Setting Up a Network Firewall

Introduction to Firewall Creation

The purpose of a firewall is to protect a computer or a network against malicious access. In a perfect world every daemon or service, on every machine, is perfectly configured and immune to security flaws, and all users are trusted implicitly to use the equipment as intended. However, this is rarely, if ever, the case. Daemons may be misconfigured, or updates may not have been applied for known exploits against essential services. Additionally, you may wish to choose which services are accessible by certain machines or users, or you may wish to limit which machines or applications are allowed external access. Alternatively, you simply may not trust some of your applications or users. For these reasons, a carefully designed firewall should be an essential part of system security.

While a firewall can greatly limit the scope of the above issues, do not assume that having a firewall makes careful configuration redundant, or that any negligent misconfiguration is harmless. A firewall does not prevent the exploitation of any service you offer outside of it. Despite having a firewall, you need to keep applications and daemons properly configured and up to date.

Meaning of the Word "Firewall"

The word firewall can have several different meanings.

Personal Firewall

This is a hardware device or software program, intended to secure a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.

An example configuration for a personal firewall is provided at Creating a Personal Firewall With iptables.

Masquerading Router

This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk-free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.

Example configurations for a masquerading firewall are provided at Creating a Masquerading Router With iptables and Creating a Masquerading Router With nftables.

BusyBox

This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but also offering non-firewall services such as a web cache or mail. This may be used for home networks, but it is not to be considered as secure as a firewall-only machine, because combining a server and a router/firewall on one machine raises the complexity of the setup.

An example configuration for a BusyBox is provided at Creating a BusyBox With iptables.

Firewall with a Demilitarized Zone

This type of firewall performs masquerading or routing, but grants public access to some branch of your network that is physically separated from your regular intranet and is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.

Packetfilter

This type of firewall does routing or masquerading but does not maintain a state table of ongoing communication streams. It is fast but quite limited in its ability to block undesired packets without blocking desired packets.
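As an added illustration of the masquerading router, the demilitarized zone and the stateful/stateless distinction described above, here is an nftables ruleset (written for this page, not one of the BLFS example configurations linked above). The interface names eth0 (Internet), eth1 (intranet) and eth2 (DMZ), and the private address ranges, are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not BLFS's own configuration. Assumed interfaces:
# eth0 = Internet, eth1 = intranet, eth2 = DMZ; addresses are constructed.
flush ruleset

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define LAN_NET = 192.168.1.0/24
define DMZ_NET = 192.168.2.0/24
define DMZ_WEB = 192.168.2.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # the state table a plain packet filter lacks: accept only
        # replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # the firewall itself is reachable by SSH from the intranet only
        iifname $LAN tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the intranet may open connections to the Internet and to the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept
        # Internet clients may reach the DMZ web server on 80/443 only
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
        # nothing else, so a compromised DMZ host cannot reach the intranet
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish the DMZ web server on the firewall's public address
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerading: rewrite private source addresses to the firewall's
        # own so that replies from the Internet come back here
        oifname $WAN ip saddr { $LAN_NET, $DMZ_NET } masquerade
    }
}
```

Load it with nft -f; forwarding between the interfaces additionally requires net.ipv4.ip_forward=1 in sysctl.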

Conclusion

Caution

The example configurations provided for iptables-1.8.3 and nftables-0.9.2 are not intended to be a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The configurations provided by BLFS are intended only to give examples of how a firewall works. They are not intended to fit any particular configuration and may not provide complete protection from an attack.

BLFS provides two utilities to manage the kernel Netfilter interface, iptables-1.8.3 and nftables-0.9.2.

iptables-1.8.3 has been around since the early 2.4 kernels, and has been the standard since. If you do not plan to use a configuration utility, this is likely the set of tools that will be most familiar to existing admins.

nftables-0.9.2 is the successor to iptables-1.8.3 and provides all of the same functionality with a single userspace tool, nft, that uses syntax similar to BSD's pf utility, and may be easier for new users or for admins already familiar with that platform.

While both can be used in tandem, that is an advanced configuration and you should decide on one or the other. Both pages include very simple example configurations, and customization of the provided configurations for your specific environment will be necessary if you elect to use either without a configuration tool.

Additionally, a firewall management tool, firewalld-0.7.2, is provided to greatly ease firewall configuration for both simple and complex environments, and can be used with either tool. You should not use the example configurations if you intend to use firewalld to manage your firewall rules.

If you elect to configure manually, have a look at the list of further reading below for more details. Here you will find a list of URLs that contain comprehensive information about building firewalls and further securing your system.

Extra Information

Last updated on 2019-10-25 01:28:45 -0500