[TriLUG] Network protection commentary from InfoWorld.com

Chris Merrill cmerrill at nc.rr.com
Thu May 30 16:28:12 EDT 2002


Here's a linux-firewalls mini-article I received today.
It mentions a number of resources for configuring and
securing a firewall...I thought some of you might be
interested:

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

LINUX FIREWALLS

Posted May 24, 2002 01:01 PM Pacific Time


WHEN LOOKING for an effective, inexpensive firewall
solution, Linux firewalls do not often enter into the
picture unless someone involved in the security
planning process is a Linux guru. With the ability to
easily run on that old system in the corner -- the one
that can't even load the latest version of Windows
(mine runs on a Pentium 133) -- Linux firewalls can
provide many of the basic features and functionality
of their commercial counterparts, such as NAT (network
address translation) and stateful packet filtering, at
a fraction of the cost.

Linux firewalls may not be the best solution in all
situations -- such as the main corporate gateway
firewall for large organizations -- but they work
great as internal firewalls separating network subnets
and gateway firewalls for small and medium businesses
and home networks with broadband Internet access.

Current Linux firewalls (2.4 kernel) run
netfilter/iptables. Netfilter provides the kernel
hooks that allow the firewall to inspect network
traffic; iptables provides the table structure to
define rule sets that govern traffic flow. Many Linux
distributions include netfilter/iptables support by
default; find more at http://www.netfilter.org .

The hardest part about using Linux firewalls is
properly configuring them. The first step is to ensure
that the system acting as the firewall is as secure
and hardened as possible. During initial installation,
install only the minimum required packages to provide
basic system functionality, IP forwarding, and
iptables support. Your mantra is: "If the firewall
does not need it, do not install it."

For some distributions, this may mean removing
additional packages after installation, even when
selecting the most basic installation. For example,
with Red Hat systems there are several programs you
can only remove after installation (such as sendmail)
if they are not needed. Linux hardening scripts can
also help you through this process -- the best tool I
have found is Bastille Linux, available at
http://www.bastille-linux.org .

Once the system is properly configured, it is time to
create the iptables firewall script that will add the
proper rule set to apply to inbound and outbound
packets. A great resource is New Riders' Linux
Firewalls (Second Edition) by Bob Ziegler. Firewall
Builder, included in Mandrake and Debian distributions
or available at http://fwbuilder.sourceforge.net , is
a graphical front end that can ease this process. For
newbies, Red Hat provides Lokkit, a basic GUI
configuration tool ideal for beginners and networks
that only require a very simple firewall configuration.

Deciding how to access the firewall system is an
important step that is often overlooked. In the
systems I build, I only allow access through SSH using
key authentication. Many documents on the Internet can
help:
http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html
and http://www.iptables.org are excellent
introductions, as are the how-to guides at the
aforementioned netfilter site.

Linux firewalls can be a robust, cost-effective
solution for almost any organization, as long as the
system is properly configured.

Send e-mail to mandy_andress at infoworld.com.




*********************************
Chris Merrill
cmerrill at nc.rr.com
*********************************
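As an added example, not part of the forwarded column or of Chris's message, here is the kind of iptables firewall script the column says you end up writing for a small-office gateway: default-deny policies, stateful filtering with the ESTABLISHED,RELATED match, NAT via MASQUERADE, an anti-spoofing rule on the external interface, SSH to the firewall itself only from one LAN host, and the sshd_config lines that make that SSH access key-only. The interface names eth0/eth1, the 192.168.1.0/24 subnet, the firewall's LAN address and the admin host are assumptions chosen for illustration. With DRY_RUN=1 (the default) the script only prints the commands it would run, so the rule set can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: a minimal stateful NAT gateway rule set in the netfilter/iptables
# style the column describes. Interface names, subnet and hosts are assumptions.
# DRY_RUN=1 prints the commands; DRY_RUN=0 (as root) applies them.

EXT_IF="${EXT_IF:-eth0}"                   # assumed: interface facing the ISP
INT_IF="${INT_IF:-eth1}"                   # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed: internal subnet
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"      # assumed: firewall's own LAN address
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"   # assumed: only host allowed to SSH in
DRY_RUN="${DRY_RUN:-1}"

# Every rule goes through ipt so the same script can be reviewed before it runs.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the complete rule set. Order matters: flush, set default-deny policies,
# then open only what the gateway needs.
build_rules() {
    # 1. Flush everything and start from default-deny on all three chains.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # 2. Loopback, plus stateful return traffic for connections already allowed.
    #    "-m state" is the 2.4-era syntax; current iptables still accepts it as
    #    an alias for "-m conntrack --ctstate".
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Anti-spoofing: nothing arriving on the external side may claim a LAN source.
    ipt -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # 4. Management: SSH to the firewall only from the LAN admin host.
    ipt -A INPUT -i "$INT_IF" -p tcp -s "$ADMIN_HOST" -d "$FW_LAN_IP" --dport 22 -m state --state NEW -j ACCEPT

    # 5. Let the LAN out and masquerade it behind the external address (NAT).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # 6. Log (rate-limited) and drop whatever is left, so mistakes show in syslog.
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ipt -A LOGDROP -j DROP
    ipt -A INPUT -j LOGDROP
    ipt -A FORWARD -j LOGDROP
}

# Count generated rules matching a pattern; handy when reviewing the dry run.
count_rules() {
    build_rules | grep -c -- "$1"
}

# sshd_config directives for key-only access on the LAN side (assumed values).
sshd_hardening() {
    printf '%s\n' \
        "ListenAddress $FW_LAN_IP" \
        "PubkeyAuthentication yes" \
        "PasswordAuthentication no" \
        "ChallengeResponseAuthentication no" \
        "PermitRootLogin no" \
        "AllowUsers fwadmin"
}

# Turn on forwarding only after the rules are in place.
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

build_rules
enable_forwarding
```

Run it once with the default DRY_RUN=1 and read the output top to bottom: the default policies must come before any ACCEPT rule, the anti-spoofing drops before the FORWARD accept, and forwarding is enabled last. Append the sshd_hardening output to /etc/ssh/sshd_config (after putting the admin's public key in place) so that the only way onto the box is SSH with a key from the one host the INPUT chain allows.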




More information about the TriLUG mailing list