<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>

<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>

<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to mean no harm, you wouldn't need to have a firewall!
In the real world, however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have Internet access, or you may simply not trust some of your
apps or users.
In these situations you may benefit from using a firewall.</para>

<para>Don't assume, however, that having a firewall makes careful
configuration redundant, nor that it makes any negligent
misconfiguration harmless, nor that it prevents anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>

</sect2>

<sect2>
<title>Meaning of the Word Firewall</title>

<para>The word firewall can have several different meanings.</para>

<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>

<para>This is a setup or program, sold commercially for Windows by
companies such as Symantec, which they claim or pretend secures a
home or desktop PC with Internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the Internet and how to disable these,
especially if they are always online and connected via
broadband links.</para></sect3>

<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it
should generally have only one role, that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing
and possibly IP masquerading (rewriting the IP headers
of the packets it routes from clients with private IP addresses onto
the Internet so that they seem to come from the firewall
itself) are commonly considered harmless.</para></sect3>

<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering a bunch of
services, e.g., web cache, mail, etc. This may be very commonly used
for home networks, but can definitely not be considered secure
anymore, because combining server and router on one machine raises
the complexity of the setup.</para></sect3>

<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IPs and a physically
separated structure, is considered to be part of neither the Internet nor
the intranet. These servers are those which must be easily accessible
from both the Internet and the intranet. The firewall protects
them all.</para></sect3>

<sect3><title>Packet filter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
<para>Doing routing or masquerading, but permitting only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>

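<para>As an added example (not part of the BLFS book), the following script builds the ruleset for the masquerading router and packet filter roles described above: a default-deny forwarding policy, masquerading of the private range onto the WAN interface, and only selected services permitted outward. The interface names, the private range and the port lists are assumptions.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: a minimal masquerading router
# ruleset in the spirit of the "Masquerading Router" and "Packet filter"
# descriptions above. Interface names, the LAN prefix and the permitted
# ports are assumptions; adjust them for your network.
#
# Usage: sh masq-fw.sh [apply]   (without "apply" the rules are only printed)

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the intranet
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private range behind the box
ALLOWED_TCP="${ALLOWED_TCP:-80 443}"  # only these TCP services may leave
ALLOWED_UDP="${ALLOWED_UDP:-53}"      # plus DNS lookups

# Emit the iptables commands one per line instead of running them, so the
# ruleset can be reviewed or diffed before it is applied.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Packet filter part: forward only the selected services, and only when
    # they originate from the intranet side.
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    for port in $ALLOWED_UDP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Masquerading part: rewrite the source address of forwarded packets to
    # the firewall's own WAN address so private addresses never reach the
    # Internet; conntrack undoes the rewrite for the replies.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of rules that let NEW forwarded connections through: a quick check
# that the ruleset really is "only selected services" and nothing more.
count_forward_accepts() {
    build_rules | grep -c -- '-A FORWARD .*--ctstate NEW -j ACCEPT'
}

if [ "$1" = "apply" ]; then
    build_rules | while IFS= read -r cmd; do $cmd || exit 1; done
else
    build_rules
fi
```

Run it without arguments first and review the printed rules; only then run it with <literal>apply</literal> as root on the router.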
</sect2>
