source: postlfs/security/firewalling.xml

trunk
Last change on this file was 2c87187, checked in by Bruce Dubbs <bdubbs@…>, 4 months ago

Spelling fixes

  • Property mode set to 100644
File size: 9.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="fw-firewall" xreflabel="Firewalling">
9 <?dbhtml filename="firewall.html"?>
10
11 <sect1info>
12 <date>$Date$</date>
13 </sect1info>
14
15 <title>Setting Up a Network Firewall</title>
16
17 <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
18 <title>Introduction to Firewall Creation</title>
19
20 <para>
21 The purpose of a firewall is to protect a computer or a network against
22 malicious access. In a perfect world every daemon or service, on every
23 machine, is perfectly configured and immune to security flaws, and all
24 users are trusted implicitly to use the equipment as intended. However,
25 this is rarely, if ever, the case. Daemons may be misconfigured, or
26 updates may not have been applied for known exploits against essential
27 services. Additionally, you may wish to choose which services are
28 accessible by certain machines or users, or you may wish to limit which
29 machines or applications are allowed external access. Alternatively, you
30 simply may not trust some of your applications or users. For these
31 reasons, a carefully designed firewall should be an essential part of
32 system security.
33 </para>
34
35 <para>
36 While a firewall can greatly limit the scope of the above issues, do not
37 assume that having a firewall makes careful configuration redundant, or
38 that any negligent misconfiguration is harmless. A firewall does not
39 prevent the exploitation of any service you offer outside of it. Despite
40 having a firewall, you need to keep applications and daemons properly
41 configured and up to date.
42 </para>
43
44 </sect2>
45
46 <sect2>
47 <title>Meaning of the Word "Firewall"</title>
48
49 <para>
50 The word firewall can have several different meanings.
51 </para>
52
53 <sect3>
54 <title>Personal Firewall</title>
55
56 <para>
57 This is a hardware device or software program, intended to secure a
58 home or desktop computer connected to the Internet. This type of
59 firewall is highly relevant for users who do not know how their
60 computers might be accessed via the Internet or how to disable
61 that access, especially if they are always online and connected
62 via broadband links.
63 </para>
64
65 <para>
66 An example configuration for a personal firewall is provided at
67 <xref linkend="fw-persFw-ipt"/>.
68 </para>
69
70 </sect3>
71
72 <sect3>
73 <title>Masquerading Router</title>
74
75 <para>
76 This is a system placed between the Internet and an intranet.
77 To minimize the risk of compromising the firewall itself, it should
78 generally have only one role&mdash;that of protecting the intranet.
79 Although not completely risk-free, the tasks of doing the routing and
80 IP masquerading (rewriting IP headers of the packets it routes from
81 clients with private IP addresses onto the Internet so that they seem
82 to come from the firewall itself) are commonly considered relatively
83 secure.
84 </para>
85
86 <para>
87 An example configuration for a masquerading firewall is provided at
88 <xref linkend="fw-masqRouter-ipt"/>.
89 </para>
90
91 </sect3>
92
93 <sect3>
94 <title>BusyBox</title>
95
96 <para>
97 This is often an old computer you may have retired and nearly
98 forgotten, performing masquerading or routing functions, but offering
99 non-firewall services such as a web-cache or mail. This may be used
100 for home networks, but is not to be considered as secure as a firewall
101 only machine because the combination of server and router/firewall on
102 one machine raises the complexity of the setup.
103 </para>
104
105 <para>
106 An example configuration for a BusyBox is provided at
107 <xref linkend="fw-busybox-ipt"/>.
108 </para>
109
110 </sect3>
111
112 <sect3>
113 <title>Firewall with a Demilitarized Zone</title>
114
115 <para>
116 This type of firewall performs masquerading or routing, but grants
117 public access to some branch of your network that is physically
118 separated from your regular intranet and is essentially a separate
119 network with direct Internet access. The servers on this network are
120 those which must be easily accessible from both the Internet and
121 intranet. The firewall protects both networks. This type of firewall
122 has a minimum of three network interfaces.
123 </para>
124
125 </sect3>
126
127 <sect3>
128 <title>Packetfilter</title>
129
130 <para>
131 This type of firewall does routing or masquerading but does
132 not maintain a state table of ongoing communication streams. It is
133 fast but quite limited in its ability to block undesired packets
134 without blocking desired packets.
135 </para>
136
137 </sect3>
138
139 </sect2>
140
141 <sect2>
142 <title>Conclusion</title>
143
144 <caution>
145 <para>
146 The example configurations provided for <xref linkend="iptables"/>
147<!-- and <xref linkend="nftables"/> -->
148 are not intended to be a complete guide to
149 securing systems. Firewalling is a complex issue that requires careful
150 configuration. The configurations provided by BLFS are intended only to
151 give examples of how a firewall works. They are not intended to fit any
152 particular configuration and may not provide complete protection from
153 an attack.
154 </para>
155 </caution>
156<!--
157 <para>
158 BLFS provides two utilities to manage the kernel Netfilter interface,
159 <xref linkend="iptables"/> and <xref linkend="nftables"/>.
160 </para>
161-->
162 <para>
163 BLFS provides an utility to manage the kernel Netfilter interface,
164 <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
165 and has been the standard since. This is likely the set of tools that
166 will be most familiar to existing admins. Other tools have been
167 developed more recently, see the list of further readings below
168 for more details. Here you will find a
169 list of URLs that contain comprehensive information about building
170 firewalls and further securing your system.
171 </para>
172<!--
173 <para>
174 <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
175 and provies all of the same functionality with a single userspace tool,
176 <command>nft</command>, that uses similar syntax to BSD's
177 <application>pf</application> utility, and may be easier for new users or
178 admins already familiar with that platform.
179 </para>
180
181 <para>
182 While both can be used in tandem, that is an advanced configuration and
183 you should decide on one or the other. Both pages include very simple
184 example configurations, and customization of the provided configurations
185 for your specific environment will be necessary if you elect to use
186 either without a configuration tool.
187 </para>
188
189 <para>
190 Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
191 provided to greatly ease firewall configuration for both simple and
192 complex environments, and can be used with either tool. You should not
193 use the example configurations if you intend to use
194 <application>firewalld</application> to manage your firewall rules.
195 </para>
196
197 <para>
198 If you elect to configure manually, have a look at the
199 list of further reading below for more details. Here you will find a
200 list of URLs that contain comprehensive information about building
201 firewalls and further securing your system.
202 </para>
203-->
204 </sect2>
205
206 <sect2 id="fw-extra-info">
207 <title>Extra Information</title>
208
209 <sect3>
210 <title>Further Reading on Firewalls</title>
211
212 <blockquote>
213 <literallayout>
214<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
215<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
216<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
217<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
218<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
219<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
220<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
221<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
222<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
223<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
224<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
225<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
226<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
227<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
228<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
229<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
230<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
231 </literallayout>
232 </blockquote>
233
234 </sect3>
235
236 </sect2>
237
238</sect1>
Note: See TracBrowser for help on using the repository browser.