1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <sect1 id="fw-firewall" xreflabel="Firewalling">
|
---|
9 | <?dbhtml filename="firewall.html"?>
|
---|
10 |
|
---|
11 |
|
---|
12 | <title>Setting Up a Network Firewall</title>
|
---|
13 |
|
---|
14 | <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
|
---|
15 | <title>Introduction to Firewall Creation</title>
|
---|
16 |
|
---|
17 | <para>
|
---|
18 | The purpose of a firewall is to protect a computer or a network against
|
---|
19 | malicious access. In a perfect world every daemon or service, on every
|
---|
20 | machine, is perfectly configured and immune to security flaws, and all
|
---|
21 | users are trusted implicitly to use the equipment as intended. However,
|
---|
22 | this is rarely, if ever, the case. Daemons may be misconfigured, or
|
---|
23 | updates may not have been applied for known exploits against essential
|
---|
24 | services. Additionally, you may wish to choose which services are
|
---|
25 | accessible by certain machines or users, or you may wish to limit which
|
---|
26 | machines or applications are allowed external access. Alternatively, you
|
---|
27 | simply may not trust some of your applications or users. For these
|
---|
28 | reasons, a carefully designed firewall should be an essential part of
|
---|
29 | system security.
|
---|
30 | </para>
|
---|
31 |
|
---|
32 | <para>
|
---|
33 | While a firewall can greatly limit the scope of the above issues, do not
|
---|
34 | assume that having a firewall makes careful configuration redundant, or
|
---|
35 | that any negligent misconfiguration is harmless. A firewall does not
|
---|
36 | prevent the exploitation of any service you offer outside of it. Despite
|
---|
37 | having a firewall, you need to keep applications and daemons properly
|
---|
38 | configured and up to date.
|
---|
39 | </para>
|
---|
40 |
|
---|
41 | </sect2>
|
---|
42 |
|
---|
43 | <sect2>
|
---|
44 | <title>Meaning of the Word "Firewall"</title>
|
---|
45 |
|
---|
46 | <para>
|
---|
47 | The word firewall can have several different meanings.
|
---|
48 | </para>
|
---|
49 |
|
---|
50 | <sect3>
|
---|
51 | <title>Personal Firewall</title>
|
---|
52 |
|
---|
53 | <para>
|
---|
54 | This is a hardware device or software program, intended to secure a
|
---|
55 | home or desktop computer connected to the Internet. This type of
|
---|
56 | firewall is highly relevant for users who do not know how their
|
---|
57 | computers might be accessed via the Internet or how to disable
|
---|
58 | that access, especially if they are always online and connected
|
---|
59 | via broadband links.
|
---|
60 | </para>
|
---|
61 |
|
---|
62 | <para>
|
---|
63 | An example configuration for a personal firewall is provided at
|
---|
64 | <xref linkend="fw-persFw-ipt"/>.
|
---|
65 | </para>
|
---|
66 |
|
---|
67 | </sect3>
|
---|
68 |
|
---|
69 | <sect3>
|
---|
70 | <title>Masquerading Router</title>
|
---|
71 |
|
---|
72 | <para>
|
---|
73 | This is a system placed between the Internet and an intranet.
|
---|
74 | To minimize the risk of compromising the firewall itself, it should
|
---|
75 | generally have only one role—that of protecting the intranet.
|
---|
76 | Although not completely risk-free, the tasks of doing the routing and
|
---|
77 | IP masquerading (rewriting IP headers of the packets it routes from
|
---|
78 | clients with private IP addresses onto the Internet so that they seem
|
---|
79 | to come from the firewall itself) are commonly considered relatively
|
---|
80 | secure.
|
---|
81 | </para>
|
---|
82 |
|
---|
83 | <para>
|
---|
84 | An example configuration for a masquerading firewall is provided at
|
---|
85 | <xref linkend="fw-masqRouter-ipt"/>.
