A firewall serves to protect a local net from attacks originating from the Internet. This is achieved by connecting the local net to the Internet via a firewall. This configuration is described here. More details can be found in the official Firewall-HOWTO.
The firewall should protect the local net from intruders. This requires at least two networking devices to be installed: one for the local net and the other for the outside traffic. Both devices can be any networking devices such as Ethernet cards, ISDN interfaces, or SLIP/PPP connections. Only the traffic running via the specified outgoing device is checked; the local net remains untouched by the firewall. Starting with version 1.4 more than one outgoing device is supported by the firewall script.
Here is an example network. The firewall is located between the LAN and the router which provides the connection to the Internet. All further examples refer to this network.
                          I N T E R N E T
                                 ^
                                 |
                              Router
                                 | ...1
                                 |   transfer net (193.141.17.0/30)
                                 |
      WWW/FTP/       Mail/News   | ...2
      DNS-Server     and         DNS-Server
                     WWW-Proxy   Firewall
          |              |          |
        ..65           ..66       ..67
  <-------+--------------+----------+----------+-------> local net
          | ..68         |..69      |..70      |..71      (193.141.17.64/26)
        Host A         Host B     Host C     Host D
Only packets that leave the local network via the gateway are controlled. The internal traffic is not controlled by the firewall.
Firewalling and masquerading must be supported by the kernel. All S.u.S.E. Linux kernels are preconfigured with firewall and masquerading features enabled, therefore it is not necessary to rebuild the kernel.
Should it however become necessary to build your own kernel, you have to configure the network the right way. The following list includes features that have to be enabled. These items refer to kernel configuration using make menuconfig. The transparent proxy may only be activated if the option "Prompt for development and/or incomplete code/drivers" has been enabled. Here is a list of the network options needed:
[*] Network firewalls
[ ] Network aliasing
[*] TCP/IP networking
[*] IP: forwarding/gatewaying
[ ] IP: multicasting
[*] IP: syn cookies
[*] IP: rst cookies
[*] IP: firewalling
[*] IP: firewall packet logging
[ ] IP: masquerading
[*] IP: transparent proxy support (EXPERIMENTAL)
[*] IP: always defragment
[*] IP: accounting
[*] IP: optimize as router not host
< > IP: tunneling
--- (it is safe to leave these untouched)
[ ] IP: PC/TCP compatibility mode
< > IP: Reverse ARP
[ ] IP: Disable Path MTU Discovery (normally enabled)
[*] IP: Drop source routed frames
[*] IP: Allow large windows (not recommended if <16Mb of memory)
---
< > The IPX protocol
< > Appletalk DDP
[ ] Amateur Radio AX.25 Level 2
[ ] Bridging (EXPERIMENTAL)
[ ] Kernel/User network link driver
If these options are set you can compile your kernel as usual.
The firewall is controlled by a couple of variables in the file /etc/rc.config. These have the prefix FW_ and follow the same format: they contain a list of IP addresses or host names separated by blanks. Exceptions are described separately.
You have to enter IP addresses here, not hostnames! While the firewall is being set up no nameserver requests are possible, as every connection is closed.
FW_START             The firewall is only started if this variable is set to "yes".
FW_LOCALNETS         List of local networks that are protected. Only friends may access them.
FW_FTPSERVER         Addresses of FTP sites that are accessible from the outside.
FW_WWWSERVER         Addresses of WWW sites that are accessible from the outside.
FW_SSLSERVER         Addresses of Secure-Socket WWW sites that are accessible from the outside.
FW_SSLPORT           Port where the SSL server expects requests. Here you may only enter one number!
FW_MAILSERVER        Addresses of SMTP sites that are accessible from the outside.
FW_DNSSERVER         Addresses of DNS sites that are accessible from the outside.
FW_NNTPSERVER        Addresses of NNTP sites that are accessible by news feeds.
FW_NEWSFEED          Addresses of news feeds that are allowed to connect to the NNTP servers.
FW_WORLD_DEV         Device that should be protected. You can enter a list of devices here if you have more than one outgoing device (e.g. virtual devices for WEB servers).
FW_TCP_LOCKED_PORTS  TCP port numbers that should be locked. Here you may enter ranges consisting of pairs of numbers separated by a colon. Example: "1:6 8:1023" locks the ports 1 to 6 and 8 to 1023.
FW_INT_DEV           Device for the internal network. Connections to the outside are controlled by this device.
FW_LOG_DENY          If this is set to "yes" all violations of the firewall deny rules are logged to /var/log/messages, i.e. every attempt at breaking the firewall is logged.
FW_LOG_ACCEPT        If this is set to "yes" all packets that match the firewall accept rules are logged to /var/log/messages, i.e. every packet that passes the firewall (allowed) is logged.
FW_ROUTER            Address of the Internet router. This should only be set if the router's address lies in the range given in FW_LOCALNETS.
FW_INOUT             If this is set to "yes" /etc/fw-inout is read. Otherwise every machine on the local network has full access to the Internet.
FW_TRANS_PROXY_IN    Here you may enter a list of ports and IP addresses for redirecting packets on the fly to local ports. This is for redirecting incoming packets.
FW_TRANS_PROXY_OUT   Same as above but for outgoing connections.
FW_REDIRECT          This is for redirecting local ports to ports on other machines. This is still experimental and should not be used!
FW_FRIENDS           If this is set to "yes" the file /etc/fw-friends is read. Otherwise no machine on the Internet has full access to the local network.
FW_SSH               This is for activating the SSH port (port 22) for those hosts listed in /etc/fw-ssh.
FW_UDP_LOCKED_PORTS  UDP port numbers that should be locked. Syntax is the same as with the TCP ports. It is recommended to set this to 1:1023 so all reserved ports are locked.
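A small format check for these variables, as an added example of my own and not part of the S.u.S.E. firewall script: it reads a firewall section in the rc.config syntax and reports the variables whose values break the rules above, i.e. a hostname where only IP addresses are allowed, more than one number in FW_SSLPORT, or a malformed port range. The sample rc.config text and all function names (rc_get, fw_is_ipv4, fw_is_iplist, fw_is_port, fw_is_portranges, fw_bad_vars) are constructed for this example.

```shell
#!/bin/sh
# Added example: format checks for the FW_* variables described above.
# This is not the S.u.S.E. firewall script; the function names are my own.

# Constructed sample of an /etc/rc.config firewall section, embedded here so
# the script runs without touching the real file. Three entries are deliberately
# wrong: a hostname in FW_MAILSERVER, two numbers in FW_SSLPORT, and a
# non-numeric port in FW_UDP_LOCKED_PORTS.
SAMPLE_RC_CONFIG='
FW_START="yes"
FW_LOCALNETS="193.141.17.0/30 193.141.17.64/26"
FW_MAILSERVER="193.141.17.4 mail.example.invalid"
FW_SSLPORT="443 8443"
FW_TCP_LOCKED_PORTS="1:6 8:1023"
FW_UDP_LOCKED_PORTS="1:1023 6000:x"
'

# rc_get NAME TEXT: value of NAME="..." in TEXT (first match, empty if absent)
rc_get() {
  printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | head -n 1
}

# fw_is_ipv4 WORD: true if WORD is a dotted quad with every octet in 0..255
fw_is_ipv4() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# fw_is_iplist LIST: every blank-separated word is an address, optionally with
# /prefix or /netmask. Hostnames are rejected: the firewall does no name
# server lookups while it is being set up (see above).
fw_is_iplist() {
  for w in $1; do
    case "$w" in
      */*) fw_is_ipv4 "${w%%/*}" || return 1
           m=${w#*/}
           if ! fw_is_ipv4 "$m"; then
             case "$m" in ''|*[!0-9]*) return 1 ;; esac
             [ "$m" -le 32 ] || return 1
           fi ;;
      *)   fw_is_ipv4 "$w" || return 1 ;;
    esac
  done
  return 0
}

# fw_is_port WORD: a single port number 1..65535 (FW_SSLPORT takes one only)
fw_is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fw_is_portranges LIST: blank-separated LOW:HIGH pairs, e.g. "1:6 8:1023"
fw_is_portranges() {
  for r in $1; do
    case "$r" in *:*) ;; *) return 1 ;; esac
    fw_is_port "${r%%:*}" && fw_is_port "${r#*:}" || return 1
    [ "${r%%:*}" -le "${r#*:}" ] || return 1
  done
  return 0
}

# fw_bad_vars TEXT: print the names of variables with malformed values;
# exit status is 0 only if all checks pass. Empty values are accepted,
# as the example configuration uses e.g. FW_SSLSERVER="".
fw_bad_vars() {
  bad=""
  for v in FW_LOCALNETS FW_FTPSERVER FW_WWWSERVER FW_SSLSERVER FW_MAILSERVER \
           FW_DNSSERVER FW_NNTPSERVER FW_NEWSFEED FW_ROUTER; do
    fw_is_iplist "$(rc_get $v "$1")" || bad="$bad $v"
  done
  p=$(rc_get FW_SSLPORT "$1")
  [ -z "$p" ] || fw_is_port "$p" || bad="$bad FW_SSLPORT"
  for v in FW_TCP_LOCKED_PORTS FW_UDP_LOCKED_PORTS; do
    fw_is_portranges "$(rc_get $v "$1")" || bad="$bad $v"
  done
  printf '%s\n' "${bad# }"
  [ -z "$bad" ]
}

if fw_bad_vars "$SAMPLE_RC_CONFIG" >/dev/null; then
  echo "firewall section looks sane"
else
  echo "fix these variables before starting the firewall: $(fw_bad_vars "$SAMPLE_RC_CONFIG")"
fi
```

Run it against the real file with `fw_bad_vars "$(cat /etc/rc.config)"` before `/sbin/init.d/firewall start`; a hostname that slips into one of the address lists would otherwise fail silently at startup, since no name resolution is available at that point.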
Machines that have uncontrolled access to the local net are entered in /etc/fw-friends. Enter each friendly machine's IP address on a separate line, one machine per line. Do include notes in /etc/fw-friends for future reference, but be sure to begin each line of comment with a pound sign (#). This file is only read if FW_FRIENDS is set to yes. Otherwise no machine from the outside has full access to the local net.
Only the hosts listed in /etc/fw-inout have direct access to the Internet. Every machine not included in this list is blocked. Comments are marked with a # (as usual). This file is only read if FW_INOUT is set to yes. Otherwise any machine of the local network may access the Internet.
Just as above, /etc/fw-ssh contains a list of hostnames (or IP addresses). If FW_SSH is set to yes in /etc/rc.config, all listed machines have access to port 22, i.e. they may reach the sshd (secure shell daemon) on the local net.
This serves for redirecting IP packets, either to local ports on the firewall machine itself (transparent proxy) or to ports on other hosts.
By setting FW_TRANSPROXY_IN, incoming IP traffic may be redirected to local ports. It contains a list of quadruples separated by blanks:
    Source IP,Target IP,Target Port,Local Port
This means that any packet that comes from a host with ``Source IP'' and is aimed at the machine ``Target IP'' on port ``Target Port'' is redirected to ``Local Port''.
FW_TRANSPROXY_OUT has the exact same meaning for outgoing traffic. The difference is that _OUT filters on the device given in FW_INT_DEV, whereas _IN does the same on FW_WORLD_DEV.
A daemon on the local port may take care of the arriving packets, or they may be routed on to another host. That is what FW_REDIRECT is needed for. This variable contains a list of triples of the form:
    Local port,Target IP,Remote port
Every packet that arrives at ``Local port'' is redirected to the host given by ``Target IP'' and ``Remote port''.
IP redirection is still in an experimental state and should not be used.
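As an added example, and not the S.u.S.E. script itself (the page does not show how the script builds its rules), the following expands FW_TRANSPROXY_IN / FW_TRANSPROXY_OUT quadruples into the redirect rules a 2.0 kernel takes through ipfwadm, and only prints them so they can be reviewed before use. The device and quadruple values are constructed; the ipfwadm command form (-I for the input chain, -W for the interface, -r for the local port) is my assumption about how the kernel's transparent proxy support is driven, and the real script may express it differently. An entry without exactly four fields is rejected rather than turned into a rule with a wrong port.

```shell
#!/bin/sh
# Added example, not the S.u.S.E. firewall script: expand the quadruples
#   Source IP,Target IP,Target Port,Local Port
# into ipfwadm transparent-proxy rules and print them for review.

# Constructed values in the format described above. _OUT is filtered on the
# internal device, _IN on the world device.
FW_INT_DEV="eth0"
FW_WORLD_DEV="eth1"
FW_TRANSPROXY_OUT="193.141.17.64/26,0/0,80,3128 193.141.17.64/26,0/0,21,2121"
FW_TRANSPROXY_IN="0/0,193.141.17.2,80,8080"

# fw_transproxy_rules DEVICE QUADRUPLES
# Prints one ipfwadm command per quadruple. Returns 1 as soon as an entry
# does not have exactly four comma-separated fields, so a typo in rc.config
# cannot silently become a rule that redirects to the wrong port.
fw_transproxy_rules() {
  dev=$1
  for q in $2; do
    oldifs=$IFS; IFS=,
    set -- $q
    IFS=$oldifs
    if [ $# -ne 4 ]; then
      echo "malformed entry: $q" >&2
      return 1
    fi
    # -I: input rule (redirects are only valid there), -W: device the packet
    # arrived on, -S/-D: source and destination with port, -r: local port
    printf 'ipfwadm -I -a accept -P tcp -W %s -S %s -D %s %s -r %s\n' \
      "$dev" "$1" "$2" "$3" "$4"
  done
}

echo "# rules for outgoing connections (filtered on FW_INT_DEV)"
fw_transproxy_rules "$FW_INT_DEV" "$FW_TRANSPROXY_OUT"
echo "# rules for incoming connections (filtered on FW_WORLD_DEV)"
fw_transproxy_rules "$FW_WORLD_DEV" "$FW_TRANSPROXY_IN"
```

The printed lines are meant to be read, not piped into a shell: compare them against what `/sbin/init.d/firewall list` shows once the firewall is running, so that an unexpected redirect (or a missing one) is noticed before it is relied upon.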
The firewall is controlled by the script /sbin/init.d/firewall. This script accepts four parameters:
start   The firewall is activated.
stop    The firewall is shut down; anybody can go anywhere.
block   Nothing in, nothing out. Resembles unplugging the cable to the Internet.
list    The firewall rules are shown.
In the picture at the top of this chapter you see our example network. There is a local network 193.141.17.64/26 as well as a transfer net 193.141.17.0/30 which connects the firewall to the router. A couple of machines are connected to the local network as well. Only hosts A and B should be permitted to access the Internet. Machines that are permitted to access the local net are host.suse.de and kiste.info.de. The news feed machine is news.provider.de.
The WWW traffic should be redirected to the local proxy (it listens on port 3128). Thus we need to set up a transparent proxy which captures every packet that goes to the outside via port 80 and sends it to a local port; this port is redirected to port 3128 of the WWW proxy.
In this example network the variables have to be set as follows:
# /etc/rc.config - firewall section
FW_START="yes"
FW_LOCALNETS="193.141.17.0/30 193.141.17.64/25"
FW_FTPSERVER="193.141.17.3"
FW_WWWSERVER="193.141.17.3"
FW_SSLSERVER=""
FW_SSLPORT=""
FW_MAILSERVER="193.141.17.4"
FW_DNSSERVER="193.141.17.3"
FW_NNTPSERVER="193.141.17.4"
FW_NEWSFEED="134.222.90.2"
FW_WORLD_DEV="eth1"
FW_INT_DEV="eth0"
FW_LOG_ACCEPT="no"
FW_LOG_DENY="yes"
FW_ROUTER="193.141.17.1"
FW_FRIENDS="yes"
FW_INOUT="yes"
FW_TRANSPROXY_OUT="193.141.17.64/25,0/0,80"
FW_REDIRECT="80,193.141.17.66:3128"
FW_TCP_LOCKED_PORTS="1:1023"
FW_UDP_LOCKED_PORTS="1:1023"
FW_ROUTER needs to be set to let machines from the local net access the router. If this is not needed you should set this variable to an empty string. The router is not protected by the firewall, so if it is hacked it is rather easy to reach the local network from it.
In /etc/fw-friends there should be the following lines:
# /etc/fw-friends
host.suse.de
kiste.info.de
Hosts A and B have to be listed in /etc/fw-inout:
# /etc/fw-inout
193.141.17.68   # Host A
193.141.17.69   # Host B
Now you may activate the firewall by entering:
/sbin/init.d/firewall start