source: postlfs/security/firewalling/intro.xml@ f45b1953

Last change on this file since f45b1953 was f45b1953, checked in by Mark Hymers <markh@…>, 21 years ago

Initial revision

git-svn-id: svn:// af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewalling</title>
<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>
<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to mean no harm, you wouldn't need to do firewalling!
In the real world, however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have internet access, or you may simply not trust some of your
apps or users.
In these situations you might benefit from using a firewall.</para>
<para>Don't assume, however, that having a firewall makes careful
configuration redundant, nor that it makes any negligent
misconfiguration harmless, nor that it prevents anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>
<title>Meaning of the word firewall.</title>
<para>The word firewall can have several different meanings.</para>
<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
<para>This is a setup or program, for Windows commercially sold by
companies such as Symantec, which they claim or pretend secures
a home or desktop PC with internet access. This topic is
highly relevant for users who do not know the ways their computers
might be accessed via the internet and how to disable these,
especially if they are always online and if they are connected via
broadband links.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the internet and an intranet.
To minimize the risk of compromising the firewall itself it
should generally have only one role, that of protecting the intranet.
Although not completely risk-free, the tasks of doing the routing
and possibly IP masquerading<footnote><para>rewriting the IP headers
of the packets it routes from clients with private IP addresses onto
the internet so that they seem to come from the firewall
itself</para></footnote> are commonly considered harmless.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering a bunch of
services, e.g., web cache, mail, etc. This may be very commonly used
for home networks, but can definitely not be considered secure
anymore, because combining server and router on one machine raises
the complexity of the setup.</para></sect3>
<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IPs and a physically
separated structure, is considered to be part of neither the internet nor the
intranet. These servers are those which must be easily accessible
from both the internet and the intranet. The firewall protects
them all.</para></sect3>
<sect3><title>Packet filter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
<para>Doing routing or masquerading, but permitting only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>
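As an added illustration (not part of the BLFS text or of any firewall tool), the following Python model shows the two mechanisms this section describes: the masquerading router, which rewrites the source of packets leaving the intranet so they appear to come from the firewall and undoes the rewrite for the replies, and the packet filter, which admits only selected services, some of them only from selected internal boxes. All addresses, ports and the table of permitted services are constructed for the example.

```python
"""Toy model of a masquerading router combined with a packet filter.
Added illustration with constructed addresses and services; it models
the header rewriting and the selective-access policy described in the
text, not the behaviour of any real kernel or firewall package."""
from dataclasses import dataclass, replace
from itertools import count

INTRANET = "192.168.1."           # constructed private prefix
FIREWALL_PUBLIC = "203.0.113.10"  # constructed public address of the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class MasqRouter:
    """Outbound packets get the firewall's address as source; replies are
    mapped back to the client; anything not explicitly allowed is dropped."""
    def __init__(self, allowed):
        # allowed: {destination port: set of internal hosts permitted to use it}
        # An empty set means "any internal host may reach this service".
        self.allowed = allowed
        self.nat = {}              # masqueraded port -> (client, client port, server)
        self.ports = count(40000)  # source ports the firewall hands out

    def outbound(self, pkt):
        if not pkt.src.startswith(INTRANET):
            return None            # not from the intranet: drop
        hosts = self.allowed.get(pkt.dport)
        if hosts is None or (hosts and pkt.src not in hosts):
            return None            # service not permitted for this box
        mport = next(self.ports)
        self.nat[mport] = (pkt.src, pkt.sport, pkt.dst)
        return replace(pkt, src=FIREWALL_PUBLIC, sport=mport)

    def inbound(self, pkt):
        entry = self.nat.get(pkt.dport)
        # Only replies to connections the firewall opened get through.
        if pkt.dst != FIREWALL_PUBLIC or entry is None or entry[2] != pkt.src:
            return None
        client, cport, _ = entry
        return replace(pkt, dst=client, dport=cport)
```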