Firewall

From LQWiki

A firewall is a piece of hardware or software placed in a network to control or prevent communication that the network policy forbids, including intrusions from the Internet.

You can think of it as a wall that blocks communication with the outside world. Managing a firewall consists of opening just the channels (ports) you need in order to communicate.

A firewall often has routing capabilities to allow DMZs or honeypots to be used to keep local users separate from Internet server traffic.

How To ...

Check if your firewall is running

To check if your firewall is running, use the command iptables --list. Here's an output that means your firewall is turned off:

iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In this output, the policy for all incoming packets (the "Chain INPUT" entry above) is set to ACCEPT, and no rules are listed under it, so there are no exceptions. The same is true for FORWARD and OUTPUT.
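The check described above can be automated. The following is an added example, not part of the original wiki page: the function names chain_report and firewall_off and both sample listings are constructed for illustration, and the script assumes the plain (non-verbose) iptables --list layout shown above.

```shell
# Added example. chain_report reads `iptables --list` text on stdin and
# prints, for each built-in chain: NAME POLICY RULE_COUNT STATE.
# STATE is "open" when the policy is ACCEPT and the chain holds no rules.
chain_report() {
    awk '
        function emit() {
            if (chain != "")
                printf "%s %s %d %s\n", chain, policy, rules,
                    ((policy == "ACCEPT" && rules == 0) ? "open" : "filtered")
        }
        /^Chain / {
            emit(); chain = ""; rules = 0; hdr = 1
            # Only built-in chains carry "(policy X)"; user-defined chains are skipped.
            if ($3 == "(policy") { chain = $2; policy = $4; sub(/\)$/, "", policy) }
            next
        }
        hdr { hdr = 0; next }        # column header line under each chain
        /^[ \t]*$/ { next }          # blank separator between chains
        chain != "" { rules++ }      # anything else is one rule
        END { emit() }
    '
}

# Exit status 0 when every built-in chain is open, i.e. the listing matches
# the "firewall turned off" case; 1 otherwise (or when no chain was seen).
firewall_off() {
    chain_report | awk '$4 != "open" { f = 1 } END { exit ((NR > 0 && !f) ? 0 : 1) }'
}

# Constructed sample: same shape as the listing shown on the page.
SAMPLE_OFF='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# Constructed sample: default-deny inbound with two ACCEPT rules.
SAMPLE_ON='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

printf '%s\n' "$SAMPLE_ON" | chain_report
```

On a live host the input would come from iptables --list run as root instead of the samples. A chain reported as "filtered" only means it has a non-ACCEPT policy or at least one rule; whether those rules are adequate still has to be reviewed by hand.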

GNU/Linux and Firewalls

If you have any Windows machines, or are running a server, you should have a firewall. Linux machines are often used as firewalls, and some broadband routers are actually embedded devices running Linux.

When looking for a firewall package, it is important to remember that the firewall is only one step in a well-managed security policy. Please do not rely on a firewall as the sole means of security in your network.

Linux firewall software

A lot of different software for constructing and maintaining firewalls is available for Linux, ranging from easy GUI apps for desktop PCs to dedicated firewall distributions. They all use the packet filtering method provided by the Linux kernel.

Linux has had three user interfaces to the kernel packet filter system: first ipfwadm, then ipchains, and now iptables. All three interfaces are available as kernel options and user packages. Since the 2.4 kernel, the packet filter is called netfilter and offers "stateful" matching.

Linux firewall software is usually a frontend for iptables/ipchains, and allows more user-friendly methods (GUI, easier text-based config file, etc.) to be used to create firewall rules. It then uses a script that runs at boot time (or whenever the rules are changed) to load the rules. It is common to have more than one script, as each one adds rules to the existing set. Scripts must specifically have entries to clear, flush and remove rules/tables.

The rule system is always improving in quality and variety. The development modules are usually found in the patch-o-matic section of the netfilter website and are frequently incorporated into the kernel sources once they are stable and popular.

Specialized Firewall Linux Distributions

See Firewall distributions for a complete list.

Firewall scripts/console apps

GUI/X firewall applications

Web interface firewall applications

See also