|
---|
86 | </para>
|
---|
87 |
|
---|
88 | </sect3>
|
---|
89 |
|
---|
90 | <sect3>
|
---|
91 | <title>BusyBox</title>
|
---|
92 |
|
---|
93 | <para>
|
---|
94 | This is often an old computer you may have retired and nearly
|
---|
95 | forgotten, performing masquerading or routing functions, but offering
|
---|
96 | non-firewall services such as a web-cache or mail. This may be used
|
---|
97 | for home networks, but is not to be considered as secure as a firewall
|
---|
98 | only machine because the combination of server and router/firewall on
|
---|
99 | one machine raises the complexity of the setup.
|
---|
100 | </para>
|
---|
101 |
|
---|
102 | <para>
|
---|
103 | An example configuration for a BusyBox is provided at
|
---|
104 | <xref linkend="fw-busybox-ipt"/>.
|
---|
105 | </para>
|
---|
106 |
|
---|
107 | </sect3>
|
---|
108 |
|
---|
109 | <sect3>
|
---|
110 | <title>Firewall with a Demilitarized Zone</title>
|
---|
111 |
|
---|
112 | <para>
|
---|
113 | This type of firewall performs masquerading or routing, but grants
|
---|
114 | public access to some branch of your network that is physically
|
---|
115 | separated from your regular intranet and is essentially a separate
|
---|
116 | network with direct Internet access. The servers on this network are
|
---|
117 | those which must be easily accessible from both the Internet and
|
---|
118 | intranet. The firewall protects both networks. This type of firewall
|
---|
119 | has a minimum of three network interfaces.
|
---|
120 | </para>
|
---|
121 |
|
---|
122 | </sect3>
|
---|
123 |
|
---|
124 | <sect3>
|
---|
125 | <title>Packetfilter</title>
|
---|
126 |
|
---|
127 | <para>
|
---|
128 | This type of firewall does routing or masquerading but does
|
---|
129 | not maintain a state table of ongoing communication streams. It is
|
---|
130 | fast but quite limited in its ability to block undesired packets
|
---|
131 | without blocking desired packets.
|
---|
132 | </para>
|
---|
133 |
|
---|
134 | </sect3>
|
---|
135 |
|
---|
136 | </sect2>
|
---|
137 |
|
---|
138 | <sect2>
|
---|
139 | <title>Conclusion</title>
|
---|
140 |
|
---|
141 | <caution>
|
---|
142 | <para>
|
---|
143 | The example configurations provided for <xref linkend="iptables"/>
|
---|
144 | <!-- and <xref linkend="nftables"/> -->
|
---|
145 | are not intended to be a complete guide to
|
---|
146 | securing systems. Firewalling is a complex issue that requires careful
|
---|
147 | configuration. The configurations provided by BLFS are intended only to
|
---|
148 | give examples of how a firewall works. They are not intended to fit any
|
---|
149 | particular configuration and may not provide complete protection from
|
---|
150 | an attack.
|
---|
151 | </para>
|
---|
152 | </caution>
|
---|
153 | <!--
|
---|
154 | <para>
|
---|
155 | BLFS provides two utilities to manage the kernel Netfilter interface,
|
---|
156 | <xref linkend="iptables"/> and <xref linkend="nftables"/>.
|
---|
157 | </para>
|
---|
158 | -->
|
---|
159 | <para>
|
---|
160 | BLFS provides an utility to manage the kernel Netfilter interface,
|
---|
161 | <xref linkend="iptables"/>. It has been around since early 2.4 kernels,
|
---|
162 | and has been the standard since. This is likely the set of tools that
|
---|
163 | will be most familiar to existing admins. Other tools have been
|
---|
164 | developed more recently, see the list of further readings below
|
---|
165 | for more details. Here you will find a
|
---|
166 | list of URLs that contain comprehensive information about building
|
---|
167 | firewalls and further securing your system.
