<html>
<head>
<link href="../lg.css" rel="stylesheet" type="text/css" media="screen, projection"  />
<title>A Bare-Bones Guide to Firewalls LG #103</title>

<style type="text/css" media="screen, projection">
<!--


.articlecontent {
	position:absolute;
	top:143px;
}


-->
</style>


</head>

<body>


<img src="../gx/2003/newlogo-blank-200-gold2.jpg" id="logo" alt="Linux Gazette"/>
<p id="fun">...making Linux just a little more fun!</p>


<div class="content articlecontent">

<div id="previousnexttop">
<A HREF="venter.html" >&lt;-- prev</A> | <A HREF="odonovan.html" >next --&gt;</A>
</div>



<h1>A Bare-Bones Guide to Firewalls</h1>
<p id="by"><b>By <A HREF="../authors/murray.html">John Murray</A></b></p>

<p>
<h3>An Overview for Home Computer Users</h3>

<p>Security is an issue that every Internet-connected user needs
to consider. Attackers are using increasingly sophisticated tools
to attempt to access our computers, and unfortunately they
sometimes succeed. Denial of service attacks, worms, viruses,
data theft and plain old vandalism are common, and chances are
that if you haven't yet been affected, you know someone who has.
Even home dial-up users should be aware of the risks. Firewalling
is one of the primary tools for controlling computer security,
and in this article I'll try to explain what a firewall is and
what it does, without getting bogged down in too much technical
jargon. So do <i>you</i> need a firewall? If you connect to the
'net, even via dial-up, the answer is probably yes.

<h3>Who This Article Is For</h3>

<p>It's for ordinary users who run Linux on their home computers,
and who'd like to improve their security without having to wade
through reams of documentation. I've tried to write in plain
English, keeping it as simple as possible. As a result, this
article only just scratches the surface of Linux firewalling, and
the areas I've covered are somewhat oversimplified. Hopefully
though, there'll be enough detail to get you started.

<p>Whatever you do, don't think that just because you are using
Linux that you'll be safe - sure, you'll be immune to most of the
worms and viruses out there, but that doesn't mean your machine
won't get "owned". And let's face it; some Linux distros
as-installed are as insecure as MS Windows...

<h3>Firewalls - What They Are and What They Do</h3>

<p>Originally, the term Firewall was used to describe a wall
isolating one section of a building from another in case of fire.
In a computing environment, a firewall performs a similar
protective and isolating function, and forms a sort of security
gate between your computer and the Internet.

<p>Firewalls can take a variety of physical forms, using both
hardware and/or software. They can be dedicated hardware devices,
or combined with other devices such as modems or routers.
Sometimes a computer will be set up to do nothing but act as a
firewall to protect a local network. For the home computer user
however, firewalling is usually implemented as a software package
installed and configured to protect not just the home computer,
but any other computers on the local network that share the
Internet connection.

<h3>How do They Work?</h3>

<p>In simple terms, we could say that firewalls are used to control traffic
between your computer (or LAN) and the Internet.  More accurately, a
firewall is a way of enforcing a policy or a set of rules governing the
flow of data packets to and from the outside world.  Firewalls that are
used to protect home computers are usually based on packet filtering, i.e.
data packets are admitted or rejected according to the way the rules are
configured. Most firewalling tools for end users will come with a sensible
set of rules by default, so that they can benefit from at least <i>some</i>
protection even without any configuration.

<h3>Some Jargon</h3>

<p>Here are a few of the basic terms you are likely to encounter
when setting up a firewall. You might already be familiar with
them; if so read on anyway to see how they relate to
firewalling...

<p><b>Hosts</b> - A host is simply a computer that is connected
to (or a part of) a network. This includes the Internet, which is
basically just a network of networks. Firewalls can be configured
to prohibit access by specific hosts.

<p><b>Ports</b>- These are the virtual connection points used by networking
services; not to be confused with physical ports like the serial or USB
ports. They are allocated an identifying number, and common services are
associated with specific ports by convention. For example web servers
generally use port 80, outgoing email uses port 25 and so on. Many
operating systems will have <i>lots</i> of ports open unnecessarily - these
are potential access points for attackers. You could think of ports as
being analogous to the doors of a building. For a building to be of any use
it must allow some access; on the other hand trying to maintain security in
a building with dozens of open or unlocked doors will be impossible. A
firewall can not only control access through these doors, it can make the
unused doors invisible to hosts on the outside.

