Firewall

From MEPIS Documentation Wiki

Summary

A firewall is a device or application used to filter data packets from incoming or outgoing network traffic, usually based upon the IP address or type of service (e.g., the port number). Linux has an integrated firewall capability based on the interaction between iptables and netfilter. Iptables is a table file that contains a list of rules for Internet access. Netfilter is a kernel module that implements the access filtering rules in the iptables. Several user interface applications are available for editing the access rules (filters) in the iptables file.

The following guide is designed to help novice and intermediate users install a hardware firewall and a software firewall using the default settings to provide a redundant security architecture. More advanced users who wish to customize the default settings should refer to the resource links in the Other Related Resources section for details on advanced configuration.

Guide to Configuring a Redundant Firewall Architecture

IMPORTANT NOTE: A new install of Mepis 11 DOES NOT automatically configure a software firewall. After a new install, you will need to configure a firewall by following the instructions below.

Introduction

A computer firewall is simply a piece of hardware or software that prevents unwanted, possibly malicious, outside access to your computer through your Internet connection. In its simplest and strictest sense, such a firewall blocks or simply ignores incoming attempts by outside systems to establish a connection to your computer, while at the same time allowing your computer to originate and establish connections with other outside systems. There are two basic types of firewalls: hardware-based and software-based. It is highly recommended that you implement BOTH types between your computer and your outside Internet connection. This establishes your hardware firewall as your first line of defense against unauthorized intrusion into your system, while your software firewall serves as your backup in case your hardware firewall is compromised. In cases where you are mobile, such as when you are using a laptop to connect to a WiFi hotspot at the local Internet cafe, your software firewall may become your first and only line of defense against unauthorized access.

As long as you are connected to the Internet, you can easily check the effectiveness of your firewall configuration by going to any of several online firewall testing websites. The most widely used is ShieldsUP! at www.grc.com. To start testing, click on the Services menu of the www.grc.com homepage and select ShieldsUP!. ShieldsUP! will probe each port on your computer to see if there is a response. If you are not running any web services (e.g., a web server), then all of your ports should be closed (i.e., none of your ports should respond to a ShieldsUP! connection request). In the parlance of the website, if all of your ports are closed, then you will get a full stealth rating.

IMPORTANT NOTE: If your system has a hardware firewall, then you will NOT be able to test the effectiveness of your software firewall with an online testing website such as ShieldsUP!. Such sites only test the first firewall encountered which will be the hardware firewall.

Hardware Firewall

As one may surmise, a hardware firewall is a physical piece of equipment. For the home and small business user, the hardware firewall is usually part of the Internet modem or part of the local network router. In fact, a beginning user may not know whether a hardware firewall even exists on the system. However, there is a simple way to determine whether a hardware firewall is installed using the Mepis 11 Live CD. Since Mepis 11 does not configure a software firewall, the absence of a hardware firewall will leave some ports open when connected to the Internet. Here's how to test for a hardware firewall:

Step 1: Boot from the Mepis 11 Live CD.
Step 2: Go to the www.grc.com website.
Step 3: Select Services > ShieldsUP! from the website menu.
Step 4: Click the Proceed button and wait while ShieldsUP! probes all your computer ports.
Step 5: If all the ports are closed (i.e., you get a full stealth rating), then a hardware firewall is installed on your system. If, however, some ports are found to be open, then your system does not have a hardware firewall.

If it is determined that you don't have a hardware firewall, and since it is a physical piece of equipment, then you will need to either update or add new equipment to your current local network or Internet connection setup. In the broadest of terms, what you will need is either a modem or a router that has a built-in Network Address Translation (NAT) capability. You probably won't have to do any configuring of the default NAT settings, just hook up the new equipment.

Software Firewall

Linux has a built-in software firewall capability defined by two elements: iptables and netfilter. Iptables is a table file that contains a list of rules for Internet access. Netfilter is a kernel module that implements the access filtering rules in the iptables. So, to configure your software firewall, you would edit the access rules (filters) in the iptables file. However, the flexibility and text-based nature of iptables means that manually configuring a software firewall can be a very complicated and precise process requiring a fairly sophisticated knowledge of Internet communication protocols. Fortunately, for the beginner, there are several programs that provide a graphical user interface (GUI) for editing iptables rules. Such interfaces allow easy editing of iptables and, in most cases, will even automatically configure the software firewall without any input from the user.

You can easily check to see if your software firewall is already configured using the iptables list command. To do this, open the KDE Konsole Terminal Emulator and type in...

su

You will then be asked to enter your root password. Type in the password and you will be presented with the root Konsole prompt. To see the current iptables configuration, type the following command into Konsole (note that the command is case sensitive):

iptables -L

If your software firewall is un-configured you will get the following printout:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

As can be seen above, when iptables is in an un-configured state, all three of the main elements of the iptables rules (i.e., INPUT, FORWARD, and OUTPUT) are set to ACCEPT (i.e., are open to communication without any filtering). With no filtering rules, your computer, in essence, is running without a software firewall. Iptables will always be un-configured after a new Mepis 11 install. If instead a long list of rules is printed out, then your software firewall is already configured and you probably don't need to install any configuration software.
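The "un-configured" state described above can be recognized mechanically: every chain header reads "(policy ACCEPT)" and no chain contains a rule line. The script below is an added example, not part of the wiki page, that reads an iptables -L listing from standard input and reports which of the two states it shows. The sample listings embedded in it are constructed for offline testing; on a live system you would run "iptables -L | sh check_iptables.sh" from the root prompt. A user-defined chain (whose header shows "(N references)" instead of a policy) is treated as evidence of configuration, since only a configured firewall creates one.

```shell
#!/bin/sh
# Added example (not from the MEPIS wiki): decide from `iptables -L` output
# whether the software firewall is in the un-configured state the text shows,
# i.e. every chain policy is ACCEPT and no chain holds a single rule.
# Usage on a live system (as root):   iptables -L | sh check_iptables.sh

# Returns 0 (true) when the listing shows no filtering at all,
# 1 when at least one rule, a non-ACCEPT policy or a user chain is present.
iptables_unconfigured() {
    awk '
        # A built-in chain header looks like: Chain INPUT (policy ACCEPT)
        # A user-defined chain header reads:  Chain name (N references)
        /^Chain / {
            if ($0 !~ /\(policy ACCEPT\)/) filtered = 1
            in_chain = 1; next
        }
        # Column header printed directly under each chain header
        /^target +prot +opt +source +destination/ { next }
        # Blank lines separate chains
        /^[[:space:]]*$/ { next }
        # Anything else inside a chain is a rule
        in_chain { filtered = 1 }
        END { exit filtered ? 1 : 0 }
    '
}

# Prints "unconfigured" or "configured" for a listing passed as a string.
firewall_state() {
    if printf '%s\n' "$1" | iptables_unconfigured; then
        echo unconfigured
    else
        echo configured
    fi
}

# Constructed sample listings (not captured from a real system).
# This one matches the fresh-install printout shown in the text.
UNCONFIGURED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# A typical default-deny ruleset as a GUI front end might install it.
CONFIGURED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# When run as a script, judge whatever arrives on stdin.
if [ "${0##*/}" = "check_iptables.sh" ]; then
    if iptables_unconfigured; then
        echo "iptables is un-configured: no software firewall is active"
    else
        echo "iptables holds rules or restrictive policies: a software firewall is configured"
    fi
fi
```

The check is deliberately strict: a single rule in any chain, or any policy other than ACCEPT, is enough to report "configured", which mirrors the text's rule of thumb that a long rule listing means a front end has already done its work.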

In case you find that iptables is un-configured, then you will need to install a GUI interface to edit iptables. The three most widely used GUI interfaces to iptables are Firestarter, Guarddog, and Gufw.

IMPORTANT NOTE: To avoid conflicts, install only ONE of the iptables interface applications.

Firestarter

Firestarter is a very user-friendly GUI to iptables that supports a setup wizard for easy configuration. Although probably not an issue for the home and small business user, it should be noted that Firestarter can only be configured for one Internet connection at a time, requiring a re-configuration if the user switches between connections, such as moving from a wired to a wireless connection. Here's how to install Firestarter:

Step 1: First uninstall any other GUI interfaces to iptables. To do this, open Synaptic and search for Guarddog, Gufw, and ufw. If any of these applications are installed, then remove them.

Step 2: Use Synaptic to install Firestarter.

Step 3: Although probably not necessary, you should reboot at this point.

Step 4: Run Firestarter from the Application Launcher > Settings sub-menu.

Step 5: You will need to enter your root password and launch the Setup Wizard. Accept the default settings. Your software firewall will be automatically configured.

Guarddog

Like Firestarter, Guarddog is a user-friendly GUI to iptables that targets novice to intermediate users. Unfortunately, at the time of this writing, Guarddog appears to no longer be in active development. It has not been ported from QT3 and KDE3 to the QT4 and KDE4 environment supported by Mepis 11. However, if you are running QT3 and KDE3, here's how to install Guarddog:

Step 1: First uninstall any other GUI interfaces to iptables. To do this, open Synaptic and search for Firestarter, Gufw, and ufw. If any of these applications are installed, then remove them.

Step 2: Use Synaptic to install Guarddog.

Step 3: Although probably not necessary, you should reboot at this point.

Step 4: Run Guarddog from the Application Launcher > Settings sub-menu. You will need to enter your root password to start Guarddog. The default settings are probably adequate and need no further modification.

NOTE: Since the restore to "factory settings" option in Guarddog will make significant modifications to the iptables file, it is highly recommended that novice users DO NOT attempt to restore to factory settings (i.e., DO NOT click on the restore to factory settings button).

Gufw

Gufw is a graphical front end to Uncomplicated Firewall (ufw), a command-line interface for editing iptables rules. Ufw is currently under active development and is the preferred software firewall interface for Mepis 11. Accordingly, ufw is installed as part of the default Mepis 11 installation. As with Firestarter and Guarddog, Gufw requires no direct modifications to the default settings. Here's how to install Gufw:

Step 1: First uninstall any other GUI interfaces to iptables. To do this, open Synaptic and search for Firestarter and Guarddog. If any of these applications are installed, then remove them.

Step 2: Use Synaptic to install Gufw.

Step 3: Although probably not necessary, you should reboot at this point.

Step 4: Run Gufw from the Application Launcher > Settings sub-menu. You will need to enter your root password to start Gufw. The default profile should be Deny. Click the Enable checkbox. (NOTE: It may be necessary to log in as root to use the Gufw interface.)
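Because Gufw only drives ufw, the same default profile can be applied from the root Konsole prompt without the GUI. The script below is an added example, not part of the wiki page or of the ufw project: apply_default_deny runs the ufw commands that correspond to the Deny profile plus the Enable checkbox, and ufw_verdict parses "ufw status verbose" output to confirm that the firewall is active and that unsolicited incoming connections are denied. It assumes ufw is installed (the text says it is part of the default Mepis 11 install) and that the apply step is run as root; the status samples embedded in it are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not the wiki's or ufw's own code): command-line equivalent of
# the Gufw steps (default profile Deny, then Enable), with a status check.

# Apply the default profile: refuse unsolicited incoming connections, let the
# machine originate outgoing ones, then turn enforcement on. Needs root and ufw.
apply_default_deny() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_default_deny: run this as root (use su first)" >&2
        return 1
    fi
    if ! command -v ufw >/dev/null 2>&1; then
        echo "apply_default_deny: ufw is not installed" >&2
        return 1
    fi
    ufw default deny incoming  &&
    ufw default allow outgoing &&
    # --force answers the "may disrupt existing ssh connections" prompt for you
    ufw --force enable         &&
    ufw status verbose
}

# Read `ufw status verbose` output on stdin and print one word:
#   active-deny   firewall on, incoming default deny   (the state we want)
#   active-open   firewall on, but incoming default allow
#   inactive      firewall off (rules exist but nothing is enforced)
ufw_verdict() {
    awk '
        /^Status: active/ { active = 1 }
        /^Default:/       { if ($0 ~ /deny \(incoming\)/) deny = 1 }
        END {
            if (!active)   print "inactive"
            else if (deny) print "active-deny"
            else           print "active-open"
        }
    '
}

# Convenience wrapper so a status text can be judged as a string.
verdict_for() { printf '%s\n' "$1" | ufw_verdict; }

# Constructed sample outputs (not captured from a real system).
STATUS_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

STATUS_OFF='Status: inactive'

STATUS_OPEN='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# When run as a script: apply the profile, then judge the live status.
if [ "${0##*/}" = "ufw_default_deny.sh" ]; then
    apply_default_deny >/dev/null || exit 1
    echo "ufw state: $(ufw status verbose | ufw_verdict)"
fi
```

Checking "ufw status verbose" after enabling is the command-line counterpart of the ShieldsUP! test the text recommends, with the difference that it reports what the host itself enforces rather than what an outside probe can reach.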

Related Mepis Wiki Links

  • Guarddog -- Guarddog graphical iptables editing application.
  • Firestarter -- Firestarter graphical iptables editing application.
  • ufw -- Uncomplicated Firewall (ufw) command line-based iptables editing application.
  • Gufw -- Gufw graphical user interface to the command line interface, ufw, for editing iptables.
  • Enabling Firewall for P2P Applications -- Firewall configuration for P2P applications such as Gnutella, Frostwire, Limewire, etc.
  • Webmin -- Web based system administration tool that contains a module to configure the firewall and routing capabilities of the kernel. Very flexible and powerful but somewhat complex.
  • Iptables -- Example of firewall configuration using iptables.

Other Related Resources
