1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <sect1 id="fw-firewall" xreflabel="Firewalling">
|
---|
9 | <?dbhtml filename="firewall.html"?>
|
---|
10 |
|
---|
11 | <sect1info>
|
---|
12 | <date>$Date$</date>
|
---|
13 | </sect1info>
|
---|
14 |
|
---|
15 | <title>Setting Up a Network Firewall</title>
|
---|
16 |
|
---|
17 | <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
|
---|
18 | <title>Introduction to Firewall Creation</title>
|
---|
19 |
|
---|
20 | <para>
|
---|
21 | The purpose of a firewall is to protect a computer or a network against
|
---|
22 | malicious access. In a perfect world every daemon or service, on every
|
---|
23 | machine, is perfectly configured and immune to security flaws, and all
|
---|
24 | users are trusted implicitly to use the equipment as intended. However,
|
---|
25 | this is rarely, if ever, the case. Daemons may be misconfigured, or
|
---|
26 | updates may not have been applied for known exploits against essential
|
---|
27 | services. Additionally, you may wish to choose which services are
|
---|
28 | accessible by certain machines or users, or you may wish to limit which
|
---|
29 | machines or applications are allowed external access. Alternatively, you
|
---|
30 | simply may not trust some of your applications or users. For these
|
---|
31 | reasons, a carefully designed firewall should be an essential part of
|
---|
32 | system security.
|
---|
33 | </para>
|
---|
34 |
|
---|
35 | <para>
|
---|
36 | While a firewall can greatly limit the scope of the above issues, do not
|
---|
37 | assume that having a firewall makes careful configuration redundant, or
|
---|
38 | that any negligent misconfiguration is harmless. A firewall does not
|
---|
39 | prevent the exploitation of any service you offer outside of it. Despite
|
---|
40 | having a firewall, you need to keep applications and daemons properly
|
---|
41 | configured and up to date.
|
---|
42 | </para>
|
---|
43 |
|
---|
44 | </sect2>
|
---|
45 |
|
---|
46 | <sect2>
|
---|
47 | <title>Meaning of the Word "Firewall"</title>
|
---|
48 |
|
---|
49 | <para>
|
---|
50 | The word firewall can have several different meanings.
|
---|
51 | </para>
|
---|
52 |
|
---|
53 | <sect3>
|
---|
54 | <title>Personal Firewall</title>
|
---|
55 |
|
---|
56 | <para>
|
---|
57 | This is a hardware device or software program, intended to secure a
|
---|
58 | home or desktop computer connected to the Internet. This type of
|
---|
59 | firewall is highly relevant for users who do not know how their
|
---|
60 | computers might be accessed via the Internet or how to disable
|
---|
61 | that access, especially if they are always online and connected
|
---|
62 | via broadband links.
|
---|
63 | </para>
|
---|
64 |
|
---|
65 | <para>
|
---|
66 | An example configuration for a personal firewall is provided at
|
---|
67 | <xref linkend="fw-persFw-ipt"/>.
|
---|
68 | </para>
|
---|
69 |
|
---|
70 | </sect3>
|
---|
71 |
|
---|
72 | <sect3>
|
---|
73 | <title>Masquerading Router</title>
|
---|
74 |
|
---|
75 | <para>
|
---|
76 | This is a system placed between the Internet and an intranet.
|
---|
77 | To minimize the risk of compromising the firewall itself, it should
|
---|
78 | generally have only one role—that of protecting the intranet.
|
---|
79 | Although not completely risk-free, the tasks of doing the routing and
|
---|
80 | IP masquerading (rewriting IP headers of the packets it routes from
|
---|
81 | clients with private IP addresses onto the Internet so that they seem
|
---|
82 | to come from the firewall itself) are commonly considered relatively
|
---|
83 | secure.
|
---|
84 | </para>
|
---|
85 |
|
---|
86 | <para>
|
---|
87 | An example configuration for a masquerading firewall is provided at
|
---|
88 | <xref linkend="fw-masqRouter-ipt"/>.
|
---|
89 | </para>
|
---|
90 |
|
---|
91 | </sect3>
|
---|
92 |
|
---|
93 | <sect3>
|
---|
94 | <title>BusyBox</title>
|
---|
95 |
|
---|
96 | <para>
|
---|
97 | This is often an old computer you may have retired and nearly
|
---|
98 | forgotten, performing masquerading or routing functions, but offering
|
---|
99 | non-firewall services such as a web-cache or mail. This may be used
|
---|
100 | for home networks, but is not to be considered as secure as a firewall
|
---|
101 | only machine because the combination of server and router/firewall on
|
---|
102 | one machine raises the complexity of the setup.
|
---|
103 | </para>
|
---|
104 |
|
---|
105 | <para>
|
---|
106 | An example configuration for a BusyBox is provided at
|
---|
107 | <xref linkend="fw-busybox-ipt"/>.
