Firewalls


The word firewall has been tortured into horrendous contortions over the last few years, until it has ceased to mean much of anything. You can buy a firewall for your cable modem for under a hundred dollars, and you can purchase an enterprise firewall for a hundred thousand dollars. What's the difference? They're all firewalls — much as cats, elephants, and llamas are all mammals, but some are welcome in your home and some most certainly are not. (Which, of course, is a matter of personal preference.)

What differentiates firewalls are the features that they offer, the hardware they run on, and the robustness of the software. Your basic home firewalls perform the bare minimum to allow users to surf the web and keep outsiders out. Your enterprise firewall may do exactly the same thing, but also include application proxies and a hefty support contract. Some breeds of either type are quite resilient, while others can be out-thought by drunken squirrels. Frequently, price and quality have no sensible relationship to each other.

OpenBSD can be used as the basis for a full-featured firewall. The integrated packet filtering software can perform any of the packet-level tasks that any commercial firewall provides. If you want application proxies, however, OpenBSD does not include them (with the exception of an FTP proxy, which is necessary for normal FTP operations through a packet filter, as discussed in Chapter 18). Several popular application proxies run quite well on OpenBSD, but they are not part of OpenBSD. I've used Squid (/usr/ports/www/squid) quite easily to proxy the most common Internet applications and an assortment of other proxies to manage just about everything else.

A firewall is what you make it. You can send all your network traffic through a simple OpenBSD packet filter and honestly say you have a "firewall," or you can set up application proxies, authentication, and so on, and still say you have a "firewall." Remember this the next time someone says that they have a firewall.

To build an effective firewall, you absolutely must understand TCP/IP. If you don't understand as much TCP/IP as you'd like, allow me to recommend Stevens's TCP/IP Illustrated, volume 1 (Addison-Wesley). [1] While you can set up a basic firewall knowing only the basics of TCP/IP, you're going to find that debugging problems can be quite difficult.

Throughout this section, we're going to talk about using your OpenBSD system as a firewall. This assumes that you have two or more network cards, and you want to pass traffic between them. While this is a popular application for OpenBSD, everything discussed here works just as well to protect an OpenBSD machine sitting naked on the Internet. Don't be afraid to implement packet filtering on your web server!
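The two-interface setup described above, as an added configuration example that is not from the book: a pf.conf for OpenBSD's packet filter, pf, built on a default-deny policy. It assumes em0 faces the Internet, em1 faces the inside network, and that the inside network is 192.168.1.0/24; it uses current pf syntax (nat-to), which differs from the syntax of the OpenBSD releases this book covers.

```pf
# Added example pf.conf. Interface names (em0 external, em1 internal) and
# the 192.168.1.0/24 network are assumptions, not taken from the book.
# The kernel must also have net.inet.ip.forwarding=1 (set in
# /etc/sysctl.conf) before it will pass packets between the two cards.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

set skip on lo                     # never filter loopback traffic

# Default deny: anything not explicitly passed below is dropped and logged,
# so a forgotten rule fails closed rather than open.
block log all

# Inside hosts may reach the Internet. pass rules keep state by default,
# so replies come back without a separate inbound rule.
pass in  on $int_if inet from $lan to any
pass out on $ext_if inet from $lan to any nat-to ($ext_if)

# Let inside hosts administer the firewall itself over ssh; nothing on
# the outside interface can reach the ssh port.
pass in on $int_if inet proto tcp from $lan to ($int_if) port 22

# The "sitting naked on the Internet" case: if this box is also a web
# server, expose only HTTP and HTTPS on the outside interface.
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 }

# The firewall's own outbound traffic (DNS lookups, package fetches, etc.).
pass out on $ext_if inet from ($ext_if) to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see what the block rule is dropping while you debug.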

[1] I also recommend volumes 2 and 3, but for different reasons.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
