A Bare-Bones Guide to Firewalls

By John Murray

An Overview for Home Computer Users

Security is an issue that every Internet-connected user needs to consider. Attackers are using increasingly sophisticated tools to attempt to access our computers, and unfortunately they sometimes succeed. Denial of service attacks, worms, viruses, data theft and plain old vandalism are common, and chances are that if you haven't yet been affected, you know someone who has. Even home dial-up users should be aware of the risks. Firewalling is one of the primary tools for controlling computer security, and in this article I'll try to explain what a firewall is and what it does, without getting bogged down in too much technical jargon. So do you need a firewall? If you connect to the 'net, even via dial-up, the answer is probably yes.

Who This Article Is For

It's for ordinary users who run Linux on their home computers, and who'd like to improve their security without having to wade through reams of documentation. I've tried to write in plain English, keeping it as simple as possible. As a result, this article only just scratches the surface of Linux firewalling, and the areas I've covered are somewhat oversimplified. Hopefully though, there'll be enough detail to get you started.

Whatever you do, don't think that just because you are using Linux that you'll be safe - sure, you'll be immune to most of the worms and viruses out there, but that doesn't mean your machine won't get "owned". And let's face it; some Linux distros as-installed are as insecure as MS Windows...

Firewalls - What They Are and What They Do

Originally, the term Firewall was used to describe a wall isolating one section of a building from another in case of fire. In a computing environment, a firewall performs a similar protective and isolating function, and forms a sort of security gate between your computer and the Internet.

Firewalls can take a variety of physical forms, using both hardware and/or software. They can be dedicated hardware devices, or combined with other devices such as modems or routers. Sometimes a computer will be set up to do nothing but act as a firewall to protect a local network. For the home computer user however, firewalling is usually implemented as a software package installed and configured to protect not just the home computer, but any other computers on the local network that share the Internet connection.

How do They Work?

In simple terms, we could say that firewalls are used to control traffic between your computer (or LAN) and the Internet. More accurately, a firewall is a way of enforcing a policy or a set of rules governing the flow of data packets to and from the outside world. Firewalls that are used to protect home computers are usually based on packet filtering, i.e. data packets are admitted or rejected according to the way the rules are configured. Most firewalling tools for end users will come with a sensible set of rules by default, so that they can benefit from at least some protection even without any configuration.

Some Jargon

Here are a few of the basic terms you are likely to encounter when setting up a firewall. You might already be familiar with them; if so read on anyway to see how they relate to firewalling...

Hosts - A host is simply a computer that is connected to (or a part of) a network. This includes the Internet, which is basically just a network of networks. Firewalls can be configured to prohibit access by specific hosts.

Ports- These are the virtual connection points used by networking services; not to be confused with physical ports like the serial or USB ports. They are allocated an identifying number, and common services are associated with specific ports by convention. For example web servers generally use port 80, outgoing email uses port 25 and so on. Many operating systems will have lots of ports open unnecessarily - these are potential access points for attackers. You could think of ports as being analogous to the doors of a building. For a building to be of any use it must allow some access; on the other hand trying to maintain security in a building with dozens of open or unlocked doors will be impossible. A firewall can not only control access through these doors, it can make the unused doors invisible to hosts on the outside.

Packets - Data doesn't flow between hosts on a network in a continuous stream, but rather it is broken down into manageable chunks called packets. Each packet contains information related to the type of packet it is, where it is going to and where it has come from, as well as the data itself. Firewalls will handle individual packets in one of these ways, depending on how the packet matches the firewall rules:

• Accept (a.k.a. allow) - This lets the packet through the firewall. Same as no firewall.
• Reject - Prohibits the package from passing through. A "destination-unreachable" message is normally sent back to the sending host.
• Drop (a.k.a. deny, blackhole)- Prohibits the packet from passing, with no response sent back to host.

Protocols are the methods or systems that define how networking clients and servers will communicate. You are probably familiar with at least some of these listed here; they are common protocols that can be controlled with firewall filtering rules.

