Linux can also be used as a full-featured utility to protect your internal network.
There are currently several firewall systems that run on Linux. Packet filters, application gateways (proxy gateways), IP masquerading, Network Address Translation (NAT), as well as IP accounting are all available on Linux.
Firewalls are a means of restricting what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local network, and the only access from your network to the Internet is through the firewall. A firewall is not just a program that runs on a Linux box. A firewall establishes a perimeter that controls all entry and exit points to your internal network. The strongest firewall won't protect you from a modem on one of the PCs inside your network.
There are a number of types and methods of setting up firewalls. Linux machines make pretty good low-cost firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tool configures the kernel-based packet filtering, allowing you to change what types of network traffic you allow on the fly. You can also log particular types of network traffic.
Firewalls are a very useful and important technique in securing your network. It is important to realize that you should never think that because you have a firewall, you don't need to secure the machines behind it. This is a fatal mistake.
It is important that you are familiar not only with the methods in which you can configure a firewall, but also with which type of firewall gets used in which situation. This document, http://www.sunworld.com/swol-01-1996/swol-01-firewall.html, is an excerpt from the O'Reilly book Building Internet Firewalls, which is practically mandatory reading if you've never worked with firewalls before.
There are, however, several very well written documents available on the Internet, including some of these:
There is also a wealth of Linux-specific firewall-related material available. Some of them are on very specific topics, but others are excellent general overviews, written to address problems with documenting the proper procedures to use the tools Linux has available. Some of the documents you should check out include:
ipfwadm(8) is available here http://linux.samiam.org/firewall.html and should be read in conjunction with the Firewall-HOWTO.
You can find some general ipfwadm(8) examples, as well as a security overview, in two parts, at:
The most full-featured firewall available for Linux is the Firewall Toolkit (FWTK), written by Trusted Information Systems. Their web page states: The TIS Internet Firewall Toolkit is a set of programs and configuration practices designed to facilitate the building of network firewalls. Components of the toolkit, while designed to work together, can be used in isolation or can be combined with other firewall components. The toolkit software is designed to run on UNIX systems using TCP/IP with a Berkeley-style ``socket'' interface. You can find an overview of its features, a description of how it works, and the source code itself at http://www.tis.com/prodserv/fwtk/fwtkoverview.html. Trusted Information Systems, now really Network Associates http://www.nai.com/, has some generally good information also on their web site.
You can download the source for the Firewall Toolkit at ftp://ftp.tis.com/pub/firewalls/toolkit/fwtk-v1.3.tar.Z. The documentation may be downloaded separately from ftp://ftp.tis.com/pub/firewalls/toolkit/fwtk-doc-only.tar.Z.
The Linux Journal wrote an excellent article on configuring the Firewall Toolkit in their Issue 25. The transcript of that article is available at http://www.ssc.com/lj/issue25/1204.html
Additionally, it may be necessary to patch the downloaded version of the Firewall Toolkit. You can find these patches at ftp://ftp.tisl.ukans.edu/pub/security/firewalls/fwtkpatches.tgz
The ipfwadm(8) tool is used to build packet filtering rules on the 2.0 series kernels. With this tool, you can accept or deny packets based on their source or destination address, port number, or protocol (TCP, UDP, and ICMP), as well as monitor the number of packets and bytes transferred. You can find a well-written document on implementation, and the source code, at http://www.xos.nl/linux/ipfwadm/. Your Linux vendor should also have included the latest version with your distribution.
The Linux Firewall HOWTO is also available, with some sample implementations and brief descriptions. You can find the Firewall-HOWTO at http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html. It is intended to be used with ipfwadm(8).
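As an added example (not from the original document, the Firewall-HOWTO or the ipfwadm distribution), here is a small rule script for a 2.0-kernel perimeter host in the style the text describes: default-deny policies, an anti-spoofing rule with logging, trusted loopback and LAN interfaces, TCP replies admitted with the ACK-set (-k) match, and an accounting rule for the one exposed service. The interface names, addresses, the name server and the fw() dry-run wrapper are assumptions constructed for illustration. With DRY_RUN left at its default of 1 the script only prints the rules, which is how one reviews a rule set before applying it as root with DRY_RUN=0:

```shell
#!/bin/sh
# Added example (not from the original document): a minimal ipfwadm(8)
# rule set for a 2.0-kernel perimeter host. All addresses and interface
# names below are constructed for illustration.
#
# Assumed layout (constructed):
#   eth0 = external interface, 203.0.113.2
#   eth1 = internal interface, 192.168.1.1, LAN 192.168.1.0/24
EXT_IF=eth0
EXT_IP=203.0.113.2
INT_IF=eth1
INT_NET=192.168.1.0/24
DNS_SERVER=203.0.113.53
ANY=0.0.0.0/0

# DRY_RUN=1 (the default) prints each command instead of executing it,
# so the rule set can be read, or checked by a script, before it is loaded.
DRY_RUN=${DRY_RUN:-1}

fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfwadm $*"
    else
        ipfwadm "$@"
    fi
}

ipfwadm_rules() {
    # Start from a clean slate: flush the input, output and forwarding
    # chains, then make "deny" the default policy on each of them.
    fw -I -f
    fw -O -f
    fw -F -f
    fw -I -p deny
    fw -O -p deny
    fw -F -p deny

    # Anti-spoofing: a packet arriving on the external interface must never
    # carry an internal source address. Deny it and log it (-o).
    fw -I -a deny -W "$EXT_IF" -S "$INT_NET" -D "$ANY" -o

    # Loopback and the internal LAN are trusted in both directions.
    fw -I -a accept -W lo -S "$ANY" -D "$ANY"
    fw -O -a accept -W lo -S "$ANY" -D "$ANY"
    fw -I -a accept -W "$INT_IF" -S "$INT_NET" -D "$ANY"
    fw -O -a accept -W "$INT_IF" -S "$ANY" -D "$INT_NET"

    # TCP from the firewall itself may leave; only packets with ACK set
    # (-k) may come back in, so new connections cannot be opened from
    # outside except where a later rule allows them.
    fw -O -a accept -W "$EXT_IF" -P tcp -S "$EXT_IP" -D "$ANY"
    fw -I -a accept -W "$EXT_IF" -P tcp -S "$ANY" -D "$EXT_IP" -k

    # UDP has no ACK bit, so DNS needs an explicit rule for each direction,
    # pinned to the one name server this host is allowed to talk to.
    fw -O -a accept -W "$EXT_IF" -P udp -S "$EXT_IP" -D "$DNS_SERVER" 53
    fw -I -a accept -W "$EXT_IF" -P udp -S "$DNS_SERVER" 53 -D "$EXT_IP"

    # SMTP is the only service exposed to the Internet. Count new
    # connections (-y: SYN set, ACK clear) in the accounting chain so the
    # packet and byte totals can be read back with "ipfwadm -A -l".
    fw -I -a accept -W "$EXT_IF" -P tcp -S "$ANY" -D "$EXT_IP" 25
    fw -A -a -W "$EXT_IF" -P tcp -S "$ANY" -D "$EXT_IP" 25 -y

    # Everything else falls through to the deny policies set above.
}

ipfwadm_rules
```

Rules are consulted in the order they were appended, so the anti-spoofing deny must precede the accept rules for the external interface. The -k match is the only connection tracking a 2.0 kernel offers: it admits any TCP packet with ACK set, which is why the script keeps the inbound TCP rule tied to the firewall's own address rather than to the whole LAN.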
In addition to the kernel-based packet filter for the 2.0 kernel series, there is also IP Chains, which is a complete rewrite of the code used by the ipfwadm(8) utility. The IP Chains package is also available for the 2.0 kernels, but only with a kernel patch. It is primarily intended to be used with the 2.1 and 2.2 stable kernels when they are released. Quoting Paul Russell, [email protected], it was written because ``The current Linux firewalling code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some strange quirks, and can be tough to manage (making it prone to user error).''
More information on IP Chains can be found at
which is an introduction to what it can do and how to use it. There are also tips on converting your old ipfwadm(8) rules to the new program and format.
The sf Firewall is a TCP/IP packet filter with quite a few features. Quoting from their web site, ``In addition to a human-readable configuration language, we implemented dynamic rules, variables and time-outs, extensive logging, alerting and counter intelligence, RIP, FTP, ICMP, IGMP, UDP and TCP filtering and offer control of all IP fields. The firewall also prevents packet address spoofing.''
It is available at http://www.ifi.unizh.ch/ikm/SINUS/firewall.html. You can find the documentation and quite a few configuration examples at http://www.ifi.unizh.ch/ikm/SINUS/sf-doc/.
Linux also supports masquerading of IP packets. With this ability, and using the ipfwadm(8) tool, all packets being forwarded through a Linux box have their source address translated to the IP address of the Linux box. On the packet's return trip, the proper address gets substituted into the translated address, and delivered to the proper host.
Not only does this conceal the hosts behind the Linux box, it also has the advantage of conserving registered IP addresses: only a single registered address, the one on the Linux box, is needed.
Masquerading is typically used for a home network, to allow both your Windows machine and your Linux box to use the same dialup connection. It can also be used on your firewall to provide security for the hosts behind the Linux box and, as previously stated, to conserve registered IP addresses, in an attempt to ease the address space problem the Internet is currently suffering from.
More information can also be found in the IP-Masquerade mini-howto, available at http://sunsite.unc.edu/LDP/HOWTO/mini/IP-Masquerade.html and the IP Masquerading home page, available at http://ipmasq.home.ml.org/
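As an added example (not from the original document or the IP-Masquerade mini-HOWTO), here is the masquerading gateway just described, written once in ipfwadm(8) syntax for 2.0 kernels and once in ipchains syntax for 2.2 kernels, which also illustrates the ipfwadm-to-ipchains conversion mentioned in the IP Chains section above. The interface name, the private network and the run() dry-run wrapper are assumptions constructed for illustration; with DRY_RUN at its default of 1 the script prints the commands rather than executing them:

```shell
#!/bin/sh
# Added example (not from the original document): one masquerading policy
# expressed in ipfwadm (2.0 kernels) and ipchains (2.2 kernels) form.
# Interface name and addresses are constructed for illustration.
EXT_IF=eth0                # dialup / Internet side
INT_NET=192.168.1.0/24     # private LAN behind the Linux box
ANY=0.0.0.0/0

# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The kernel does not forward packets between interfaces until told to;
# both variants need this switch turned on.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# 2.0 kernels: flush the forwarding chain, default-deny it, masquerade
# ("m") only packets whose source is the private LAN, and deny (with
# logging, -o) anything arriving on the external interface that claims a
# private source address.
masq_ipfwadm() {
    enable_forwarding
    run ipfwadm -F -f
    run ipfwadm -F -p deny
    run ipfwadm -F -a m -S "$INT_NET" -D "$ANY"
    run ipfwadm -I -a deny -W "$EXT_IF" -S "$INT_NET" -D "$ANY" -o
}

# 2.2 kernels: the same policy in ipchains form. In the forward chain -i
# names the interface the packet will leave on, so masquerading is tied to
# the external interface; -l logs the denied spoofed packets.
masq_ipchains() {
    enable_forwarding
    run ipchains -F forward
    run ipchains -P forward DENY
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
}

echo "# ipfwadm form (2.0 kernels)"
masq_ipfwadm
echo "# ipchains form (2.2 kernels)"
masq_ipchains
```

The conversion is mostly mechanical: the -F chain becomes "forward", the -I chain becomes "input", the policy "m" becomes the MASQ target, -S/-D become -s/-d, and the logging flag changes from -o to -l. The anti-spoofing rule matters in both forms, because a masquerading host that accepts packets with internal source addresses from the outside would happily forward them into the LAN as if they were replies.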
Linux also implements Network Address Translation (NAT), which is another method of masquerading a number of hosts behind one IP address (called m:1 translation), but is far more advanced. It includes m:1 translation (that is, it translates m hosts to 1 address), m:n translation with m != n, referred to as dynamic NAT, as well as m=n translation, referred to as static NAT.
Michael Hasenstein, [email protected] has written some excellent documentation, which explains each aspect very clearly, including how and why he wrote it, and is available at http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html