Title: Linux firewalls
Edition: 2nd ed.
Publication Information: New York : New Riders, 2002
ISBN: 9780735710993

Available:

Item Barcode: 30000010050525
Call Number: QA76.9.A25 Z54 2002
Material Type: Open Access Book
Item Category 1: Book
On Order

Summary

An Internet-connected Linux machine is in a high-risk situation. "Linux Firewalls, Third Edition" details security steps that any sized implementation--from home use to enterprise level--might take to protect itself from potential remote attackers. As with the first two editions, this book is especially useful for its explanations of iptables, packet filtering, and firewall optimization along with some advanced concepts including customizing the Linux kernel to enhance security. The third edition, while distribution neutral, has been updated for the current Linux Kernel and provides code examples for Red Hat, SUSE, and Debian implementations. Don't miss out on the third edition of the critically acclaimed "Linux Firewalls."


Author Notes

Bob Ziegler graduated from the University of Wisconsin-Madison with an undergraduate degree in psychology, following near-completions in both German and philosophy. After taking educational and career trips in several directions, he decided to make his hobby his career and earned a master's degree in computer science, also from the University of Wisconsin-Madison. Out of school, Bob became one of a team of two UNIX operating system developers working for a company developing a mini-supercomputer. He developed a multiprocessor version of BSD 4.3 UNIX as a side project to the team's ongoing uniprocessor development efforts. Since then, he has worked as a UNIX operating system kernel developer for R&D companies in the Boston area. The advent of Linux and consumer access to 24/7 Internet connectivity gave Bob the keys to a dream he'd had since 1982: to have his own UNIX server and LAN at home. What began as a pragmatic effort to make his system secure on the Internet quickly grew into a passion for the home UNIX user. He offers free, web-based Linux firewall design services to the public, as well as a popular firewall and LAN FAQ to help people quickly get their Linux systems set up securely. Bob most recently functioned as a firewall architect at Nokia, collaborating with several groups in Massachusetts, California, and Finland.

Carl B. Constantine has worked in the computer industry for many years. He's been a programmer, consultant, technical writer, troubleshooter, and anything else he could get his paws into. Carl lives in beautiful Victoria, British Columbia, Canada, with his wife, Terry, and four children, Rebekah, 6, Emily, 4, Matthew, 2, and Joshua, 6 months. Carl is a programmer analyst/UNIX system administrator for the Department of Computer Science at the University of Victoria, in Victoria, British Columbia, Canada.


Excerpts

Introduction

This book is essentially about creating a software-based firewall using Netfilter and iptables in the Linux operating system. Beyond the basics of a firewall, this book also looks at the firewall in the context of a networked computing environment. To that end, topics such as intrusion detection and system security are also covered.

Computer security is an expansive subject area. Volumes have been written about it and volumes will continue to be written about it. Computer security is centered around protection of data assets using three principles: confidentiality, integrity, and availability. Confidentiality means that data is accessible only by those who are authorized to access the data and no one else. Integrity ensures that the data is verifiably good and is not tainted. Availability means that the data can be accessed when it needs to be accessed. These three principles guide the discussion of computer security and provide the framework for this book.

In addition to the three principles of confidentiality, integrity, and availability, I subscribe to an in-depth, risk-assessed approach to computer security. This means that I don't consider any single option to be an endpoint when it comes to securing data; rather, each item such as a firewall or antivirus software plays a role in securing data. However, there is a cost involved with each measure of security. Therefore, each additional measure or layer of security must be assessed to ensure that the cost of that layer doesn't exceed the benefit of being protected from that risk. Consider this example: I use two firewalls, a choke and a gateway (see Chapter 6, "Packet Forwarding"), for my home network. I consider the benefit of having a dual-firewall approach to outweigh the cost of operating and maintaining the firewalls. Other people use a single firewall or no firewall at all. They consider the risk of their data or systems being unavailable or attacked to be less costly than running a dual-firewall setup, or even a single firewall for some. Many more examples of this cost/benefit assessment could be done. Unfortunately, this analysis is often overlooked for many areas of security, not just computer security. For more information on this type of analysis, and a good read on top of it, see Bruce Schneier's works Secrets and Lies and Beyond Fear.

The Purpose of This Book

The goal of this book is to give the reader enough information that they may configure a firewall using iptables in Linux. A secondary goal is to educate the reader about system and network security. However, because this isn't a book on system and network security, those topics are indeed secondary even though they do consume a large portion of the book. There are also topics in this book that I haven't seen (yet) in other books to any great degree.

You are reading the third revision of this book and the first revision with a new author, Steve Suehring. Bob Ziegler wrote the original material and also revised the work into its second revision in 2001. Bob did an excellent job and I've built upon his solid foundation to bring you the third revision. In addition, the previous revision had some material contributed by Carl B. Constantine. You'll find Carl's contribution, though updated, in Appendix C of this revision, "VPNs."

