1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <sect1 id="fw-firewall" xreflabel="Firewalling">
|
---|
9 | <?dbhtml filename="firewall.html"?>
|
---|
10 |
|
---|
11 | <sect1info>
|
---|
12 | <othername>$LastChangedBy$</othername>
|
---|
13 | <date>$Date$</date>
|
---|
14 | </sect1info>
|
---|
15 |
|
---|
16 | <title>Setting Up a Network Firewall</title>
|
---|
17 |
|
---|
18 | <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
|
---|
19 | <title>Introduction to Firewall Creation</title>
|
---|
20 |
|
---|
21 | <para>
|
---|
22 | The purpose of a firewall is to protect a computer or a network against
|
---|
23 | malicious access. In a perfect world every daemon or service, on every
|
---|
24 | machine, is perfectly configured and immune to security flaws, and all
|
---|
25 | users are trusted implicitly to use the equipment as intended. However,
|
---|
26 | this is rarely, if ever, the case. Daemons may be misconfigured, or
|
---|
27 | updates may not have been applied for known exploits against essential
|
---|
28 | services. Additionally, you may wish to choose which services are
|
---|
29 | accessible by certain machines or users, or you may wish to limit which
|
---|
30 | machines or applications are allowed external access. Alternatively, you
|
---|
31 | simply may not trust some of your applications or users. For these
|
---|
32 | reasons, a carefully designed firewall should be an essential part of
|
---|
33 | system security.
|
---|
34 | </para>
|
---|
35 |
|
---|
36 | <para>
|
---|
37 | While a firewall can greatly limit the scope of the above issues, do not
|
---|
38 | assume that having a firewall makes careful configuration redundant, or
|
---|
39 | that any negligent misconfiguration is harmless. A firewall does not
|
---|
40 | prevent the exploitation of any service you offer outside of it. Despite
|
---|
41 | having a firewall, you need to keep applications and daemons properly
|
---|
42 | configured and up to date.
|
---|
43 | </para>
|
---|
44 |
|
---|
45 | </sect2>
|
---|
46 |
|
---|
47 | <sect2>
|
---|
48 | <title>Meaning of the Word "Firewall"</title>
|
---|
49 |
|
---|
50 | <para>
|
---|
51 | The word firewall can have several different meanings.
|
---|
52 | </para>
|
---|
53 |
|
---|
54 | <sect3>
|
---|
55 | <title>Personal Firewall</title>
|
---|
56 |
|
---|
57 | <para>
|
---|
58 | This is a hardware device or software program, intended to secure a
|
---|
59 | home or desktop computer connected to the Internet. This type of
|
---|
60 | firewall is highly relevant for users who do not know how their
|
---|
61 | computers might be accessed via the Internet or how to disable
|
---|
62 | that access, especially if they are always online and connected
|
---|
63 | via broadband links.
|
---|
64 | </para>
|
---|
65 |
|
---|
66 | <para>
|
---|
67 | An example configuration for a personal firewall is provided at
|
---|
68 | <xref linkend="fw-persFw-ipt"/>.
|
---|
69 | </para>
|
---|
70 |
|
---|
71 | </sect3>
|
---|
72 |
|
---|
73 | <sect3>
|
---|
74 | <title>Masquerading Router</title>
|
---|
75 |
|
---|
76 | <para>
|
---|
77 | This is a system placed between the Internet and an intranet.
|
---|
78 | To minimize the risk of compromising the firewall itself, it should
|
---|
79 | generally have only one role—that of protecting the intranet.
|
---|
80 | Although not completely risk-free, the tasks of doing the routing and
|
---|
81 | IP masquerading (rewriting IP headers of the packets it routes from
|
---|
82 | clients with private IP addresses onto the Internet so that they seem
|
---|
83 | to come from the firewall itself) are commonly considered relatively
|
---|
84 | secure.
|
---|
85 | </para>
|
---|
86 |
|
---|
87 | <para>
|
---|
88 | Example configurations for a masquerading firewall are provided at
|
---|
89 | <xref linkend="fw-masqRouter-ipt"/> and
|
---|
90 | <xref linkend="fw-masqRouter-nft"/>.
|
---|
91 | </para>
|
---|
92 |
|
---|
93 | </sect3>
|
---|
94 |
|
---|
95 | <sect3>
|
---|
96 | <title>BusyBox</title>
|
---|
97 |
|
---|
98 | <para>
|
---|
99 | This is often an old computer you may have retired and nearly
|
---|
100 | forgotten, performing masquerading or routing functions, but offering
|
---|
101 | non-firewall services such as a web-cache or mail. This may be used
|
---|
102 | for home networks, but is not to be considered as secure as a firewall
|
---|
103 | only machine because the combination of server and router/firewall on
|
---|
104 | one machine raises the complexity of the setup.
|
---|
105 | </para>
|
---|
106 |
|
---|
107 | <para>
|
---|
108 | An example configuration for a BusyBox is provided at
|
---|
109 | <xref linkend="fw-busybox-ipt"/>.
