[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 | ]>
|
---|
| 7 |
|
---|
[dd362e5] | 8 | <sect1 id="fw-firewall" xreflabel="Firewalling">
|
---|
[8920dfa] | 9 | <?dbhtml filename="firewall.html"?>
|
---|
| 10 |
|
---|
| 11 | <sect1info>
|
---|
| 12 | <date>$Date$</date>
|
---|
| 13 | </sect1info>
|
---|
| 14 |
|
---|
| 15 | <title>Setting Up a Network Firewall</title>
|
---|
| 16 |
|
---|
| 17 | <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
|
---|
| 18 | <title>Introduction to Firewall Creation</title>
|
---|
| 19 |
|
---|
[018c0cc3] | 20 | <para>
|
---|
| 21 | The purpose of a firewall is to protect a computer or a network against
|
---|
| 22 | malicious access. In a perfect world every daemon or service, on every
|
---|
| 23 | machine, is perfectly configured and immune to security flaws, and all
|
---|
| 24 | users are trusted implicitly to use the equipment as intended. However,
|
---|
| 25 | this is rarely, if ever, the case. Daemons may be misconfigured, or
|
---|
| 26 | updates may not have been applied for known exploits against essential
|
---|
| 27 | services. Additionally, you may wish to choose which services are
|
---|
| 28 | accessible by certain machines or users, or you may wish to limit which
|
---|
| 29 | machines or applications are allowed external access. Alternatively, you
|
---|
| 30 | simply may not trust some of your applications or users. For these
|
---|
| 31 | reasons, a carefully designed firewall should be an essential part of
|
---|
| 32 | system security.
|
---|
| 33 | </para>
|
---|
| 34 |
|
---|
| 35 | <para>
|
---|
| 36 | While a firewall can greatly limit the scope of the above issues, do not
|
---|
| 37 | assume that having a firewall makes careful configuration redundant, or
|
---|
| 38 | that any negligent misconfiguration is harmless. A firewall does not
|
---|
| 39 | prevent the exploitation of any service you offer outside of it. Despite
|
---|
| 40 | having a firewall, you need to keep applications and daemons properly
|
---|
| 41 | configured and up to date.
|
---|
| 42 | </para>
|
---|
[8920dfa] | 43 |
|
---|
| 44 | </sect2>
|
---|
| 45 |
|
---|
| 46 | <sect2>
|
---|
| 47 | <title>Meaning of the Word "Firewall"</title>
|
---|
| 48 |
|
---|
[018c0cc3] | 49 | <para>
|
---|
| 50 | The word firewall can have several different meanings.
|
---|
| 51 | </para>
|
---|
[8920dfa] | 52 |
|
---|
| 53 | <sect3>
|
---|
[018c0cc3] | 54 | <title>Personal Firewall</title>
|
---|
[8920dfa] | 55 |
|
---|
[018c0cc3] | 56 | <para>
|
---|
| 57 | This is a hardware device or software program, intended to secure a
|
---|
| 58 | home or desktop computer connected to the Internet. This type of
|
---|
| 59 | firewall is highly relevant for users who do not know how their
|
---|
| 60 | computers might be accessed via the Internet or how to disable
|
---|
| 61 | that access, especially if they are always online and connected
|
---|
| 62 | via broadband links.
|
---|
| 63 | </para>
|
---|
| 64 |
|
---|
| 65 | <para>
|
---|
| 66 | An example configuration for a personal firewall is provided at
|
---|
| 67 | <xref linkend="fw-persFw-ipt"/>.
|
---|
| 68 | </para>
|
---|
[8920dfa] | 69 |
|
---|
| 70 | </sect3>
|
---|
| 71 |
|
---|
| 72 | <sect3>
|
---|
[018c0cc3] | 73 | <title>Masquerading Router</title>
|
---|
[8920dfa] | 74 |
|
---|
[018c0cc3] | 75 | <para>
|
---|
| 76 | This is a system placed between the Internet and an intranet.
|
---|
| 77 | To minimize the risk of compromising the firewall itself, it should
|
---|
| 78 | generally have only one role—that of protecting the intranet.
|
---|
| 79 | Although not completely risk-free, the tasks of doing the routing and
|
---|
| 80 | IP masquerading (rewriting IP headers of the packets it routes from
|
---|
| 81 | clients with private IP addresses onto the Internet so that they seem
|
---|
| 82 | to come from the firewall itself) are commonly considered relatively
|
---|
| 83 | secure.
|
---|
| 84 | </para>
|
---|
| 85 |
|
---|
| 86 | <para>
|
---|
| 87 | An example configuration for a masquerading firewall is provided at
|
---|
| 88 | <xref linkend="fw-masqRouter-ipt"/>.
