Using and Obtaining Automated Firewall Scripts and Graphical Firewall Utilities


Several attempts have been made to automate the process of creating a firewall in Linux. Similarly, developers are also busy creating GUI applications that make the job easier. Many of these utilities are quite useful, although they are mostly effective as a starting point for your firewall configuration; you will likely have to customize the rules these applications generate.

The more effective firewall scripts and GUI tools include the following:

  • Firestarter A fairly sophisticated graphical tool that supports both Ipchains and Iptables. It can be used to create a personal firewall, but also supports multihomed systems. Like many automated firewalls, it creates multiple rules to filter out known and expected attacks. You may need to adjust some of these automatic settings. Although Firestarter does support multiple interfaces, it, like most of the open-source GUI firewall applications, is best used only as a beginning to a firewall on a multihomed system. You can obtain Firestarter at http://sourceforge.net/projects/firestarter.

  • Mason A unique product, Mason is designed to first listen in on traffic passing through your firewall, and then generate Ipchains or ipfwadm (the precursor to ipchains and Iptables) rules. As of this writing, Mason does not support Iptables. In spite of this, Mason's approach to rules creation is both unique and sound, as it derives rules from the traffic your network actually carries rather than from guesses about your firewall needs. You can download this binary at http://users.dhp.com/~whisper/mason. Do not confuse this product with the HTML Mason utilities meant to dynamically generate HTML for Apache Server.

  • Knetfilter A GUI firewall designed to work with the KDE desktop environment. Although it purports to be stable, it appears to have problems working with common versions of KDE. You can learn more about Knetfilter at http://expansa.sns.it:8080/knetfilter.

  • Firewall Builder Firewall Builder is in many ways the most ambitious open-source GUI tool. It allows you to create rules for multiple interfaces, networks, and hosts. It is also quite unstable on most versions of Red Hat Linux through version 7.1. Learn more about Firewall Builder at http://sourceforge.net/projects/fwbuilder.

  • EasyChains EasyChains has an ncurses-based GUI, and supports Ipchains and Iptables. You can download it at http://sourceforge.net/projects/easychains.

Weighing the Benefits of a Graphical Firewall Utility

As you consider using any of the GUI applications covered in this section, keep in mind the following issues:

  • Often, these downloads do not provide public keys or hash values for their code; therefore, before using any of the applications, make sure that you review the source code. If you cannot review the source code yourself, then employ someone to check it, especially if you plan to use it in an enterprise environment.

  • Most of these applications are still in beta form, so remember that they often provide limited functionality. Although some, such as Mason, are quite impressive, limitations still persist: As of this writing, Mason does not support Iptables.

  • The more advanced GUI applications often require you to upgrade to either the very latest version of a particular window manager, such as KDE or Gnome, or to use an idiosyncratic version or configuration. Consequently, you may have to spend a great deal of time configuring your window manager. Generally, this time could be better spent learning how to use Iptables or Ipchains commands.

Firewall Works in Progress

The following is a partial list of applications being developed at the current time:

  • jb dynFW (http://sourceforge.net/projects/jbdfw) This project appears to be interested in creating a personal firewall product, as opposed to a multihomed firewall.

  • Heimdall Linuxconf Firewall (http://sourceforge.net/projects/heimdall) A promising effort, mainly because it proposes to be an add-on to the Linuxconf application.

  • NetFilter-1 (http://sourceforge.net/projects/netfilter-1) If it lives up to its promise, this particular project could produce a truly useful piece of software, because it is trying to mimic the Check Point Firewall-1 product. Its "secure logging" feature will employ encryption so that the firewall can log to remote systems without the fear of sniffing attacks.

  • PHP Ipchains project (http://sourceforge.net/projects/phpchains) The primary strength of this product is that it is based on PHP, which is a truly portable language, and is well supported by Apache Server. Because many other security applications use PHP, this product may allow you to apply skills you have already learned.

  • Positive Control (http://sourceforge.net/projects/positivecontrol) Not only does this project plan on releasing a GUI, it also plans on creating a firewall that can detect port scans through stateful inspection, which here means that the firewall maintains and scans its own dynamic database of connection attempts. If this database shows that a number of ports have been scanned in a row, the firewall can take action. Some actions the firewall can take may include automatic firewall reconfiguration and automatic alerts.
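The scan detection Positive Control describes comes down to counting how many distinct ports one source has probed. The script below is an added example, not code from the book, from Firestarter or from any project listed above; it applies the same idea offline to a saved firewall log in the syslog format written by the iptables LOG target and reports every source address that touched at least a given number of distinct destination ports. The log lines are constructed for this example, and the function name and threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the book, Firestarter or Positive Control): flag
# sources that probed many distinct destination ports in a saved firewall
# log. Lines are in the syslog format of the iptables LOG target.

# Constructed log excerpt for this example. 192.0.2.45 walks five ports
# (one of them twice); 203.0.113.7 only retries SSH and fetches a web page.
SAMPLE_LOG='Mar  4 10:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41234 DPT=21 SYN
Mar  4 10:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41235 DPT=22 SYN
Mar  4 10:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41236 DPT=23 SYN
Mar  4 10:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41237 DPT=22 SYN
Mar  4 10:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41238 DPT=25 SYN
Mar  4 10:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  4 10:01:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41239 DPT=80 SYN
Mar  4 10:02:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
Mar  4 10:02:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50002 DPT=22 SYN
Mar  4 10:03:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50003 DPT=80 SYN'

# port_scan_suspects FILE THRESHOLD: print "SRC N" for every source that
# hit at least THRESHOLD distinct destination ports. Repeated hits on one
# port count once, and lines without DPT (for example ICMP) are ignored.
port_scan_suspects() {
    awk -v min="$2" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # count each (source, port) pair only the first time it is seen
        if (src != "" && dpt != "" && !seen[src SUBSEP dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$1" | sort
}

LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "Sources touching 4 or more distinct ports:"
port_scan_suspects "$LOG" 4
rm -f "$LOG"
```

The count runs over the whole file; a production version would add a time window, since a slow scan spread over days looks different from a burst, but the distinct-port count per source is the signal either way.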

Exercise: Using Firestarter to Create a Personal Firewall

  1. Make the necessary preparations for your firewall. If you are creating a personal firewall, then you can simply move on to step 2. If you want to use your firewall to masquerade connections, you should understand that Firestarter may not do the best job creating forwarding and nat/masquerading rules, so you may want to create them first. You will see later in this exercise how you can configure Firestarter to enable masquerading for you.

  2. Once you have verified and tested your masquerading (if necessary), download the latest Firestarter RPM or tarball from http://sourceforge.net/projects/firestarter. The RPM and tarball packages are equivalent. They do not require any special libraries; if you have installed either the Gnome or KDE window managers, you will have no problem.

  3. Install Firestarter. If you are using the RPM, you would issue the following command:

    rpm -ivh firestarter-0.7.0-1.i386.rpm
  4. Now, start X and enter the following in a terminal:

    firestarter
  5. If an Ipchains or Iptables configuration already exists, you may see the warning shown in Figure 5.3.


    Figure 5.3: Firestarter Warning

    If necessary, click Yes. You should note that this warning will also appear if you restart Firestarter. If you are using this wizard on a system that already has masquerading configured, you would click No to save this configuration. Firestarter will simply append its configuration to yours.

  6. When you first launch Firestarter, the configuration wizard, shown in Figure 5.4, should appear automatically.

    Figure 5.4: The Firestarter Configuration Wizard Initial Screen

    If the wizard does not appear, maximize the main interface and go to Firewall | Run firewall wizard.

  7. Once the wizard begins, click Next.

  8. The Network Device Configuration screen will appear, as shown in Figure 5.5. Select the interface you want to protect, and click Next.

    Figure 5.5: The Network Device Configuration Screen

    You will notice that in this particular example, the eth0 interface is selected. Firestarter is written well enough so that it will automatically detect all of your interfaces.

  9. The Services Configuration window, shown in Figure 5.6, will appear.

    Figure 5.6: The Services Configuration Window

  10. Configure the services that you want. Figure 5.6 shows that only SSH will be allowed to connect to the firewall. Your settings will differ according to your needs. When you are finished selecting the services you want to provide on this interface, click Next.

  11. The ICMP Configuration screen will appear, as shown in Figure 5.7. By default, Firestarter disables all ICMP filtering, which means that all ICMP packets will be allowed to pass through the firewall. Select Enable ICMP Filtering, and then select the ICMP packet types that you want to filter. You will notice that in this particular example, no ICMP packets will be allowed to traverse the firewall.

    Figure 5.7: The ICMP Configuration Screen

  12. When you have selected the ICMP packets you want to block, click Next. Firestarter will inform you that it is ready to generate the firewall, as shown in Figure 5.8. Click Finish to do so.

    Figure 5.8: Completing the Firewall Generation Process in Firestarter

  13. The wizard will disappear, and you will see the Firestarter main interface, shown in Figure 5.9.

    Figure 5.9: The Firestarter Main Interface

  14. The main interface defaults to the Firewall hits tab, which is a graphical logging device. If a packet matches the rules you have generated, it will be instantaneously logged here. From a remote system, generate some traffic that you have blocked. For example, if you have not enabled Telnet support, try to telnet to this system. After enough traffic is generated, you will see the logging screen fill up, as shown in Figure 5.10.


    Figure 5.10: Viewing Logged Packet Matches in Firestarter

  15. Now, select the Dynamic Rules tab. From here, you can add rules to those that Firestarter has automatically generated. It is important to understand that Firestarter imposes a fairly strict series of rules. You may need to open some ports to suit your needs. Following is a brief overview of your options:

    • Deny all connections from Allows you to block a specific host. If, for example, you have left the SSH port open to all systems, you can specify a host or range of IP addresses here. As with any of the dynamic options, the rules you enter here will override any settings established by either Firestarter or the Firestarter wizard.

    • Allow all connections from Enables you to allow a host or range of IP addresses full access to your system. Be careful when using this option, because it can expose your firewall to IP spoofing. Remember, it opens all ports on your interface to a remote system.

    • Open service to machine Allows you to open a specific port or range of ports to a specific host or range of IP addresses.

    • Open service to anyone Opens a port to all hosts on the network, and any other network. Like the Allow all connections from setting, this option is quite powerful, and can reduce your firewall's security. Specifying this option allows any host on your network or on any other to access the port you specify.

      You can also add and remove all rules in a particular group, or you can remove all of the dynamic rules you have created.

  16. Right-click in the Allow all connections from field, and then select Add new rule. You will see a dialog box, shown in Figure 5.11, where you can enter either an IP address or a host name. Enter the IP address of a remote host here. Although you can enter a DNS name, it is best if you use an IP address. When you are finished, click OK.

    Figure 5.11: The Add New Rule Dialog Box

  17. You will see that the IP address or host name (if this is what you entered) is entered in the Allow all connections from dialog box (Figure 5.12). Test this setting by using the remote client you have specified.

    Figure 5.12: Allowing SSH and Telnet Service to a System Named "keats"

  18. Experiment with the additional settings to see how well Firestarter is able to configure the interface to suit your needs.

    When you have configured Firestarter, open a second terminal and list the chains. If, for example, you are using Iptables, issue the following command:

    iptables -L
  19. You will see a list of many different rules, most of which have been added by Firestarter. Consider that some of these rules may not be necessary for your particular situation. Use the -D option to delete the rules you do not need. Make sure you test your firewall each time you delete a rule.

  20. When you are finished, use the iptables-save or ipchains-save command to save your rules:

    ipchains-save > firestarter.chains

    iptables-save > firestarter.chains

    You can then restore your firewall by using the ipchains-restore or iptables-restore command.

  21. It is also possible to save the logs generated by Firestarter. In the main interface, go to Hit List | Save firewall hit list to file. You will be asked to enter the name of the text file where the logs will be stored. Do so, and then press OK. When you have saved the log file, open it in a text editor. You will see a report that details the connection, including the source IP address, the time of the attempted connection, and the protocol used.

  22. When you are finished saving your log, you can clear the log screen and begin logging again.
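Steps 18 through 20 delete unwanted rules live with -D and then save what remains. An alternative is to save first, prune the saved file offline where you can read every rule, and then load the pruned ruleset in one step with iptables-restore. The script below is an added example, not code from the book or from Firestarter. It works on a constructed iptables-save dump that stands in for firestarter.chains; that dump also shows the minimal masquerading and forwarding rules step 1 suggests you build before running Firestarter, with eth0 as the external interface and 192.168.1.0/24 on eth1 as the internal network (both assumed values). The Telnet rule it removes stands in for whatever rule you decide is unnecessary; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the book or from Firestarter): review a saved
# ruleset offline, drop rules you do not need, and load the result with
# iptables-restore in a single step instead of deleting rules live with -D.

# Constructed iptables-save dump standing in for "firestarter.chains".
# The nat and FORWARD entries are the minimal masquerading rules for a
# gateway with eth0 outside and 192.168.1.0/24 on eth1 (assumed values).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# rule_counts FILE: number of -A rules per chain, one "CHAIN N" line each,
# a quick way to see how much Firestarter has added before you prune.
rule_counts() {
    grep '^-A ' "$1" | awk '{ c[$2]++ } END { for (k in c) print k, c[k] }' | sort
}

# drop_rules FILE PATTERN: print the ruleset with every -A line matching
# PATTERN removed. Table headers, chain policies and COMMIT lines are kept,
# so the output is still a complete file for iptables-restore.
drop_rules() {
    awk -v pat="$2" '!(/^-A / && $0 ~ pat)' "$1"
}

# commit_count FILE: one COMMIT per table; a pruned file that lost one
# would make iptables-restore abort, so check it before loading.
commit_count() {
    grep -c '^COMMIT$' "$1"
}

# apply_ruleset FILE: load the reviewed file. iptables-restore replaces
# every table named in the file, which is why the ESTABLISHED,RELATED and
# MASQUERADE rules must survive pruning. Needs root; not called below.
apply_ruleset() {
    iptables-restore < "$1"
}

SAVED=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$SAVED"
echo "Rules per chain as saved:"
rule_counts "$SAVED"
# Remove the Telnet rule (the unneeded rule stands in for your own choice).
drop_rules "$SAVED" 'dport 23 -j ACCEPT' > "$SAVED.pruned"
echo "Rules per chain after pruning, $(commit_count "$SAVED.pruned") COMMIT lines:"
rule_counts "$SAVED.pruned"
rm -f "$SAVED" "$SAVED.pruned"
```

Read the pruned file before loading it as root; because iptables-restore rebuilds each table listed in the file, a rule dropped by an over-broad pattern is gone from the running firewall as soon as the restore completes, so keep the saved original until you have tested the result. On newer iptables releases, iptables-restore --test parses the file without committing it, which catches a syntax slip before the real restore.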

Exercise: Using Advanced Firestarter Features

  1. Go to Firewall | Preferences and examine the additional options offered by Firestarter. These include having Firestarter play a sound whenever a packet matches a rule, starting Firestarter "hidden" so that you do not see the interface, and, the most interesting feature, showing every page in the configuration wizard. You can enable this last feature by selecting the Advanced icon and then clicking Show every page in wizard.

  2. When you have done this, restart the wizard. You will then be given additional options, including the ability to create masquerading rules, as shown in Figure 5.13, and the ability to create ToS associations, shown in Figure 5.14.

    Figure 5.13: The IP Masquerade Configuration Screen

    This particular page allows you to have Firestarter automatically discover the internal network IP range, which works rather sporadically. In addition, notice that you can also enable specific port forwarding rules. If you do not want to rely on the Autodetect feature, you can specify your own range.

    Figure 5.14: The ToS Configuration Screen

    The ToS configuration feature is effective if you want to give certain services, such as e-mail or the X Window System, higher priority than others. In this particular example, the choice was made to give priority to server applications, such as FTP, Squid, SSH, SMTP, and POP3. You will, of course, choose the option that best suits your needs.

  3. When you are finished using the wizard, you can then re-edit your settings to create the best firewall for your situation.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240