Firewalling

By Kurt Seifried [email protected]


 

Firewalling is the practice of filtering network traffic, typically at the point where your network connects to another (e.g. the Internet, a customers LAN, etc.) network, that may be untrusted (in the case of the Internet) or perhaps even trusted (another floor of your building). Like firewalls in a large building, a network firewall can prevent and even block the spread of an attack if one segment is compromised successfully, like their namesake firewalls can stop your network from being further compromised. There is a good FAQ on Internet firewalls at: http://www.interhack.net/pubs/fwfaq/. A list of port numbers and what they are is available here at seifried.org.

 

Firewall software for Linux

Linux has gone through a series of firewalls. The most recent is IPTables (sometimes referred to as NETFILTER), preceding that was ipchains, and preceding this was ipfwadm, as well there are a number of other firewalls such as IPF and SINUS firewall (some of which only work on 2.0 and 2.2 series kernels so are largely obsolete). I would recommend using a 2.4 kernel with IPTables if possible since it offers stateful packet inspection, which makes firewalling protocols such as DNS and FTP properly a lot easier. Linux also supports IPMASQ (IP Masquerading) as part of it's firewall capabilities, an advanced form of NAT (Network Address Translation). IPMASQ allows you to hook up a network of computers to the Internet but proxy their connections at the IP level. Thus all traffic appears to be coming and going to one machine (the Linux IPMASQ box) which affords a high degree of protection to the internal network. As an added bonus the clients on the internal network require NO proxy configuration; as long as the Linux IPMASQ server is configured correctly, and the clients use it as their default gateway, things will work quite well.

Both ipchains and ipfwadm provide the following basic capabilities:

In addition to which ipchains supports:

The Firewall-HOWTO and "man <command>" (ipchains, ipfwadm or IPTables) page both cover in great detail the mechanics for setting up rules, but don't really cover the strategy for firewalling safely. Your first basic choice (well actually it's not so basic) to make is whether to go with default deny or default allow policies, followed by which services and hosts you wish to allow and block.

When deciding policy you should ideally choose a policy that will default to denying everything unless specifically allowed through (that is if there is a failure it will hopefully be minimized via default policies) or a policy that allows everything and blocks certain services/hosts. I typically use a policy of default denial as it can accommodate mistakes and changes more safely then a policy that defaults to allowing data through. 

Case in point, you have a server secured via firewalling, currently running Apache, you install WU-FTPD on it for internal use (so people can upload files) at 3 am, you forget to change the firewall rules. If you have chosen a policy of default allowal, anyone on the Internet can access the ftp server, and silly you, you installed an old version which allowed someone to compromise the machine. If on the other hand you go with a policy of default denial, they would not have access to the ftp server, and neither would your users, but you would find out quite quickly. Annoyed users are much easier to appease then fixing a network that has been compromised.

 

Firewall concepts

Some of the problems with firewalling and what you can do ensure they don't affect you to much.

 

IPTables

Firewalling for Linux 2.4 and 2.5. Provides stateful filtering unlike IPChains and IPFWADM. Combined with Linux advanced routing you can do many interesting and several downright bizarre things.

 

IPChains

Firewalling for Linux 2.2 and present in 2.4 for backwards compatibility as well. Does not provide stateful filtering, but provides chains, making it easier to manage then ipfwadm.

 

IPFWADM

Firewalling for Linux 2.0, no longer present. Not recommended.

 

Firewall piercing

Sometimes you will be stuck behind a firewall that is not properly set up, or otherwise stopping you from accessing data you need to. Other times users will simply want to climb over any walls you put on the network, and the best way to defend is to understand the attack. There is actually a mini-HOWTO on this; http://www.linuxdoc.org/HOWTO/mini/Firewall-Piercing.html. In addition to this is an add-on for the IP Masquerading code that allows certain types of VPN's through, you can get it at: ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html.

 


Back

Last updated on 27/9/2001

Copyright Kurt Seifried 2001 [email protected]