|
---|
| 89 | </para>
|
---|
[8920dfa] | 90 |
|
---|
| 91 | </sect3>
|
---|
| 92 |
|
---|
[d612b9f] | 93 | <sect3>
|
---|
[018c0cc3] | 94 | <title>BusyBox</title>
|
---|
| 95 |
|
---|
| 96 | <para>
|
---|
| 97 | This is often an old computer you may have retired and nearly
|
---|
| 98 | forgotten, performing masquerading or routing functions, but offering
|
---|
| 99 | non-firewall services such as a web-cache or mail. This may be used
|
---|
| 100 | for home networks, but is not to be considered as secure as a firewall
|
---|
| 101 | only machine because the combination of server and router/firewall on
|
---|
| 102 | one machine raises the complexity of the setup.
|
---|
| 103 | </para>
|
---|
[8920dfa] | 104 |
|
---|
[018c0cc3] | 105 | <para>
|
---|
| 106 | An example configuration for a BusyBox is provided at
|
---|
| 107 | <xref linkend="fw-busybox-ipt"/>.
|
---|
| 108 | </para>
|
---|
[8920dfa] | 109 |
|
---|
| 110 | </sect3>
|
---|
| 111 |
|
---|
| 112 | <sect3>
|
---|
[018c0cc3] | 113 | <title>Firewall with a Demilitarized Zone</title>
|
---|
| 114 |
|
---|
| 115 | <para>
|
---|
| 116 | This type of firewall performs masquerading or routing, but grants
|
---|
| 117 | public access to some branch of your network that is physically
|
---|
| 118 | separated from your regular intranet and is essentially a separate
|
---|
| 119 | network with direct Internet access. The servers on this network are
|
---|
| 120 | those which must be easily accessible from both the Internet and
|
---|
| 121 | intranet. The firewall protects both networks. This type of firewall
|
---|
| 122 | has a minimum of three network interfaces.
|
---|
| 123 | </para>
|
---|
[8920dfa] | 124 |
|
---|
| 125 | </sect3>
|
---|
| 126 |
|
---|
| 127 | <sect3>
|
---|
| 128 | <title>Packetfilter</title>
|
---|
| 129 |
|
---|
[018c0cc3] | 130 | <para>
|
---|
| 131 | This type of firewall does routing or masquerading but does
|
---|
| 132 | not maintain a state table of ongoing communication streams. It is
|
---|
| 133 | fast but quite limited in its ability to block undesired packets
|
---|
| 134 | without blocking desired packets.
|
---|
| 135 | </para>
|
---|
[8920dfa] | 136 |
|
---|
| 137 | </sect3>
|
---|
| 138 |
|
---|
| 139 | </sect2>
|
---|
| 140 |
|
---|
[018c0cc3] | 141 | <sect2>
|
---|
| 142 | <title>Conclusion</title>
|
---|
[8920dfa] | 143 |
|
---|
| 144 | <caution>
|
---|
[018c0cc3] | 145 | <para>
|
---|
| 146 | The example configurations provided for <xref linkend="iptables"/>
|
---|
| 147 | <!-- and <xref linkend="nftables"/> -->
|
---|
| 148 | are not intended to be a complete guide to
|
---|
| 149 | securing systems. Firewalling is a complex issue that requires careful
|
---|
| 150 | configuration. The configurations provided by BLFS are intended only to
|
---|
| 151 | give examples of how a firewall works. They are not intended to fit any
|
---|
| 152 | particular configuration and may not provide complete protection from
|
---|
| 153 | an attack.
|
---|
| 154 | </para>
|
---|
[8920dfa] | 155 | </caution>
|
---|
[018c0cc3] | 156 | <!--
|
---|
| 157 | <para>
|
---|
| 158 | BLFS provides two utilities to manage the kernel Netfilter interface,
|
---|
| 159 | <xref linkend="iptables"/> and <xref linkend="nftables"/>.
|
---|
| 160 | </para>
|
---|
| 161 | -->
|
---|
| 162 | <para>
|
---|
| 163 | BLFS provides an utility to manage the kernel Netfilter interface,
|
---|
| 164 | <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
|
---|
| 165 | and has been the standard since. This is likely the set of tools that
|
---|
| 166 | will be most familiar to existing admins. Other tools have been
|
---|
[2c87187] | 167 | developed more recently, see the list of further readings below
|
---|
[018c0cc3] | 168 | for more details. Here you will find a
|
---|
| 169 | list of URLs that contain comprehensive information about building
|
---|
| 170 | firewalls and further securing your system.
