The Best Damn Firewall Book Period
Creating packet-filtering rules can become somewhat involved, mainly because you have to spend a great deal of time determining the source and destination IP addresses and ports. You also need to be familiar with how connections are made, managed, and ended. However, there are some simple rules that can help you create a packet filter as soon as possible. As far as outgoing traffic is concerned, you should take the following steps:
- Configure your Linux firewall to deny all outgoing traffic unless explicitly allowed. This means that your firewall will deny all services to your end users unless you allow them by creating a rule that permits a specific traffic type.
- Configure your firewall to allow your internal network to use ports over 1023. Most network clients use these ports to establish connections to network services.
- Identify the ports of the services to which you want to allow access. If, for example, you want to allow end users to access the Web, you must create a rule allowing all local network hosts to access all remote systems at ports 80 and 443. Likewise, if you want your local clients to use remote POP3 servers, you will have to allow local hosts to access remote systems at port 110.
As far as incoming traffic is concerned, you have many options. Many systems administrators want to create a firewall that forbids all incoming traffic, except for the TCP and UDP packets necessary when building up and tearing down a network connection. For example, if you want to allow internal clients to access the Web, you will need to allow remote hosts to make connections to your firewall. This involves allowing remote hosts to open their local ports above 1023 to access your systems at ports above 1023. Therefore, you should take the following steps:
- Configure your firewall to prohibit all incoming traffic from accessing any services below port 1023. The most secure firewall will not allow any connections to these ports.
- Forbid all incoming traffic unless it is part of an already established session. In Ipchains, the -y option will do this. In Iptables, you would use the --syn option. Each of these options will have the firewall match and discard any incoming packet with the SYN bit set. All other packets with the FIN or ACK bit set will be allowed, because the firewall assumes that these packets are part of an already established session (for example, an internal user is closing an SMTP or POP3 session with a remote host on the Internet). If you do not add this rule, then it is easier for malicious users to get around your firewall.
- Disable all incoming ICMP traffic to protect yourself against DoS attacks. This step is optional, of course, because disabling this feature often makes network troubleshooting quite difficult.
- Disable all forwarding except for networks that require it. The Ipchains and Iptables commands allow you to masquerade private IP networks. You want, however, to masquerade only certain networks.
- To enable logging, use the -l option in Ipchains, or the -j LOG target in Iptables.
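The outgoing and incoming steps above, as an added example that is not from the book: a shell script that emits the rule set in iptables-restore format (the Iptables form only; the Ipchains -y equivalent is not shown). The external interface eth0, internal interface eth1 and LAN 192.168.1.0/24 are constructed assumptions; run it with no argument to review the rules and with `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the book: emits an iptables-restore rule set that
# follows the outgoing and incoming steps above. Constructed assumptions:
# external interface eth0, internal interface eth1, LAN 192.168.1.0/24.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.1.0/24}
BLOCK_ICMP=${BLOCK_ICMP:-0}   # incoming step 3 is optional; set to 1 to enable

fw_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only the one private network that needs it
-A POSTROUTING -s $LAN -o $EXT_IF -j MASQUERADE
COMMIT
*filter
# default policy: deny everything not explicitly allowed below
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# incoming: nothing from outside may reach privileged ports on the firewall
-A INPUT -i $EXT_IF -p tcp --dport 0:1023 -j DROP
-A INPUT -i $EXT_IF -p udp --dport 0:1023 -j DROP
# incoming: discard packets that open a new session (SYN set); replies pass
-A INPUT -i $EXT_IF -p tcp --syn -j DROP
-A FORWARD -i $EXT_IF -p tcp --syn -j DROP
EOF
    if [ "$BLOCK_ICMP" = 1 ]; then
        echo "-A INPUT -i $EXT_IF -p icmp -j DROP"
    fi
    echo "# outgoing: LAN clients use ports above 1023 to reach only these services"
    for port in 80 443 110; do
        echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -p tcp --sport 1024:65535 --dport $port -j ACCEPT"
    done
    cat <<EOF
# replies (ACK/FIN set, never a bare SYN) back to the clients' high ports
-A FORWARD -i $EXT_IF -o $INT_IF -d $LAN -p tcp ! --syn --dport 1024:65535 -j ACCEPT
# log whatever falls through to the default DROP policy
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A FORWARD -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}
# "apply" loads the rules atomically (needs root); anything else just prints them
apply_rules() { fw_rules | iptables-restore; }
case "${1:-show}" in apply) apply_rules ;; *) fw_rules ;; esac
```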
Customized Packet Filtering
Your firewall configuration needs will be specific to your situation. You need to consider the design of your network, and the services you need to provide. If, for example, you want to allow remote clients to access certain internal hosts, such as a Web server, you can place the Web server outside the firewall, or you can allow incoming traffic to access port 80. Consider, however, that if you place your Web server behind your firewall, you will have to ensure that this request is then forwarded to a specific internal host. Later in this chapter, you will see how you can manipulate the default INPUT, FORWARD, and OUTPUT chains using Ipchains and Iptables.
It is common practice to use packet filtering to block the following:
- Incoming and outgoing ICMP packets
- Access to remote POP3 servers
- Access to remote SMTP servers
- Access to the Web, or to certain sites (unproductive or offensive sites)
- Access to additional remote TCP/IP services, such as Telnet, FTP, finger, and so forth
Configuring the Kernel
Most Linux operating systems, such as Red Hat, Slackware, SuSE, and Caldera, support IP forwarding, masquerading, and firewalling by default. However, you may have to reconfigure your kernel in order to provide full functionality. When recompiling the kernel, choose the Network packet filtering (replaces Ipchains) option in the Networking section. In the 2.2 and earlier kernels, check the following Networking options:
- Network firewalls
- TCP/IP networking
- IP accounting
Packet Accounting
Packet accounting is the ability to summarize protocol usage on an IP network. For example, you can use this feature to list the amount of TCP, ICMP, and IP traffic that passes through your interfaces. Once you have recompiled the kernel and restarted your system, find out if the following file is present in the /proc virtual file system:
/proc/net/ip_acct
If the file exists, then your kernel supports IP accounting, in addition to all other features. Of course, you may want to check to see if this file exists before taking the time to recompile the kernel.