|
---|
108 | </para>
|
---|
109 |
|
---|
110 | </sect3>
|
---|
111 |
|
---|
112 | <sect3>
|
---|
113 | <title>Firewall with a Demilitarized Zone</title>
|
---|
114 |
|
---|
115 | <para>
|
---|
116 | This type of firewall performs masquerading or routing, but grants
|
---|
117 | public access to some branch of your network that is physically
|
---|
118 | separated from your regular intranet and is essentially a separate
|
---|
119 | network with direct Internet access. The servers on this network are
|
---|
120 | those which must be easily accessible from both the Internet and
|
---|
121 | intranet. The firewall protects both networks. This type of firewall
|
---|
122 | has a minimum of three network interfaces.
|
---|
123 | </para>
|
---|
124 |
|
---|
125 | </sect3>
|
---|
126 |
|
---|
127 | <sect3>
|
---|
128 | <title>Packetfilter</title>
|
---|
129 |
|
---|
130 | <para>
|
---|
131 | This type of firewall does routing or masquerading but does
|
---|
132 | not maintain a state table of ongoing communication streams. It is
|
---|
133 | fast but quite limited in its ability to block undesired packets
|
---|
134 | without blocking desired packets.
|
---|
135 | </para>
|
---|
136 |
|
---|
137 | </sect3>
|
---|
138 |
|
---|
139 | </sect2>
|
---|
140 |
|
---|
141 | <sect2>
|
---|
142 | <title>Conclusion</title>
|
---|
143 |
|
---|
144 | <caution>
|
---|
145 | <para>
|
---|
146 | The example configurations provided for <xref linkend="iptables"/>
|
---|
147 | <!-- and <xref linkend="nftables"/> -->
|
---|
148 | are not intended to be a complete guide to
|
---|
149 | securing systems. Firewalling is a complex issue that requires careful
|
---|
150 | configuration. The configurations provided by BLFS are intended only to
|
---|
151 | give examples of how a firewall works. They are not intended to fit any
|
---|
152 | particular configuration and may not provide complete protection from
|
---|
153 | an attack.
|
---|
154 | </para>
|
---|
155 | </caution>
|
---|
156 | <!--
|
---|
157 | <para>
|
---|
158 | BLFS provides two utilities to manage the kernel Netfilter interface,
|
---|
159 | <xref linkend="iptables"/> and <xref linkend="nftables"/>.
|
---|
160 | </para>
|
---|
161 | -->
|
---|
162 | <para>
|
---|
163 | BLFS provides an utility to manage the kernel Netfilter interface,
|
---|
164 | <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
|
---|
165 | and has been the standard since. This is likely the set of tools that
|
---|
166 | will be most familiar to existing admins. Other tools have been
|
---|
167 | developed more recently, see the list of further readings below
|
---|
168 | for more details. Here you will find a
|
---|
169 | list of URLs that contain comprehensive information about building
|
---|
170 | firewalls and further securing your system.
|
---|
171 | </para>
|
---|
172 | <!--
|
---|
173 | <para>
|
---|
174 | <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
|
---|
175 | and provies all of the same functionality with a single userspace tool,
|
---|
176 | <command>nft</command>, that uses similar syntax to BSD's
|
---|
177 | <application>pf</application> utility, and may be easier for new users or
|
---|
178 | admins already familiar with that platform.
|
---|
179 | </para>
|
---|
180 |
|
---|
181 | <para>
|
---|
182 | While both can be used in tandem, that is an advanced configuration and
|
---|
183 | you should decide on one or the other. Both pages include very simple
|
---|
184 | example configurations, and customization of the provided configurations
|
---|
185 | for your specific environment will be necessary if you elect to use
|
---|
186 | either without a configuration tool.
|
---|
187 | </para>
|
---|
188 |
|
---|
189 | <para>
|
---|
190 | Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
|
---|
191 | provided to greatly ease firewall configuration for both simple and
|
---|
192 | complex environments, and can be used with either tool. You should not
|
---|
193 | use the example configurations if you intend to use
|
---|
194 | <application>firewalld</application> to manage your firewall rules.
|
---|
195 | </para>
|
---|
196 |
|
---|
197 | <para>
|
---|
198 | If you elect to configure manually, have a look at the
|
---|
199 | list of further reading below for more details. Here you will find a
|
---|
200 | list of URLs that contain comprehensive information about building
|
---|
201 | firewalls and further securing your system.
|
---|
202 | </para>
|
---|
203 | -->
|
---|
204 | </sect2>
|
---|
205 |
|
---|
206 | <sect2 id="fw-extra-info">
|
---|
207 | <title>Extra Information</title>
|
---|
208 |
|
---|
209 | <sect3>
|
---|
210 | <title>Further Reading on Firewalls</title>
|
---|
211 |
|
---|
212 | <blockquote>
|
---|
213 | <literallayout>
|
---|
214 | <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
|
---|
215 | <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
|
---|
216 | <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
|
---|
217 | <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
|
---|
218 | <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
|
---|
219 | <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
|
---|
220 | <ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
|
---|
221 | <ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
|
---|
222 | <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink>
|
---|
223 | <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
|
---|
224 | <ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
|
---|
225 | <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
|
---|
226 | <ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
|
---|
227 | <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
|
---|
228 | <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
|
---|
229 | <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
|
---|
230 | <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
|
---|
231 | </literallayout>
|
---|
232 | </blockquote>
|
---|
233 |
|
---|
234 | </sect3>
|
---|
235 |
|
---|
236 | </sect2>
|
---|
237 |
|
---|
238 | </sect1>
|
---|