• TCP/IP (Transmission Control Protocol/Internet Protocol) - The main protocol for data delivery over the Internet
• HTTP (HyperText Transfer Protocol) - used for the Web
• FTP (File Transfer Protocol) - used for downloading and uploading files
• UDP (User Datagram Protocol) - used for one-way data flow, e.g. streaming media
• ICMP (Internet Control Message Protocol) - this one allows routers to pass messages to each other, amongst other things. It also allows hosts to "ping" others, which can sometimes reveal useful info to a potential intruder.
• SMTP (Simple Mail Transport Protocol) - for sending email
• Telnet - used to log in to a remote computer, telnet is notoriously insecure. If you really need to do this, use something like SSH instead

Rules - Firewalling is simply the enforcement of a set of configurable rules. Each packet of data is assessed and then accepted or rejected depending on how it compares to criteria set in the rules. Firewall applications allow the user to configure the rules, and then implement them.

Monitoring and Logging

As well as controlling network traffic, firewalling tools also allow you to monitor or log network activity. The type of activity that's reported on is configurable, so that you only need be shown the interesting stuff, and not be overwhelmed with tons of entries describing legitimate traffic. Log files can be somewhat cryptic unless you know what to look for, and can quickly become huge. GUI apps like Firestarter have a big advantage in this area; they can monitor and display the information in a way that is easy to understand.

How Linux Implements Firewalling

Firewalls under Linux (using software) utilize a tool called iptables with the 2.4 series kernels, and ipchains with the earlier 2.2 series kernels. In fact, it's quite possible to run an effective firewall simply by entering ipchains/iptables commands from a shell prompt. These commands configure the rules, and start the packet filtering process. Entering these commands manually would be difficult though, and here's why: first, you'd have to be familiar with the iptables/ipchains syntax to know what to type in. Secondly, because firewall rules tend to be rather complex, it'd be time consuming. Thirdly, you'd have to go through the exercise every time you booted, and fine-tuning would involve typing in more obscure (to the average user) commands. For these reasons, iptables/ipchains is generally run from a script rather than directly from the command line. This way the script can be automatically run at boot-up, and tuning carried out simply by editing the script with a text editor or alternatively from a GUI front end. There are plenty of pre-configured scripts available, and if you prefer your firewalls point'n'clicky, you can do it all with a mouse. So in fact, when we talk about firewall programs, we're really talking about front-ends for iptables/chains. Firewalls for home computers are generally based around iptables' packet filtering capabilities - however, iptables is capable of doing much more.

Setting up your Firewall

Which firewall tool should you choose? This is a bit like asking which editor is best, or which distro to choose - ask twenty different users and you'll get nearly as many different answers. In other words, it doesn't really matter, they all do the job so just use something that suits your own preferences. Running a firewall on a home machine needn't be difficult, and often requires no more than a couple of mouse clicks. Here are your options:

