A simple Linux firewall

This tutorial describes how to set up a very simple firewall for Linux, to greatly increase the security of your box against outside attacks.

I assume that you are firewalling a Linux machine in the CS department at UC Berkeley. Otherwise, you will need to adjust the hostnames and configuration details to taste.

Another useful resource for securing Linux boxes may be found here.

Here are the steps to improving the security of your machine:

  1. Get root on the machine in question. (Legally.) All of the following require root privileges.
  2. Re-compile your kernel with all the IP firewalling options enabled. More specifically, enable network firewalls, IP firewalling, IP firewall packet logging, IP always defragment, IP drop source routed frames, IP SYN cookies, and IP accounting. While you're at it, get the latest (2.0.37?) kernel, which has a number of security fixes. (If you like, you can also turn on other goodies like IP multicast, IP masquerading, network aliasing, etc., but these are not required for the firewalling configuration.) Note that these instructions will only work for the 2.0.x series kernels.
  3. Install ipfwadm; sources can be obtained from e.g.
    ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz
    There also seems to be a x86 binary RPM at
    ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.i386.rpm
    and a RPM with sources at
    ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm
    although I haven't tried the RPMs myself.
  4. Set up your syslog so it will properly log some stuff from the firewalling code. The default firewalling configuration doesn't log much, but what it does log is useful both for debugging and (if you care) for attack detection. Edit your /etc/syslog.conf file to include the following line
    kern.=info		/var/log/firewalling
    
    (You have to use tabs, not spaces.) Then touch /var/log/firewalling, kill -HUP syslogd, kill -9 klogd, and restart klogd (e.g. /usr/sbin/klogd).
  5. Download the firewall configuration script, and chmod a+rx it.
  6. Edit the options at the top to reflect your configuration. At a minimum, you must set ME to reflect your IP address, and FW with the full path to the ipfwadm program you installed earlier. It would be wise to set NFSSERVERS (and perhaps DNSSERVERS) to reflect your /etc/fstab (and /etc/resolv.conf).
  7. Update things so sendmail will work properly. (If you don't run sendmail---e.g. if telnet localhost 25 gives a connection refused message---then you can skip this step.) Since sendmail is a classic security risk, we'd ideally like to do something about it. On most machines, mail is read over the NFS mailspool directory, and there is no need to run sendmail---you can just direct your email to the CS servers, who will deliver it to the NFS spool directory for you. Here's how to set that up: Beware that if you use a MH-style mailer, you might need to do some extra stuff; see here for details.
  8. Try running the simple firewalling script by hand from the console to see if it works. If you get any error messages, something went wrong; go fix it. Otherwise, try out the network services you use: DNS (host foo.com), NFS (umount -a -t nfs; mount -a -t nfs), ssh from an outside machine, ping, etc. You are strongly advised to do these experiments at the console, so that if anything goes wrong, you can fix it. (If you try to do this via e.g. a dialup connection, and the ipfwadm stuff goes wrong, the machine might silently stop responding to incoming packets, which makes fixing the error rather difficult.) If something breaks, you probably need to fix the options at the top of the script: hopefully the comments should be enough to guide you in the right direction.
  9. Once you've got it working satisfactorily by hand, install it into your boot-time startup scripts. If you've got SysV-style rc scripts (e.g. Redhat?), copy the firewalling script to /etc/sysconfig/network-scripts/rc.firewall, chmod a+rx it, and add a line like
    ./rc.firewall
    to /etc/rc.d/init.d/network just before the line
    ./ifup ifcfg-lo
    If your rc scripts are not SysV-ish (e.g. Slackware?), copy the firewalling script to /etc/rc.d/rc.firewall, chmod a+rx it, and add a line like
    . /etc/rc.d/rc.firewall
    to /etc/rc.d/rc.inet2. Otherwise, you're on your own.
  10. Reboot, and check whether your machine came up properly. (You did do this trial from the console, right?) If not, reboot single-user, fix the errors, and repeat.
  11. You're done. Congratulations!
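The firewall configuration script the tutorial refers to is not reproduced on this page, so here is an added example in the same spirit (my own, not the ISAAC script): a minimal ipfwadm input firewall for a 2.0.x kernel, using the same ME, FW, NFSSERVERS and DNSSERVERS variables that step 6 describes. The addresses, the /sbin/ipfwadm path, the DRYRUN switch and the rule helper are all assumptions; adjust them before use.

```shell
#!/bin/sh
# Added example of a minimal ipfwadm (Linux 2.0.x) input firewall in the
# style the tutorial describes.  Not the tutorial's script; the addresses
# below are placeholders that must be replaced with your own.
ME=${ME:-128.32.0.9}                  # this machine's IP address (placeholder)
FW=${FW:-/sbin/ipfwadm}               # full path to ipfwadm
NFSSERVERS=${NFSSERVERS:-128.32.0.20} # space-separated, from /etc/fstab (placeholder)
DNSSERVERS=${DNSSERVERS:-128.32.0.53} # space-separated, from /etc/resolv.conf (placeholder)
ANY=0.0.0.0/0

# Run one ipfwadm command, or just print it when DRYRUN is set so the rule
# set can be reviewed before it is loaded into the kernel.
rule() {
    if [ -n "$DRYRUN" ]; then
        printf 'ipfwadm %s\n' "$*"
    else
        "$FW" "$@"
    fi
}

firewall_rules() {
    rule -I -f                       # flush existing input rules
    rule -I -p deny                  # default: drop whatever no rule accepts

    rule -I -a accept -W lo -S $ANY -D $ANY     # loopback is always fine
    # Anti-spoofing: packets from outside that claim to be us or 127/8 are
    # dropped and logged (-o).  These sit after the loopback rule, which they
    # would otherwise shadow.
    rule -I -a deny -o -S $ME -D $ANY
    rule -I -a deny -o -S 127.0.0.0/8 -D $ANY

    # TCP replies to connections we opened carry ACK (-k); new connections
    # (SYN without ACK) fall through to the explicit rules below.
    rule -I -a accept -P tcp -k -S $ANY -D $ME
    rule -I -a accept -P tcp -S $ANY -D $ME 22  # inbound ssh

    for s in $DNSSERVERS; do         # UDP answers from our resolvers
        rule -I -a accept -P udp -S $s 53 -D $ME
    done
    for s in $NFSSERVERS; do         # portmap/mountd/nfsd are all UDP from
        rule -I -a accept -P udp -S $s -D $ME   # the server: trust the whole host
    done

    rule -I -a accept -P icmp -S $ANY -D $ME    # ping, unreachables, PMTU

    rule -I -a deny -o -S $ANY -D $ANY  # catch-all: log what the policy drops
}

case "${1:-}" in
    apply) firewall_rules ;;
    show)  DRYRUN=1; firewall_rules ;;
esac
```

`sh rc.firewall show` prints the eleven ipfwadm commands without touching the kernel, which is the form to review before the console test in step 8; `sh rc.firewall apply` loads them, so the rc line in step 9 would need the `apply` argument with this script. The final deny rule only exists for its `-o`: the policy already drops those packets, but without a logging rule nothing reaches /var/log/firewalling. The NFS rule is deliberately coarse (NFS, portmap and mountd use several UDP ports), so it trusts the server hosts entirely; that is the trade-off the tutorial's "set NFSSERVERS from /etc/fstab" advice implies.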
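Step 4's log file is what makes the "attack detection" mentioned there possible: once the kern.=info line is in place, every rule carrying -o writes one line per matching packet. As an added example (not part of the tutorial), here is a small summary script for that log. The four log lines are constructed, and the field layout they assume ("IP fw-in <action> <iface> <proto> <src:port> <dst:port> ...") is my recollection of the 2.0.x ipfw logging format, so check it against a real /var/log/firewalling before relying on the field positions.

```shell
#!/bin/sh
# Added example: summarise denied packets in /var/log/firewalling.
# SAMPLE_LOG is constructed; the field layout is assumed (see lead-in).
SAMPLE_LOG='Jun  1 10:00:01 mybox kernel: IP fw-in deny eth0 TCP 10.1.2.3:40001 128.32.0.9:23 L=44 S=0x00 I=100 F=0x4000 T=64 SYN
Jun  1 10:00:02 mybox kernel: IP fw-in deny eth0 TCP 10.1.2.3:40002 128.32.0.9:21 L=44 S=0x00 I=101 F=0x4000 T=64 SYN
Jun  1 10:00:03 mybox kernel: IP fw-in deny eth0 UDP 10.9.9.9:1025 128.32.0.9:111 L=60 S=0x00 I=102 F=0x0000 T=250
Jun  1 10:00:04 mybox kernel: IP fw-in deny eth0 TCP 10.1.2.3:40003 128.32.0.9:25 L=44 S=0x00 I=103 F=0x4000 T=64 SYN'

# Read log lines on stdin; print "<count> <source host>" for denied packets,
# busiest source first.  The syslog prefix length varies, so locate the
# "fw-in" token instead of counting from column one.
denied_by_source() {
    awk '
        /IP fw-in deny/ {
            for (i = 1; i <= NF; i++) if ($i == "fw-in") break
            src = $(i + 4); sub(/:[0-9]+$/, "", src)   # strip source port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Read log lines on stdin; print how many distinct destination ports one
# source ($1) was denied on.  Many ports from one host is the crude
# signature of a port scan.
ports_probed_by() {
    awk -v who="$1" '
        /IP fw-in deny/ {
            for (i = 1; i <= NF; i++) if ($i == "fw-in") break
            src = $(i + 4); sub(/:[0-9]+$/, "", src)
            dst = $(i + 5); sub(/^.*:/, "", dst)       # keep only the port
            if (src == who) p[dst] = 1
        }
        END { c = 0; for (d in p) c++; print c }
    '
}

# Usage on the real file:
#   denied_by_source < /var/log/firewalling
#   ports_probed_by 10.1.2.3 < /var/log/firewalling
```

Run against the sample, `denied_by_source` reports 3 denied packets from 10.1.2.3 and 1 from 10.9.9.9, and `ports_probed_by 10.1.2.3` reports 3 distinct ports (23, 21, 25). The script only sees what the firewall logs: with the tutorial's configuration that is whatever your rules mark with -o, so a rule set with no logging rule produces an empty log and an empty summary.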

This tutorial provided to you as a service by the ISAAC security research group. If you have any comments, contributions, criticisms, or questions, you may contact David Wagner.

This tutorial comes with all the standard disclaimers: it works for me, but caveat emptor; it's free, and worth every penny; if it breaks, you get to keep all the pieces. You get the idea.