source: postlfs/security/firewalling.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="fw-firewall" xreflabel="Firewalling">
  <?dbhtml filename="firewall.html"?>


  <title>Setting Up a Network Firewall</title>

  <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
    <title>Introduction to Firewall Creation</title>

    <para>
      The purpose of a firewall is to protect a computer or a network against
      malicious access. In a perfect world every daemon or service, on every
      machine, is perfectly configured and immune to security flaws, and all
      users are trusted implicitly to use the equipment as intended. However,
      this is rarely, if ever, the case. Daemons may be misconfigured, or
      updates may not have been applied for known exploits against essential
      services. Additionally, you may wish to choose which services are
      accessible by certain machines or users, or you may wish to limit which
      machines or applications are allowed external access. Alternatively, you
      simply may not trust some of your applications or users. For these
      reasons, a carefully designed firewall should be an essential part of
      system security.
    </para>

    <para>
      While a firewall can greatly limit the scope of the above issues, do not
      assume that having a firewall makes careful configuration redundant, or
      that any negligent misconfiguration is harmless. A firewall does not
      prevent the exploitation of any service you offer outside of it. Despite
      having a firewall, you need to keep applications and daemons properly
      configured and up to date.
    </para>

  </sect2>

  <sect2>
    <title>Meaning of the Word "Firewall"</title>

    <para>
      The word firewall can have several different meanings.
    </para>

    <sect3>
      <title>Personal Firewall</title>

      <para>
        This is a hardware device or software program, intended to secure a
        home or desktop computer connected to the Internet. This type of
        firewall is highly relevant for users who do not know how their
        computers might be accessed via the Internet or how to disable
        that access, especially if they are always online and connected
        via broadband links.
      </para>

      <para>
        An example configuration for a personal firewall is provided at
        <xref linkend="fw-persFw-ipt"/>.
      </para>

    </sect3>

    <sect3>
      <title>Masquerading Router</title>

      <para>
        This is a system placed between the Internet and an intranet.
        To minimize the risk of compromising the firewall itself, it should
        generally have only one role&mdash;that of protecting the intranet.
        Although not completely risk-free, the tasks of doing the routing and
        IP masquerading (rewriting IP headers of the packets it routes from
        clients with private IP addresses onto the Internet so that they seem
        to come from the firewall itself) are commonly considered relatively
        secure.
      </para>

      <para>
        An example configuration for a masquerading firewall is provided at
        <xref linkend="fw-masqRouter-ipt"/>.
      </para>

    </sect3>

    <sect3>
      <title>BusyBox</title>

      <para>
        This is often an old computer you may have retired and nearly
        forgotten, performing masquerading or routing functions, but offering
        non-firewall services such as a web-cache or mail. This may be used
        for home networks, but is not to be considered as secure as a firewall
        only machine because the combination of server and router/firewall on
        one machine raises the complexity of the setup.
      </para>

      <para>
        An example configuration for a BusyBox is provided at
        <xref linkend="fw-busybox-ipt"/>.
      </para>

    </sect3>

    <sect3>
      <title>Firewall with a Demilitarized Zone</title>

      <para>
        This type of firewall performs masquerading or routing, but grants
        public access to some branch of your network that is physically
        separated from your regular intranet and is essentially a separate
        network with direct Internet access. The servers on this network are
        those which must be easily accessible from both the Internet and
        intranet. The firewall protects both networks. This type of firewall
        has a minimum of three network interfaces.
      </para>

    </sect3>

    <sect3>
      <title>Packetfilter</title>

      <para>
        This type of firewall does routing or masquerading but does
        not maintain a state table of ongoing communication streams. It is
        fast but quite limited in its ability to block undesired packets
        without blocking desired packets.
      </para>

    </sect3>

  </sect2>

  <sect2>
    <title>Conclusion</title>

    <caution>
      <para>
        The example configurations provided for <xref linkend="iptables"/>
<!-- and <xref linkend="nftables"/> -->
        are not intended to be a complete guide to
        securing systems. Firewalling is a complex issue that requires careful
        configuration. The configurations provided by BLFS are intended only to
        give examples of how a firewall works. They are not intended to fit any
        particular configuration and may not provide complete protection from
        an attack.
      </para>
    </caution>
<!--
    <para>
      BLFS provides two utilities to manage the kernel Netfilter interface,
      <xref linkend="iptables"/> and <xref linkend="nftables"/>.
    </para>
-->
    <para>
      BLFS provides an utility to manage the kernel Netfilter interface,
      <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
      and has been the standard since. This is likely the set of tools that
      will be most familiar to existing admins. Other tools have been
      developed more recently, see the list of further readings below
      for more details. Here you will find a
      list of URLs that contain comprehensive information about building
      firewalls and further securing your system.
    </para>
<!--
    <para>
      <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
      and provies all of the same functionality with a single userspace tool,
      <command>nft</command>, that uses similar syntax to BSD's
      <application>pf</application> utility, and may be easier for new users or
      admins already familiar with that platform.
    </para>

    <para>
      While both can be used in tandem, that is an advanced configuration and
      you should decide on one or the other. Both pages include very simple
      example configurations, and customization of the provided configurations
      for your specific environment will be necessary if you elect to use
      either without a configuration tool.
    </para>

    <para>
      Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
      provided to greatly ease firewall configuration for both simple and
      complex environments, and can be used with either tool. You should not
      use the example configurations if you intend to use
      <application>firewalld</application> to manage your firewall rules.
    </para>

    <para>
      If you elect to configure manually, have a look at the
      list of further reading below for more details. Here you will find a
      list of URLs that contain comprehensive information about building
      firewalls and further securing your system.
    </para>
-->
  </sect2>

  <sect2 id="fw-extra-info">
    <title>Extra Information</title>

    <sect3>
      <title>Further Reading on Firewalls</title>

      <blockquote>
        <literallayout>
<ulink url="https://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
<ulink url="https://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="https://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
<ulink url="https://tldp.org/LDP/nag2/x-087-2-firewall.html">tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="https://tldp.org/HOWTO/Security-HOWTO.html">tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="https://tldp.org/HOWTO/Firewall-HOWTO.html">tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="https://linuxsecurity.com/howtos">linuxsecurity.com/howtos</ulink>
<ulink url="https://www.circlemud.org/jelson/writings/security/index.htm">www.circlemud.org/jelson/writings/security/index.htm</ulink>
<ulink url="https://insecure.org/reading.html">insecure.org/reading.html</ulink>
        </literallayout>

<!-- comment-out entries moved out of literallayout to avoid empty lines -->

<!-- not accssible 2024-04-12
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>-->
<!-- not accssible 2022-09-08
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>-->
<!-- redirects somewhere you can buy a book, not sure if we should link to
     a book which you'll need to pay for reading
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
-->
<!-- 404 2022-09-08
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink> -->
<!-- redirects to dead bugtraq
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>-->
<!-- redirects to CERT main page
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>-->
<!-- not accessible 2022-09-08
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink> -->
      </blockquote>

    </sect3>

  </sect2>

</sect1>