Firewall Hardware

Configuring your Mac to perform Internet Sharing or setting up firewall software to block your machines isn't difficult, but it isn't necessarily the appropriate solution for everyone ” especially those that do not want to dedicate a Mac to maintaining a network connection.

Consumer Firewall Appliances

A number of consumer solutions are virtually plug, play, and forget. Usually sold under a "broadband router" moniker, these devices typically perform NAT, serve DHCP, and are configured through a Web interface, as shown in Figure 17.5. Many can create VPN connections via IPSec, easily forward incoming connections to internal IP addresses, and are available in wired, wireless, or both configurations. Starting at around $50 for an ethernet-based model, they're affordable and eliminate the necessity for custom configuration on your individual Mac.

Table 17.1 contains a list of popular firewall appliances that can be used with your network.

Table 17.1. Popular Internet Sharing Devices

Although this list is accurate at the time of writing, the market for these devices is growing daily. New models with bigger and better features will always be "just around the corner." Most of these devices range from $50 (wired) to $150 (wireless), with the exception of Apple's AirPort Extreme, which tops out at $250 for the high-end model. The AirPort Extreme, however, provides dial-in support (including AOL) if necessary, and, with two ethernet ports, USB printer sharing, 802.11g support, and 50- user capacity, can serve as an ethernet/wireless bridge.

Broadband routers typically provide a means of mapping incoming connection ports to IP addresses within the internal private network, or setting a DMZ (demilitarized zone) machine that, for all intents and purposes, sits outside the protection of the firewall and receives all incoming traffic. Keep in mind that doing this will expose internal machines to the same risks (on the passed ports) that they would experience if they were connected to the Internet directly. A firewall is effective only when it is used to block potentially dangerous traffic.

Commercial Firewalls

Commercial firewalls differ from the "lighter" SOHO fare by providing support for larger numbers of computers, integrating features such as VPN and intrusion detection, and, most importantly, providing protection for a subnet of nonprivate addresses.

Broadband routers typically work by taking a single incoming connection with one nonprivate IP address, and making that connection available to an internal subnet (NAT). The trouble with this arrangement is that you cannot, for example, run two Web servers on the internal subnet and have them be visible from the outside world (unless one of the servers was not using the standard port 80). For commercial applications where the vast majority of the network must be addressable from the Internet, NAT devices fall short.

Commercial firewalls connect between an incoming network feed (such as a router), and the devices that feed the LAN side of the connection (usually a switch). Firewalls of this nature function as a bridge, passing traffic from one side of the firewall to the other, and vice versa, transparently "bridging" the internal and external networks. While handling the traffic flow, a firewall can also perform packet inspection, dropping packets that fail to match the network policies for the LAN. As ipfw can be configured to block packets directly at your OS X machine, a commercial firewall can block the packets before they even reach a machine.

Commercial firewall solutions cost in the $1000+ range, and often come with dedicated software and monitoring utilities. Many offer service-specific packet filtering, allowing administrators to block inappropriate Web and email content before it reaches internal servers or clients . These devices are appropriate for any network that requires a single point for controlling service access, as well as those that require security for an entire Internet-addressable subnet. To locate a firewall appropriate for your network, you may want to check out these manufacturers:

• WatchGuard ” http://www.watchguard.com/

• Novell ” http://www.novell.com/products/bordermanager/

• SAGE Inc . ”http://www.thirdpig.com/

• SonicWALL ” http://www.sonicwall.com/solution/index.asp

• Trustix ” http://www.trustix.com/

• KarlNet ” http://www.karlnet.com/

• Cisco ” http://www.cisco.com/

• BorderWare ” http://www.borderware.com/

• NetScreen ” http://www.netscreen.com/main.html

• Actane ” http://www.actane.com/controll.htm

• Sun Microsystems ” http://www.sun.com/servers/entry/checkpoint/

A Cheap and Effective Solution

Because you're already involved with a Unix operating system (Mac OS X), you might want to consider building your own firewall with Linux. This provides a cost-effective solution that can operate as a transparent bridge (like a commercial system), but requires some command-line configuration to work.

To create a transparent Linux firewall, you'll need

• A PC that can be dedicated to firewalling . A 400MHz PII w/ 128MB RAM can easily handle a network of 300+ workstations while running active intrusion detection ”so nothing extravagant is required.