<p><b>Packets</b> - Data doesn't flow between hosts on a network
in a continuous stream, but rather it is broken down into
manageable chunks called <i>packets</i>. Each packet contains
information related to the type of packet it is, where it is
going to and where it has come from, as well as the data itself.
Firewalls will handle individual packets in one of these ways,
depending on how the packet matches the firewall rules:

<ul>
  <li>Accept (a.k.a. allow) - This lets the packet through the
  firewall. Same as no firewall.</li>

  <li>Reject - Prohibits the package from passing through. A
  "destination-unreachable" message is normally sent back to the
  sending host.</li>

  <li>Drop (a.k.a. deny, blackhole)- Prohibits the packet from
  passing, with no response sent back to host.</li>
</ul>

<p><b>Protocols</b> are the methods or systems that define how
networking clients and servers will communicate. You are probably
familiar with at least some of these listed here; they are common
protocols that can be controlled with firewall filtering
rules.

<ul>
  <li><b>TCP/IP</b> (Transmission Control Protocol/Internet Protocol) - The
  main protocol for data delivery over the Internet</li>

  <li><b>HTTP</b> (HyperText Transfer Protocol) - used for the
  Web</li>

  <li><b>FTP</b> (File Transfer Protocol) - used for downloading
  and uploading files</li>

  <li><b>UDP</b> (User Datagram Protocol) - used for one-way data
  flow, e.g. streaming media</li>

  <li><b>ICMP</b> (Internet Control Message Protocol) - this one
  allows routers to pass messages to each other, amongst other
  things. It also allows hosts to "ping" others, which can
  sometimes reveal useful info to a potential intruder.</li>

  <li><b>SMTP</b> (Simple Mail Transport Protocol) - for sending
  email</li>

  <li><b>Telnet</b> - used to log in to a remote computer, telnet
  is notoriously insecure. If you really need to do this, use
  something like SSH instead</li>
</ul>

<p><b>Rules</b> - Firewalling is simply the enforcement of a set
of configurable rules. Each packet of data is assessed and then
accepted or rejected depending on how it compares to criteria set
in the rules. Firewall applications allow the user to configure
the rules, and then implement them.

<h3>Monitoring and Logging</h3>

<p>As well as controlling network traffic, firewalling tools also
allow you to monitor or log network activity. The type of
activity that's reported on is configurable, so that you only
need be shown the interesting stuff, and not be overwhelmed with
tons of entries describing legitimate traffic. Log files can be
somewhat cryptic unless you know what to look for, and can
quickly become huge. GUI apps like Firestarter have a
big advantage in this area; they can monitor and display the
information in a way that is easy to understand.

<h3>How Linux Implements Firewalling</h3>

<p>Firewalls under Linux (using software) utilize a tool called
<i>iptables</i> with the 2.4 series kernels, and <i>ipchains</i>
with the earlier 2.2 series kernels. In fact, it's quite possible
to run an effective firewall simply by entering ipchains/iptables
commands from a shell prompt. These commands configure the rules,
and start the packet filtering process. Entering these commands
manually would be difficult though, and here's why: first, you'd
have to be familiar with the iptables/ipchains syntax to know
what to type in. Secondly, because firewall rules tend to be
rather complex, it'd be time consuming. Thirdly, you'd have to go
through the exercise every time you booted, and fine-tuning would
involve typing in more obscure (to the average user) commands.
For these reasons, iptables/ipchains is generally run from a
script rather than directly from the command line. This way the
script can be automatically run at boot-up, and tuning carried out
simply by editing the script with a text editor or alternatively
from a GUI front end. There are plenty of pre-configured scripts
available, and if you prefer your firewalls point'n'clicky, you
can do it all with a mouse. So in fact, when we talk about
firewall programs, we're really talking about front-ends for
iptables/chains. Firewalls for home computers are generally based
around iptables' packet filtering capabilities - however, iptables is
capable of doing <i>much</i> more.

