
12. Firewalls and Border Patrol

Linux can also be used as a full-featured utility to protect your internal network.

There are currently several firewall systems that run on Linux. Packet filters, application gateways (proxy gateways), IP masquerading, Network Address Translation (NAT), as well as IP accounting are all available on Linux.

Firewalls are a means of restricting what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local network, and the only access from your network to the Internet is through the firewall. A firewall is not just a program that runs on a Linux box. A firewall establishes a perimeter that controls all entry and exit points to your internal network. The strongest firewall won't protect you from a modem on one of the PCs inside your network.

There are a number of types and methods of setting up firewalls. Linux machines make pretty good low cost firewalls. Firewall code can be built right into 2.0 and higher kernels. The ipfwadm(8) user space tool configures the kernel-based packet filtering, allowing you to change what types of network traffic you allow on the fly. You can also log particular types of network traffic.

Firewalls are a very useful and important technique in securing your network. It is important to realize that you should never think that because you have a firewall, you don't need to secure the machines behind it. This is a fatal mistake.

12.1 Introduction

It is important that you are familiar not only with the methods by which you can configure a firewall, but also with which type of firewall is appropriate in which situation. This document is an excerpt from the O'Reilly book Building Internet Firewalls, which is practically mandatory reading if you have never worked with firewalls before.

There are, however, several very well written documents available on the Internet, including some of these:

12.2 General Documentation

There is also a wealth of Linux-specific firewall-related material available. Some of them are on very specific topics, but others are excellent general overviews, written to address problems with documenting the proper procedures to use the tools Linux has available. Some of the documents you should check out include:

12.3 The Firewall Toolkit

The most full-featured firewall available for Linux is the Firewall Toolkit (FWTK), written by Trusted Information Systems. Their web page states: ``The TIS Internet Firewall Toolkit is a set of programs and configuration practices designed to facilitate the building of network firewalls. Components of the toolkit, while designed to work together, can be used in isolation or can be combined with other firewall components. The toolkit software is designed to run on UNIX systems using TCP/IP with a Berkeley-style `socket' interface.'' You can find an overview of its features, a description of how it works, and the source code itself at Trusted Information Systems. Trusted Information Systems, now part of Network Associates, also has some generally good information on their web site.

You can download the source for the Firewall Toolkit at The documentation may be downloaded separately from

The Linux Journal wrote an excellent article on configuring the Firewall Toolkit in their Issue 25. The transcript of that article is available at

Additionally, it may be necessary to patch the downloaded version of the Firewall Toolkit. You can find these patches at

12.4 Packet Filtering and Accounting

The ipfwadm(8) tool is used to build packet filtering rules on the 2.0 series kernels. With this tool, you can accept or deny packets based on their source or destination address, port number, or protocol (TCP, UDP, or ICMP), and you can also count the number of packets and bytes transferred. You can find a well-written document on its implementation, and the source code, at Your Linux vendor should also have included the latest version with your distribution.
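As an added illustration of the two jobs described above (not a script from the HOWTO or from the ipfwadm distribution), here is an ipfwadm(8) ruleset for a 2.0-series kernel sitting between a LAN and the Internet, with a default-deny packet filter and a few accounting rules. The interface names (eth0, eth1) and the LAN prefix (192.168.1.0/24) are assumptions for illustration; the DRY_RUN wrapper is a convenience added here so the rules can be previewed before they are loaded into the kernel.

```shell
#!/bin/sh
# Added example: ipfwadm(8) packet filter and accounting rules for a 2.0 kernel.
# Interface names and the LAN prefix below are assumptions, not values from the HOWTO.
EXT_IF=eth0              # assumed: interface facing the Internet
INT_IF=eth1              # assumed: interface facing the LAN
LAN=192.168.1.0/24       # assumed: private network behind the firewall

# Wrapper so the ruleset can be previewed (DRY_RUN=1) before it is loaded.
fw() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ipfwadm %s\n' "$*"; else ipfwadm "$@"; fi
}

# Packet filter: default deny on the input, output and forwarding chains, then
# explicit holes. ipfwadm evaluates rules in order and the first match wins.
packet_filter_rules() {
    fw -I -f                       # flush all three chains first
    fw -O -f
    fw -F -f
    fw -I -p deny                  # default policies: nothing passes unless listed
    fw -O -p deny
    fw -F -p deny
    fw -I -a accept -W lo          # loopback traffic is always fine
    # Anti-spoofing: a packet claiming a LAN source must never arrive on the
    # outside interface. Deny it and log it (-o); logged hits are a useful signal.
    fw -I -a deny -W "$EXT_IF" -S "$LAN" -o
    fw -I -a accept -W "$INT_IF" -S "$LAN"     # anything from the LAN side
    # From the Internet accept only TCP packets with ACK set (-k), i.e. replies
    # to connections opened from inside. A bare SYN can never get through.
    fw -I -a accept -W "$EXT_IF" -P tcp -k
    fw -I -a accept -W "$EXT_IF" -P udp -S 0.0.0.0/0 53   # DNS answers
    fw -I -a accept -W "$EXT_IF" -P icmp                  # ICMP (narrow this if you can)
    # Inbound telnet connection requests (-y: SYN only) are denied by the
    # default policy anyway; this rule exists so they are logged.
    fw -I -a deny -W "$EXT_IF" -P tcp -y -D 0.0.0.0/0 23 -o
    fw -O -a accept                # let the firewall host itself send anything
    # Forwarding stays at default deny: the LAN reaches nothing until a
    # separate masquerading or forwarding rule is added.
}

# Accounting: count packets and bytes crossing the outside interface. Read the
# counters with "ipfwadm -A -l -e" and reset them with "ipfwadm -A -z".
accounting_rules() {
    fw -A -f
    fw -A both -a -W "$EXT_IF"                          # everything in and out
    fw -A in -a -W "$EXT_IF" -P tcp -D 0.0.0.0/0 25     # inbound SMTP separately
}

# Without --apply the script only prints the ruleset it would load.
case "${1:-}" in
    --apply) DRY_RUN=0 ;;
    *)       DRY_RUN=1 ;;
esac
packet_filter_rules
accounting_rules
```

Run it once without arguments to review the generated commands, then with `--apply` as root to load them. The order matters: the anti-spoofing deny is placed before the rule that accepts LAN sources, and the default policies are set before any accept rule, so there is no window during loading in which the host is open.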

The Linux Firewall HOWTO is also available for some sample implementations and brief descriptions. You can find the Firewall-HOWTO at It is intended to be used with ipfwadm(8).

In addition to the kernel-based packet filter for the 2.0 kernel series, there is also IP Chains, a complete rewrite of the code behind the ipfwadm(8) utility. IP Chains is also available for the 2.0 kernels, but only with a kernel patch; it is primarily intended for the 2.1 series and for the 2.2 stable kernels when they are released. Quoting Paul Russell, the author ([email protected]), it was written because ``The current Linux firewalling code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some strange quirks, and can be tough to manage (making it prone to user error).''

More information on IP Chains can be found at which is an introduction on what it can do, and how to use it. There are also tips on converting your old ipfwadm(8) rules to use the new program and format.
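To make the quoted shortcomings concrete, here is an added example (not from the HOWTO, the IP Chains documentation or its author) that expresses an external-interface policy with ipchains and uses three of the features ipfwadm lacks: inverse rules (`!`), matching of non-first fragments (`-f`), and loading a whole ruleset atomically by building it in a user-defined chain and switching to it with a single insert. The interface name, the firewall's own address (198.51.100.2) and the chain names are assumptions; the DRY_RUN wrapper is a preview convenience added here.

```shell
#!/bin/sh
# Added example: an ipchains ruleset showing inverse rules, fragment matching
# and atomic ruleset replacement. All addresses and names are assumptions.
EXT_IF=eth0              # assumed: interface facing the Internet
EXT_ADDR=198.51.100.2    # assumed: the firewall's own registered address

# Preview wrapper: DRY_RUN=1 prints the commands instead of loading them.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ipchains %s\n' "$*"; else ipchains "$@"; fi
}

# Build the outside-interface policy in a fresh user-defined chain (ipchains
# chain names are limited to 8 characters). Nothing in it is live until the
# jump from the input chain is installed.
build_ext_chain() {
    chain=$1
    ipc -N "$chain"
    # Inverse rule: on the outside interface, anything NOT addressed to us is
    # not ours to handle (nothing is forwarded here). Log it and drop it.
    ipc -A "$chain" -d ! "$EXT_ADDR" -l -j DENY
    # Second and later fragments carry no port numbers, so ipfwadm could not
    # match them at all; ipchains can, and we refuse them outright.
    ipc -A "$chain" -f -j DENY
    # TCP that is not a connection request (! -y) is a reply to something
    # opened from inside, the equivalent of ipfwadm's -k.
    ipc -A "$chain" -p tcp ! -y -j ACCEPT
    ipc -A "$chain" -p udp -s 0.0.0.0/0 53 -j ACCEPT        # DNS answers
    ipc -A "$chain" -p icmp -j ACCEPT                       # narrow this if you can
    ipc -A "$chain" -p tcp -y -d 0.0.0.0/0 23 -l -j DENY    # log telnet attempts
    ipc -A "$chain" -j DENY                                 # everything else
}

# Replace the live policy with a freshly built chain. Packets only ever see the
# complete old chain or the complete new chain, never a half-loaded ruleset;
# this is the atomicity the quoted list says ipfwadm lacks.
swap_in() {
    new=$1
    old=$2
    build_ext_chain "$new"
    ipc -I input 1 -i "$EXT_IF" -j "$new"     # one insert makes the new chain live
    ipc -D input -i "$EXT_IF" -j "$old"       # then detach the old one ...
    ipc -F "$old"                             # ... and tear it down
    ipc -X "$old"
}

case "${1:-}" in --apply) DRY_RUN=0 ;; *) DRY_RUN=1 ;; esac
ipc -P input DENY                 # default policies, set before any accept rule
ipc -P forward DENY
ipc -P output ACCEPT
ipc -A input -i lo -j ACCEPT
build_ext_chain extA              # first load: build the chain ...
ipc -I input 1 -i "$EXT_IF" -j extA   # ... then make it live with one insert
```

On a later policy change you would call `swap_in extB extA` (and alternate the names thereafter) instead of flushing and rebuilding the input chain in place, which is exactly the non-atomic update the author complains about with ipfwadm.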

The sf Firewall is a TCP/IP packet filter with quite a few features. Quoting from their web site, ``In addition to a human-readable configuration language, we implemented dynamic rules, variables and time-outs, extensive logging, alerting and counter intelligence, RIP, FTP, ICMP, IGMP, UDP and TCP filtering and offer control of all IP fields. The firewall also prevents packet address spoofing.''

It is available at You can find the documentation and quite a few configuration examples at

12.5 Linux Firewall Tools

sonny/fwconfig/fwconfig.html

12.6 Proxy Servers

12.7 Masquerading and Address Translation

Linux also supports masquerading of IP packets. With this ability, configured using the ipfwadm(8) tool, all packets forwarded through a Linux box have their source address rewritten to the IP address of the Linux box. On the return trip, the original internal address is substituted back into the reply, which is then delivered to the proper host.

Not only does this hide which host behind the Linux box is actually talking, it also has the advantage of conserving registered IP addresses: only a single registered address, for the Linux box itself, is needed.

Masquerading is typically used on a home network, to allow both your Windows machine and your Linux box to share the same dialup connection. It can also be used on your firewall to provide security for the hosts behind the Linux box and, as previously stated, to conserve registered IP addresses, which helps with the address space shortage the Internet is currently suffering from.
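As an added example of the setup just described (not from the HOWTO or the IP-Masquerade documentation), the following turns a Linux box with a single registered address into a masquerading gateway for a private LAN using ipfwadm(8) on a 2.0-series kernel. The dialup interface name (ppp0), the LAN prefix (192.168.1.0/24) and the timeout values are assumptions; the DRY_RUN wrapper is a preview convenience added here, and the /proc switch for forwarding is only present on kernels that expose it (older 2.0 kernels need CONFIG_IP_FORWARD at build time).

```shell
#!/bin/sh
# Added example: ipfwadm(8) masquerading for a LAN behind one registered
# address. Interface name, LAN prefix and timeouts are assumptions.
EXT_IF=ppp0              # assumed: the dialup / Internet-facing interface
LAN=192.168.1.0/24       # assumed: private addresses that never appear on the Internet

# Preview wrapper: DRY_RUN=1 prints the commands instead of loading them.
fw() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ipfwadm %s\n' "$*"; else ipfwadm "$@"; fi
}

# Masquerade everything the LAN sends toward the Internet. The kernel rewrites
# the source address to this box's address on EXT_IF and keeps a table entry so
# the reply can be rewritten back and delivered to the originating host.
masquerade_rules() {
    fw -F -f
    fw -F -p deny                     # forward nothing by default
    # Only packets from the LAN that leave via EXT_IF are rewritten and
    # forwarded; any other forwarding attempt falls through to the deny policy.
    fw -F -a masquerade -W "$EXT_IF" -S "$LAN" -D 0.0.0.0/0
    # Idle timeouts (seconds) for table entries: TCP, TCP after FIN, UDP.
    fw -M -s 7200 10 160
}

# IP forwarding is off until switched on; without it the rule above never fires.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# List the active mappings: internal host/port, the port substituted for it,
# and the destination. Useful for seeing who is talking through the box.
show_table() {
    fw -M -l -n
}

case "${1:-}" in --apply) DRY_RUN=0 ;; *) DRY_RUN=1 ;; esac
masquerade_rules
enable_forwarding
```

Note that masquerading only covers the forwarding chain; the input-chain anti-spoofing rule (deny packets arriving on the outside interface that claim a LAN source) is still needed so that nobody on the Internet can inject packets that look like they came from behind the box.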

More information can also be found in the IP-Masquerade mini-howto, available at and the IP Masquerading home page, available at

Linux also implements Network Address Translation (NAT), another method of placing a number of hosts behind one IP address (called m:1 translation), but one that is far more advanced. It includes m:1 translation (that is, translating m hosts to 1 address), m:n translation with m != n, referred to as dynamic NAT, as well as m:n translation with m = n, referred to as static NAT.

Michael Hasenstein ([email protected]) has written some excellent documentation, which explains each aspect very clearly, including how and why he wrote it; it is available at
