7.5. IP Firewall (for Linux-2.0)

IP Firewall and Firewalling issues are covered in more depth in the Firewall-HOWTO. IP Firewalling allows you to secure your machine against unauthorized network access by filtering or allowing datagrams from or to IP addresses that you nominate. There are three different classes of rules; incoming filtering, outgoing filtering, and forwarding filtering. Incoming rules are applied to datagrams that are received by a network device. Outgoing rules are applied to datagrams that are to be transmitted by a network device. Forwarding rules are applied to datagrams that are received and are not for this machine (ie. datagrams that would be routed).

Kernel Compile Options:

       Networking options  --->
            [*] Network firewalls
            ....
            [*] IP: forwarding/gatewaying
            ....
            [*] IP: firewalling
            [ ] IP: firewall packet logging

Configuration of the IP firewall rules is performed using the ipfwadm command. As I mentioned earlier, I am not a security expert. I will present an example you can use. You should, however, do your own research and develop your own rules.

Using your linux machine as a router and firewall gateway to protect your local network from unauthorized access (from outside your network) is probably the most common use of an IP firewall.

The following configuration is based on a contribution from Arnt Gulbrandsen: <[email protected]>.

The example describes the configuration of the firewall rules on the Linux firewall/router machine illustrated below:

-                                   -
 \                                  | 172.16.37.0
  \                                 |   /255.255.255.0
   \                 ---------      |
    |  172.16.174.30 | Linux |      |
NET =================|  f/w  |------|    ..37.19
    |    PPP         | router|      |  --------
   /                 ---------      |--| Mail |
  /                                 |  | /DNS |
 /                                  |  --------
-                                   -

The following commands would normally be placed in an rc file. They would be automatically started each time the system boots. For maximum security, they would be performed after the network interfaces are configured (but before the interfaces are actually brought up) to prevent anyone gaining access while the firewall machine is rebooting.

       #!/bin/sh
        # Flush the 'Forwarding' rules table
        # Change the default policy to 'accept'
        #
        /sbin/ipfwadm -F -f
        /sbin/ipfwadm -F -p accept
        #
        # .. and for 'Incoming'
        #
        /sbin/ipfwadm -I -f
        /sbin/ipfwadm -I -p accept
        # First off, seal off the PPP interface
        # I'd love to use '-a deny' instead of '-a reject -y' but then it
        # would be impossible to originate connections on that interface too.
        # The -o causes all rejected datagrams to be logged. This trades
        # disk space against knowledge of an attack of configuration error.
        #
        /sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30
        # Throw away certain kinds of obviously forged packets right away:
        # Nothing should come from multicast/anycast/broadcast addresses
        #
        /sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
        #
        # and nothing coming from the loopback network should ever be
        # seen on a wire
        #
        /sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24
        # accept incoming SMTP and DNS connections, but only
        # to the Mail/Name Server
        #
        /sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
        #
        # DNS uses UDP as well as TCP, so allow that too
        # for questions to our name server
        #
        /sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
        #
        # but not "answers" coming to dangerous ports like NFS and
        # Larry McVoy's NFS extension.  If you run squid, add its port here.
        #
        /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
                -D 172.16.37.0/24 2049 2050
        # answers to other user ports are okay
        #
        /sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
                -D 172.16.37.0/24 53 1024:65535
        # Reject incoming connections to identd
        # We use 'reject' here so that the connecting host is told
        # straight away not to bother continuing, otherwise we'd experience
        # delays while ident timed out.
        #
        /sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113
        # Accept some common service connections from the 192.168.64 and
        # 192.168.65 networks, they are friends that we trust.
        #
        /sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
                -D 172.16.37.0/24 20:23
        # accept and pass through anything originating inside
        #
        /sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
        # deny most other incoming TCP connections and log them
        # (append 1:1023 if you have problems with ftp not working)
        #
        /sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
        # ... for UDP too
        #
        /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24

Good firewall configurations are a little tricky. This example should be a reasonable starting point for you. The ipfwadm manual page offers some assistance in how to use the tool. If you intend to configure a firewall, be sure to ask around and get as much advice from sources you consider reliable. Get someone to test/sanity check your configuration from the outside.

7.5.1. IP Firewall (for Linux-2.2)

The new firewalling code is accessed via ``IP Firewall Chains''. See the IP chanins home page for more information. Among other things, you'll now need to use ipchains instead of ipfwadm to configure your filters (From Documentation/Changes in the latest kernel sources).

We are aware that this is a sorely out of date statement. We are currently working on getting this section current. You can expect a newer version sometime this year.