<h3>Setting up your Firewall</h3>

<p>Which firewall tool should you choose? This is a bit like
asking which editor is best, or which distro to choose - ask
twenty different users and you'll get nearly as many different
answers. In other words, it doesn't really matter, they all do
the job so just use something that suits your own preferences.
Running a firewall on a home machine needn't be difficult, and
often requires no more than a couple of mouse clicks. Here are
your options:

<ul>
  <li><b>Use your existing distro-supplied tools</b> - This
  should probably be your first choice. Most, if not all distros,
  will set up basic firewalling by default. Mandrake, for
  example, does this using rules whose "strictness" is determined
  by the security level you select. The lowest security level
  under Mandrake doesn't provide any firewalling, while the
  highest enables a firewall using relatively restrictive rules.
  You can change the security level at any time, not just at
  installation. Other home-desktop style distros will have
  similar tools, but they aren't always listed in the menus or
  some other conspicuous place. This means you might have to dig
  through your distros documentation to find out what tools are
  available (there may be several, including GUI tools), and how
  to run them. Most distros (e.g. Mandrake again) include a great
  tool named <a href=
  "http://www.bastille-linux.org/">Bastille</a> that allows easy
  firewall configuration, as well as many other security related
  tasks. Some Internet related programs (e.g. Roaring Penguin's
  ppp-oe package) can also set up a firewall, though the
  configuration options may be somewhat limited.</li>

  <li><b>Use a Pre-Configured Script</b> - There are plenty of
  these available for download on the 'net. These scripts usually
  have a well-commented configuration section that you can edit
  to suit your own requirements. This makes it easy to tailor
  your firewall without having to understand lots of obscure
  iptables options. They are usually sensibly configured by
  default, so will provide reasonable protection for most users
  as-is. Most people will probably want to add their firewall
  script to their start-up scripts to enable the firewall on
  boot-up.</li>

  <li><b>Use a GUI Firewall</b> - For those who prefer graphical,
  mouse-click type tools, there are some of these available as
  well. These are basically graphical front ends for iptables
  scripts, and are an exceptionally easy way to configure and run
  a firewall. They have the advantage of being a simple way to
  monitor network activity like uninvited connections and port
  scans etc.</li>

  <li><b>The Hardware Firewall</b> - It's unlikely that you'd run
  a dedicated hardware firewall on your home computer or network,
  but that doesn't mean some sort of hardware option is out of
  the question. There are quite a few ADSL modems/routers on the
  market that include firewalling capabilities, and they're often
  no more expensive than a plain modem. The firewalling functions
  on these devices require little or no setup, so for some they
  can be an attractive option.</li>

  <li><b>The Dedicated Firewall PC</b> - Yet another option for
  those running a home network is an old PC (e.g. 486) set up as a
  dedicated firewall/router. There are distros designed for this
  type of application (e.g. Smoothwall) that are easily set up via
  a web browser. If you have a few machines on your network, this
  might be a good way to set up a cheap and secure gateway.</li>
</ul>


<h3>Configuration</h3>

<p>Before you even start, make sure you have no unnecessary
services running. Some of the older distros in particular would
run all sorts of servers by default, so turn 'em off and strip
them from your startup scripts. Whichever way you choose to run
your firewall, you'll probably need to configure a few things. In
general, I'd recommend starting off by blocking just about
everything, and only opening things up if they prove to be too
restrictive. The general idea is to shut off anything that you
don't need. Some questions you may be asked include:

<ul>
  <li>Your Internet and LAN interface, e.g. ppp0 and eth0</li>

  <li>Ports you will allow access to. For the average home user
  who just wants to browse the web and do email etc. you can just
  close them all. You might find that some apps (p2p filesharing
  apps, or online gaming for example) will complain, but you can
  always open ports later if you need to. Of course, those
  running servers will need to keep the appropriate ports
  available - but then if you <i>are</i> running servers, you
  should be taking security <i>very</i> seriously, and I strongly
  recommend that you get more detailed advice than what's
  available here...</li>

  <li>Permitted protocols - Again, only allow what you need.</li>

  <li>The address of the internal LAN</li>

  <li>The addresses of any hosts that you want to explicitly
  exclude from accessing your computer.</li>

  <li>What to do with unwanted packets - i.e. set to "REJECT" or
  "DENY"</li>
</ul>Many firewall tools (especially the ones that come with your
distro) should be able to figure much of this out for themselves,
and if you aren't sure, just go with the defaults.