• A Linux distribution with the bridging code included in the kernel . 2.4 or later should suffice. The RedHat 8.x distribution is easy to install and should work nicely for most people. The latest patches to the kernel bridging code can be downloaded from http://bridge. sourceforge .net/download.html.

• Two network cards . Two network cards rated for the speed and media type used on your LAN. A safe option is the Intel EtherExpress Pro.

First, set up the PC and install the Linux distribution. Do not choose to set up a firewall at this time. Allow the installer to configure the network cards so that each is visible on your network. Use chconfig or ntsysv to disable all unnecessary network services. Be sure that iptables is enabled and that ipchains is not.

You should take the time to determine which physical port is recognized as eth0 and which is eth1 . This might require pinging the interfaces from outside devices, then disconnecting the wires to see when the packets are dropped.

Next, download and install the kernel bridging utilities from http://bridge.sourceforge.net/download.html, unarchive , and enter the source distribution directory:

 #  curl -O http://bridge.sourceforge.net/bridge-utils/bridge-utils-0.9.6.tar.gz  #  tar zxf bridge-utils-0.9.6.tar.gz  #  cd bridge-utils  

Configure, compile, and install the software with ./configure , make , and make install :

 #  ./configure  checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for a BSD-compatible install... /usr/bin/install -c checking for ranlib... ranlib checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes ... #  make  for x in libbridge brctl doc; do (cd $x && make ); done make[1]: Entering directory `/home/jray/bridge-utils/libbridge' gcc -Wall -g -I/usr/src/linux/include -c libbridge_compat.c gcc -Wall -g -I/usr/src/linux/include  -c libbridge_devif.c gcc -Wall -g -I/usr/src/linux/include  -c libbridge_if.c gcc -Wall -g -I/usr/src/linux/include  -c libbridge_init.c gcc -Wall -g -I/usr/src/linux/include  -c libbridge_misc.c ... #  make install  for x in libbridge brctl doc; do (cd $x && make install ); done make[1]: Entering directory `/home/jray/bridge-utils/libbridge' mkdir -p /usr/local/include install -m 644 libbridge.h /usr/local/include mkdir -p /usr/local/lib install -m 644 libbridge.a /usr/local/lib make[1]: Leaving directory `/home/jray/bridge-utils/libbridge' make[1]: Entering directory `/home/jray/bridge-utils/brctl' mkdir -p /usr/local/sbin /usr/bin/install -c -m 755 brctl brctld /usr/local/sbin make[1]: Leaving directory `/home/jray/bridge-utils/brctl' make[1]: Entering directory `/home/jray/bridge-utils/doc' mkdir -p /usr/local/man/man8 install -m 644 brctl.8 /usr/local/man/man8 make[1]: Leaving directory `/home/jray/bridge-utils/doc' 

Finally, install the script ( bigwall.sh ) shown in Listing 17.1 on the Linux computer. The location is not important, but you will need to edit this file to add rules to the firewall.

Listing 17.1 Linux Firewall Startup Script ( bigwall.sh )

 1 #!/bin/sh 2 3 # Used for bridge 4 BR="/usr/local/sbin/brctl" 5 IFCONFIG="/sbin/ifconfig" 6 LAN_IP="0.0.0.0" 7 WAN_IP="0.0.0.0" 8 FIREWALL_IP="0.0.0.0" 9 FIREWALL_MASK="255.255.255.0" 10 FIREWALL_GW="0.0.0.0" 11 12 # Only used for firewall 13 IPTABLES="/sbin/iptables" 14 LAN_SUBNET="10.0.1.0/255.255.255.0" 15 ROUTE="/sbin/route" 16 17 $BR addbr firewall 18 $BR addif firewall eth0 19 $BR addif firewall eth1 20 $IFCONFIG eth0 $WAN_IP promisc 21 $IFCONFIG eth1 $LAN_IP promisc 22 $IFCONFIG firewall $FIREWALL_IP netmask $FIREWALL_MASK promisc up 23 $ROUTE add -net $LAN_IP gw $FIREWALL_GW dev firewall 24 25 # Flush and delete user chains 26 $IPTABLES -F 27 $IPTABLES -X 28 29 # The KEEP_STATE chain keeps established connections (from the inside) 30 $IPTABLES -N KEEP_STATE 31 $IPTABLES -F KEEP_STATE 32 $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP 33 $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT 34 35 # Accept packets from the firewall's gateway 36 $IPTABLES -A FORWARD -s $FIREWALL_GW -i eth0 -d 0/0 -j ACCEPT 37 38 # Log spoofed packets (source is internal LAN but external interface) 39 $IPTABLES -A FORWARD -s $LAN_SUBNET -i eth0 -d 0/0 -j LOG --log-level DEBUG  --log-prefix "Spoof attempt: " 40 41 # Add traffic blocks here 42 ########################### 43 # 44 # 45 # 46 # 47 48 # Keep established connections 49 $IPTABLES -A FORWARD -j KEEP_STATE 50 51 # Allow all outgoing traffic 52 $IPTABLES -A FORWARD -s $LAN_SUBNET -j ACCEPT 53 54 # Drop everything else 55 $IPTABLES -A FORWARD -m limit --limit 20/minute --limit-burst 10 -j LOG --log-level  DEBUG --log-prefix "FORWARD packet died: " 56 $IPTABLES -A FORWARD -j DROP 

