Internet firewall

Introduction

The moment a computer is attached to the internet it is possible for any number of users on the net to make connections to it. Not everyone has good intentions. This simple internet firewall is meant for those who want to be connected to the internet but have only an uncomplicated set of services to offer to others. This probably covers more than 90% of all internet servers.

1. Principles

Linux offers a standard set of services that are active out of the box. These include a web server, telnet, ftp etc., and they are normally enabled by default. It may be hard for beginners to determine what these services offer and why they should be inaccessible from the internet. This firewall first determines which these services are by looking up the listening services. The list is presented with a button to click for each service that should be accessible from the internet.

If the computer offers no services to the internet it may still be a good idea to enable at least one service: 113/auth, as this enables other systems to determine who you are when you make connections to them.

2. Input

All input to the internet interface is directed to a chain of filters. Ports which are accepted are open. All ports from 1024 and above are also open (these ports are used for local access toward the internet). Any active service in this range (1024 and above) which is not accepted will be explicitly denied. Any new service which is activated in the system later on will be inaccessible from the internet until the corresponding port is opened. However, if a new service is activated in the port range above 1024 it will be possible to access it until the firewall is rebuilt. Just enter the dialog and click on OK and this will be done.

3. Masquerading/NAT

If you have a local network you probably want access to the internet from other systems connected to it. This firewall assumes this is the case if forwarding is turned on in Linux.
If the local network has one of the address ranges 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 or 192.168.0.0-192.168.255.255 (RFC1918), masquerading will be done. This is a technique which enables any computer on the local network to access the internet without letting anyone know you have more than one computer.

4. Forwarding

This firewall also assumes that forwarding is normally enabled in Linux. Otherwise no host on the local network will be able to reach the internet. If forwarding is enabled, rules to forward traffic will be inserted.

5. Output

This firewall does input filtering only, with one exception: it ensures that all packets outbound from the internet interface have the same source ip address as the interface. This sounds stupid but is good practice, as it prevents an intruder from using your system as a convenient platform for attacks on other systems.

6. Soft interfaces and policy

Some interfaces come and go. These could be incoming or outgoing modem connections, ISDN, etc. These interfaces are not handled by this firewall unless one of them is the route to the internet. This firewall does not set a policy for unknown interfaces, so unless the default policy is changed, services through these interfaces will be accepted.

7. Dynamic ip addresses

Dial-up connections usually result in a different ip address for each connection, so there is no way to determine once and for all what address you will get once connected to the internet. In this case the firewall must be activated the moment the connection is made and the address is known. The script /etc/ppp/ip-up (and /etc/ppp/ip-up.local for RedHat) knows the address and will be able to start the firewall. Firewall activation is not inserted in this script, so this will have to be done manually.

8. Static ip addresses

If a static ip address can be used (as will be the case with a direct connection), the firewall can be started at boot time through an rc-script.

9. Daemon activation

There is, however, another way to activate the firewall: use a special daemon program to monitor all network interfaces in the system. Whenever an interface changes, the firewall script is executed. If the interface is the internet interface, the firewall will be activated. This also takes care of a possible change of ip address on this interface. The daemon is fast and will be able to do the check many times every second. The daemon is started by the Act/Changes button in Linuxconf or by running linuxconf --update. It can also be started directly from an rc-script:

    /usr/lib/linuxconf/lib/firewalld -d

10. The executable script

This firewall creates an executable script which can be run either for a static address or a dynamic address. The script is used like this:

    /etc/heimdall/firewall.sh start interface ip-address

or

    /etc/heimdall/firewall.sh stop interface

The stop option removes all firewall rules (but still enables a possible masquerading).

11. Command line options

There are also some command line options which may be useful. To enable the firewall with daemon supervision:

    linuxconf --modulemain inetdconf --firewall enable
    linuxconf --update

To stop the firewall (and the daemon):

    linuxconf --modulemain inetdconf --firewall disable
    linuxconf --update

12. On error

This firewall will never be general enough to handle all possible networks. There is another firewall in Linuxconf which is more general and handles every situation, at the cost of greater complexity. This firewall is intended to be simple to use for a simple network setup. In case of error, or if it lacks functionality in other ways, please do not hesitate to send mail to: Torbjorn Gard tgard@netg.se
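The input-chain decisions of section 2, the RFC1918 masquerading test of section 3 and the outbound source check of section 5, as an added example that is not the heimdall/Linuxconf script itself. It assumes ipchains rule syntax (the tool of that era), a constructed list of listening services and eth0 / 192.0.2.10 / 192.168.1.0/24 as sample values, and it prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not the heimdall/Linuxconf script: the decisions described for
# the input chain (2), outbound source check (5) and RFC1918 masquerading (3).
# ipchains syntax is an assumption for this era; rules are printed, not run.
# Constructed sample: listening services found, and those clicked to accept.
LISTENING="22/tcp 25/tcp 80/tcp 113/tcp 513/tcp 6000/tcp 8080/tcp"
ACCEPTED="80/tcp 113/tcp 8080/tcp"

# decide_port PORT/PROTO -> accept | deny | blocked
# deny: 1024 and above, not accepted; the range is otherwise open, so the listener
# needs an explicit DENY. blocked: below 1024, covered by the range rule at the end.
decide_port() {
    port=${1%%/*}
    for a in $ACCEPTED; do
        [ "$a" = "$1" ] && { echo accept; return; }
    done
    [ "$port" -ge 1024 ] && echo deny || echo blocked
}

# is_rfc1918 ADDRESS -> true when the address lies in one of the RFC1918 ranges
is_rfc1918() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_rules IFACE IP [LOCALNET/MASK] -> prints the rule set
build_rules() {
    iface=$1; ip=$2; localnet=$3
    for s in $LISTENING; do
        port=${s%%/*}; proto=${s##*/}
        case $(decide_port "$s") in
            accept) echo "ipchains -A input -i $iface -p $proto -d $ip $port -j ACCEPT" ;;
            deny)   echo "ipchains -A input -i $iface -p $proto -d $ip $port -j DENY" ;;
        esac
    done
    # Below 1024 only accepted ports pass; 1024 and up stays open, so a service
    # started there later is reachable until the rules are rebuilt.
    for proto in tcp udp; do
        echo "ipchains -A input -i $iface -p $proto -d $ip 1:1023 -j DENY"
    done
    # Only packets carrying the interface's own address may leave through it.
    echo "ipchains -A output -i $iface -s ! $ip -j DENY"
    # Masquerade a private local network (the text assumes forwarding is on).
    if [ -n "$localnet" ] && is_rfc1918 "$localnet"; then
        echo "ipchains -A forward -s $localnet -j MASQ"
    fi
}
build_rules eth0 192.0.2.10 192.168.1.0/24
```

Because the ACCEPT rules are appended before the 1:1023 DENY, an accepted low port matches first; the 6000/tcp listener gets its own DENY only because its range would otherwise be open.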