|
---|
| 171 | </para>
|
---|
| 172 | <!--
|
---|
| 173 | <para>
|
---|
| 174 | <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
|
---|
| 175 | and provies all of the same functionality with a single userspace tool,
|
---|
| 176 | <command>nft</command>, that uses similar syntax to BSD's
|
---|
| 177 | <application>pf</application> utility, and may be easier for new users or
|
---|
| 178 | admins already familiar with that platform.
|
---|
| 179 | </para>
|
---|
| 180 |
|
---|
| 181 | <para>
|
---|
| 182 | While both can be used in tandem, that is an advanced configuration and
|
---|
| 183 | you should decide on one or the other. Both pages include very simple
|
---|
| 184 | example configurations, and customization of the provided configurations
|
---|
| 185 | for your specific environment will be necessary if you elect to use
|
---|
| 186 | either without a configuration tool.
|
---|
| 187 | </para>
|
---|
| 188 |
|
---|
| 189 | <para>
|
---|
| 190 | Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
|
---|
| 191 | provided to greatly ease firewall configuration for both simple and
|
---|
| 192 | complex environments, and can be used with either tool. You should not
|
---|
| 193 | use the example configurations if you intend to use
|
---|
| 194 | <application>firewalld</application> to manage your firewall rules.
|
---|
| 195 | </para>
|
---|
| 196 |
|
---|
| 197 | <para>
|
---|
| 198 | If you elect to configure manually, have a look at the
|
---|
| 199 | list of further reading below for more details. Here you will find a
|
---|
| 200 | list of URLs that contain comprehensive information about building
|
---|
| 201 | firewalls and further securing your system.
|
---|
| 202 | </para>
|
---|
| 203 | -->
|
---|
[8920dfa] | 204 | </sect2>
|
---|
[b4b71892] | 205 |
|
---|
[018c0cc3] | 206 | <sect2 id="fw-extra-info">
|
---|
[8920dfa] | 207 | <title>Extra Information</title>
|
---|
[b4b71892] | 208 |
|
---|
[018c0cc3] | 209 | <sect3>
|
---|
| 210 | <title>Further Reading on Firewalls</title>
|
---|
[8920dfa] | 211 |
|
---|
| 212 | <blockquote>
|
---|
| 213 | <literallayout>
|
---|
[cd29bc9] | 214 | <ulink url="https://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
|
---|
| 215 | <ulink url="https://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
|
---|
| 216 | <ulink url="https://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
|
---|
[018c0cc3] | 217 | <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
|
---|
[cd29bc9] | 218 | <ulink url="https://tldp.org/LDP/nag2/x-087-2-firewall.html">tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
|
---|
| 219 | <ulink url="https://tldp.org/HOWTO/Security-HOWTO.html">tldp.org/HOWTO/Security-HOWTO.html</ulink>
|
---|
| 220 | <ulink url="https://tldp.org/HOWTO/Firewall-HOWTO.html">tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
|
---|
| 221 | <ulink url="https://linuxsecurity.com/howtos">linuxsecurity.com/howtos</ulink>
|
---|
[b4b71892] | 222 | <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
|
---|
[cd29bc9] | 223 | <ulink url="https://www.circlemud.org/jelson/writings/security/index.htm">www.circlemud.org/jelson/writings/security/index.htm</ulink>
|
---|
| 224 | <ulink url="https://insecure.org/reading.html">insecure.org/reading.html</ulink>
|
---|
[8920dfa] | 225 | </literallayout>
|
---|
[cd29bc9] | 226 |
|
---|
| 227 | <!-- comment-out entries moved out of literallayout to avoid empty lines -->
|
---|
| 228 |
|
---|
| 229 | <!-- not accssible 2022-09-08
|
---|
| 230 | <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink>-->
|
---|
| 231 | <!-- redirects somewhere you can buy a book, not sure if we should link to
|
---|
| 232 | a book which you'll need to pay for reading
|
---|
| 233 | <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
|
---|
| 234 | -->
|
---|
| 235 | <!-- 404 2022-09-08
|
---|
| 236 | <ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink> -->
|
---|
| 237 | <!-- redirects to dead bugtraq
|
---|
| 238 | <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>-->
|
---|
| 239 | <!-- redirects to CERT main page
|
---|
| 240 | <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>-->
|
---|
| 241 | <!-- not accessible 2022-09-08
|
---|
| 242 | <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink> -->
|
---|
[8920dfa] | 243 | </blockquote>
|
---|
| 244 |
|
---|
| 245 | </sect3>
|
---|
| 246 |
|
---|
| 247 | </sect2>
|
---|
[b4b71892] | 248 |
|
---|
[f45b1953] | 249 | </sect1>
|
---|