Linux Firewalls

Posted: 26th July 2010 by admin in Linux

Packet filtering firewall:

Linux ipchains implements a packet filtering firewall and can be considered medium security if implemented properly.  A packet filtering firewall looks at each packet individually; it does not (cannot) consider any previous packets which may be part of a multiple-packet transaction.  In other words, a packet filtering firewall is stateless.

ipchains firewall (minimal survival rules):

No time to do it properly?  Want to get on-line fast?  Here is a minimal ipchains rule-set for Linux kernels 2.2.x.  But don’t trust me!  Once you have it installed, test it here.  At the time of writing the latest kernel was 2.2.16; the information provided here has been tested with this kernel.  The intention of providing this rule-set is to allow you to get on-line quickly while providing you with basic security until you have had time to implement something better.

No attempt has been made to optimize the rule-set.  It is quite conceivable that you can re-order the rules or even reduce the number of rules – feel free to do that if you want to.  However, ipchains are quite efficient.  Each rule only takes a few microseconds to traverse, so there is not much to be gained unless you have lots of rules, e.g. hundreds.

I am planning on putting a more elaborate ruleset here (the one I use on my own firewall) once I get around to cleaning it up.    :-)

Stateful Firewalls:

A more secure solution can be provided by a stateful firewall.  Such a firewall knows about many different protocols and it can look at the context of each packet and then filter according to that.  Linux kernels 2.4.x have Netfilter, which allows you to implement a stateful firewall.
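
The difference between the two approaches, as an added example that is not part of the original post and is not ipchains or Netfilter code: a simplified Python model in which a stateless rule and a connection-tracking filter judge the same constructed packets. The names `Packet`, `stateless_accept`, `StatefulFilter` and `compare`, the addresses, and the rule itself (refuse inbound SYN-only packets) are assumptions made for illustration.

```python
from collections import namedtuple

# flags is the set of TCP flags carried by the packet, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE = "192.168.1.10"  # constructed address of the protected host

def stateless_accept(pkt):
    """Judge this packet alone, as a stateless packet filter must."""
    if pkt.src == INSIDE:
        return True  # outbound traffic is allowed
    # Inbound: refuse connection attempts (SYN without ACK) and accept the
    # rest, since a reply to our own connection looks like any other
    # non-SYN packet when earlier packets are not remembered.
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)

class StatefulFilter:
    """Remembers connections opened from inside; accepts only their replies."""
    def __init__(self):
        self.connections = set()

    def accept(self, pkt):
        if pkt.src == INSIDE:
            if pkt.flags == {"SYN"}:  # new outbound connection: record it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: accept only the reverse direction of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def compare(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet sequence."""
    stateful = StatefulFilter()
    return ([stateless_accept(p) for p in packets],
            [stateful.accept(p) for p in packets])

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet(INSIDE, 40000, "198.51.100.5", 80, {"SYN"}),         # we connect out
    Packet("198.51.100.5", 80, INSIDE, 40000, {"SYN", "ACK"}),  # server's reply
    Packet("203.0.113.9", 80, INSIDE, 40001, {"ACK"}),          # unsolicited
    Packet("203.0.113.9", 1234, INSIDE, 22, {"SYN"}),           # inbound connect
]

if __name__ == "__main__":
    for pkt, old, new in zip(SAMPLE, *compare(SAMPLE)):
        print(pkt.src, "->", pkt.dst, sorted(pkt.flags),
              "stateless:", old, "stateful:", new)
```

The third packet is the one that separates the two: the stateless rule accepts it because it is not a connection attempt, while the tracking filter drops it because no inside host opened that connection.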

A commercial, stateful firewall with a usable, free, limited edition is the Gnatbox.

A proxy server does essentially the same thing as a stateful firewall for the protocol it is designed for, but the design motivation for a proxy server may not be security. It could be performance (squid) or to block obnoxious material (junkbuster). “Socks” is a proxy server designed as a security measure; I found it to be unsatisfactory on my system, but YMMV.

Layered security:

It is common knowledge that several layers of security are better than one.  What sometimes is not so clear is that more of the same is not necessarily better, e.g. two identical firewalls are not much more secure than a single firewall.  The basic idea of multiple layers is to have something like this:

1st layer: Packet filtering firewall.  Non-essential services removed.
2nd layer: Logging to a separate host or a printer (hardcopy).  Intrusion detection installed.
3rd layer: Where appropriate, servers installed in a chrooted “jail”.  Telnet, ftp and other programs which transmit passwords in clear text eliminated or tunneled through a secure channel.
4th layer: Security-conscious installation of client software, e.g. no suid-root clients.

Do I use all of those?  No, only about two thirds of this.  It is up to you to judge how much security is appropriate and if the effort and cost is worth the benefit for you.

Firewall Related Links

Cut-down versions of Linux.  Optimized as routers and/or firewalls:
  • Floppy Firewall
  • Tom’s rtbt: not a firewall, but a single floppy Linux system, links to similar systems.

Hardening system for various Linux distros:
  • Bastille Linux

A commercial firewall, and a limited but still useful, no-cost version:
  • GNAT Box – The Simple Powerful and Affordable Firewall

Port Scanning Services:
  • Norton Online Systems (good)

Intrusion Detection:
  • Tripwire
  • Snort!

Secure Servers and Clients:

Get rid of telnet and ftp.  Use ssh, scp, rsync instead.

  • OpenSSH: Excellent implementation of ssh1 and ssh2.
  • rsync can be used with ssh.  It is a really useful utility to keep directories on a remote host in sync with the local version, or vice versa.  Also uses compression and does incremental updates.  Hint: explore ssh-agent (part of ssh).

Other useful information:
  • – Search any domain name in the world!