The Best Damn Firewall Book Period

Regardless of whether you are implementing a packet filter or a proxy server, a firewall provides several services. The most essential Linux firewall functions include:

• IP address conservation and traffic forwarding Many firewalls first act as routers so that different networks (the 192.168.1.1/24 and 10.100.100.0/24 networks) can communicate with each other. Many network administrators use only this function to help create additional subnets. This feature is included as a firewall element simply because it is accomplished using either Ipchains or Iptables. Thus, anyone with only one IP address can create a local area network (LAN) or wide area network (WAN) that has full access to the Internet. You should understand, however, that a firewall does not necessarily have to provide Network Address Translation (NAT). Still, many firewalls (including those provided by Linux and Ipchains/Iptables) allow you to choose this feature.

• Network differentiation A firewall is the primary means of creating a boundary between your network and any other network. Because it creates a clear distinction between networks, a firewall helps you manage traffic. A firewall does not necessarily need to be deployed between a trusted, private network and the Internet. Many times, a firewall is deployed within a company network to further differentiate certain company divisions (such as research and development or accounting) from the rest of the network.

• Protection against denial-of-service (DoS), scanning, and sniffing attacks A firewall acts as a single point that monitors incoming and outgoing traffic. It is possible for this firewall to limit any traffic you choose.

• IP and port filtering The ability to allow or reject a connection based on IP address and port. Such filtering is likely the most understood function of a firewall. Generally, this type of filtering is usually accomplished by packet filters (in other words, Linux systems that use either Ipchains or Iptables). Packet filtering can become quite complex, because you must always consider that traffic can be filtered according to the source of the packet, as well as the packet's destination. For example, a packet filter can block traffic to your network if it originates from a particular IP address and port.

• Content filtering Proxy servers are generally the only types of firewall that manages and controls traffic by inspecting URL and page content. If configured properly, a proxy-oriented firewall can identify and block content that you consider objectionable.

• Packet redirection Sometimes, it is necessary for a firewall to send traffic to another port or another host altogether. For example, suppose you have installed Squid proxy server on a separate host than your firewall. It is likely that you will want to have your firewall automatically forward all traffic sent to ports 80 and 443 (the standard HTTP and HTTPS ports) to your proxy server for additional processing.

• Enhanced authentication and encryption A firewall has the ability to authenticate users, and encrypt transmissions between itself and the firewall of another network.

• Supplemented logging One of the most important—although commonly ignored—benefits of a firewall is that it allows you to examine all details about network packets that pass through it. You can learn, for example, about port scans and various connections to your system.

Building a Personal Firewall

It is possible to use Iptables or Ipchains on a standard client system. A personal firewall can be helpful in the following situations:

• You have only one system directly connected to the Internet, and don't want to create a router or a firewall as an intervening host.

• You want to log all blocked (or even allowed) traffic, and then read the entries in the /var/log/messages file.

• You want to block certain ports, such as those belonging to X (177 tcp and 177 udp, and tcp ports 6000 and 7100).

• You want to disable all pinging on the host. If you don't want to use Iptables or Ipchains, you can change the value of /proc/sys/net/ipv4/icmp_echo_ignore_all to 1 using

  • echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all.

When it comes to building any type of firewall, it is important to consider your own situation. The commands you learn in the next section will help you implement the proper solution.

Understanding Packet Filtering Terminology

Generally, whenever a packet passes through a firewall, it is compared to its rules. If a packet matches a rule, then the firewall processes the packet.

Whenever a packet enters a chain in Ipchains, it must pass all the way through before the kernel allows it to pass on to the operating system, or pass through to another host. Iptables uses a similar principle, except that it allows you to create specific tables that can be either processed or ignored, making the packet-filtering process quicker and more efficient. Iptables will likely become the standard for some time. Now that you understand some of the basic firewall terms, it is time to learn more about the most common uses of a Linux system in regard to routing and firewalling.

Many times, a router can be a completely separate host from the firewall. This is especially the case in medium to large networks, where it is necessary to balance the load between the two. However, routers commonly have features that allow you to program them as a packet filter. Linux is a particularly handy tool because it allows you to do both simple routing and packet filtering.

Choosing a Linux Firewall Machine

Contrary to what you may think, a firewall does not necessarily have to be the most powerful system on your network. It should, however, be a dedicated host, which means that you should not run any other services. The last thing you want to do is configure your firewall to also be a Samba server or print server. Additional services may cause a performance drain, and may open up vulnerabilities as well.

Ideally, a small network would be well served by a typical Pentium III or Pentium IV system with 128MB of RAM and a 500MHz processor. Depending on the amount of traffic the network generates, however, you could get by with a much less powerful system. It is not uncommon to see a network with 25 systems accessing the Internet using a Linux router that is no more powerful than a low-end 300MHz system. A good NIC is vital for firewalls and routers.

Larger businesses, say, those with demands for Web surfing, e-mail retrieval, and additional protocols, may require a more powerful system. Considerations for more powerful systems might include:

• A 1GHZ processor.

• At least 256MB of RAM (512MB of RAM or more may be preferable).

• Quality network interfaces and I/O cards, and possibly RAID 0 for faster data processing. RAID 0 does not provide data redundancy. It does, however, provide you with faster read/write time, which is helpful in regard to a firewall. Although a firewall does not store data as would a database application server, fast I/O is important, because you want the machine to process data as quickly as possible. Fast I/O is especially important if you plan to log extensive amounts of data.

• SCSI hard drives. SCSI systems tend to be faster and longer lasting than their IDE counterparts, thus allowing you a more powerful firewall.

Protecting the Firewall

One of the benefits of having a firewall is that it provides a single point that processes incoming and outgoing traffic. However, consider that a firewall can also provide a central point of attack or failure. A firewall does inform a hacker that a series of networks does exist behind it. If a hacker is able to defeat this one firewall, the entire network would be open to attack. Furthermore, if a hacker were able to somehow disable this host, the entire network would be denied all Internet services. It is important, therefore, that you take measures to protect your firewall. Consider the following options:

• Limit router and firewall access to interactive login only, and physically secure the system. This way, your firewall is much less susceptible to remote attack. It is still possible, however, that problems in the kernel (for example, buffer overflows and other programming problems) may occur. Such problems can lead to compromise of the system, even if you have no other services running.

• If remote access is necessary, access the firewall only via Secure Shell (SSH) or Stunnel, properly configured to use public keys to authenticate. Although SSH is not immune to security threats, it is one of the most popular and secure remote administration tools for Linux firewalls. Stunnel is also another viable option. You can get Stunnel from www.stunnel.org.

• Create a backup host: If your host crashes due to an attack, or simply because of a hard drive failure, you should have an identical system available as a replacement. If that is not possible, make sure you have a copy of the kernel configuration, the Iptables configuration, and most everything in the /etc directory.

• Monitor the host: Use an IDS application to listen in on connections made to your router. Usually, installing an IDS application on a separate host on the network is best. This is called passive monitoring, because the remote host does not consume the system resources of the firewall. The IDS application can, for example, send a random ping to the firewall to test whether it is up, and can then inform you if the host is down. Consider using an application such as Cheops, for example.

• Watch for bug reports concerning Ipchains, Iptables, the Linux kernel, and any applications such as SSH that you have installed. Keeping current about such changes can help you quickly upgrade your system in case a problem is discovered.