[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: firewall (fwd)

debian-isp@ghost.net.cfw.com wrote:
> Has anyone found making a debian machine with firewall support useful?

Yes, very much so

> What are firewalls useful for? Do they simply prevent packets from passing
> through the firewall into the rest of the network?

It depends. "Firewall" can mean different things:
It may be a packet filtering firewall which does what you think it does.
This functionality is built into the kernel (needs a recompile,
probably). The interface to change its behavior is ipchains (for the
2.2.x-kernel, 2.0.x and 2.4.x use other means), i.e. you write a shell
script that gets executed in a runlevel, which sets your config.
Another type of firewall is a proxying firewall. There is a package
called SOCKS that does this (maybe others too). Proxies work on the
application level, IIRC, and so can know things that apacket filtering
firewall can't know. They need the ability to use the proxy compiled
into client programs too, though.

> Would a firewall
> necessarly have to be also configured to be a router?

Again, it depends. A proper firewall should be a standalone machine
without user accounts, without network services running and with as
little SW as possible installed (no compilers, ...). If behind the
firewall you have a network then, yes, it can do routing, too. It can
also do IP masquerading. Note that there are much more sophisticated
setups with "demilitarized zones" around the firewall and all kinds of
stuff. What to build depends on your security requirements.

OTOH, you can have packet filtering enabled on a standalone workstation
with dial-up or cable/dsl access. No routing in this case, of course.
This way, you at least can stay out of random script-kiddie portscans
(or your cable provider's scans). It's also great to be able to control
what's allowed to go /out/, e.g., when you're configuring network stuff
and don't want your MTA to send mail to root@your.isp instead to
root@localhost :o)

Note that you should never rely on firewall security alone, but have
your services configured properly, too (tcp wrappers, etc.). You don't
want your machines completely open when the firewall is compromised.

> Any info you guys
> can provide would be useful. I was thinking about making one of my debian
> machies a firewall, but don't really know what I would do with it:)

I recommend the book Linux Firewalls by Robert L. Ziegler, New Riders,
ISBN 0-7357-0900-9. He has also a webpage
http://www.linux-firewall-tools.com/ with lots of info and a nifty tool
where you answer questions and it will generate a firewall script for
you. If you're security requirements are modest, this is maybe all you
need. There are other books too, like Building OpenBSD and Linux
Firewalls (IIRC), but I don't know them.

There are also some GUI firewall tools for gnome, like firestarter and
others (see www.gnome.org), probably for KDE, too. Note, however, that
at least firestarter is AFAIK made to work with RedHat, so it needs a
bit tweaking to work with the debian way of init.

Very good reading is also Securing and Optimizing Linux,
http://www.openna.com/books/book.htm Note that it's for RedHat, but it's
easy to apply it to debian

A nice exercise is to scan/attack your machine/network from the outside
before and after the firewall is in place. If you're lazy ;o) a quick
way to get a portscan on the well known ports done is to use Shields Up!
at http://www.grc.com/ (disable your isp's proxy in your browser
settings before, otherwise not you but your isp's proxy will be
scanned!). You want it to report "stealth" for every port you don't need
available from the outside

Hope this helps (well, I'm sure)

I did not vote for the Austrian government

Linux: The choice of a GNU generation. Visit http://www.gnu.org/

Reply to: