A simple Linux firewall
This tutorial describes how to set up a very simple firewall for Linux,
to greatly increase the security of your box against outside attacks.
I assume that you are firewalling a Linux machine in the CS department
at UC Berkeley. Otherwise, you will need to adjust the hostnames and
configuration details to taste.
Another useful resource for securing Linux boxes may be found
here.
Here are the steps to improving the security of your machine:
- Get root on the machine in question. (Legally.)
All of the following require root privileges.
- Re-compile your kernel with all the IP firewalling options
enabled.
More specifically, enable network firewalls, IP firewalling,
IP firewall packet logging, IP always defragment, IP drop
source routed frames, IP SYN cookies, and IP accounting.
While you're at it, get the latest (2.0.37?) kernel, which has a
number of security fixes.
(If you like, you can also turn on other goodies like IP multicast,
IP masquerading, network aliasing, etc., but these are not required
for the firewalling configuration.)
Note that these instructions will only work for the 2.0.x series kernels.
- Install ipfwadm; sources can be obtained from e.g.
ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz
There also seems to be a x86 binary RPM at
ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.i386.rpm
and a RPM with sources at
ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm
although I haven't tried the RPMs myself.
- Set up your syslog so it will properly log some stuff from
the firewalling code. The default firewalling configuration doesn't
log much, but what it does log is useful both for debugging and (if you
care) for attack detection.
Edit your /etc/syslog.conf file to include the following line
kern.=info /var/log/firewalling
(You have to use tabs, not spaces.)
Then touch /var/log/firewalling, kill -HUP syslogd,
kill -9 klogd, and restart klogd (e.g. /usr/sbin/klogd).
- Download the
firewall configuration script, and chmod a+rx it.
- Edit the options at the top to reflect your configuration.
At a minimum, you must set ME to reflect your IP address,
and FW with the full path to the ipfwadm program
you installed earlier.
It would be wise to set NFSSERVERS
(and perhaps DNSSERVERS)
to reflect your /etc/fstab (and /etc/resolv.conf).
- Update things so sendmail will work properly.
(If you don't run sendmail---e.g. if telnet localhost 25
gives a connection refused message---then you can skip this step.)
Since sendmail is a classic security risk, we'd ideally like to
do something about it.
On most machines, mail is read over the NFS mailspool directory,
and there is no need to run sendmail---you can just direct your email
to the CS servers, who will deliver it to the NFS spool directory for you.
Here's how to set that up:
Beware that if you use a MH-style mailer,
you might need to do some extra stuff; see
here for details.
- Try running the simple firewalling
script by hand from the console to see if it works.
If you get any error messages, something went wrong; go fix it.
Otherwise, try out the network services you use:
DNS (host foo.com), NFS
(umount -a -t nfs; mount -a -t nfs), ssh from an outside
machine, ping, etc.
You are strongly advised to do these experiments at the console, so
that if anything goes wrong, you can fix it. (If you try to do this
via e.g. a dialup connection, and the ipfwadm stuff goes wrong, the
machine might silently stop responding to incoming packets, which
makes fixing the error rather difficult.)
If something breaks, you probably need to fix the options at the
top of the script: hopefully the comments should be enough to guide
you in the right direction.
- Once you've got it working satisfactorily by hand, install it
into your boot-time startup scripts.
If you've got SysV-style rc scripts (e.g. Redhat?),
copy the firewalling script to
/etc/sysconfig/network-scripts/rc.firewall,
chmod a+rx it, and add a line like
./rc.firewall
to /etc/rc.d/init.d/network just before the line
./ifup ifcfg-lo
If your rc scripts are not SysV-ish (e.g. Slackware?),
copy the firewalling script to /etc/rc.d/rc.firewall,
chmod a+rx it, and add a line like
. /etc/rc.d/rc.firewall
to /etc/rc.d/rc.inet2.
Otherwise, you're on your own.
- Reboot, and check whether your machine came up properly.
(You did do this trial from the console, right?)
If not, reboot single-user, fix the errors, and repeat.
- You're done. Congratulations!
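The firewall configuration script itself is not reproduced on this page. As an added example (not the tutorial's own script), here is an rc.firewall in the same spirit for ipfwadm on a 2.0.x kernel: deny-by-default input chain, loopback and established-TCP replies accepted, ssh open, DNS and NFS servers permitted, and a final logging deny so blocked packets land in /var/log/firewalling. The option names ME, FW, NFSSERVERS and DNSSERVERS follow the tutorial; IFACE, SSHPORT, the fw_run/dry_run helpers and all addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example rc.firewall for ipfwadm (Linux 2.0.x). Not the tutorial's
# own script. Addresses are constructed placeholders; IFACE, SSHPORT,
# fw_run and dry_run are assumptions of this example.
ME="${ME:-192.0.2.10}"                    # this host's IP address
FW="${FW:-/sbin/ipfwadm}"                 # full path to ipfwadm
IFACE="${IFACE:-eth0}"                    # outside interface
NFSSERVERS="${NFSSERVERS:-192.0.2.20 192.0.2.21}"   # from /etc/fstab
DNSSERVERS="${DNSSERVERS:-192.0.2.53}"              # from /etc/resolv.conf
SSHPORT=22

# Run one ipfwadm command through $FW, so the rule set can be dry-run by
# pointing FW at a shell function instead of the real binary.
fw_run() { "$FW" "$@"; }

install_rules() {
  fw_run -I -f                              # flush the input chain
  fw_run -I -p deny                         # default: drop what no rule accepts
  fw_run -I -a accept -W lo                 # loopback traffic is always fine
  # Anti-spoofing: packets arriving on the outside interface must not claim
  # to come from this host (-o logs them).
  fw_run -I -a deny -o -W "$IFACE" -S "$ME"
  # Replies to connections we opened: TCP packets with the ACK bit set (-k).
  fw_run -I -a accept -P tcp -k -D "$ME"
  # Inbound ssh from anywhere.
  fw_run -I -a accept -P tcp -D "$ME" "$SSHPORT"
  # DNS answers from our resolvers (UDP and TCP, source port 53).
  for s in $DNSSERVERS; do
    fw_run -I -a accept -P udp -S "$s" 53 -D "$ME"
    fw_run -I -a accept -P tcp -S "$s" 53 -D "$ME"
  done
  # NFS: mountd and portmap answer from dynamic ports, so accept all UDP
  # from each listed NFS server rather than only port 2049.
  for s in $NFSSERVERS; do
    fw_run -I -a accept -P udp -S "$s" -D "$ME"
  done
  fw_run -I -a accept -P icmp -D "$ME"      # ping, unreachables, etc.
  # Catch-all: deny and log (-o); with the kern.=info syslog line these
  # show up in /var/log/firewalling.
  fw_run -I -a deny -o -D "$ME"
}

# Dry run: print every rule instead of installing it (subshell keeps the
# real FW value untouched).
print_rule() { echo "ipfwadm $*"; }
dry_run() { ( FW=print_rule; install_rules ); }

# Number of rules a dry run would add (flush and policy lines excluded).
rule_count() { dry_run | grep -c -- ' -a '; }
```

Run it as `sh rc.firewall` to install the rules, or call `dry_run` to review them first; the ordering matters, since ipfwadm takes the first matching rule.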
This tutorial provided to you as a service by the ISAAC
security research group.
If you have any comments, contributions, criticisms, or questions,
you may
contact David Wagner.
This tutorial comes with all the standard disclaimers: it
works for me, but caveat emptor; it's free, and worth every penny;
if it breaks, you get to keep all the pieces. You get the idea.