...making Linux just a little more fun!
By John Murray
Security is an issue that every Internet-connected user needs to consider. Attackers are using increasingly sophisticated tools to attempt to access our computers, and unfortunately they sometimes succeed. Denial of service attacks, worms, viruses, data theft and plain old vandalism are common, and chances are that if you haven't yet been affected, you know someone who has. Even home dial-up users should be aware of the risks. Firewalling is one of the primary tools for controlling computer security, and in this article I'll try to explain what a firewall is and what it does, without getting bogged down in too much technical jargon. So do you need a firewall? If you connect to the 'net, even via dial-up, the answer is probably yes.
It's for ordinary users who run Linux on their home computers, and who'd like to improve their security without having to wade through reams of documentation. I've tried to write in plain English, keeping it as simple as possible. As a result, this article only just scratches the surface of Linux firewalling, and the areas I've covered are somewhat oversimplified. Hopefully though, there'll be enough detail to get you started.
Whatever you do, don't think that just because you are using Linux that you'll be safe - sure, you'll be immune to most of the worms and viruses out there, but that doesn't mean your machine won't get "owned". And let's face it; some Linux distros as-installed are as insecure as MS Windows...
Originally, the term Firewall was used to describe a wall isolating one section of a building from another in case of fire. In a computing environment, a firewall performs a similar protective and isolating function, and forms a sort of security gate between your computer and the Internet.
Firewalls can take a variety of physical forms, using both hardware and/or software. They can be dedicated hardware devices, or combined with other devices such as modems or routers. Sometimes a computer will be set up to do nothing but act as a firewall to protect a local network. For the home computer user however, firewalling is usually implemented as a software package installed and configured to protect not just the home computer, but any other computers on the local network that share the Internet connection.
In simple terms, we could say that firewalls are used to control traffic between your computer (or LAN) and the Internet. More accurately, a firewall is a way of enforcing a policy or a set of rules governing the flow of data packets to and from the outside world. Firewalls that are used to protect home computers are usually based on packet filtering, i.e. data packets are admitted or rejected according to the way the rules are configured. Most firewalling tools for end users will come with a sensible set of rules by default, so that they can benefit from at least some protection even without any configuration.
Here are a few of the basic terms you are likely to encounter when setting up a firewall. You might already be familiar with them; if so read on anyway to see how they relate to firewalling...
Hosts - A host is simply a computer that is connected to (or a part of) a network. This includes the Internet, which is basically just a network of networks. Firewalls can be configured to prohibit access by specific hosts.
Ports- These are the virtual connection points used by networking services; not to be confused with physical ports like the serial or USB ports. They are allocated an identifying number, and common services are associated with specific ports by convention. For example web servers generally use port 80, outgoing email uses port 25 and so on. Many operating systems will have lots of ports open unnecessarily - these are potential access points for attackers. You could think of ports as being analogous to the doors of a building. For a building to be of any use it must allow some access; on the other hand trying to maintain security in a building with dozens of open or unlocked doors will be impossible. A firewall can not only control access through these doors, it can make the unused doors invisible to hosts on the outside.
Packets - Data doesn't flow between hosts on a network in a continuous stream, but rather it is broken down into manageable chunks called packets. Each packet contains information related to the type of packet it is, where it is going to and where it has come from, as well as the data itself. Firewalls will handle individual packets in one of these ways, depending on how the packet matches the firewall rules:
Protocols are the methods or systems that define how networking clients and servers will communicate. You are probably familiar with at least some of these listed here; they are common protocols that can be controlled with firewall filtering rules.
Rules - Firewalling is simply the enforcement of a set of configurable rules. Each packet of data is assessed and then accepted or rejected depending on how it compares to criteria set in the rules. Firewall applications allow the user to configure the rules, and then implement them.
As well as controlling network traffic, firewalling tools also allow you to monitor or log network activity. The type of activity that's reported on is configurable, so that you only need be shown the interesting stuff, and not be overwhelmed with tons of entries describing legitimate traffic. Log files can be somewhat cryptic unless you know what to look for, and can quickly become huge. GUI apps like Firestarter have a big advantage in this area; they can monitor and display the information in a way that is easy to understand.
Firewalls under Linux (using software) utilize a tool called iptables with the 2.4 series kernels, and ipchains with the earlier 2.2 series kernels. In fact, it's quite possible to run an effective firewall simply by entering ipchains/iptables commands from a shell prompt. These commands configure the rules, and start the packet filtering process. Entering these commands manually would be difficult though, and here's why: first, you'd have to be familiar with the iptables/ipchains syntax to know what to type in. Secondly, because firewall rules tend to be rather complex, it'd be time consuming. Thirdly, you'd have to go through the exercise every time you booted, and fine-tuning would involve typing in more obscure (to the average user) commands. For these reasons, iptables/ipchains is generally run from a script rather than directly from the command line. This way the script can be automatically run at boot-up, and tuning carried out simply by editing the script with a text editor or alternatively from a GUI front end. There are plenty of pre-configured scripts available, and if you prefer your firewalls point'n'clicky, you can do it all with a mouse. So in fact, when we talk about firewall programs, we're really talking about front-ends for iptables/chains. Firewalls for home computers are generally based around iptables' packet filtering capabilities - however, iptables is capable of doing much more.
Which firewall tool should you choose? This is a bit like asking which editor is best, or which distro to choose - ask twenty different users and you'll get nearly as many different answers. In other words, it doesn't really matter, they all do the job so just use something that suits your own preferences. Running a firewall on a home machine needn't be difficult, and often requires no more than a couple of mouse clicks. Here are your options:
Before you even start, make sure you have no unnecessary services running. Some of the older distros in particular would run all sorts of servers by default, so turn 'em off and strip them from your startup scripts. Whichever way you choose to run your firewall, you'll probably need to configure a few things. In general, I'd recommend starting off by blocking just about everything, and only opening things up if they prove to be too restrictive. The general idea is to shut off anything that you don't need. Some questions you may be asked include:
It's important to check that your firewall is actually running, and doing what it's supposed to be doing. The easy way to do this is to connect to one of the online services like ShieldsUp or Sygate Online Services. These can tell you quite a bit (using wanky buzzwords like "stealthed"), such as which ports are open, closed or blocked, how your computer responds (or doesn't) to different types of requests and so on.
There is an abundance of firewall related stuff on the web. Here are a few that may interest you:
Some Ready-Made Firewall Scripts:
MonMotha's Firewall Scripts are popular, and a good choice for non-techie users. The configuration section is brief and simple, and the script is well commented.
Arno's Firewall Script is another popular choice, but more complex and detailed than MonMotha's.
Graphical (GUI) Firewalling Tools:
Firestarter is very widely used, and has a graphical interface and firewall setup and monitoring capabilities.
TurtleFirewall is an easy to use tool with a graphical configuration via Webmin.
Guarddog A firewall setup tool for KDE users..
Smoothwall is a software package designed to turn a PC into a dedicated firewall/router. Configured through a web browser, and a cost effective way of protecting a local network.
The comp.os.linux.security FAQ is an excellent source of further security related information.
The Internet Firewalls FAQ - the name says it all..
The Linux iptables HOWTO For the more adventurous, this HOWTO shows how to work with iptables directly.
Netfilter/iptables Firewall Page - A comprehensive list of links to firewall related sites.
Disclaimer - I don't claim to be an expert on firewalls or security (or anything else for that matter). In other words, use the information in this article at your own risk.
John is a part-time geek from Orange, Australia. He has been using
Linux for four years and has written several Linux related