I learned much of what I know about Linux security while working at an Internet service provider (ISP), beginning in 1995. Resisting the temptation to recite a "back when I was young" tale, I'll just say that most of what I learned was done with security in mind. It had to be. By definition at an ISP, you must run publicly available services and those services must be available 24x7. Having publicly available services means that there's a constant threat (and frequent execution) of attacks against the network and the systems therein. If we hadn't considered security to be central to our operation, we simply could not have ensured the reliability that our customers demanded, nor could we have guaranteed the integrity of the data that we housed. None of this takes into account the general lack of security tools, software, and books like this back in 1995, either.

That background also helps to answer the question "Why Linux?" The answer was and is quite simple: Linux and open-source tools were the only solution when I was tasked with solving these problems. There simply was no other way to provide Internet services with anywhere near the reliability that Linux and open-source software provided. No other operating system provided the same set of reliability and security while at the same time keeping down the Total Cost of Ownership (TCO). The same can largely be said today. With a pure technological decision, Linux wins. Factor in TCO and the picture only gets better for Linux and open-source software, regardless of the results from funded and paid studies. Why Linux? Because it works.

Who Should Read This Book

I've usually found these "Who Should Read This Book" sections to be somewhat useless simply because the goal is to get you to think that you should read the book. Therefore, to satisfy the publisher I'll tell you that everyone should read this book. In fact, everyone should read this book multiple times, buying a separate copy each time. In all seriousness, I can't tell you whether you should be reading this book, but I can tell you about the book.

This book assumes that you have already chosen a Linux distribution and that you've already installed it. This book also assumes that you're not looking for an introductory "HOWTO" on Linux or *nix security such as the chmod command. There are many great resources about those topics already, many of them on the Internet, and I feel as though coverage of those issues gets away from the focus of this book. However, this book does deal rather extensively with introductory material on network security, packet filtering, and the layers in the OSI model (if you're unfamiliar with the OSI model, it's explained in the book). This book tries to be helpful to those who know nothing about firewalls as well as to those who know a bit about Linux and Linux security but want to carry that to the next level. This book could be used successfully by home users and enterprise security administrators alike.

To get the most out of this book, you should be comfortable with, or at least not afraid of, the Linux command line, or shell. You should know how to move about in the file system and perform basic shell commands.

Linux Distribution

Linux and open-source books need to be more distribution neutral or cover more than one distribution. This book does both. A Linux firewall is built using the iptables firewall administration program on top of the Netfilter core software that resides in the Linux kernel. As such, the Linux distribution you choose is largely irrelevant. The book does, however, cover some commands and issues as seen through the eyes of SUSE, Red Hat/Fedora, and Debian. Yes, there are other distributions, many of them very good. Favoring those three distributions is certainly not meant to take away from any other distribution.

The second edition of this book covered only Red Hat. However, I undertook an effort early on in the revision process to remove the distribution-centric tone where it did show up. This was not done to intentionally favor any one distribution or to reject another. Rather, this was a pragmatic decision to provide material applicable to a larger audience and to prevent confusion as to file and command locations if you don't happen to be using the same distribution as the author.

Errors in This Book

Although every effort is made to check facts and figures, files and syntax, some errors will inevitably slip through the writing, technical editing, copyediting, and review process. Let me apologize in advance for any such errors as exist within these pages. I invite the reader to visit my web site at http://www.braingia.org/ for updates and other information about this book. I also invite you to send me feedback at steve.suehring@braingia.com. Although I can't guarantee that I'll have the answer, I will definitely try to respond and point you in the right direction.

Companion Website

Visit http://www.braingia.org/ for up-to-date information on this book and links to interesting security articles. Included on the website are the latest versions of some of the same scripts you'll see within the text.

(c) Copyright Pearson Education. All rights reserved. Excerpted from Linux Firewalls by Robert Ziegler, Steve Suehring. All rights reserved by the original copyright owners. Excerpts are provided for display purposes only and may not be reproduced, reprinted or distributed without the written permission of the publisher.

