Firewall Fundamentals

Linux-based firewalls come in a variety of flavors. Originally, Linux firewalling was based on the ipfw code (which was itself taken from the Berkeley Software Distribution [BSD] of UNIX). This code comprised the original firewall capabilities within the Linux kernel. The next evolutionary step beyond ipfw was the ipfwadm utility (itself a rewrite of BSD's ipfw utility). This firewall code and utility began to be available in Linux kernels in the 1.0 series and provided significant flexibility by allowing the administrator to do the following:

  • Change the default policies for all firewall categories

  • Automatically add the necessary extra rules when the named hosts have more than one IP address

  • List and reset packet/byte counters atomically for setting up a reliable accounting scheme

  • List the existing rules in a number of formats

Additionally, the ipfwadm utility provided support for the following:

  • Specifying the interface address and/or name for the rules

  • Bidirectional rules, TCP ACK, and TCP SYN matching

  • Packet redirection (used for transparent proxying)

  • Masquerading

With the release of the Linux 2.2 kernel, a new filtering system, ipchains, took over. ipchains expanded the ipfwadm capabilities and was also a significant rewrite of the underlying filter code. Like ipfwadm firewalls, ipchains firewalls are not stateful: to let return traffic from a remote server back in, they must be configured to accept any inbound TCP packet with the ACK bit set. ipchains-based firewalls therefore rely on the packet itself (its header flags) to decide whether it is part of an existing connection. This is an inherently less-secure method, because an attacker can simply set the ACK bit on a crafted packet and pass straight through such a filter.

The Linux 2.4 kernel series witnessed another, more extensive rewrite of the Linux filtering and firewall capabilities: NetFilter. This rewrite produced a more mature, stateful firewall with more powerful inspection and logging capabilities; it tracks connections and accepts return traffic only when that traffic belongs to a connection it has already seen initiated. A further advantage of Linux firewalls is cost: they can be installed on commodity hardware, and there is a great deal of support for them in the open source community. Some companies have even begun to package Linux-based firewalls in a commercial format and provide commercial technical support for the product.
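The difference between the ipchains approach (accept anything with ACK set) and the NetFilter approach (consult a connection table) is easier to see in a small simulation than in rule syntax. The following is an added example, not code from the chapter or from the ipchains/NetFilter projects: it models a host that exposes SMTP on port 25, opens one outbound HTTP connection, and then receives a forged inbound packet with ACK set aimed at a closed port. All addresses, ports and the packet sequence are constructed for the demonstration. The stateless policy corresponds to an ipchains rule that accepts non-SYN TCP (`! -y`); the stateful policy corresponds to an iptables rule that accepts `--state ESTABLISHED,RELATED` and only otherwise allows SYNs to open ports.

```python
"""Stateless (ipchains-style) vs. stateful (NetFilter-style) TCP filtering.

Added example, not from the chapter. Addresses, ports and traffic below
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = True      # True = arriving from the outside world


OUR_HOST = "10.0.0.5"         # constructed address of the firewall host
OPEN_PORTS = {25}             # services we deliberately expose (SMTP)


def stateless_filter(pkt: Packet) -> str:
    """Decide from the packet alone, as ipfwadm/ipchains must.

    To let replies to our own connections in, every inbound segment with
    ACK set is accepted; only connection attempts (SYN without ACK) are
    restricted to the open ports. Nothing verifies that an ACK packet
    really answers a connection we started.
    """
    if not pkt.inbound:
        return "ACCEPT"
    if pkt.ack:
        return "ACCEPT"       # assumed to be return traffic
    if pkt.syn and pkt.dport in OPEN_PORTS:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Keep a connection table, as NetFilter's connection tracking does."""

    def __init__(self) -> None:
        # entries are (our_ip, our_port, peer_ip, peer_port)
        self.table: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                return "ACCEPT"                 # ESTABLISHED
            if pkt.syn and not pkt.ack and pkt.dport in OPEN_PORTS:
                self.table.add(key)             # NEW, to an open port
                return "ACCEPT"
            return "DROP"                       # no connection matches
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:
            self.table.add(key)                 # outbound NEW creates entry
        return "ACCEPT"


def run(policy, packets):
    """Apply a decision function to each packet in order."""
    return [policy(p) for p in packets]


# Constructed traffic: one legitimate outbound HTTP connection, a forged
# inbound "reply" to the closed SSH port, then a legitimate new SMTP session.
TRAFFIC = [
    Packet(OUR_HOST, 40000, "198.51.100.7", 80, syn=True, inbound=False),
    Packet("198.51.100.7", 80, OUR_HOST, 40000, syn=True, ack=True),
    Packet(OUR_HOST, 40000, "198.51.100.7", 80, ack=True, inbound=False),
    Packet("203.0.113.9", 31337, OUR_HOST, 22, ack=True),        # forged ACK
    Packet("203.0.113.9", 31337, OUR_HOST, 25, syn=True),        # new SMTP
]


def compare():
    """Return (stateless verdicts, stateful verdicts) for TRAFFIC."""
    return run(stateless_filter, TRAFFIC), run(StatefulFilter().decide, TRAFFIC)


if __name__ == "__main__":
    for pkt, a, b in zip(TRAFFIC, *compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport:<5} "
              f"stateless={a:<6} stateful={b}")
```

The forged packet (fourth entry) is accepted by the stateless policy purely because its ACK bit is set, while the stateful policy drops it because no table entry exists for that 4-tuple; the genuine reply to the outbound HTTP connection passes both. Real connection tracking also follows the TCP state machine and times entries out; this model only shows the part that matters for the ACK-bit bypass.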

This chapter provides an overview of how NetFilter and its utility, iptables, work.
