06 Firewall theory - general

Firewall theory - general

So you want to build a firewall. Great! A firewall is essentially a series of rules for your box to follow when deciding what sort of traffic to allow in and out. In order to be able to come up with good rules for what should and shouldn't be allowed in or out, you're going to have to know your system. Again. [grin] This is a pretty common theme -- you have to know what's normal before you start knowing what you have to watch out for.

Under modern Linux systems, there are basically two sorts of native firewalls available. (Somewhat of a lie -- there are other options available, too, but these are the ones we'll deal with for now. Advanced firewalls in a bit.) If you have a 2.2 kernel, you can use ipchains to create a firewall. If you have a 2.4 kernel, it's iptables instead. If you're still running a system with a 2.0 kernel, there is firewalling capability there too -- ipfwadm is the command to look into. But I'd suggest upgrading -- there are many cool things you can do with the newer firewalling capabilities.

To find out if you have a 2.2 or 2.4 kernel, run uname -a (for all your system info) or just uname -r for the kernel version.

[user@linuxbox /dir]$ uname -a
Linux linuxbox 2.2.12-20 #1 Mon Sep 27 10:25:54 EDT 1999 i586 unknown 

[user@linuxbox /dir]$ uname -r
So this box is a 2.2 kernel, and would use ipchains.

We'll get into the command lines and syntax and kernel compilation for ipchains and iptables in a bit, but first let's start thinking about what we want to let in and what we want to keep out.

In general, there are three sorts of packets that you need to be concerned about -- TCP, UDP, and ICMP. (There are others, and we'll get into them, but let's start simple.) Think about what sorts of traffic you'd want to allow in, and out. You can also forward traffic selectively, and do IP masquerading and NAT. Let's skip those for now, though we will come back to them later.

So, let's start with my Linux box. You've seen the services it offers. What do you think would be good TCP traffic to let in? To block? To let out? What about UDP? Are you guys familiar with the differences between them? (If not, say so and we'll go over that. A good understanding of protocols is fundamental to understanding firewalling.)

If you were going to build me a firewall, what would you do?

Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).