• Use your existing distro-supplied tools - This should probably be your first choice. Most, if not all distros, will set up basic firewalling by default. Mandrake, for example, does this using rules whose "strictness" is determined by the security level you select. The lowest security level under Mandrake doesn't provide any firewalling, while the highest enables a firewall using relatively restrictive rules. You can change the security level at any time, not just at installation. Other home-desktop style distros will have similar tools, but they aren't always listed in the menus or some other conspicuous place. This means you might have to dig through your distros documentation to find out what tools are available (there may be several, including GUI tools), and how to run them. Most distros (e.g. Mandrake again) include a great tool named Bastille that allows easy firewall configuration, as well as many other security related tasks. Some Internet related programs (e.g. Roaring Penguin's ppp-oe package) can also set up a firewall, though the configuration options may be somewhat limited.
• Use a Pre-Configured Script - There are plenty of these available for download on the 'net. These scripts usually have a well-commented configuration section that you can edit to suit your own requirements. This makes it easy to tailor your firewall without having to understand lots of obscure iptables options. They are usually sensibly configured by default, so will provide reasonable protection for most users as-is. Most people will probably want to add their firewall script to their start-up scripts to enable the firewall on boot-up.
• Use a GUI Firewall - For those who prefer graphical, mouse-click type tools, there are some of these available as well. These are basically graphical front ends for iptables scripts, and are an exceptionally easy way to configure and run a firewall. They have the advantage of being a simple way to monitor network activity like uninvited connections and port scans etc.
• The Hardware Firewall - It's unlikely that you'd run a dedicated hardware firewall on your home computer or network, but that doesn't mean some sort of hardware option is out of the question. There are quite a few ADSL modems/routers on the market that include firewalling capabilities, and they're often no more expensive than a plain modem. The firewalling functions on these devices require little or no setup, so for some they can be an attractive option.
• The Dedicated Firewall PC - Yet another option for those running a home network is an old PC (e.g. 486) set up as a dedicated firewall/router. There are distros designed for this type of application (e.g. Smoothwall) that are easily set up via a web browser. If you have a few machines on your network, this might be a good way to set up a cheap and secure gateway.

Configuration

Before you even start, make sure you have no unnecessary services running. Some of the older distros in particular would run all sorts of servers by default, so turn 'em off and strip them from your startup scripts. Whichever way you choose to run your firewall, you'll probably need to configure a few things. In general, I'd recommend starting off by blocking just about everything, and only opening things up if they prove to be too restrictive. The general idea is to shut off anything that you don't need. Some questions you may be asked include:

• Your Internet and LAN interface, e.g. ppp0 and eth0
• Ports you will allow access to. For the average home user who just wants to browse the web and do email etc. you can just close them all. You might find that some apps (p2p filesharing apps, or online gaming for example) will complain, but you can always open ports later if you need to. Of course, those running servers will need to keep the appropriate ports available - but then if you are running servers, you should be taking security very seriously, and I strongly recommend that you get more detailed advice than what's available here...
• Permitted protocols - Again, only allow what you need.
• The address of the internal LAN
• The addresses of any hosts that you want to explicitly exclude from accessing your computer.
• What to do with unwanted packets - i.e. set to "REJECT" or "DENY"

Many firewall tools (especially the ones that come with your distro) should be able to figure much of this out for themselves, and if you aren't sure, just go with the defaults.

Testing your firewall

It's important to check that your firewall is actually running, and doing what it's supposed to be doing. The easy way to do this is to connect to one of the online services like ShieldsUp or Sygate Online Services. These can tell you quite a bit (using wanky buzzwords like "stealthed"), such as which ports are open, closed or blocked, how your computer responds (or doesn't) to different types of requests and so on.

Links

There is an abundance of firewall related stuff on the web. Here are a few that may interest you:

Some Ready-Made Firewall Scripts:
MonMotha's Firewall Scripts are popular, and a good choice for non-techie users. The configuration section is brief and simple, and the script is well commented.
Arno's Firewall Script is another popular choice, but more complex and detailed than MonMotha's.

Graphical (GUI) Firewalling Tools:
Firestarter is very widely used, and has a graphical interface and firewall setup and monitoring capabilities.
TurtleFirewall is an easy to use tool with a graphical configuration via Webmin.
Guarddog A firewall setup tool for KDE users..

Other Tools
Smoothwall is a software package designed to turn a PC into a dedicated firewall/router. Configured through a web browser, and a cost effective way of protecting a local network.

Documentation
The comp.os.linux.security FAQ is an excellent source of further security related information.
The Internet Firewalls FAQ - the name says it all..
The Linux iptables HOWTO For the more adventurous, this HOWTO shows how to work with iptables directly.
Netfilter/iptables Firewall Page - A comprehensive list of links to firewall related sites.

Disclaimer - I don't claim to be an expert on firewalls or security (or anything else for that matter). In other words, use the information in this article at your own risk.

 

---

John is a part-time geek from Orange, Australia. He has been using Linux for four years and has written several Linux related articles.