|
---|
110 | </para>
|
---|
111 |
|
---|
112 | </sect3>
|
---|
113 |
|
---|
114 | <sect3>
|
---|
115 | <title>Firewall with a Demilitarized Zone</title>
|
---|
116 |
|
---|
117 | <para>
|
---|
118 | This type of firewall performs masquerading or routing, but grants
|
---|
119 | public access to some branch of your network that is physically
|
---|
120 | separated from your regular intranet and is essentially a separate
|
---|
121 | network with direct Internet access. The servers on this network are
|
---|
122 | those which must be easily accessible from both the Internet and
|
---|
123 | intranet. The firewall protects both networks. This type of firewall
|
---|
124 | has a minimum of three network interfaces.
|
---|
125 | </para>
|
---|
126 |
|
---|
127 | </sect3>
|
---|
128 |
|
---|
129 | <sect3>
|
---|
130 | <title>Packetfilter</title>
|
---|
131 |
|
---|
132 | <para>
|
---|
133 | This type of firewall does routing or masquerading but does
|
---|
134 | not maintain a state table of ongoing communication streams. It is
|
---|
135 | fast but quite limited in its ability to block undesired packets
|
---|
136 | without blocking desired packets.
|
---|
137 | </para>
|
---|
138 |
|
---|
139 | </sect3>
|
---|
140 |
|
---|
141 | </sect2>
|
---|
142 |
|
---|
143 | <sect2>
|
---|
144 | <title>Conclusion</title>
|
---|
145 |
|
---|
146 | <caution>
|
---|
147 | <para>
|
---|
148 | The example configurations provided for <xref linkend="iptables"/> and
|
---|
149 | <xref linkend="nftables"/> are not intended to be a complete guide to
|
---|
150 | securing systems. Firewalling is a complex issue that requires careful
|
---|
151 | configuration. The configurations provided by BLFS are intended only to
|
---|
152 | give examples of how a firewall works. They are not intended to fit any
|
---|
153 | particular configuration and may not provide complete protection from
|
---|
154 | an attack.
|
---|
155 | </para>
|
---|
156 | </caution>
|
---|
157 |
|
---|
158 | <para>
|
---|
159 | BLFS provides two utilities to manage the kernel Netfilter interface,
|
---|
160 | <xref linkend="iptables"/> and <xref linkend="nftables"/>.
|
---|
161 | </para>
|
---|
162 |
|
---|
163 | <para>
|
---|
164 | <xref linkend="iptables"/> has been around since early 2.4 kernels, and
|
---|
165 | has been the standard since. If you plan not to use a configuration
|
---|
166 | utility, this is likely the set of tools that will be most familiar to
|
---|
167 | existing admins.
|
---|
168 | </para>
|
---|
169 |
|
---|
170 | <para>
|
---|
171 | <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
|
---|
172 | and provies all of the same functionality with a single userspace tool,
|
---|
173 | <command>nft</command>, that uses similar syntax to BSD's
|
---|
174 | <application>pf</application> utility, and may be easier for new users or
|
---|
175 | admins already familiar with that platform.
|
---|
176 | </para>
|
---|
177 |
|
---|
178 | <para>
|
---|
179 | While both can be used in tandem, that is an advanced configuration and
|
---|
180 | you should decide on one or the other. Both pages include very simple
|
---|
181 | example configurations, and customization of the provided configurations
|
---|
182 | for your specific environment will be necessary if you elect to use
|
---|
183 | either without a configuration tool.
|
---|
184 | </para>
|
---|
185 |
|
---|
186 | <para>
|
---|
187 | Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
|
---|
188 | provided to greatly ease firewall configuration for both simple and
|
---|
189 | complex environments, and can be used with either tool. You should not
|
---|
190 | use the example configurations if you intend to use
|
---|
191 | <application>firewalld</application> to manage your firewall rules.
|
---|
192 | </para>
|
---|
193 |
|
---|
194 | <para>
|
---|
195 | If you elect to configure manually, have a look at the
|
---|
196 | list of further reading below for more details. Here you will find a
|
---|
197 | list of URLs that contain comprehensive information about building
|
---|
198 | firewalls and further securing your system.
|
---|
199 | </para>
|
---|
200 |
|
---|
201 | </sect2>
|
---|
202 |
|
---|
203 | <sect2 id="fw-extra-info">
|
---|
204 | <title>Extra Information</title>
|
---|
205 |
|
---|
206 | <sect3>
|
---|
207 | <title>Further Reading on Firewalls</title>
|
---|
208 |
|
---|
209 | <blockquote>
|
---|
210 | <literallayout>
|
---|
211 | <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
|
---|
212 | <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
|
---|
213 | <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
|
---|
214 | <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
|
---|
215 | <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
|
---|
216 | <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
|
---|
217 | <ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
|
---|
218 | <ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
|
---|
219 | <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink>
|
---|
220 | <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
|
---|
221 | <ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
|
---|
222 | <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
|
---|
223 | <ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
|
---|
224 | <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
|
---|
225 | <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
|
---|
226 | <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
|
---|
227 | <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
|
---|
228 | </literallayout>
|
---|
229 | </blockquote>
|
---|
230 |
|
---|
231 | </sect3>
|
---|
232 |
|
---|
233 | </sect2>
|
---|
234 |
|
---|
235 | </sect1>
|
---|