| 1 | <sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
|
|---|
| 2 | <title>Introduction to Firewalling</title>
|
|---|
| 3 |
|
|---|
| 4 | <para>The general purpose of a firewall is to protect a network
|
|---|
| 5 | against malicious access by using a single machine as a firewall.
|
|---|
| 6 | This does imply that the firewall is to be considered a single point
|
|---|
| 7 | of failure, but it can make the administrators life a lot easier.</para>
|
|---|
| 8 |
|
|---|
| 9 | <para>In a perfect world where you knew that every daemon or service
|
|---|
| 10 | on every machine was perfectly configured and was immune to, e.g.,
|
|---|
| 11 | buffer-overflows and any other imaginable problem regarding its
|
|---|
| 12 | security, and where you trusted every user accessing your services
|
|---|
| 13 | to aim no harm, you wouldn't need to do firewalling!
|
|---|
| 14 | In the real world however, daemons may be misconfigured,
|
|---|
| 15 | exploits against essential services are freely available, you
|
|---|
| 16 | may wish to choose which services are accessible by certain machines,
|
|---|
| 17 | you may wish to limit which machines or applications are allowed
|
|---|
| 18 | to have internet access, or you may simply not trust some of your
|
|---|
| 19 | apps or users.
|
|---|
| 20 | In these situations you might benefit by using a firewall.</para>
|
|---|
| 21 |
|
|---|
| 22 | <para>Don't assume however, that having a firewall makes careful
|
|---|
| 23 | configuration redundant, nor that it makes any negligent
|
|---|
| 24 | misconfiguration harmless, nor that it prevents anyone from exploiting a
|
|---|
| 25 | service you intentionally offer but haven't recently updated or patched
|
|---|
| 26 | after an exploit went public. Despite having a firewall, you need to
|
|---|
| 27 | keep applications and daemons on your system well-configured and
|
|---|
| 28 | up-to-date; a firewall is not a cure-all!</para>
|
|---|
| 29 |
|
|---|
| 30 | </sect2>
|
|---|
| 31 |
|
|---|
| 32 | <sect2>
|
|---|
| 33 | <title>Meaning of the word firewall.</title>
|
|---|
| 34 |
|
|---|
| 35 | <para>The word firewall can have several different meanings.</para>
|
|---|
| 36 |
|
|---|
| 37 | <sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
|
|---|
| 38 |
|
|---|
| 39 | <para>This is a setup or program, for Windows commercially sold by
|
|---|
| 40 | companies such as Symantec, of which they claim or pretend that it
|
|---|
| 41 | secures a home or desktop-pc with internet access. This topic is
|
|---|
| 42 | highly relevant for users who do not know the ways their computers
|
|---|
| 43 | might be accessed via the internet and how to disable these,
|
|---|
| 44 | especially if they are always online and if they are connected via
|
|---|
| 45 | broadband links.</para></sect3>
|
|---|
| 46 |
|
|---|
| 47 | <sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
|
|---|
| 48 | <para>This is a box placed between the internet and an intranet.
|
|---|
| 49 | To minimize the risk of compromising the firewall itself it
|
|---|
| 50 | should generally have only one role, that of protecting the intranet.
|
|---|
| 51 | Although not completely riskless, the tasks of doing the routing
|
|---|
| 52 | and eventually IP masquerading<footnote><para>rewriting IP-headers
|
|---|
| 53 | of the packets it routes from clients with private IP-addresses onto
|
|---|
| 54 | the internet so that they seem to come from the firewall
|
|---|
| 55 | itself</para></footnote> are commonly considered harmless.</para></sect3>
|
|---|
| 56 |
|
|---|
| 57 | <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
|
|---|
| 58 | <para>This is often an old box you may have retired and nearly forgotten,
|
|---|
| 59 | performing masquerading or routing functions, but offering a bunch of
|
|---|
| 60 | services, e.g., web-cache, mail, etc. This may be very commonly used
|
|---|
| 61 | for home networks, but can definitely not to be considered as secure
|
|---|
| 62 | anymore because the combining of server and router on one machine raises
|
|---|
| 63 | the complexity of the setup.</para></sect3>
|
|---|
| 64 |
|
|---|
| 65 | <sect3><title>Firewall with a demilitarized zone [not further described
|
|---|
| 66 | here]</title>
|
|---|
| 67 | <para>This box performs masquerading or routing, but grants public access to
|
|---|
| 68 | some branch of your network which, because of public IP's and a physically
|
|---|
| 69 | separated structure, is neither considered to be part of the inter- nor
|
|---|
| 70 | intranet. These servers are those which must be easily accessible
|
|---|
| 71 | from both the inter- and intranet. The firewall protects
|
|---|
| 72 | them all.</para></sect3>
|
|---|
| 73 |
|
|---|
| 74 | <sect3><title>Packetfilter / partly accessible net [partly described
|
|---|
| 75 | here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
|
|---|
| 76 | <para>Doing routing or masquerading, but permitting only selected
|
|---|
| 77 | services to be accessible, sometimes only by selected internal users or boxes;
|
|---|
| 78 | mostly used in highly secure business contexts, sometimes by distrusting
|
|---|
| 79 | employers. This was the common configuration of a firewall at the time of
|
|---|
| 80 | the Linux 2.2 kernel. It's still possible to configure a firewall this way,
|
|---|
| 81 | but it makes the rules quite complex and lengthy.</para></sect3>
|
|---|
| 82 |
|
|---|
| 83 | </sect2>
|
|---|
| 84 |
|
|---|