Table of Contents

I Packet-Filtering and Basic Security Measures, p. 1
1 Preliminary Concepts Underlying Packet-Filtering Firewalls, p. 3
The TCP/IP Reference Networking Model, p. 5
IP Addresses, p. 8
Routing: Getting a Packet from Here to There, p. 12
Service Ports: The Door to the Programs on Your System, p. 12
Packets: IP Network Messages, p. 15
Summary, p. 26
2 Packet-Filtering Concepts, p. 27
A Packet-Filtering Firewall, p. 30
Choosing a Default Packet-Filtering Policy, p. 32
Rejecting Versus Denying a Packet, p. 34
Filtering Incoming Packets, p. 35
Filtering Outgoing Packets, p. 52
Private versus Public Network Services, p. 55
Summary, p. 79
3 iptables: The Linux Firewall Administration Program, p. 81
Differences Between IPFW and Netfilter Firewall Mechanisms, p. 81
iptables Features, p. 85
iptables Syntax, p. 90
Summary, p. 110
4 Building and Installing a Standalone Firewall, p. 111
iptables: The Linux Firewall Administration Program, p. 112
Initializing the Firewall, p. 114
Protecting Services on Assigned Unprivileged Ports, p. 125
Enabling Basic, Required Internet Services, p. 130
Enabling Common TCP Services, p. 137
Enabling Common UDP Services, p. 165
Filtering ICMP Control and Status Messages, p. 171
Logging Dropped Incoming Packets, p. 174
Logging Dropped Outgoing Packets, p. 176
Denying Access to Problem Sites Up Front, p. 176
Installing the Firewall, p. 177
Summary, p. 179
II Advanced Issues, Multiple Firewalls, and Perimeter Networks, p. 181
5 Firewall Optimization, p. 183
Rule Organization, p. 183
User-Defined Chains, p. 187
Optimized Example, p. 190
What Did Optimization Buy?, p. 209
Summary, p. 212
6 Packet Forwarding, p. 213
The Limitations of a Standalone Firewall, p. 214
Basic Gateway Firewall Setups, p. 215
LAN Security Issues, p. 217
Configuration Options for a Trusted Home LAN, p. 218
Configuration Options for a Larger or Less Trusted LAN, p. 222
A Formal Screened-Subnet Firewall, p. 230
Converting the Gateway from Local Services to Forwarding, p. 262
Summary, p. 263
7 NAT--Network Address Translation, p. 265
The Conceptual Background of NAT, p. 265
iptables NAT Semantics, p. 270
Examples of SNAT and Private LANs, p. 275
Examples of DNAT, LANs, and Proxies, p. 277
Summary, p. 283
8 Debugging the Firewall Rules, p. 285
General Firewall-Development Tips, p. 286
Listing the Firewall Rules, p. 288
Checking the Input, Output, and Forwarding Rules, p. 298
Checking for Open Ports, p. 304
Debugging SSH: A Real-Life Example, p. 308
Summary, p. 310
III System-Level Security and Monitoring, p. 311
9 Verifying That the System Is Running as You Expect, p. 313
Checking the Network Interfaces with ifconfig, p. 313
Checking the Network Connection with ping, p. 315
Checking Network Processes with netstat, p. 316
Checking a Process Bound to a Particular Port with fuser, p. 317
Checking All Processes with ps -ax, p. 318
Interpreting the System Logs, p. 320
Summary, p. 330
10 Issues at the UNIX System Administration Level, p. 331
Authentication: Verifying Identity, p. 331
Authorization: Defining Access Rights to Identities, p. 334
Server-Specific Configuration, p. 341
SOCKS: An Application-Level Proxy Firewall, p. 379
Miscellaneous System Accounts in /etc/passwd, /etc/shadow, and /etc/group, p. 380
Setting Your PATH Variable, p. 382
/etc/issue.net, p. 383
Remote Logging, p. 384
Keeping Current with Software Upgrades, p. 384
Summary, p. 385
11 Secure Shell (SSH), p. 387
Installing SSH, p. 390
Generating SSH Keys, p. 392
Using SSH, p. 394
Customizing Your SSH Configuration, p. 398
Secure Copy (scp), p. 404
Summary, p. 405
12 Tripwire, p. 407
Tripwire Overview, p. 407
Installing Tripwire, p. 408
Looking at How Tripwire Works, p. 410
Configuring Tripwire, p. 415
Using Tripwire, p. 421
Tripwire Tips and Tricks, p. 430
Summary, p. 432
13 Intrusion Detection and Incident Reporting Software, p. 433
Intrusion-Detection Software, p. 434
Symptoms Suggesting That the System Might Be Compromised, p. 437
What to Do if Your System Is Compromised, p. 441
Incident Reporting, p. 442
Summary, p. 448
IV Appendixes, p. 449
A Security Resources, p. 451
Security Information Sources, p. 451
Software Collections, p. 452
Security Tools, p. 453
Firewall Tools, p. 454
Reference Papers and FAQs, p. 455
General Web Sites, p. 458
Books, p. 459
B Firewall Examples and Support Scripts, p. 461
iptables Firewall for a Standalone System from Chapter 4, p. 462
Optimized iptables Firewall from Chapter 5, p. 478
iptables Firewall for a Choke Firewall from Chapter 6, p. 493
Special Purpose Support Scripts, p. 504
DHCP and pump: Firewall Support with a Dynamic IP Address and Name Servers, p. 508
C VPN, p. 511
Overview of Virtual Private Networks (VPN), p. 511
Types of VPN, p. 512
VPN Protocols, p. 513
Linux and VPN Products, p. 518
VPN Configurations, p. 520
Connecting Networks, p. 521
VPN and Firewalls, p. 522
D Glossary, p. 525
Index, p. 537