The Best Damn Firewall Book Period

Several attempts have been made to automate the process of creating a firewall in Linux, and developers are also busy creating GUI applications that make the job easier. Many of these utilities are quite useful, but they are mostly effective as a starting point for your firewall configuration; you will likely have to customize the rules these applications generate.

The more effective firewall scripts and GUI tools include the following:

Weighing the Benefits of a Graphical Firewall Utility

As you consider using any of the GUI applications covered in this section, keep in mind the following issues:

Firewall Works in Progress

The following is a partial list of applications being developed at the current time:

Exercise: Using Firestarter to Create a Personal Firewall

  1. Make the necessary preparations for your firewall. If you are creating a personal firewall, then you can simply move on to step 2. If you want to use your firewall to masquerade connections, you should understand that Firestarter may not do the best job creating forwarding and nat/masquerading rules, so you may want to create them first. You will see later in this exercise how you can configure Firestarter to enable masquerading for you.

  2. Once you have verified and tested your masquerading (if necessary), download the latest Firestarter RPM or tarball from http://sourceforge.net/projects/firestarter. The RPM and tarball packages are equivalent. They do not require any special libraries; if you have installed either the Gnome or KDE window managers, you will have no problem.

  3. Install Firestarter. If you are using the RPM, you would issue the following command:

    rpm -ivh firestarter-0.7.0-1.i386.rpm

  4. Now, start X and enter the following in a terminal:

    firestarter

  5. If an existing Ipchains or Iptables configuration exists, you may see the warning shown in Figure 5.3.

    Figure 5.3: Firestarter Warning

    If necessary, click Yes. You should note that this warning will also appear if you restart Firestarter. If you are using this wizard on a system that already has masquerading configured, you would click No to save this configuration. Firestarter will simply append its configuration to yours.

  6. When you first launch Firestarter, the configuration wizard, shown in Figure 5.4, should appear automatically.

    Figure 5.4: The Firestarter Configuration Wizard Initial Screen

    If the wizard does not appear, maximize the main interface and go to Firewall | Run firewall wizard.

  7. Once the wizard begins, click Next.

  8. The Network Device Configuration screen will appear, as shown in Figure 5.5. Select the interface you want to protect, and click Next.

    Figure 5.5: The Network Device Configuration Screen

    You will notice that in this particular example, the eth0 interface is selected. Firestarter is written well enough so that it will automatically detect all of your interfaces.

  9. The Services Configuration window, shown in Figure 5.6, will appear.

    Figure 5.6: The Services Configuration Window

  10. Configure the services that you want. Figure 5.6 shows that only SSH will be allowed to connect to the firewall. Your settings will differ according to your needs. When you are finished selecting the services you want to provide on this interface, click Next.

  11. The ICMP Configuration screen will appear, as shown in Figure 5.7. By default, Firestarter disables all ICMP filtering, which means that all ICMP packets will be allowed to pass through the firewall. Select Enable ICMP Filtering, and then select the ICMP packet types that you want to filter. You will notice that in this particular example, no ICMP packets will be allowed to traverse the firewall.

    Figure 5.7: The ICMP Configuration Screen

  12. When you have selected the ICMP packets you want to block, click Next. Firestarter will inform you that it is ready to generate the firewall, as shown in Figure 5.8. Click Finish to do so.

    Figure 5.8: Completing the Firewall Generation Process in Firestarter

  13. The wizard will disappear, and you will see the Firestarter main interface, shown in Figure 5.9.

    Figure 5.9: The Firestarter Main Interface

  14. The main interface defaults to the Firewall hits tab, which is a graphical logging device. If a packet matches the rules you have generated, it will be instantaneously logged here. From a remote system, generate some traffic that you have blocked. For example, if you have not enabled Telnet support, try to telnet to this system. After enough traffic is generated, you will see the logging screen fill up, as shown in Figure 5.10.

    Figure 5.10: Viewing Logged Packet Matches in Firestarter

  15. Now, select the Dynamic Rules tab. From here, you can add rules to those that Firestarter has automatically generated. It is important to understand that Firestarter imposes a fairly strict series of rules. You may need to open some ports to suit your needs. Following is a brief overview of your options:

    • Deny all connections from: Allows you to block a specific host. If, for example, you have left the SSH port open to all systems, you can specify a host or range of IP addresses here. As with any of the dynamic options, the rules you enter here will override any settings established by either Firestarter or the Firestarter wizard.

    • Allow all connections from: Enables you to allow a host or range of IP addresses full access to your system. Be careful when using this option, because it can expose your firewall to IP spoofing. Remember, it opens all ports on your interface to a remote system.

    • Open service to machine: Allows you to open a specific port or range of ports to a specific host or range of IP addresses.

    • Open service to anyone: Opens a port to all hosts on the network, and any other network. Like the Allow all connections from setting, this option is quite powerful, and can reduce your firewall's security. Specifying this option allows any host on your network or on any other to access the port you specify.

      You can also add and remove all rules in a particular group, or you can remove all of the dynamic rules you have created.

  16. Right-click in the Allow all connections from field, and then select Add new rule. You will see a dialog box, shown in Figure 5.11, where you can enter either an IP address or a host name. Enter the IP address of a remote host here. Although you can enter a DNS name, it is best if you use an IP address. When you are finished, click OK.

    Figure 5.11: The Add New Rule Dialog Box

  17. You will see that the IP address or host name (if this is what you entered) is entered in the Allow all connections from dialog box (Figure 5.12). Test this setting by using the remote client you have specified.

    Figure 5.12: Allowing SSH and Telnet Service to a System Named "keats"

  18. Experiment with the additional settings to see how well Firestarter is able to configure the interface to suit your needs.

    When you have configured Firestarter, open a second terminal and list the chains. If, for example, you are using Iptables, issue the following command:

    iptables -L

  19. You will see a list of many different rules, most of which have been added by Firestarter. Consider that some of these rules may not be necessary for your particular situation. Use the -D option to delete the rules you do not need. Make sure you test your firewall each time you delete a rule.

  20. When you are finished, use the iptables-save or ipchains-save command to save your rules:

    ipchains-save > firestarter.chains
    iptables-save > firestarter.chains

    You can then restore your firewall by using the ipchains-restore or iptables-restore command.
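    As an added example (not code from the book or from Firestarter), a small Python audit of an iptables-save dump of the kind step 20 writes to firestarter.chains. It flags the two rule shapes the dynamic-rules overview in step 15 warns about, a host accepted on every port and a port accepted from everyone, and reports each one with its rule number in the chain so it can be reviewed and, if unwanted, deleted as in step 19. The dump is a constructed sample, and the rule shapes are assumed from the descriptions of the options, not from Firestarter's actual rule generator.

```python
# Constructed sample in iptables-save format (standing in for the
# firestarter.chains file from step 20); it is not a real Firestarter dump.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -j LOG --log-prefix "Firestarter: "
COMMIT
"""

# Option flags whose following token we record from each rule line.
FLAGS = {"-s": "src", "-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Pull the fields we care about out of one '-A CHAIN ...' line."""
    tokens = line.split()
    rule = dict.fromkeys(FLAGS.values())
    rule["chain"] = tokens[1]
    for i, tok in enumerate(tokens[:-1]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = tokens[i + 1]
    return rule

def audit(dump, chain="INPUT"):
    """Return (rule number, classification, line) for each ACCEPT rule in the
    chain that admits a host on every port or opens a port to everyone.
    Rule numbers are 1-based positions in the chain, as iptables counts them."""
    findings, rule_no = [], 0
    for line in dump.splitlines():
        if not line.startswith("-A %s " % chain):
            continue
        rule_no += 1
        r = parse_rule(line)
        # Loopback and stateful-reply ACCEPTs are expected; only ACCEPTs for
        # new connections with no source or no port restriction are flagged.
        if r["target"] != "ACCEPT" or r["iface"] == "lo" or "--state" in line:
            continue
        if r["src"] and r["dport"] is None:
            findings.append((rule_no, "allow-all-from-host", line))
        elif r["dport"] and r["src"] is None:
            findings.append((rule_no, "open-service-to-anyone", line))
    return findings
```

    A rule restricted to both a source and a port (the Open service to machine shape, rule 4 in the sample) is not reported.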

  21. It is also possible to save the logs generated by Firestarter. In the main interface, go to Hit List | Save firewall hit list to file. You will be asked to enter the name of the text file where the logs will be stored. Do so, and then press OK. When you have saved the log file, open it in a text editor. You will see a report that details the connection, including the source IP address, the time of the attempted connection, and the protocol used.

  22. When you are finished saving your log, you can clear the log screen and begin logging again.

Exercise: Using Advanced Firestarter Features

  1. Go to Firewall | Preferences and examine the additional options offered by Firestarter. These include the ability to play a sound whenever a packet matches a rule, the option to start Firestarter "hidden" so that you do not see the interface, and, the most interesting feature, the option to show every page in the configuration wizard. You can access this last feature by selecting the Advanced icon and then clicking Show every page in wizard.

  2. When you have done this, restart the wizard. You will then be given additional options, including the ability to create masquerading rules, as shown in Figure 5.13, and the ability to create ToS associations, shown in Figure 5.14.

    Figure 5.13: The IP Masquerade Configuration Screen

    This particular page allows you to have Firestarter automatically discover the internal network IP range, although the autodetection works rather sporadically. If you do not want to rely on the Autodetect feature, you can specify your own range. In addition, notice that you can also enable specific port forwarding rules.

    Figure 5.14: The ToS Configuration Screen

    The ToS configuration feature is effective if you want to give certain services, such as e-mail or the X Window System, more priority than others have. In this particular example, the choice was made to give priority to server applications, such as FTP, Squid, SSH, SMTP, and POP3. You will, of course, choose the option that best suits your needs.

  3. When you are finished using the wizard, you can then re-edit your settings to create the best firewall for your situation.