Minimal configuration consists of setting the LAN_SUBNET value in line 14. This should be set to the IP/mask of the network that the firewall will be protecting. The firewall itself has no IP address and cannot be accessed from the outside world. To provide access, assign an IP, netmask, and gateway using the variables FIREWALL_IP , FIREWALL_MASK , and FIREWALL_GW in lines 8, 9, and 10, respectively.

By default, the firewall will allow all outgoing packets and incoming packets that are associated with an internally originated connection to pass. All other packets (incoming traffic) are blocked and logged. The interface eth0 should be plugged into the "Internet" side of connection; this enables the rule in line 39 to log spoof attempts by checking for incoming IP addresses that match the local subnet's addresses ”something that should be impossible .

To control the firewall, you'll need to add rules of your own by using Linux's iptables syntax. Rules should be added into the script starting at line 42. For example, to pass incoming Web connections (port 80) to the internal machines 10.0.1.25 and 10.0.1.36, you could add

 $IPTABLES -A FORWARD -p tcp -s 0/0 -d 10.0.1.25 --dport 80 -j ACCEPT $IPTABLES -A FORWARD -p tcp -s 0/0 -d 10.0.1.36 --dport 80 -j ACCEPT 

To enable incoming SSH access (port 22) for the entire 10.0.1.0/24 subnet, you could add

 $IPTABLES -A FORWARD -p tcp -s 0/0 -d 10.0.1.0/24 --dport 22 -j ACCEPT 

The script can be built to hold as many rules as you like. Obviously, if you need a configuration more complex than simply allowing or blocking a few ports, you'll want to read up on the Linux iptables documentation. The iptables man page is a good place to start, followed by the Iptables tutorial, located at http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html.

To start the firewall, simply run bigwall.sh from the shell:

 #  ./bigwall.sh  

Running the firewall script ( ./bigwall.sh ) creates a virtual network interface called firewall ; this interface serves to bridge the eth0 and eth1 traffic. Iptables rules are applied to the virtual interface and strip blocked packets from the bridge before they reach the outgoing network interface. Running ifconfig should show all three interfaces as up and active:

 #  /sbin/ifconfig  eth0      Link encap:Ethernet  HWaddr 00:02:B3:9A:3E:16           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1           RX packets:168352531 errors:0 dropped:0 overruns:0 frame:0           TX packets:152420826 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:100           RX bytes:510956821 (487.2 Mb)  TX bytes:3484029491 (3322.6 Mb)           Interrupt:12 Base address:0x1000 eth1      Link encap:Ethernet  HWaddr 00:02:B3:9A:59:BF           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1           RX packets:150615474 errors:0 dropped:0 overruns:0 frame:1268544           TX packets:164704397 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:100           RX bytes:3337027408 (3182.4 Mb)  TX bytes:4102786752 (3912.7 Mb)           Interrupt:11 Base address:0xc000 firewall  Link encap:Ethernet  HWaddr 00:02:B3:9A:3E:16           inet addr:164.107.48.6  Bcast:164.107.255.255  Mask:255.255.254.0           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1           RX packets:317481071 errors:0 dropped:0 overruns:0 frame:0           TX packets:3851572 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0           RX bytes:3013262010 (2873.6 Mb)  TX bytes:924730826 (881.8 Mb) 

After verifying that the firewall starts correctly, you can place it between your incoming network feed and LAN. There is likely to be a 5 “10 second pause while port speeds are negotiated, after which normal network connections will resume. The script bigwall.sh can be added to one of the /etc/rc.d/init.d scripts (such as network ) to automatically start at boot, if desired.