Firewall theory - general
So you want to build a firewall. Great! A firewall is
essentially a series of rules for your box to follow when deciding what
sort of traffic to allow in and out. In order to be able to come up
with good rules for what should and shouldn't be allowed in or out,
you're going to have to know your system. Again. [grin] This is a
pretty common theme -- you have to know what's normal before you
start knowing what you have to watch out for.
Under modern Linux systems, there are basically two sorts of
native firewalls available. (Somewhat of a lie -- there are other
options available, too, but these are the ones we'll deal with for now.
Advanced firewalls in a bit.) If you have a 2.2 kernel, you can use
ipchains to create a firewall. If you have a 2.4 kernel, it's iptables
instead. If you're still running a system with a 2.0 kernel, there is
firewalling capability there too -- ipfwadm is the command to look into.
But I'd suggest upgrading -- there are many cool things you can do with
the newer firewalling capabilities.
To find out if you have a 2.2 or 2.4 kernel, run uname -a (for
all your system info) or just uname -r for the kernel version.
[user@linuxbox /dir]$ uname -a
Linux linuxbox 2.2.12-20 #1 Mon Sep 27 10:25:54 EDT 1999 i586 unknown
[user@linuxbox /dir]$ uname -r
So this box is a 2.2 kernel, and would use ipchains.
We'll get into the command lines and syntax and kernel
compilation for ipchains and iptables in a bit, but first let's start
thinking about what we want to let in and what we want to keep out.
In general, there are three sorts of packets that you need to be
concerned about -- TCP, UDP, and ICMP. (There are others, and we'll get
into them, but let's start simple.) Think about what sorts of traffic
you'd want to allow in, and out. You can also forward traffic
selectively, and do IP masquerading and NAT. Let's skip those for now,
though we will come back to them later.
So, let's start with my Linux box. You've seen the services it
offers. What do you think would be good TCP traffic to let in? To
block? To let out? What about UDP? Are you guys familiar with the
differences between them? (If not, say so and we'll go over that. A
good understanding of protocols is fundamental to understanding
If you were going to build me a firewall, what would you do?
Copyright (c) 2002 by Raven Alder. This material
may be distributed only subject to the terms and
conditions set forth in the Open Publication License,
v1.0 or later (the latest version is presently
available at http://www.opencontent.org/openpub/).