Enough has probably been said in this chapter to convince you that you should think hard about whether or not you actually need to run an FTP server. FTP for users who have accounts on the machine is inherently insecure, and also unnecessary given the availability of ssh, scp, and sftp. If you need to run a server to offer files for anonymous download, and if the expected volume is not enormous, you may choose to offer those files by HTTP. If you want to run an anonymous upload server, check carefully that it is not open to any kind of abuse, and monitor its usage.
You have likely heard of a firewall before — your organization doubtlessly has one, and your asymmetric digital subscriber line (ADSL) router probably has one, too. Linux has had support for packet filtering (discussed later in the chapter) for quite a while now in some incarnation or another.
A firewall is a line of defense between two networks. It is used to explicitly allow network traffic to and from your networks, letting you as an administrator control what traffic can go where. Many organizations use firewalls not only to protect their corporate network from the Internet, but also to protect one department from another. For example, is there any reason to allow the Sales department access to your Research and Development department? If your network is compromised, this also helps to slow the spread of a malicious user or virus code through it, because only explicitly permitted traffic or protocols can cross between networks.
Many companies provide firewall appliances that offer the user a graphical user interface to the firewall internals. Most ADSL routers also include a firewall as an added bonus. One of the most popular firewall appliances is the Cisco Pix. As with most things Cisco, it is aimed at the business end of the market, and you need knowledge of firewalls and how they work to use it.
IN THIS CHAPTER: Using iptables

If you do not have a firewall solution at home or in the office, you can use an old PC to provide firewall services. A firewall does not need large amounts of memory or disk space because all the machine does is move packets from one network interface to another while analyzing network information. Linux firewalls are bound by the speed of the processor. We have implemented a firewall server on an old Pentium 75 with 16 MB of memory before, and it worked perfectly fine for a home network.
The first Linux firewalling support came with the ipfwadm in the 2.0.x kernel series. With each major release of the kernel, the firewalling code has been rewritten — with 2.2.x came ipchains, and the 2.4.x kernel brought us to iptables.
Linux firewalling, as we said, is packet-filter based. A packet filter acts upon a network packet, using the parameters that can be queried in the TCP/IP headers to sort and separate packets. For example, you can produce a rule that takes into consideration the source of the packet (the source IP address), the destination (the destination IP address), the protocol (for example, TCP), the port (SSH), and the TCP options (SYN).
Taking all of these into consideration, you can define a rule that describes a very specific scenario for a network connection. Putting numerous rules together, you can produce a very powerful firewall.
With the introduction of iptables, we were given the godsend called stateful firewalls. This is a firewall that keeps track of the current connections that are going across it and is able to tell whether any particular packet is legitimate for the current connections.
iptables is something that most Linux administrators should know, especially when you need to secure your network or individual machines from a network attack. It is relatively simple to use and extremely powerful when done correctly. All kudos to Rusty Russell (the lead iptables developer) for implementing this feature, as it allows us to produce tight firewalls with fewer rules. We will talk about stateful firewalls and what they do in this chapter, as well as a few scenario-based iptables rules.
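As an added example (not taken from the book), here is a minimal stateful INPUT policy for a single Linux host that uses every header field listed above (source and destination address, protocol, port, the SYN flag) together with connection state. The LAN 192.168.1.0/24 and host address 192.168.1.10 are constructed values; with `DRY_RUN=1` the rules are printed instead of applied, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the book's own script. Constructed addresses:
LAN="192.168.1.0/24"          # assumed local network
HOST_IP="192.168.1.10"        # assumed address of this host
IPT="${IPT:-iptables}"

# run: print the rule when DRY_RUN is set, otherwise hand it to iptables.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Clean slate and a default-deny policy: anything not explicitly
    # accepted below is dropped.
    run -F INPUT
    run -P INPUT DROP

    # Loopback traffic never leaves the machine and is always needed.
    run -A INPUT -i lo -j ACCEPT

    # The stateful core: one rule accepts every packet belonging to a
    # connection the kernel already tracks, so the per-service rules only
    # have to describe how a connection may *start* (-m state --state is
    # the older spelling of the same match).
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets that match no tracked connection (e.g. a stray ACK) are INVALID.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # A new SSH session from the LAN: source net, destination address,
    # protocol, port and the TCP SYN flag, plus the NEW state.
    run -A INPUT -s "$LAN" -d "$HOST_IP" -p tcp --dport 22 --syn \
        -m conntrack --ctstate NEW -j ACCEPT

    # Allow ping from the LAN only.
    run -A INPUT -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Log (rate limited) what is about to hit the DROP policy.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Usage: sh firewall.sh show   (print rules)   |   sudo sh firewall.sh apply
case "${1:-}" in
    show)  DRY_RUN=1; firewall_rules ;;
    apply) firewall_rules ;;
esac
```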