The FreeBSD Diary (TM): Providing practical examples since 1998
Firewalls - an overview
29 October 1998
A firewall, in the original sense, is a fireproof wall built to prevent the spread of fire. Some examples of firewalls most people know about are:

In computing terms, a firewall protects a computer system from unauthorized access and/or attack. If your computer is always attached to the Internet, a firewall is a good idea. Even if you dial up only occasionally, it may still be a wise investment.

In this article, I will talk about packet filtering firewalls. This is a firewall where each incoming packet is examined and compared against a set of rules; the packet is either allowed to pass or it is blocked. There is another type of firewall, the proxy firewall, where new requests are created on behalf of the client instead of allowing the original packet to pass. In both cases, a set of rules is established which defines which packets are permitted and which are not. I will show you how to install two firewall packages:
Who needs a firewall?
It is important to note that a firewall does more than just protect against unauthorized access. It also provides some protection against attack. If you've ever been on IRC, you've probably heard about nuking. A good firewall should prevent such attacks. NOTE: you can't winnuke FreeBSD, but if you're also running a Windows machine, a firewall can stop winnukes. From what I understand, most of the nuke programs deal specifically with Microsoft operating systems.
A warning
I am not a security expert. My area of expertise is in software design, not security. If you want great security advice, go elsewhere. This article is merely an introduction. For more information, start with the list of security publications held by the National Institute of Standards and Technology.
Assumptions
I will be assuming that you have more than one computer and that you will be using a FreeBSD box as a gateway for the other computers. Your gateway will connect to your ISP and provide Internet access for your other computers. In such circumstances, it is common to have some sort of network address translation (NAT). This is needed because your ISP normally only supplies you with one IP address, which must be shared amongst all of your computers. NAT rewrites the addresses in the packets passing through the gateway so that every computer on your inside network appears to the Internet as that single address. We will be using natd for NAT and ipfw for our firewall.
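To make the gateway setup concrete, here is an added example of what a minimal natd/ipfw ruleset for that arrangement looks like. It is not code from the original article; it uses current ipfw syntax, and the outside interface name (ed0), the inside network (192.168.1.0/24) and the IPFW dry-run variable are assumptions you would adjust for your own machine.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal ipfw ruleset for a
# FreeBSD box acting as a NAT gateway with natd.
# Assumptions: outside interface ed0, inside network 192.168.1.0/24.
# Set IPFW=echo to print the rules instead of loading them (dry run).

ext_if="${EXT_IF:-ed0}"              # assumed outside (ISP-facing) interface
int_net="${INT_NET:-192.168.1.0/24}" # assumed inside network
IPFW="${IPFW:-ipfw}"                 # the real ipfw, or echo for a dry run

# rc.conf settings that go with this script (standard FreeBSD rc.conf variables):
#   gateway_enable="YES"    # forward packets between interfaces
#   firewall_enable="YES"   # load ipfw rules at boot
#   natd_enable="YES"       # start natd
#   natd_interface="ed0"    # equivalent to running: natd -n ed0
# The kernel needs options IPFIREWALL and IPDIVERT for ipfw and natd to work.

apply_rules() {
    # Start from an empty table. With IPFIREWALL alone, the built-in last
    # rule (65535) denies everything that no earlier rule accepted.
    $IPFW -f flush

    # Hand every packet crossing the outside interface to natd (divert port
    # "natd", 8668 in /etc/services) so addresses get rewritten. The packet
    # re-enters the ruleset at the next rule after translation.
    $IPFW add 100 divert natd ip from any to any via "$ext_if"

    # Loopback and traffic originating on the inside LAN are trusted.
    $IPFW add 200 allow ip from any to any via lo0
    $IPFW add 300 allow ip from "$int_net" to any

    # Replies to TCP connections the inside opened (ACK or RST set).
    $IPFW add 400 allow tcp from any to any established

    # DNS replies from a resolver, already translated back to an inside address.
    $IPFW add 500 allow udp from any 53 to "$int_net"

    # Everything else, including the stray packets used for IRC-style "nukes",
    # is dropped and logged so you can see what was knocking.
    $IPFW add 600 deny log ip from any to any
}

# Only load the rules when explicitly asked: sh firewall.sh load
if [ "${1-}" = "load" ]; then
    apply_rules
fi
```

Running the script with IPFW=echo in the environment prints the seven ipfw commands without touching the kernel, which is a handy way to review a ruleset before you lock yourself out of a remote box; note that rule 400 lets any packet with ACK set back in, so a stateless ruleset like this is a starting point, not the last word.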
IP Filter
IP Filter is an extremely robust and commercial-grade application. If
you are running a production box, you should be thinking about IP Filter.
For a home sub-net, I think it is overkill.
ipfw/natd
When I first used FreeBSD, I installed natd and ipfw from the start.
That was not because I wanted a firewall, but because I wanted a gateway. I
was pleased with the results, but there are some limitations.