|< Free Open Study >|| |
This section introduces the concept of a firewall, discusses who might be interested in such a configuration, and paints in broad strokes the general steps that are taken to build one. If you are already familiar with firewalls in general, you may wish to skim this section.
You can think of a firewall as a layer of insulation between two networks. The term "firewall" goes back several hundred years, referring to the fire-resistant masonry walls that were erected between the mostly wooden structures in old European cities, such as London, to prevent local fires from spreading and destroying large parts of the city. The term was later adapted by other fields, such as the automotive industry (where it refers to the metal plate that protects the driver and passengers in the cabin from the heat of the engine), and of course the computing industry.
In computing terms, then, a firewall resembles a "brick wall" erected between two networks that isolates them from each other's woes. Commonly, firewalls are used to protect private networks (such as at a large company or your own home) from the "wild, wild mess" of the Internet. Generally the primary reason for this is to prevent hostile network crackers on the Internet from compromising private systems.
A firewall is just a concept; it can take several different forms in reality. Traditionally, a firewall is an actual computer that sits on the network at the point where the internal network is connected to the Internet, and all traffic between the two networks goes through the firewall server. The server performs a variety of tasks (which you'll learn about later) to protect the networks.
However, the past couple of years have seen the advent of so-called personal firewalls, which are software programs that run at the operating system level on desktop, laptop, and other individual machines. These programs perform the same types of protections as actual firewall servers do, but on behalf of the individual workstation itself rather than on behalf of an entire network.
Another recent type of firewall is the broadband router commonly used by home and small office users to link multiple computers to the same broadband connection (such as DSL or cable modem); such routers frequently include firewall features, functioning as the first type of firewall just mentioned in addition to fulfilling router and other duties.
In each of these cases, the notion of a firewall is the same: It's simply a layer of insulation.
Firewalls are a major part of modern network security. However, if a hostile attacker somehow gets access to the protected network or computer inside the firewall (which is sometimes easier than you might think!), then he can still compromise the now-unprotected systems. So, it's important to view firewalls as tools, and not treat them as "black box" solutions that you never have to think about once they're installed.
Most security experts advise a policy of "security in depth" (more commonly called "defense in depth"), meaning that you should never rely on a single security technique, but rather create layers using multiple solutions. For example, it's not enough for a bank to simply lock its doors, because if someone gets past that lock, they have free run of the place. Banks rely on locks, alarm systems, surveillance cameras, armed guards, and so on.
You too should follow this policy. Specifically, don't blindly set up a firewall as discussed in this chapter and assume you'll be secure. Always stay on top of your systems' configurations, and keep an eye on security. For example, Chapters 4 through 6 discussed Red Hat Linux, Slackware Linux, and Debian GNU/Linux, and this material included tips on keeping these distributions secure; even if you make use of a firewall on your network, follow those tips anyway. Then, even if your firewall is compromised (or if you accidentally misconfigure it and disable its protections, which is quite easy to do), your protected systems still won't be completely bare to the world.
This is not just an academic or theoretical exercise, either. Some statistics have put the "life span" of an unsecured Linux system exposed to the Internet at as little as 15 minutes before it is compromised by an attacker. At that rate, if you casually connect a Linux system to the Internet, the question is not whether you'll be cracked, but when. I personally know several people who have had Linux systems cracked and exploited, and it's not pretty when it happens. At best it costs you time and emotional stress, and at worst it can cost you something more if data is lost or stolen.
So, take security seriously. Even if you have a firewall, secure your internal systems. Shut off those unneeded inetd services, and leave that local firewall running. If you're running other operating systems, find out how to secure those as well. It may take a little work up front and some time to maintain, but you won't like the alternative.
This chapter discusses how to create a firewall server and gateway from a Red Hat Linux system. The goal is to create a reasonably secure, functional firewall for a small network, rather than a super-secure, fully monitored, high-availability system. In other words, this chapter will show you how to build a firewall suitable for a Small Office/Home Office (SOHO) network, rather than a full firewall that would be appropriate for a large, complicated network with many users.
Earlier in this chapter, under "What Is a Firewall?" I mentioned the "broadband router" firewall that you can purchase off the shelf. This chapter shows you how to build a system very similar to those creatures. Typically, these routers are small boxes and come with a variety of features in addition to the firewall, such as a built-in Ethernet switch and perhaps a Wireless Access Point (WAP) that lets you use 802.11b wireless networking. These boxes are pretty inexpensive; you can find them for around $150 at the time of this writing if you look around.
Perhaps you may be wondering why you should bother reading this chapter, if you can accomplish the same thing with inexpensive off-the-shelf equipment. (In fact, some of these devices may actually be based on Linux, so the similarity is greater than you might think!) Well, there are two answers to that question.
The first is that you have greater control over your firewall if you build it yourself. You can set up whatever rules you like, and configure the system however you want, if you build your own firewall. You can also add whatever exotic features you want to your firewall, such as configuring a virtual private network (VPN) to another site, adding a modem to accept dial-in connections to your private network while you're on the road, and so on. Some of the off-the-shelf firewall units support some of these features; others don't. If you build it yourself, though, you can add any feature Linux itself supports, no matter how offbeat. For example, if there's a specific network game you need to support, this might be easier with your own homegrown firewall than with a "canned" system that lacks the same level of configurability.
The second reason is to reuse existing investments. Perhaps you already have a wireless Ethernet network set up, and have all the switches and other equipment you need. All you need is a firewall, but you don't want to buy one of the off-the-shelf systems because you already have most of its bells and whistles. Meanwhile, you may have an old 486-based computer collecting dust, and you would like to brush it off and use it as a firewall. In that case, this chapter will be of interest to you.
Of course, for many readers the main reason to read this chapter is just curiosity. If you have a do-it-yourself attitude, you may prefer to build your own firewall, just for the fun of it. Or, even if you do go buy one of the off-the-shelf units, you may want to know how it works behind the scenes. (Even if it's not based on Linux, it will be doing many of the same things.) If you read on, you'll learn about many techniques that may be useful to you in the future; for example, many are applicable to setting up any server, not just a firewall.
As discussed in Chapter 4, Red Hat Linux includes a basic local firewall installed with the system. It is installed by default unless it is explicitly disabled. (This firewall is actually an example of the "personal firewall" mentioned earlier in this chapter under "What Is a Firewall?"; recent versions of Microsoft's Windows system have similar functionality.)
It's worth noting that the default Red Hat firewall is not adequate for the purposes of this case study, which is why later on in the section "Creating the Startup Scripts" you'll disable that built-in firewall. The reason for this is that Red Hat's firewall is configured to protect only the single machine it runs on: it filters traffic addressed to that host, but it does nothing about traffic passing through the host on behalf of other machines. You, on the other hand, are interested in protecting an entire (small) network. That means that your firewall needs to act as a router as well as a firewall, so its rules must cover forwarded traffic between the internal and external interfaces, not just traffic aimed at the firewall itself. Keep this in mind as you read on.
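To make the difference between a personal firewall and a gateway firewall concrete, here is an added example (not code from this chapter or from Red Hat's own firewall scripts) that builds both rulesets from the same base. It assumes iptables on a 2.4-series kernel with the connection-tracking "state" module available, an external interface eth0, an internal interface eth1, and a LAN of 192.168.1.0/24 with the gateway masquerading behind a single public address; all of those are assumptions, not values taken from the chapter. By default the script only prints the commands it would run (DRY_RUN=1), so you can inspect the ruleset before applying it as root.

```shell
#!/bin/sh
# Added example: a host-only ("personal") ruleset next to a gateway ruleset
# that also routes for a LAN. Interface names and LAN address are assumptions.
EXT_IF=${EXT_IF:-eth0}            # assumption: interface facing the Internet
INT_IF=${INT_IF:-eth1}            # assumption: interface facing the LAN
LAN=${LAN:-192.168.1.0/24}        # assumption: private LAN behind the gateway
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands only; 0 = really run them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules both variants share: start clean, default-deny inbound, allow the
# loopback interface, and allow replies to connections this host started.
common_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Personal firewall: protects only this machine and never forwards packets.
# This is the kind of protection Red Hat's default firewall gives a single host.
host_rules() {
    common_rules
    run iptables -P FORWARD DROP
    run sysctl -w net.ipv4.ip_forward=0
}

# Gateway firewall: the same protection for the box itself, plus routing for
# the LAN. Only LAN-originated connections (and their replies) are forwarded;
# outbound LAN traffic is masqueraded behind the external address.
gateway_rules() {
    common_rules
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Sanity check on the generated gateway ruleset: forwarding must be switched
# on, the FORWARD chain must default to DROP so nothing unsolicited reaches the
# LAN, and masquerading must be present. Returns 0 on success, 1 otherwise.
check_gateway() {
    gw_rules=$(DRY_RUN=1 gateway_rules)
    echo "$gw_rules" | grep -q 'ip_forward=1' || return 1
    echo "$gw_rules" | grep -q -- '-P FORWARD DROP' || return 1
    echo "$gw_rules" | grep -q -- '-j MASQUERADE' || return 1
    return 0
}

# Usage: sh fw.sh host | sh fw.sh gateway   (DRY_RUN=0 to apply as root)
case "${1:-}" in
    host)    host_rules ;;
    gateway) gateway_rules ;;
esac
```

The point to notice is what the gateway variant adds beyond the personal one: nothing changes in how the firewall protects itself, but it now needs a policy for the FORWARD chain, an address-translation rule, and the kernel's IP forwarding switch turned on. Those are exactly the pieces a single-host firewall such as Red Hat's default has no reason to include.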
Now that you have a sense of what a firewall is and of the type of firewall you'll be learning to build, you can get right into it. First, you'll read an overview of what needs to be done; then you'll read about how to do it.