Setting up Firewall Protection With OpenLinux™ Server Release 3.1.1
by Diana Hurley
version 1.4
Objectives
When you have finished reading this cookbook you should:
- Know what a basic firewall does
- Know how to set up a basic firewall for personal or router usage
- Be able to debug simple configuration issues and know where to look for
applications to test the firewall.
Introduction
In this document you will be shown how to protect your OpenLinux™ system
from attacks via the Internet by unscrupulous persons who use the Internet
for Denial of Service (DoS) attacks, information theft, or just plain hacking.
Unfortunately, any system that spends any time connected to the Internet is
at risk from these people, and systems on an Intranet are not immune either,
which is why most operating systems now have some method of protection built
in; some systems use a third party product that performs this task. There are
so many types of risk that an Internet-connected system needs protection from
that they cannot all be detailed in this document. However, there is a plethora
of information that covers this subject in much detail; see the "References and
Further Reading" section for more information. Suffice it to say that if you
are connected to the Internet, then your system should be protected.
The best rule of thumb for Internet connection protection is not to be
connected at all. However, this is not much help when you have a system and
want to use or provide Internet services such as http or ftp, so you need a
firewall that only has "open" ports for the services you wish to provide. The
default configuration for a firewall is to "DENY" all ports on the interface
to the Internet or Intranet, so that the system appears as if it is not
connected. As this does not allow any interaction with the Internet or
Intranet it is not very practical, and therefore the firewall needs to be
configured to "ACCEPT" input on certain ports, or for ICMP packets (used by
ping and traceroute) for instance.
For a system to communicate with other machines, via a network, it needs
to have "network" interfaces. These interfaces work in the same way as
a keyboard does, taking information in one standard form, and letting the
information into the system so that it can be processed. The network interfaces
are used to link the system to an Intranet via Local Area Network (LAN)
or the Internet via a Wide Area Network (WAN) and can be in the form of
an Ethernet Card, or a modem.
OpenLinux 3.11 Server is based upon the Linux® 2.4 series kernel,
which has firewall protection built in, but it needs to be configured.
By reading the header information of each Ethernet packet that passes through,
the kernel can decide whether to ACCEPT or DENY the packet, based upon
the firewall configuration.
To use the firewall abilities the kernel must have a module loaded,
in a similar way to loading a module to use a network interface card. The
module is either "ipchains", or "iptables", and similarly the rules to
control these modules are also called ipchains and iptables respectively.
Only one of these two modules can be configured and be loaded into the
kernel at a time. They both perform the same function.
This document will concentrate on firewall configuration via the Webmin
interface which configures the "ipchains" in the kernel. As the command
line method requires an in-depth knowledge of iptables or ipchains rulesets,
it is beyond the scope of this document.
Requirements
To be able to follow the details in this document, a number of criteria
must be met, in terms of hardware, configuration and knowledge.
In terms of hardware, the system must be OpenLinux 3.11 Server, and
must have the Webmin™ package installed and working. To test if the system
has Webmin installed, which should be installed by default, enter the following
command:-
- rpm -q webmin
This should return webmin-0.89-4
The system should also have a connection to the Internet or Intranet either
by network interface card, or by modem that is configured and tested.
The system may be configured as a single user personal system, or can
be configured as a router, providing Internet /Intranet connection to a
private LAN.
Background Reading
There are two configurations of firewall, Personal or Router, depending upon
the network configuration of the system.
An example of a Personal firewall system:-
A personal firewall is much simpler than the Router firewall. A Personal
firewall is designed for a system that only has one network interface, be
it LAN / VPN or PPP via the modem. The firewall is just a list of packet
filters that direct the kernel what to do with an IP packet, and in this case
there are only the "INPUT" and "OUTPUT" rules for a single interface; there is
no need for any rules to route the information to another interface.
In this configuration the "Internal" device will be known as "lo" and
the "External" device will be "eth0" for a LAN connection, or "ppp0" for
a modem device connection.
An example of a Router Firewall system:-
A router firewall is much more complex, designed for systems that have
more than one network interface. When configured with this profile, there
are the "INPUT" and "OUTPUT" rules for both network interfaces, and also
the rules for whether IP packets are forwarded to another network interface
or DENY'd. A router firewall can also provide "Network Address Translation"
(NAT), which allows computer systems connected to a private LAN on the second,
"Internal", network interface to route packets through a single IP address
connection to the Internet. An explanation of how NAT works is outside
the scope of this document.
In the case of the router firewall, the "External" interface device
is likely to be "eth0" for a LAN connection or "ppp0" for a modem connection.
The "Internal" device will be a LAN device and therefore the device identification
is most likely to be "eth1".
Useful resources for additional research:-
- Building Internet Firewalls, second edition - from O'Reilly books.
- Chapter 11, Configuring a Firewall server - Caldera OpenLinux® System
administration guide.
Personal Firewall configuration via Webmin
- To configure the firewall via the Webmin interface, call up the Webmin
interface, by using the menu link from the K-desktop menu or by using a
web browser on the server and entering https://localhost:1000/ in the browser.
You should be presented with a login box; if you have a browser with security
messages enabled, then you may find you have to go through a secure site
certificate wizard first.
- Log in to Webmin as user "root" and use the Webmin root password.
- Select "system" from the top right hand of the page.
- Select "ipchains firewalling". If this is the first time that the firewall
admin has been run via Webmin, a "network devices not defined" page will
be displayed, requesting that the corresponding internal and external interfaces
are selected from the drop down boxes. See Background Reading for a definition
of the internal and external interfaces.
- When both interfaces are chosen, save the selections, using the save button.
- Click on the "module config" link.
- Select from the second line down, "personal" and then save the page. See
example below:-
- Select from the row of icons the security level profile that you wish to
have on your system. When the level has been selected Webmin will display
a summary of the firewall rulesets, listing what protocols will be allowed
through the firewall.
An example of "Low" level firewall profile:-
- When the page refreshes, the new level of firewall will be active.
- Check that the system still has Internet access, and that the firewall
rules have not compromised system operation.
- If you find that the firewall is not working, see the "Testing and
debugging the firewall" section.
- You can check to see if the firewall rules are in place by using a command
prompt and entering the following command; "ipchains -L". This should produce
a list of the firewall rules that are currently active.
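Although this cookbook configures the firewall through Webmin rather than at the command prompt, it helps to know what the rules listed by "ipchains -L" represent. The following script is an added example written for this edition; it is not the ruleset that Webmin or the OpenLinux /etc/firewall scripts produce. It emits the ipchains commands for a personal-style firewall: deny-by-default policies, the loopback and ICMP exceptions, DENY lines for the three private address ranges (the "Anti Spoof" protection referred to under Testing and debugging the firewall) and optional open TCP service ports. The interface name eth0, the DNS reply rule and the environment variables are assumptions made here; the script prints the commands by default and only applies them when IPCHAINS=ipchains is set.

```sh
#!/bin/sh
# Added example, not the ruleset written by Webmin or /etc/firewall: emit the
# ipchains commands for a "personal" style firewall on a single external
# interface. Dry run by default (the commands are printed); set
# IPCHAINS=ipchains to apply them as root.
EXT="${EXT:-eth0}"                    # assumption: eth0 for LAN, ppp0 for a modem
OPEN_TCP="${OPEN_TCP:-}"              # e.g. "22 80" to offer ssh and http; empty = none
IPCHAINS="${IPCHAINS:-echo ipchains}" # word-split on purpose: "echo ipchains ..."

# personal_rules: print (or run, see IPCHAINS) the rule set, in order.
# ipchains evaluates a chain top to bottom and the first matching rule wins;
# packets that match nothing fall through to the chain policy set with -P.
personal_rules() {
    # 1. Start clean, then default policies: deny inbound, allow outbound,
    #    forward nothing (a personal firewall has no second interface).
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY
    # 2. Loopback is the "Internal" device of a personal firewall: always trusted.
    $IPCHAINS -A input -i lo -j ACCEPT
    # 3. Anti-spoof: private (RFC 1918) source addresses must not arrive on the
    #    external NIC. -l logs each match to the kernel log for debugging.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPCHAINS -A input -i "$EXT" -s "$net" -j DENY -l
    done
    # 4. ICMP so that ping and traceroute keep working.
    $IPCHAINS -A input -i "$EXT" -p icmp -j ACCEPT
    # 5. Replies to connections this host opened: TCP segments without SYN set.
    $IPCHAINS -A input -i "$EXT" -p tcp ! -y -j ACCEPT
    # 6. UDP replies to DNS lookups we sent (assumed rule; tighten with
    #    -s <your DNS server> when the resolver address is known).
    $IPCHAINS -A input -i "$EXT" -p udp --sport 53 -j ACCEPT
    # 7. Services deliberately offered to the outside, one rule per port.
    for port in $OPEN_TCP; do
        $IPCHAINS -A input -i "$EXT" -p tcp --dport "$port" -j ACCEPT
    done
    # 8. Everything else would hit the DENY policy anyway; an explicit logged
    #    DENY makes port scans visible in the log.
    $IPCHAINS -A input -i "$EXT" -j DENY -l
}

# count_rules: number of commands the generator issues (dry-run helper).
count_rules() { personal_rules | wc -l | tr -d ' '; }

# Run directly: print (dry run) or apply (IPCHAINS=ipchains) the rule set.
personal_rules
```

Run as "sh personal-rules.sh" to print the twelve commands and compare them with the output of "ipchains -L" on the firewall; "OPEN_TCP='22 80' sh personal-rules.sh" adds one ACCEPT line per service. The ordering matters: because ipchains stops at the first match, the three anti-spoof DENY lines are placed before any ACCEPT so that a private source address on the external device is dropped whatever protocol or port it carries, which is exactly the behaviour that blocks a firewall whose "External" device is plugged into a private LAN.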
Router Firewall configuration via Webmin
- To configure the firewall via the Webmin interface, call up the Webmin
interface, by using the menu link from the K-desktop menu or by using a
web browser on the server and entering https://localhost:1000/ in the browser.
You should be presented with a login box; if you have a browser with security
messages enabled, then you may find you have to go through a secure site
certificate wizard first.
- Log in to Webmin as user "root" and use the Webmin password.
- Select "system" from the top right hand of the page.
- Select "ipchains firewalling". If this is the first time that the firewall
admin has been run via Webmin, a "network devices not defined" page will
be displayed, requesting that the corresponding internal and external interfaces
are selected from the drop down boxes. See Background Reading for a definition
of the internal and external interfaces.
- When both interfaces are chosen, save the selections, using the save button.
- Click on the "module config" link.
- Select from the second line down, "router" and then save the page. See
below:-
- Select from the row of icons the security level profile that you wish to
have on your system. When the level has been selected Webmin will display
a summary of the firewall rulesets, listing what protocols will be allowed
through the firewall.
- Select "Masquerading Support" (NAT) if you require it, and select to make
the changes immediately.
An example of "low" firewall security:-
- When the page refreshes, the new level of firewall will be active.
- Check that the system still has Internet access, and that the firewall
rules have not compromised system operation. If the firewall is not working
correctly, see the "Testing and debugging the firewall" section.
- You can check to see if the firewall rules are in place by using a command
prompt and entering the following command; "ipchains -L". This should produce
a list of the firewall rules that are currently active.
Testing and debugging the firewall
You can test your firewall for effectiveness, and check the configuration,
by the following methods:-
- Ping to and from the firewall from both sides of the interface, where possible
or applicable.
- Test applications: check that Internet services like http are still
available when they should be.
Although the firewall is mainly to stop a person with the wrong intent
from accessing certain services on the server, the firewall also provides
protection against the kind of attack that will bring down the server,
e.g. flooding the TCP stack with fragmented packets. To test your firewall for
effectiveness against vulnerability, you should consider enlisting the
use of:-
- Professional port scanning software, e.g. Atelier Web security port scan
(http://www.atelierweb.com/), for Windows clients (this software was used to
test the example firewall for this document.)
- A port scanning service, e.g. "Shields Up" available on line from "http://www.grc.com/"
If you should find that your firewall is not working correctly, or not
at all, then you may wish to consider the following checks:-
- Use Webmin to select the "off" firewall profile and ensure that the system
operates correctly on the network.
- If the "External" interface is connected to a private LAN, then it is likely
that the LAN has a "private" subnet address, e.g. 10.X.X.X, 172.16.X.X or
192.168.X.X, and by default the firewall bans these addresses as part
of its "Anti Spoof" protection. To use the firewall on a private LAN with
a private subnet address, perform the following:-
Using your favourite editor, edit the /etc/firewall/custom file, and
remove the four groups of lines under the comments;
  #Do not accept packets from private class A on ext NIC
  #Do not accept packets from private class B on ext NIC
  #Do not accept packets from private class C on ext NIC
Save the file and exit.
Please be aware that the changes made above will be lost if another
firewall profile is selected from Webmin.
- Perform the following to stop and restart the firewall.
  /etc/rc.d/init.d/firewall stop
  /etc/rc.d/init.d/firewall start
- Retest the firewall connection to external Internet / Intranet services.
- Use a "Packet Sniffer" to follow the packet to its destination and also
to see if there is a response, and if so, where it stops. OL3.11 has
such a program available, called Ethereal. Best run on the firewall itself,
Ethereal can capture all Ethernet packets that travel through the firewall.
Filters can be used to trace the packet from source to destination and
its return.
- Use a piece of software that can also keep statistics on how many times
the firewall has been scanned. This will provide statistics on how many
times the firewall has protected the system. Such a piece of software is
"Webalizer", available from http://www.mrunix.com/webalizer
References and Further Reading
Caldera Open Linux System Admin Guide.
Building Internet Firewalls, second edition, by O'Reilly Books.
Online system "HOWTO" documentation for Iptables and Ipchains, searched
via DocView.
Online man pages for Ipchains, and Iptables.
Right Now Knowledge base, articles #010822-0009, #991112-0009
http://www.cert.org/
http://www.linux-firewall-tools.com/
http://www.linuxfirewall.org/
Feedback
What did you find particularly helpful in this cookbook? Are there mistakes
in this documentation? Could it be organised more usefully? Did we leave out
information you need, or include unnecessary material? If so, please tell us.
To help us implement your suggestions please email olbo@caldera.com,
including relevant details, such as cookbook title and section name.
NOTE: We cannot provide technical support via the above alias. For answers
to technical questions, please contact your Caldera Support Provider or visit
http://www.caldera.com/support for details of support offerings that are
available to you.
Thank you.
Copyright © 2002, Caldera International. All Rights Reserved Worldwide.
Caldera International assumes no responsibility for the accuracy or completeness
of the information in this document. The use of this information or the
implementation of any of these techniques is a customer responsibility
and depends upon the customer's ability to evaluate and integrate them
into the customer's operational environment. Information in this document
is subject to change without notice, and does not imply a commitment on
the part of Caldera.
Caldera, the Caldera logos, OpenLinux, and Webmin are trademarks or
registered trademarks of Caldera International, Inc. in the USA and other
countries. Linux is a registered trademark of Linus Torvalds. All other
brand and product names are or may be trademarks of, and are used to identify
products or services of their respective owners.