RFC: firewall-hint_v1.3

Henning Rohde Rohde.Henning at gmx.net
Fri Aug 10 09:17:13 PDT 2001

Hi Ian, hi everybody else,

Doing a translation to German I had to notice the need for some additions:

- logging of discarded packets
- replacement for identd, using tcp-resets
- warning against daemons doing broadcasts
- list actual names of kernel-config-options
- a Disclaimer
- more detailed explanations
- minor corrections / fixes
- a non-religious definition of firewall	;-)

As it has been last time: everybody is welcome to send comments,
whether they deal with the hint itself or with spelling or grammar.

Have a nice day,


PS: Is this hint translatable to XML and would it be acceptable for BLFS?
    Personally I have no idea of XML, so I'd like to ask for comments
    before doing it.
-------------- next part --------------
TITLE:		Firewall.txt
LFS VERSION:	any, but kernel 2.4.x (netfilter / iptables)
AUTHOR:		Henning Rohde	Henning.Rohde at uni-bayreuth.de

	Question:	What's a firewall?
 	Answer:		a fire-resistant wall separating a building into
			compartments, designed to prevent the spread of fire
And on networks?	A box that keeps the malicious (eg crackers,
			worms, trojans) out of your intranet.
How do I build one?	fetch iptables and read the following:

Personally I prefer the following definition:
Answer:		Some wall of fire that only the Saints can pass through!
@Networks:	Just a box that permits only sane packets to pass!

The general purpose of a firewall is to replace the labour of securing every
server with that of securing one firewall.
This makes the firewall a single point of failure, but it makes the admin's
life a lot easier.

But, please, never forget: having a firewall does not make careful
configuration redundant!

If you considered every daemon or service on every machine to be trustworthy
and correctly configured, and every user accessing your services to mean no harm,
you wouldn't need to do firewalling!
But if you'd like to differentiate which services are accessible only from
the intranet, which machines or applications are allowed to have internet access,
or if you don't trust some of your apps or users, a firewall can help.

When you read the word "firewall" there's not only one way to understand it:
a) "Personal firewall":
	Program sold by eg Norton that is claimed to secure a home/desktop PC
	with internet access. Quite relevant for users who are always online
	with (flat-rate) broadband links.
b) Firewall in its original meaning:
	Box put between internet and intranet doing nothing but protecting
	the intranet, sometimes masquerading the intranet.
c) Firewall offering services:
	Old box, nearly forgotten to exist, put in a corner or down in the cellar,
	doing (B), but offering a bunch of services, eg web cache, mail, ...
	This may be very common in the non-professional area,
	but it severely violates some principles of (B): every service offered
	is a way into the box that protects everything else.
d) Firewall with DeMilitarizedZone.	   (Not described here)
	Doing (B), but giving public access to some branch of the intranet that,
	because of public IPs and a physically separated structure,
	is considered part of neither the internet nor the intranet.
	Here those servers are connected that must be easily accessible
	from both the internet and the intranet; the firewall protects them all.
e) Packet filter / partly accessible net.   (Only partly described here, see (C))
	Doing (B) but permitting only selected services to be accessible,
	sometimes only by selected internal users / boxes; mostly used in
	professional, highly secure areas, sometimes by distrusting employers.
	This has been the common layout of a firewall at the time of Linux 2.2;
	it's still possible, but makes the rules quite complex and numerous.

This document is meant as an introduction to how to set up a firewall.
I am not, nor do I pretend to be, a security expert.	 ;-)
I am just some guy who still has not read enough and whose computers
still like to play him tricks if he wants to tweak them. ;-)
Please, I am writing this to help people get acquainted with this subject, 
and I am not ready to stake my life on the accuracy of what is in here.
(Taken from www.linuxdoc.org/HOWTO/Firewall-HOWTO.html, slightly modified)

|Getting a firewalling-enabled Kernel|
If you want your Linux box to do firewalling, first of all you need an
appropriate kernel and the appropriate tools:

But, before you do a 'make menuconfig', consider patching your kernel
with the latest iptables enhancements:
Download the latest version of iptables from http://netfilter.samba.org.

Having current kernel sources in /usr/src/linux, unpack the iptables sources,
'cd' into them and enter 'make pending-patches', preferably as a user
who is allowed to write to the kernel sources.
	(Albeit, as of version 1.2.2, there were none!)
Now go to the subdirectory 'patch-o-matic' and enter './runme':
You need not apply all the patches, but the IRC patch or masq-dynaddr.patch
could be useful, depending on your needs.

If patching is not successful, eg because of outdated patches,
don't worry too much, just skip it; mostly the default kernel is adequate
for common needs!
The important thing is that iptables has checked the kernel sources for
patches that have already been accepted / incorporated.

Now configure the kernel:
Personally I prefer a maximally modularised kernel, but for the highest
imaginable security you could configure this code to be built in
(built-in code cannot be unloaded by someone who gets root on the box):
    Networking options:
	Network packet filtering	= CONFIG_NETFILTER
	IP: TCP/IP networking		= CONFIG_INET
	IP: advanced router		= CONFIG_IP_ADVANCED_ROUTER
	IP: verbose route monitoring	= CONFIG_IP_ROUTE_VERBOSE
	IP: TCP Explicit Congestion Notification support
					= CONFIG_INET_ECN
	IP: TCP syncookie support	= CONFIG_SYN_COOKIES
	IP: Netfilter Configuration: every option
					= CONFIG_IP_NF_*
		BUT NO ipchains and ipfwadm compatibility
		(CONFIG_IP_NF_COMPAT_IPCHAINS, CONFIG_IP_NF_COMPAT_IPFWADM):
		the compatibility modules and ip_tables cannot be loaded
		at the same time.

Now compile and install your new kernel, update your bootloader and do a reboot.
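Before rebuilding it is worth checking that the .config really contains what the scripts below depend on. The following checker is an added example and not part of the hint; it knows the 2.4 option names used above (later kernels renamed them, eg CONFIG_NF_CONNTRACK), flags the ipchains/ipfwadm compatibility options, and runs here against two constructed sample configs rather than a real kernel tree.

```shell
#!/bin/sh
# Added example (not from the hint): check a 2.4 kernel .config for the
# options the firewall scripts in this hint use, before you build.

# What the scripts actually need: conntrack + FTP helper, the filter and
# nat tables, the state match, and the LOG / REJECT / MASQUERADE targets.
REQUIRED="CONFIG_INET CONFIG_NETFILTER CONFIG_SYN_COOKIES
  CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IPTABLES
  CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
  CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE
  CONFIG_IP_NF_NAT_FTP"
# The compatibility layers cannot be loaded together with ip_tables.
FORBIDDEN="CONFIG_IP_NF_COMPAT_IPCHAINS CONFIG_IP_NF_COMPAT_IPFWADM"

# check_config_text: reads a .config on stdin, prints one finding per line,
# returns 0 if the config is usable for this hint and 1 otherwise.
check_config_text() {
  cfg=$(cat)
  rc=0
  for opt in $REQUIRED; do
    case $(printf '%s\n' "$cfg" | sed -n "s/^$opt=//p") in
      y) ;;
      m) echo "note: $opt is a module (=y to build it in)" ;;
      *) echo "missing: $opt"; rc=1 ;;
    esac
  done
  for opt in $FORBIDDEN; do
    case $(printf '%s\n' "$cfg" | sed -n "s/^$opt=//p") in
      y|m) echo "forbidden: $opt is enabled, turn the ipchains/ipfwadm compatibility off"
           rc=1 ;;
    esac
  done
  return $rc
}

# check_kernel_config [FILE]: the same check against a file.
check_kernel_config() {
  check_config_text < "${1:-/usr/src/linux/.config}"
}

# Constructed sample configs (not taken from a real kernel tree).
SAMPLE_GOOD='CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_NAT_FTP=y
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set'

# Same, but the state match is missing, the NAT FTP helper is a module
# and the ipchains compatibility got switched on by accident.
SAMPLE_BAD='CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
# CONFIG_IP_NF_COMPAT_IPFWADM is not set'

# Demonstration on the constructed configs; for a real tree use
#   check_kernel_config /usr/src/linux/.config
printf '%s\n' "$SAMPLE_BAD" | check_config_text
```

The check looks only at `CONFIG_X=y` / `CONFIG_X=m` lines, so the `# CONFIG_X is not set` form a kernel writes for disabled options is reported as missing, which is what you want.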

|Building iptables|
Before compiling you might want to edit the Makefile to adapt the install directories.
Now compile and install iptables together with the utilities for saving and
restoring rule sets (iptables-save, iptables-restore) via
'make && make install experimental install-experimental'.

|Now we can start to build your Firewall|

|(A) Personal firewall|
A personal firewall is supposed to let you use every service offered
on the internet, but to keep your box intact and your data private.

Allow me to quote Rusty Russell (slightly modified):

# Insert connection-tracking modules	(not needed if built into the kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
# permit everything on the loopback interface, otherwise local services
# (X11, the mailer, ...) become unreachable for the box itself
iptables -A INPUT	-i lo					-j ACCEPT
# permit answers on existing (established) connections
# and permit new connections related to existing ones (eg active FTP)
iptables -A INPUT	-m state --state ESTABLISHED,RELATED	-j ACCEPT
# Log everything else:	want to see the scans by CodeRed?	*bg*
iptables -A INPUT	-j LOG --log-prefix "FIREWALL:INPUT  "
# set a sane policy:	everything not accepted above goes to /dev/null
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      ACCEPT
# be verbose on dynamic IP addresses	(not needed in case of a static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification: too many routers still drop ECN packets
echo 0 > /proc/sys/net/ipv4/tcp_ecn

His script is quite simple, but if all you do is surf the internet you are
unlikely to run into its limits.

Even if you have daemons / services running on your box, they are not
reachable from anywhere but the box itself.
The case to be cautious about are misconfigured daemons that eg broadcast
to the public to announce their service (eg cups, samba): the script above
lets everything out.
If you have to be cautious about them, restrict OUTPUT, see (C) and (E).
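The LOG rule is only useful if somebody reads what it produces. The script below is an added example, not part of the hint: it parses the lines that ipt_LOG writes via klogd (the `IN=`, `OUT=`, `SRC=`, `PROTO=`, `DPT=` fields) and answers the two questions you actually ask of such a log, which ports were probed by how many different hosts (many hosts on one port: a worm), and which single host probed many ports (a port scan). The log lines are constructed for the example, with addresses from the RFC 5737 test ranges; on a real box feed it /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the hint): summarise what the "FIREWALL:" LOG rules
# dropped.  Usage:  firewall_log_summary  < /var/log/messages
#                   firewall_log_scanners 3 < /var/log/messages

# fw_fields: turn each LOG line into "CHAIN IFACE PROTO PORT SRC".
# PORT is DPT, or "typeN" for ICMP; IFACE is IN=, or "out:OUT=" for OUTPUT logs.
fw_fields() {
  awk '/FIREWALL:/ {
    split("", kv)
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[A-Z]+=/) { n = index($i, "="); kv[substr($i, 1, n - 1)] = substr($i, n + 1) }
    match($0, /FIREWALL:[A-Z]+/)
    chain = substr($0, RSTART + 9, RLENGTH - 9)
    iface = (kv["IN"] != "") ? kv["IN"] : "out:" kv["OUT"]
    port  = ("DPT" in kv) ? kv["DPT"] : "type" kv["TYPE"]
    print chain, iface, kv["PROTO"], port, kv["SRC"]
  }'
}

# firewall_log_summary: "CHAIN IFACE PROTO PORT HITS DISTINCT_SOURCES",
# busiest port first.  Many sources on one port is a worm doing the rounds.
firewall_log_summary() {
  fw_fields | awk '{
      key = $1 " " $2 " " $3 " " $4
      hits[key]++
      if (!((key, $5) in seen)) { seen[key, $5] = 1; srcs[key]++ }
    }
    END { for (k in hits) print k, hits[k], srcs[k] }' | sort -k5,5nr -k1,4
}

# firewall_log_scanners [MIN]: sources that touched at least MIN (default 3)
# distinct proto/port pairs, i.e. port scanners, worst first.
firewall_log_scanners() {
  fw_fields | awk -v min="${1:-3}" '{
      if (!(($5, $3, $4) in seen)) { seen[$5, $3, $4] = 1; ports[$5]++ }
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort -k2,2nr
}

# Constructed sample (NOT real traffic): a worm-style sweep of port 80 from
# three hosts, one host walking ports 21-25, a NetBIOS probe, a ping, one
# Samba broadcast leaking OUT, and one unrelated kernel line.
SAMPLE_LOG='Aug 10 09:17:13 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4711 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 10 09:17:16 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4712 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 10 09:17:20 gw kernel: eth0: link up, 100Mbps, full-duplex
Aug 10 09:17:31 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.22 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=2210 DF PROTO=TCP SPT=1054 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 10 09:17:42 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.99 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=9901 DF PROTO=TCP SPT=2077 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 10 09:17:50 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.22 DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=2211 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 10 09:17:55 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 09:18:02 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.9 DST=203.0.113.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
Aug 10 09:18:10 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=100 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 09:18:10 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=101 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 09:18:11 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=102 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 09:18:11 gw kernel: FIREWALL:INPUT  IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=103 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | firewall_log_summary
printf '%s\n' "$SAMPLE_LOG" | firewall_log_scanners 3
```

On the sample the summary starts with `INPUT ppp0 TCP 80 4 3` (four hits from three hosts, the CodeRed pattern) and the scanner list names only 203.0.113.50; the Samba broadcast shows up as `OUTPUT out:ppp0 UDP 138`, which is exactly the kind of leak the paragraph above warns about.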

|(B) The true firewall|
A true firewall has got two interfaces, one connected to the intranet, eth0,
one connected to the internet, ppp0.
To provide maximum security against the box itself being broken into,
eg via exploits in offered services, make sure that there are
no servers running on it, especially not X11 and friends, and, as a principle,
that it does not itself access any services:

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
# allow local-only connections
iptables -A INPUT	-i lo					-j ACCEPT
iptables -A OUTPUT	-o lo					-j ACCEPT
# allow forwarding: answers to tracked connections in both directions,
# new connections only from the intranet side (any interface but ppp)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED 	-j ACCEPT
iptables -A FORWARD -m state --state NEW	-i ! ppp+	-j ACCEPT
#   (iptables 1.2 syntax; newer versions write the negation as '! -i ppp+')
# do masquerading    (not needed if the intranet does not use private IP addresses)
iptables -t nat -A POSTROUTING  -o ppp+				-j MASQUERADE
# Log everything else for debugging: must come after all ACCEPT rules
iptables -A INPUT	-j LOG --log-prefix "FIREWALL:INPUT  "
iptables -A FORWARD	-j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT	-j LOG --log-prefix "FIREWALL:OUTPUT "
# set a sane policy: the firewall itself neither accepts nor opens connections
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      DROP
# activate IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# be verbose on dynamic IP addresses (not needed in case of a static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

With this script your net should be acceptably secure against external attacks,
your intranet should be invisible because it's masqueraded, and your firewall
itself should offer nothing to attack because no service is listening on it.

If you need further security (DoS, connection hijacking,
spoofing, ...) see Appendix.1 and start reading a bit!

|(C) Firewall offering services|
This scenario is not too different from (B), but you have some services
running on your box.
It becomes relevant the moment you want to administer your box remotely,
eg via secure shell.

Be cautious, every service you offer makes your box less secure, see (B)!

Take the script from (B) and insert the following ('-I' puts the rules in front
of the LOG rules; the OUTPUT rule is needed because (B) drops everything the
firewall itself sends, and ESTABLISHED makes sure that only answers get out):
iptables -I INPUT  -p tcp --dport 22				  -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
As written this accepts SSH on every interface, the internet side included;
add '-i eth+' and '-o eth+' if you only ever log in from the intranet.

Second, if you want to ping your box to ensure it's still alive:
iptables -I INPUT  -p icmp -m icmp --icmp-type echo-request	  -j ACCEPT
iptables -I OUTPUT -p icmp -m icmp --icmp-type echo-reply	  -j ACCEPT

Third, you might restrict access to your services: eg only your intranet
should be allowed to access the proxy on your firewall (192.168.0.0/24 is
a placeholder here, put in the network of your own intranet):
iptables -I INPUT  -i eth+ -s 192.168.0.0/24 -p tcp --dport 8080  -j ACCEPT
iptables -I OUTPUT -o eth+ -d 192.168.0.0/24 -p tcp --sport 8080  -j ACCEPT

Fourth, connections to your (non-existent) identd are rejected with a TCP reset
(this stops FTP servers from refusing or delaying the connection while their
ident lookup times out, which a plain DROP would cause):
iptables -I INPUT  -i ppp+ -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -I OUTPUT -o ppp+ -p tcp --sport 113 -m state --state RELATED -j ACCEPT
The OUTPUT rule is needed because the reset generated by REJECT passes through
the OUTPUT chain as well; it belongs to the rejected connection, hence RELATED.

These are only examples; on my gateway I've got the following services:
openSSH, Samba, squid, djbDNS, CUPS, LeafNode, POP3/IMAP and Postfix!

If you add all of your offered or accessed services like the above,
perhaps in FORWARD too, and delete the general clauses,
you get an old-fashioned packet filter, not unlike the one mentioned in (E).
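Inserting rules one `iptables -I` at a time works, but the rule order then depends on the order you typed the commands in, and while the script runs the box is in a half-configured state. The following is an added example, not the hint's own script: it generates the (B) rule set with the (C) additions in iptables-save format, so `iptables-restore` can load the whole thing atomically and the LOG rules always come last. Interfaces (`ppp+` outside, `eth+` inside) and the intranet network 192.168.0.0/24 are assumptions for the example; the service list format (`tcp/22`, `tcp/8080/int`, `icmp`) is invented here. The LOG rules get a rate limit the hint does not use, so a packet flood cannot fill the disk through syslog; drop the `-m limit` part if you really want every packet logged.

```shell
#!/bin/sh
# Added example (not from the hint): build the (B) firewall plus the (C)
# service rules as one iptables-restore file.
#   sh firewall.sh          print the rule set
#   sh firewall.sh apply    load it atomically (as root) and enable forwarding
# Assumed here: internet on ppp+, intranet on eth+ with 192.168.0.0/24.

# gen_rules EXT INT INTRANET "SERVICE ..."
#   SERVICE:  proto/port      reachable from everywhere       (tcp/22)
#             proto/port/int  reachable from the intranet only (tcp/8080/int)
#             icmp            answer pings
gen_rules() {
  ext=$1 lan=$2 lannet=$3 services=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $ext -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -o $ext -p tcp --sport 113 -m state --state RELATED -j ACCEPT
EOF
  for svc in $services; do
    case $svc in
      icmp)
        echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
        echo "-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT" ;;
      */*/int)
        proto=${svc%%/*}; port=${svc#*/}; port=${port%/int}
        echo "-A INPUT -i $lan -s $lannet -p $proto --dport $port -j ACCEPT"
        echo "-A OUTPUT -o $lan -d $lannet -p $proto --sport $port -m state --state ESTABLISHED -j ACCEPT" ;;
      */*)
        proto=${svc%%/*}; port=${svc#*/}
        echo "-A INPUT -p $proto --dport $port -j ACCEPT"
        echo "-A OUTPUT -p $proto --sport $port -m state --state ESTABLISHED -j ACCEPT" ;;
      *)
        echo "gen_rules: bad service '$svc'" >&2; return 1 ;;
    esac
  done
  # Forwarding as in (B); iptables 1.2 wrote the negation as '-i ! ppp+'.
  # LOG rules come last and are rate-limited so a flood cannot fill the disk.
  cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i $ext -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 1/sec --limit-burst 50 -j LOG --log-prefix "FIREWALL:INPUT  "
-A FORWARD -m limit --limit 1/sec --limit-burst 50 -j LOG --log-prefix "FIREWALL:FORWARD"
-A OUTPUT -m limit --limit 1/sec --limit-burst 50 -j LOG --log-prefix "FIREWALL:OUTPUT "
COMMIT
EOF
}

SERVICES="tcp/22 tcp/8080/int icmp"

case ${1:-show} in
  show)
    gen_rules ppp+ eth+ 192.168.0.0/24 "$SERVICES" ;;
  apply)
    # iptables-restore loads ip_tables/iptable_filter/iptable_nat on demand,
    # the FTP helpers it does not (2.4 module names as in the hint).
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    gen_rules ppp+ eth+ 192.168.0.0/24 "$SERVICES" | iptables-restore \
      && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```

Because iptables-restore replaces the filter and nat tables in one go, there is no window in which the old rules are flushed but the new ones not yet in place; the generated text can also be diffed against `iptables-save` output to see what is actually loaded.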

|Appendix.1: DoS, hijacking, spoofing|
Nowadays we must face the practice of denial-of-service attacks even against
private users (it seems to be quite common if you do online gaming),
trojans that read their commands on IRC, and worms that sweep the internet
as if someone was doing a blitzkrieg.

There may be ways to protect both your router and your intranet, but any
solution I could give here might become insufficient tomorrow
and would lull you into a false sense of security.
If you are really concerned, this is not the document to help you out!

But have a look, here's where I would suggest you start reading:
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html (IIRC outdated!)
http://www.little-idiot.de/firewall  (german & outdated, but very comprehensive)
(If someone wants a link to be added, please mail!)

|Turning firewalling off|
If you need to turn firewalling off quickly (note that masquerading stops
as well, so the intranet loses its internet access until you reload):

# flush all rules, delete user-defined chains and zero the counters
# in every table (mangle has only PREROUTING and OUTPUT in early 2.4 kernels,
# flushing the whole table avoids naming the chains)
iptables -F
iptables -X
iptables -Z
iptables -t nat    -F
iptables -t nat    -X
iptables -t nat    -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -P INPUT       ACCEPT
iptables -P FORWARD     DROP	# stays DROP: you don't want to be an open router
iptables -P OUTPUT      ACCEPT

Be cautious!
		Henning Rohde
	(Henning.Rohde at uni-bayreuth.de)

PS: And always do remember:
	Security is not a matter of a status quo
	but of never ceasing to take care!
