<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewalling</title>

<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>

<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to intend no harm, you wouldn't need to do firewalling!
In the real world, however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have internet access, or you may simply not trust some of your
apps or users.
In these situations you might benefit from using a firewall.</para>

<para>Don't assume, however, that having a firewall makes careful
configuration redundant, nor that it makes any negligent
misconfiguration harmless, nor that it prevents anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>

</sect2>

<sect2>
<title>Meaning of the Word Firewall</title>

<para>The word firewall can have several different meanings.</para>

<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>

<para>This is a setup or program, commercially sold for Windows by
companies such as Symantec, which they claim or pretend
secures a home or desktop PC with internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the internet and how to disable these,
especially if they are always online and connected via
broadband links.</para></sect3>

<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the internet and an intranet.
To minimize the risk of compromising the firewall itself, it
should generally have only one role, that of protecting the intranet.
Although not completely without risk, the tasks of doing the routing
and possibly IP masquerading<footnote><para>rewriting the IP headers
of the packets it routes from clients with private IP addresses onto
the internet so that they seem to come from the firewall
itself</para></footnote> are commonly considered harmless.</para></sect3>

<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but also offering a bunch of
services, e.g., web cache, mail, etc. This may be very commonly used
for home networks, but can definitely no longer be considered secure,
because combining server and router on one machine raises
the complexity of the setup.</para></sect3>

<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of its public IPs and a physically
separated structure, is considered to be part of neither the internet nor the
intranet. These servers are those which must be easily accessible
from both the internet and the intranet. The firewall protects
them all.</para></sect3>

<sect3><title>Packet filter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
<para>Doing routing or masquerading, but permitting only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>
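
A minimal iptables script for the masquerading router role above, which also applies the packet filter idea of letting only selected internal boxes reach a service on the firewall; this is an added example, not code from the BLFS book, and the interface names eth0/eth1, the subnet 192.168.1.0/24 and the APPLY switch are assumptions:

```sh
#!/bin/sh
# Added example (not from the BLFS book): a minimal masquerading-router
# ruleset limited to routing plus masquerading, with the firewall itself
# reachable only from the intranet. Interface names and the private
# subnet are assumptions; adjust them to your site.
WAN=${WAN:-eth0}                     # assumed internet-facing interface
LAN=${LAN:-eth1}                     # assumed intranet interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed private intranet range

# Apply a rule with iptables when APPLY=1 (needs root); otherwise print
# it, so the ruleset can be reviewed without touching the kernel.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

masq_router_rules() {
    # Start clean and deny by default: the box forwards, nothing more.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    # Traffic to the firewall itself: loopback, replies to its own
    # connections, and ssh from intranet hosts only.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Drop packets from the internet side that claim an intranet source.
    rule -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Routed traffic: intranet hosts may go out, only replies come back,
    # so unsolicited connections from the internet never reach the intranet.
    rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    rule -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerading: rewrite the source of packets leaving on WAN so they
    # appear to come from the firewall's own address, as the footnote describes.
    rule -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # The kernel does not route between interfaces until told to.
    if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

masq_router_rules
```

Run it as root with APPLY=1 to load the rules; without that variable it only prints the ruleset for review.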

</sect2>
