What You Need to Know to Set Up a Simple Firewall in Linux
Like any other OS, Linux needs to be protected with a firewall. A firewall is a network device or host
with two or more network interfaces — one connected to the protected internal network and the other connected to
unprotected networks, such as the Internet. The firewall controls access to and from the protected internal network.
If you connect an internal network directly to the Internet, you have to
make sure that every system on the internal network is properly secured — which can be nearly impossible,
because a single careless user can render the entire internal network vulnerable.
A firewall is a single point of connection to the Internet: You can direct all your efforts toward making that
firewall system a daunting barrier to unauthorized external users. Essentially, a firewall is a protective fence
that keeps unwanted external data and software out and sensitive internal data and software in.
The firewall runs software on your Linux system that examines the network packets arriving at its network
interfaces and then takes appropriate action based on a set of rules. The idea is to define these rules so that
they allow only authorized network traffic to flow between the two interfaces. Configuring the firewall involves
setting up the rules properly. A configuration strategy is to reject all network traffic and then enable only a
limited set of network packets to go through the firewall. The authorized network traffic would include the
connections necessary to enable internal users to do things such as visit websites and receive electronic mail.
To be useful at protecting your Linux system, a firewall must have the following general characteristics:
• It must control the flow of packets between the Internet and the internal network.
• It must not provide dynamic routing, because dynamic routing tables are subject to route spoofing — the use of fake routes by intruders. Instead, the firewall uses static routing tables (which you can set up with the route command on Linux systems).
• It must not allow any external user to log in as root. That way, even if the firewall system is compromised, the intruder is blocked from using root privileges from a remote login.
• It must be kept in a physically secure location.
• It must distinguish between packets that come from the Internet and packets that come from the internal protected network. This feature allows the firewall to reject packets that come from the Internet but have the IP address of a trusted system on the internal network.
• It acts as the SMTP mail gateway for the internal network. Set up the sendmail software so that all outgoing mail appears to come from the firewall system.
• Its user accounts are limited to a few user accounts for those internal users who need access to external systems. External users who need access to the internal network should use SSH for remote login.
• It keeps a log of all system activities, such as successful and unsuccessful login attempts.
• It provides DNS name-lookup service to the outside world to resolve any host names that are known to the outside world.
• It provides good performance so that it doesn’t hinder internal users’ access to specific Internet services (such as HTTP and FTP).
A firewall can take many forms. Here are three common forms of a firewall you might find on a Linux system:
• Packet filter firewall: This simple firewall uses a router capable of filtering (blocking or allowing)
packets according to various characteristics, including the source and destination IP addresses, the network protocol
(TCP or UDP), and the source and destination port numbers. Packet filter firewalls are usually placed at the outermost
boundary with an untrusted network, and they form the first line of defense. An example of a packet filter firewall
is a network router that employs filter rules to screen network traffic.
Packet filter firewalls are fast and flexible, but they can’t prevent attacks that exploit application-specific
vulnerabilities or functions. They can log only a minimal amount of information, such as source IP address, destination
IP address, and traffic type. Also, they’re vulnerable to attacks and exploits that take advantage of flaws within the
TCP/IP protocol, such as IP address spoofing, which involves altering the address information in network packets to
make them appear to come from a trusted IP address.
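The "reject everything, then allow a limited set" strategy and the packet-filter criteria above, put into a concrete ruleset: this is an added example, not from the original article, that prints a default-deny nftables ruleset for a two-interface Linux firewall, including the anti-spoofing check, SSH only from the inside, and logging of rejected packets. The interface names eth0 (Internet side) and eth1 (internal side) and the internal network 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: print a default-deny nftables
# ruleset for a two-interface Linux firewall. Names below are assumptions:
#   eth0 = interface facing the Internet, eth1 = interface facing the internal
#   network, 192.168.1.0/24 = the protected internal network.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"

gen_ruleset() {
cat <<EOF
flush ruleset
table inet firewall {
  chain input {
    # Packets addressed to the firewall host itself: drop everything not listed.
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Anti-spoofing: a packet arriving from the Internet side that claims an
    # internal source address is forged; log it and drop it.
    iifname "$EXT_IF" ip saddr $INT_NET log prefix "fw-spoof-in " drop
    # Administrative SSH only from the internal side, never from the Internet.
    iifname "$INT_IF" tcp dport 22 accept
    # Log what the default policy is about to drop, so rejects are auditable.
    log prefix "fw-input-drop " drop
  }
  chain forward {
    # Packets crossing between the two interfaces: also default-deny.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$EXT_IF" ip saddr $INT_NET log prefix "fw-spoof-fwd " drop
    # Internal users may browse the web, send mail and resolve names outside;
    # the replies come back through the established,related rule above.
    iifname "$INT_IF" oifname "$EXT_IF" tcp dport { 80, 443, 25 } accept
    iifname "$INT_IF" oifname "$EXT_IF" udp dport 53 accept
    log prefix "fw-forward-drop " drop
  }
}
EOF
}

# Syntax-check without loading (as root): gen_ruleset | nft -c -f -
# Load for real (as root):                gen_ruleset | nft -f -
```

The ruleset only filters; address translation for the internal network is not covered here.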