Linux Firewall Tools

Broadly speaking, two types of firewall tools for Linux exist: proxy servers and packet-filter firewalls. Proxy servers accept connections from software running on the host computer or network, partially process them, and then pass the connections on to other computers. This approach enables proxy servers to perform sophisticated high-level filtering. For instance, a proxy server can remove ads from web pages. Proxy servers may interfere with or block certain legitimate transactions, though, particularly those requiring encryption. They also require more CPU power on the proxy server computer than do packet filters. In principle, a proxy server running on a computer with two network interfaces but not configured as a router can provide very strong protection of the computers behind the proxy server; only the protocols supported by the proxy server are enabled, and only through the proxy server's filtering. In practice, this type of configuration tends to be very constricting; users often find it necessary to use an unsupported protocol, so the proxy server becomes an obstacle. Some proxy servers also require special clients or client configuration. Proxy servers are also most often used to protect networks on which no servers or only local servers run; they aren't generally used to enhance the security of servers that should be publicly available. In practice, therefore, proxy servers are often used as an optional security measure or only on the most heavily protected part of a network. The "Filtering Content Using a Proxy Server" section of Chapter 8, "Miscellaneous User Tools," describes some popular proxy filters for web access.

Packet filter firewalls work at the level of individual packets; they permit or deny each packet that passes through the system. The decision can be based on the contents of the packet alone, or on the packet in conjunction with the other packets of the connection it belongs to (so-called stateful inspection, which tracks connection state and so can, for instance, reject a packet that claims to belong to a connection the firewall never saw being opened, a trick used in some attacks that hijack an established connection). This approach is fast and doesn't require any special client or server configuration. Packet filtering can protect both clients and servers behind the firewall, and it can be used to limit outgoing client connections from potential troublemakers within your network. For these reasons, packet-filtering firewalls dominate Linux firewall discussions.

In 2.4.x through 2.6.x kernels, Linux uses the iptables tool to configure packet-filter firewalls (the kernel side of the mechanism is called netfilter). To use this tool, you tell it what type of packet you want to filter and what to do with it. For instance, you can tell it to drop all packets directed at port 80 (used by web servers) from anything but the local network. Rules in a chain are checked in order and the first matching rule decides the packet's fate, so the order in which you add rules matters. You call iptables once for each rule that you want to implement, so iptables firewalls are frequently implemented in startup scripts that call the program dozens of times.
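The following script is an added example, not code from the book, of the kind of startup script the preceding paragraph describes: one iptables call per rule, built around the page's own example rule (port 80 open only to the local network). The local network address 192.168.1.0/24, the choice to leave SSH open to everyone, and the IPT variable used for dry runs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the book's code: a small iptables firewall script of the
# kind the text describes, one iptables call per rule. Assumptions (hypothetical):
# the local network is 192.168.1.0/24, port 80 should be reachable only from it,
# and SSH (port 22) stays open to everyone. Set IPT="echo iptables" to print the
# rules instead of applying them (the script does that when not given "apply").

LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"

# One iptables invocation per rule. IPT is intentionally left unquoted so that
# a dry-run value such as "echo iptables" splits into command and argument.
ipt() {
    ${IPT:-iptables} "$@"
}

apply_rules() {
    # Flush the INPUT chain first so re-running the script does not stack
    # duplicate copies of every rule.
    ipt -F INPUT

    # Loopback traffic, and packets belonging to connections this host has
    # already accepted or initiated (the stateful match).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port 80: new connections only from the local network. Everything else
    # aimed at port 80 is dropped explicitly (the page's example rule; the
    # DROP policy below would catch it anyway, but the explicit rule documents
    # the intent and is the place to hang a LOG rule later).
    ipt -A INPUT -p tcp --dport 80 -s "$LOCAL_NET" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j DROP

    # SSH from anywhere.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Default policy last, after the ESTABLISHED rule is in place, so an
    # administrator's existing SSH session is not cut off mid-run.
    ipt -P INPUT DROP
}

# Usage: "firewall.sh apply" (as root) applies the rules; any other
# invocation only prints the iptables commands it would run.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    IPT="echo iptables" apply_rules
fi
```

After applying the rules as root, check the result with `iptables -L INPUT -n -v --line-numbers`; the line numbers show the order in which rules are consulted, which is what makes the ACCEPT-from-local-network rule work only because it precedes the port 80 DROP.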

Unfortunately, iptables scripts can be tedious to write. For this reason, an assortment of GUI and non-GUI iptables front-ends exists. Some of the options include:

Shorewall This package is a set of predefined iptables firewall scripts that you can use as a base for modification. Mandrake provides a simple GUI interface (drakfirewall, which is accessible from the Mandrake Control Center) to customize these rules, but this interface is decidedly limited. You can modify the scripts directly by editing them in the /etc/shorewall directory. Shorewall uses its own SysV startup script, and on some systems, it will call /etc/sysconfig/iptables for additional firewall rules. The main Shorewall web page is

Red Hat Security Level Configuration Red Hat ships with a pair of tools called redhat-config-securitylevel and lokkit, which are GUI and text-based iptables script generators. (A GUI version of lokkit is available as gnome-lokkit, as well.) These tools generate an iptables configuration file and place it in /etc/sysconfig/iptables, where the iptables SysV startup script reads it.

SuSE Firewall2 Like Shorewall and Red Hat's Security Level Configuration, this package is a set of firewall rules that you can modify to suit your needs. SuSE stores the rule set in /etc/sysconfig/SuSEfirewall2 and provides a means of modifying them in its YaST and YaST2 system configuration tools.

Knetfilter This tool, headquartered at, creates an iptables script and gives you fine-grained control over it using a GUI interface, as shown in Figure 20.1. If you want to edit the rules manually, you can do so by editing /etc/iptables_rules.cfg. Unfortunately, Knetfilter doesn't display rules after you've saved them, quit the program, and loaded them again, so editing an existing rule set with the program isn't practical.

Figure 20.1 : Knetfilter provides more fine-grained control over packet filter firewall rules than do most GUI tools.

As a general rule, the GUI tools can be helpful for setting up a quick rule set, but if you need to do anything more than a very basic configuration, you must dig into the text configuration files or write a firewall script. The next two sections, "Basics of iptables" and "Restricting Access with iptables," describe how to do this.