<h3>Testing your firewall</h3>

<p>It's important to check that your firewall is actually
running, and doing what it's supposed to be doing. The easy way
to do this is to connect to one of the online services like
<a href="https://grc.com/x/ne.dll?bh0bkyd2">ShieldsUp</a> or
<a href="http://scan.sygatetech.com/">Sygate Online Services</a>.
These can tell you quite a bit (using wanky buzzwords like
"stealthed"), such as which ports are open, closed or blocked,
how your computer responds (or doesn't) to different types of
requests and so on.

<h3>Links</h3>

<p>There is an abundance of firewall related stuff on the web.
Here are a few that may interest you:

<p><b>Some Ready-Made Firewall Scripts:</b><br>
<a href="http://monmotha.mplug.org/firewall/index.php">MonMotha's
Firewall Scripts</a> are popular, and a good choice for
non-techie users. The configuration section is brief and simple,
and the script is well commented.<br>
<a href="http://rocky.molphys.leidenuniv.nl/">Arno's Firewall
Script</a> is another popular choice, but more complex and
detailed than MonMotha's.</p>

<p><b>Graphical (GUI) Firewalling Tools:</b><br>
<a href="http://firestarter.sourceforge.net/">Firestarter</a> is
very widely used, and has a graphical interface and firewall
setup and monitoring capabilities.<br>
<a href=
"http://turtlefirewall.sourceforge.net/">TurtleFirewall</a> is an
easy to use tool with a graphical configuration via Webmin.<br>
<a href=
"http://www.simonzone.com/software/guarddog/">Guarddog</a> A
firewall setup tool for KDE users..</p>

<p><b>Other Tools</b><br>
<a href="http://www.smoothwall.org/about/">Smoothwall</a> is a
software package designed to turn a PC into a dedicated
firewall/router. Configured through a web browser, and a cost
effective way of protecting a local network.</p>

<p><b>Documentation</b><br>
<a href="http://www.linuxsecurity.com/docs/colsfaq.html">The
comp.os.linux.security FAQ</a> is an excellent source of further
security related information.<br>
<a href="http://www.interhack.net/pubs/fwfaq/">The Internet
Firewalls FAQ</a> - the name says it all..<br>
<a href=
"http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html">The
Linux iptables HOWTO</a> For the more adventurous, this HOWTO
shows how to work with iptables directly.<br>
<a href="http://www.linuxguruz.com/iptables/">Netfilter/iptables
Firewall Page</a> - A comprehensive list of links to
firewall related sites.

<p><b>Disclaimer</b> - I don't claim to be an expert on firewalls
or security (or anything else for that matter). In other words,
use the information in this article at your own risk.



</p>


<!-- *** BEGIN author bio *** -->
<P>&nbsp;
<P>
<!-- *** BEGIN bio *** -->
<hr>
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png" class="bio">
<em>
John is  a part-time geek from Orange, Australia. He has been using
Linux for four years and has written several <a
href="http://users.netwit.net.au/~pursang/">Linux related
articles</a>.
</em>
<br CLEAR="all">
<!-- *** END bio *** -->

<!-- *** END author bio *** -->

<div id="articlefooter">

<p>
Copyright &copy; 2004, John Murray. Copying license 
<a href="http://linuxgazette.net/copying.html">http://linuxgazette.net/copying.html</a>
</p>

<p>
Published in Issue 103 of Linux Gazette, June 2004
</p>

</div>


<div id="previousnextbottom">
<A HREF="venter.html" >&lt;-- prev</A> | <A HREF="odonovan.html" >next --&gt;</A>
</div>


</div>






<div id="navigation">

<a href="../index.html">Home</a>
<a href="../faq/index.html">FAQ</a>
<a href="../lg_index.html">Site Map</a>
<a href="../mirrors.html">Mirrors</a>
<a href="../mirrors.html">Translations</a>
<a href="../search.html">Search</a>
<a href="../archives.html">Archives</a>
<a href="../authors/index.html">Authors</a>
<a href="../contact.html">Contact Us</a>

</div>



<div id="breadcrumbs">

<a href="../index.html">Home</a> &gt; 
<a href="index.html">June 2004 (#103)</a> &gt; 
Article

</div>





<img src="../gx/2003/sit3-shine.7-2.gif" id="tux" alt="Tux"/>




</body>
</html>