. The web server understands those three lines, or three packets, and realizes I'm requesting index.html, and the web server sends back in the last packet the contents of the response. So here we see the router seeing the request and response. This is not about iptables, but in our next topic, or our topic on web security, you'll see that it's very easy for a router to intercept web traffic. So if you want to stop someone in between you and the web server from viewing your request and response, you need to use HTTPS or some other security mechanisms.

So let's block HTTP. Let's not; I'll leave a task for you to block HTTP. It's very easy to block the web request; it's similar to secure shell. Let's move to the last task. So you should try and create a rule to prevent the internal nodes from accessing the web server on node 4. But let's go to tasks 4 and 5; task 4 especially is easy. Currently our firewall accepts everything; the default policy is ACCEPT. Let's change it to DROP, which is more secure. By default, accept anything that doesn't match the rules; we can change the policy to DROP: -P. What have I done wrong? We need to specify the chain. We can do it for all of them, but I'll just do it for FORWARD, because we're on our router, just so that we don't block ourselves from accessing the router. We'll just do it on FORWARD at this stage.
So anything that goes through our router now will be dropped. Let's test. Ping doesn't work from node 1 to node 4. Secure shell will not work. So this drops everything, and that's a more secure solution, in that now we need to create rules to allow what we want. It means mistakes will not allow people to access things that they shouldn't.

The last thing we want to do is look at stateful packet inspection. Remember that it becomes difficult to add rules to handle packets going in both directions. So the way to deal with that is using SPI, and what we can do on our firewall is enable SPI. It's not enabled by default; we need to turn it on, so that the firewall will automatically add entries to the SPI table that will accept packets which have been accepted by the firewall rules. So we'll do it and then we'll see the impact. So in iptables, the way to enable stateful packet inspection is this special command. We add it to the FORWARD chain. What we do is we want to maintain state: keep track of the connections which have been established, or related to established connections, and automatically accept them. So this is a special command with iptables that really enables stateful packet inspection. So let's turn it on; let's run that command. I'll copy and paste this. It means anything that's going through my firewall, if the packets are related to an existing or an established TCP connection, then I'll accept them automatically. So we as the administrator don't have to handle those rules. So all we need to do now is allow the first packet through. So let's say we want to allow secure shell access. Currently I cannot secure shell into computer .21.
Let's add a rule so that we can add to the forward chain a rule secure shell remember protocol tcp destination port 22 If we want to control the direction and allow say the internal nodes to access out but not the External nodes to access in we can specify other options like minus I for the input interface Maybe back to our picture of the router We'll come back to the command just to remind us Router three the internal network On the left we think of node one and two is inside four and five outside We want to allow say node one to secure shell out But not allow four to secure shell in So we want to allow packets that coming on the input interface eth one If it comes to the router In via eth one Then allow it But if it's coming in to interface eth two then don't allow it So we'll specify the interface has another option here If the packet is going through our router if it arrived on the input interface eth one means if it arrived from an internal computer If it's using tcp and it's going to a secure shell server Then accept the packet Let's test See if you can secure a shell from node one to node four It does some look up And eventually it should log us in It's slow because it tries to find the corresponding domain name now i'm logged in to node four So I successfully ssh from node one to node four the firewall allowed that the reason because of two things This rule Allows that first packet From the node one to node four to be accepted And then because we enabled sbi stafel packet inspection because the first packet is Is accepted the firewall automatically accepts all subsequent packets related to that connection So the reply the synac And all the data messages using that combination of port numbers and IP addresses Means that Now we automatically accepted Just list our rules So we've got two rules one is about stafel packet inspection And one was for secure shell The last thing we'd like to do is to view the entries of the sbi table It's not normally available via 
ip tables. We need some other software to view the connections that are currently established And We'll install the software to do that On the router software called contract for connection tracker So on the router run this command sudo apt to get install contract Install some software that allows to view the connections Yes to install And let it install Does it install anyone I think these these computers are set up to use the wrong server here trying to connect to this server and it will not connect So let's not install that software Control c We'll try that another day that connect contract software allows us to view the sbi table We can't do that with ip tables I forgot to set up the correct Connection there The connect correct server So let's recap on what we've done the first rule here and it's Split across across two lines is really to say use stafel packet inspection And if you remember from our lectures stafel packet inspection The firewall automatically records connections that have been accepted So that we as the administrator don't have to manually add rules to handle subsequent packets So all we need to do is add a rule to handle the first packet So here what we said is For the tcp packet going to the secure shell server accept that and any response For that the spi table will accept that as well If you want to see the details of Those rules because it only shows a short summary add the minus v option It gives us some more information about some statistics and says that The number of packets which have been accepted for example As you do things you'll see that There was one packet accepted by this rule And there's been 54 packets accepted by the spi table Those packets that are being accepted of when I do something on On node 4 using the secure shell connection and then I exit And more packets have been accepted in this case The one thing that we didn't get to do is to see the actual connections to see the contents of the spi table We'll try and 
demonstrate that at a later stage
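As an added illustration, not part of the lecture or its lab files, here is a small Python model of the FORWARD chain as configured above: default policy DROP, the ESTABLISHED,RELATED rule first, then the rule accepting SSH that arrives on eth1. The node addresses and port numbers are constructed for the example; the real topology's addresses are not given on the page.

```python
# Added example (not code from the lecture): a model of the FORWARD chain built
# above: policy DROP, an ESTABLISHED,RELATED rule, and SSH allowed in via eth1.
NODE1, NODE4 = "10.0.1.1", "10.0.2.4"   # constructed addresses, not the lab's

def conn_key(p):
    """Direction-independent 5-tuple, so a reply maps to the same SPI entry."""
    return (p["proto"],) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

class StatefulForward:
    def __init__(self):
        self.policy = "DROP"      # iptables -P FORWARD DROP
        self.spi_table = set()    # connections accepted so far (what conntrack shows)
        self.rules = [            # checked top to bottom, like iptables
            # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
            ("state", {}),
            # iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT
            ("match", {"in_iface": "eth1", "proto": "tcp", "dport": 22}),
        ]
        self.hits = [0] * len(self.rules)   # the counters 'iptables -L -v' shows

    def forward(self, p):
        """Verdict for one packet; an accepted packet is recorded in the SPI table."""
        for i, (kind, crit) in enumerate(self.rules):
            if kind == "state":
                hit = conn_key(p) in self.spi_table
            else:
                hit = all(p.get(k) == v for k, v in crit.items())
            if hit:
                self.hits[i] += 1
                self.spi_table.add(conn_key(p))
                return "ACCEPT"
        return self.policy        # nothing matched: the default policy decides

def pkt(in_iface, proto, src, sport, dst, dport):
    return {"in_iface": in_iface, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def demo():
    """SSH out from node1 succeeds; SSH in from node4 and a ping are dropped."""
    fw = StatefulForward()
    verdicts = [
        fw.forward(pkt("eth1", "tcp", NODE1, 40000, NODE4, 22)),  # SYN: SSH rule
        fw.forward(pkt("eth2", "tcp", NODE4, 22, NODE1, 40000)),  # SYN/ACK: SPI
        fw.forward(pkt("eth1", "tcp", NODE1, 40000, NODE4, 22)),  # data: SPI
        fw.forward(pkt("eth2", "tcp", NODE4, 41000, NODE1, 22)),  # SSH in: DROP
        fw.forward(pkt("eth1", "icmp", NODE1, 0, NODE4, 0)),      # ping: DROP
    ]
    return verdicts, fw.hits
```

The hit counters after `demo()` mirror what `-v` showed in the lecture: one packet on the SSH rule and the rest on the state rule, while the ping and the inbound SSH attempt fall through to the DROP policy.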