Firewall
A firewall is a piece of hardware or software put into the network to control and/or prevent communication forbidden by the network policy and/or intrusions from the Internet.
You can think of it as a wall that blocks communication with the outside world. The management of a firewall will consist of opening just the channels (ports) you need to communicate.
A firewall often has routing capabilities to allow DMZs or honeypots to be used to keep local users separate from Internet server traffic.
How To ...
Check if your firewall is running
To check if your firewall is running, use the command iptables --list. Here is an output that means your firewall is turned off:

    iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
If you look at it, you will find that for all incoming packets ("Chain INPUT" entry above), the policy is set to ACCEPT with no exceptions. The same is true for FORWARD and OUTPUT.
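The check above done by a script, as an added example that is not part of the original page: it reads the text of iptables --list and reports the filter table as "off" only when every chain policy is ACCEPT and no chain contains a rule. The two listings inside the script are constructed samples (the empty one mirrors the output quoted above; the second is a hypothetical workstation ruleset).

```shell
#!/bin/sh
# Added example (not from the original page). "off" means every built-in
# chain has policy ACCEPT and no rules at all, i.e. nothing is filtered.

# Constructed sample: the "firewall turned off" listing quoted above.
OFF_OUTPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: a hypothetical workstation ruleset (default DROP on
# INPUT and FORWARD, two ACCEPT rules) as iptables --list would print it.
ON_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# firewall_state: read an iptables --list listing on stdin, print "on"
# if any built-in chain policy is not ACCEPT or any rule line exists,
# otherwise "off".
firewall_state() {
    awk '
        /^Chain / { if ($0 ~ /\(policy / && $0 !~ /\(policy ACCEPT\)/) active = 1; next }
        /^target/ { next }      # column header line
        NF == 0   { next }      # blank line between chains
        { active = 1 }          # anything else is a rule
        END { print (active ? "on" : "off") }
    '
}

# Live check when run as root with iptables installed; otherwise run the
# two constructed samples so the script works anywhere.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    iptables --list 2>/dev/null | firewall_state
else
    printf '%s\n' "$OFF_OUTPUT" | firewall_state   # off
    printf '%s\n' "$ON_OUTPUT" | firewall_state    # on
fi
```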
GNU/Linux and Firewalls
If you have any Windows machines, or are running a server, you should have a firewall. Linux machines are often used as firewalls, and some broadband routers are actually embedded devices running Linux.
When looking for a firewall package, it is important to remember that the firewall is only one step in a well managed security policy. Please do not rely on a firewall as the sole means of security in your network.
Linux firewall software
A lot of different software for constructing and maintaining firewalls is available for Linux, ranging from easy GUI apps for desktop PCs to dedicated firewall distributions. They all use the packet filtering method provided by the Linux kernel.
Linux has had three user-space interfaces to the kernel packet filter: first ipfwadm, then ipchains, and now iptables. All three are available as kernel options and user packages. Since the 2.4 kernel, the packet filter has been called netfilter and offers "stateful" matching.
Linux firewall software is usually a frontend for iptables/ipchains that offers more user-friendly ways (a GUI, an easier text-based config file, etc.) to create firewall rules. It then uses a script that runs at boot time (or whenever the rules are changed) to load the rules. It is common to have more than one script, since each one adds rules to the existing set; scripts must therefore contain explicit entries to clear, flush and remove rules/tables.
The rule system is always improving in quality and variety. The development modules are usually found in the patch-o-matic section of the netfilter website and are frequently incorporated into the kernel sources once they are stable and popular.
Specialized Firewall Linux Distributions
See Firewall distributions for a complete list.
Firewall scripts/console apps
- Iptables / Netfilter
- Iptables on Fedora Core 2
- Manual configuration of an iptables firewall
- Scripted firewall configuration
- BullDog
- picofirewall
GUI/X firewall applications
- Graphical and interactive firewall configuration
Web interface firewall applications
See also
- A basic firewall configuration suitable for a workstation
- A basic firewall configuration suitable for a gateway/nat
- routing
- DMZ
- proxy
- honeypot
- security
- Zorp is a new generation application level proxy firewall.
- Shorewall Firewall Configuration Guide
- FireHOL Firewall Configuration Guide
- picofirewall Configuration Guide
- Linux Firewall and Security Site
- BullDog Firewall
- BullDog Firewall Domain Database -- Currently ~12G, updates realtime