10 Firewalls: Ipchains syntax and implementation

Okay, I think we've covered a good bit of theory about what a firewall should and shouldn't allow now. Time to get to building them. We'll start with ipchains, since that's simpler than iptables, and move on up.

There is an excellent how-to that explains the rules of ipchains firewalling at http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html. I could go over the syntax (and will if anyone wants me to), but I feel like I'd be reinventing the wheel since I think Rusty's done such a good, clear job of it already. Section 4, http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html, is particularly helpful, and explains the basics of syntax. Please ask if anything is unclear or confusing.

So let's try to apply all this knowledge. You are a security consultant hired by the admin of example.com's network. You have the (we'll pretend that it's routable) IP block 10.1.1.0/24. Most of your network consists of Windows workstations. You also have some Linux workstations, an FTP server running under Solaris at 10.1.1.7, a Web server running under Linux at 10.1.1.14, and a file server for the Windows machines at 10.1.1.21. Your mail server is hosted on the same machine as your Web server (10.1.1.14). DNS is handled by a FreeBSD server at 10.1.1.5.

Your Windows users want to be able to "access the Internet". Your Linux users want to be able to ssh into their workstations from home so that they can work remotely. The company is worried about the security of its network, and wants you to firewall it off from the Internet without disrupting business. You decide to use ipchains under Linux.

What sort of a setup would you recommend? What further questions would you have for your employers? And what firewall ruleset(s) would you propose? We will assume for the purposes of this discussion that the Linux boxes you're using are already built, that firewalling and IP masquerading support are already compiled into the kernel, and that the Linux boxes have been stripped of unnecessary services and locked down. Post your ideas and rules to the list, and we'll discuss them and see what the best setup we can come up with for example.com is.
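One possible answer to the exercise, as an added example rather than a ruleset from the original lesson: a default-deny ipchains script for example.com that opens only the published services, logs what it drops, and masquerades the workstations. It assumes the firewall's eth0 faces the Internet and eth1 the LAN, that FW_EXT is its Internet-side address, and that LINUX_WS holds the ssh-enabled Linux workstations (the addresses given are placeholders the employer would have to supply, which is one of the questions to ask them).

```shell
#!/bin/sh
# Assumed layout (not given in the lesson): eth0 faces the Internet, eth1 sits
# on 10.1.1.0/24, FW_EXT is the firewall's Internet address. LINUX_WS lists the
# workstations that need inbound ssh; these addresses are placeholders.
EXT=eth0; INT=eth1; LAN=10.1.1.0/24; FW_EXT="${FW_EXT:-192.0.2.1}"
DNS=10.1.1.5; FTP=10.1.1.7; WEBMAIL=10.1.1.14; SMB=10.1.1.21
LINUX_WS="${LINUX_WS:-10.1.1.30 10.1.1.31}"

# Emit the ruleset through "$1": ipchains applies it, echo only prints it.
example_com_rules() {
  c="$1"
  $c -F
  $c -P input DENY; $c -P forward DENY; $c -P output ACCEPT  # nothing in unless listed
  $c -A input -i lo -j ACCEPT
  $c -A input -i "$EXT" -s "$LAN" -l -j DENY          # spoofed internal source
  $c -A input -i "$INT" -s "$LAN" -j ACCEPT           # LAN side is trusted
  # Published services: only the ports each host actually offers.
  $c -A input -i "$EXT" -p tcp -d "$WEBMAIL" 80 -j ACCEPT
  $c -A input -i "$EXT" -p tcp -d "$WEBMAIL" 25 -j ACCEPT
  $c -A input -i "$EXT" -p tcp -d "$DNS" 53 -j ACCEPT
  $c -A input -i "$EXT" -p udp -d "$DNS" 53 -j ACCEPT
  $c -A input -i "$EXT" -p tcp -d "$FTP" 21 -j ACCEPT  # passive-mode data ports still to be decided
  for ws in $LINUX_WS; do
    $c -A input -i "$EXT" -p tcp -d "$ws" 22 -j ACCEPT
  done
  # Windows file sharing never leaves the LAN; log attempts so they are seen.
  $c -A input -i "$EXT" -p tcp -d "$SMB" 137:139 -l -j DENY
  $c -A input -i "$EXT" -p udp -d "$SMB" 137:139 -l -j DENY
  # Replies to connections started from inside: TCP packets without SYN,
  # DNS answers to the name server, UDP answers to masqueraded clients.
  $c -A input -i "$EXT" -p tcp ! -y -j ACCEPT
  $c -A input -i "$EXT" -p udp -s 0/0 53 -d "$DNS" -j ACCEPT
  $c -A input -i "$EXT" -p udp -d "$FW_EXT" 61000:65096 -j ACCEPT
  $c -A input -i "$EXT" -l -j DENY                    # log whatever remains
  # Forwarding: the routable servers pass through unchanged; everything
  # else on the LAN is masqueraded behind FW_EXT on the way out.
  for s in $DNS $FTP $WEBMAIL; do
    $c -A forward -i "$EXT" -s "$s" -j ACCEPT
  done
  $c -A forward -i "$EXT" -s "$LAN" -j MASQ
  $c -A forward -i "$INT" -d "$LAN" -j ACCEPT
}

case "${1:-}" in
  apply)  echo 1 > /proc/sys/net/ipv4/ip_forward; example_com_rules ipchains ;;
  review) example_com_rules echo ;;
esac
```

Run it with `review` to read the generated rules before running it with `apply` on the firewall; the final logging DENY on the input chain is what tells you, from the kernel log, which traffic the employer forgot to mention.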

Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).