source: postlfs/security/firewalling/intro.xml@ 1ea79a1

Last change on this file since 1ea79a1 was 1ea79a1, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

Typos and punctuation

git-svn-id: svn:// af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 4.2 KB
<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>
<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to intend no harm, you wouldn't need to have a firewall!
In the real world, however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have Internet access, or you may simply not trust some of your
apps or users.
In these situations you might benefit from using a firewall.</para>
<para>Don't assume, however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It also doesn't prevent anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well configured and
up to date; a firewall is not a cure-all!</para>
<title>Meaning of the word firewall.</title>
<para>The word firewall can have several different meanings.</para>
<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
<para>This is a setup or program, sold commercially for Windows by
companies such as Symantec, which they claim or pretend
secures a home or desktop PC with Internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the Internet or how to disable them,
especially if they are always online and connected via
broadband links.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it
should generally have only one role, that of protecting the intranet.
Although not completely risk-free, the tasks of doing the routing
and possibly IP masquerading (rewriting the IP headers
of the packets it routes from clients with private IP addresses onto
the Internet so that they seem to come from the firewall
itself) are commonly considered harmless.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering a bunch of
services, e.g., web-cache, mail, etc. This may be very commonly used
for home networks, but can definitely no longer be considered secure,
because combining server and router on one machine raises
the complexity of the setup.</para></sect3>
<sect3><title>Firewall with a demilitarized zone [not further described
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IPs and a physically
separated structure, is considered to be part of neither the Internet nor
the intranet. These servers are those which must be easily accessible
from both the Internet and the intranet. The firewall protects
them all.</para></sect3>
<sect3><title>Packet filter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
<para>This box does routing or masquerading, but permits only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>
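The masquerading router and the selected-services packet filter described above, combined in one added example that is not part of the original file: a shell function that prints an iptables-restore ruleset with default-deny forwarding. The interface names, LAN range and service list are assumptions supplied by the caller, and the ruleset presumes a kernel with conntrack matching and IP forwarding enabled.

```shell
#!/bin/sh
# Added example, not from the original page. Emits an iptables-restore
# ruleset for a masquerading router that forwards only selected services.
# Review the output, then: gen_ruleset ... | iptables-restore --test

# usage: gen_ruleset WAN_IF LAN_IF LAN_CIDR "proto/port ..."
gen_ruleset() {
    wan=$1; lan=$2; net=$3; services=$4; rules=
    # Validate everything first so that bad input prints no partial ruleset.
    for ifc in "$wan" "$lan"; do
        case $ifc in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case $net in ''|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    for svc in $services; do
        proto=${svc%%/*}; port=${svc#*/}
        case $proto in tcp|udp) ;; *) return 1 ;; esac
        case $port in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
        # One rule per permitted service: LAN to Internet, new connections.
        rules="$rules-A FORWARD -i $lan -o $wan -s $net -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    # INPUT DROP: the router itself offers no services (its single role).
    # FORWARD DROP: anything not listed above, and every unsolicited packet
    # arriving from the Internet, is discarded.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${rules}COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}
```

For instance, `gen_ruleset eth0 eth1 192.168.0.0/24 "tcp/443 udp/53"` (constructed values) lets LAN clients reach only HTTPS and DNS; each further service adds one FORWARD rule, which is how such rule sets grow long.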