|
---|
168 | </para>
|
---|
169 | <!--
|
---|
170 | <para>
|
---|
171 | <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
|
---|
172 | and provides all of the same functionality with a single userspace tool,
|
---|
173 | <command>nft</command>, that uses similar syntax to BSD's
|
---|
174 | <application>pf</application> utility, and may be easier for new users or
|
---|
175 | admins already familiar with that platform.
|
---|
176 | </para>
|
---|
177 |
|
---|
178 | <para>
|
---|
179 | While both can be used in tandem, that is an advanced configuration and
|
---|
180 | you should decide on one or the other. Both pages include very simple
|
---|
181 | example configurations, and customization of the provided configurations
|
---|
182 | for your specific environment will be necessary if you elect to use
|
---|
183 | either without a configuration tool.
|
---|
184 | </para>
|
---|
185 |
|
---|
186 | <para>
|
---|
187 | Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
|
---|
188 | provided to greatly ease firewall configuration for both simple and
|
---|
189 | complex environments, and can be used with either tool. You should not
|
---|
190 | use the example configurations if you intend to use
|
---|
191 | <application>firewalld</application> to manage your firewall rules.
|
---|
192 | </para>
|
---|
193 |
|
---|
194 | <para>
|
---|
195 | If you elect to configure manually, have a look at the
|
---|
196 | list of further reading below for more details. Here you will find a
|
---|
197 | list of URLs that contain comprehensive information about building
|
---|
198 | firewalls and further securing your system.
|
---|
199 | </para>
|
---|
200 | -->
|
---|
201 | </sect2>
|
---|
202 |
|
---|
203 | <sect2 id="fw-extra-info">
|
---|
204 | <title>Extra Information</title>
|
---|
205 |
|
---|
206 | <sect3>
|
---|
207 | <title>Further Reading on Firewalls</title>
|
---|
208 |
|
---|
209 | <blockquote>
|
---|
210 | <literallayout>
|
---|
211 | <ulink url="https://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
|
---|
212 | <ulink url="https://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
|
---|
213 | <ulink url="https://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
|
---|
214 | <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
|
---|
215 | <ulink url="https://tldp.org/LDP/nag2/x-087-2-firewall.html">tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
|
---|
216 | <ulink url="https://tldp.org/HOWTO/Security-HOWTO.html">tldp.org/HOWTO/Security-HOWTO.html</ulink>
|
---|
217 | <ulink url="https://tldp.org/HOWTO/Firewall-HOWTO.html">tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
|
---|
218 | <ulink url="https://linuxsecurity.com/howtos">linuxsecurity.com/howtos</ulink>
|
---|
219 | <ulink url="https://www.circlemud.org/jelson/writings/security/index.htm">www.circlemud.org/jelson/writings/security/index.htm</ulink>
|
---|
220 | <ulink url="https://insecure.org/reading.html">insecure.org/reading.html</ulink>
|
---|
221 | </literallayout>
|
---|
222 |
|
---|
223 | <!-- comment-out entries moved out of literallayout to avoid empty lines -->
|
---|
224 |
|
---|
225 | <!-- not accessible 2024-04-12
|
---|
226 | <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>-->
|
---|
227 | <!-- not accessible 2022-09-08
|
---|
228 | <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink>-->
|
---|
229 | <!-- redirects somewhere you can buy a book, not sure if we should link to
|
---|
230 | a book which you'll need to pay for reading
|
---|
231 | <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
|
---|
232 | -->
|
---|
233 | <!-- 404 2022-09-08
|
---|
234 | <ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink> -->
|
---|
235 | <!-- redirects to dead bugtraq
|
---|
236 | <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>-->
|
---|
237 | <!-- redirects to CERT main page
|
---|
238 | <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>-->
|
---|
239 | <!-- not accessible 2022-09-08
|
---|
240 | <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink> -->
|
---|
241 | </blockquote>
|
---|
242 |
|
---|
243 | </sect3>
|
---|
244 |
|
---|
245 | </sect2>
|
---|
246 |
|
---|
247 | </sect1>
|
---|