Since R5 v1.97 of FireHOL there is the command line argument helpme that will try to guess your configuration on the running machine. To use it, simply run:
/etc/init.d/firehol helpme >/tmp/firehol.conf (installed from RPM), or
firehol.sh helpme >/tmp/firehol.conf (installed from .tar.bz2)
The purpose of the helpme feature is to give you a configuration file that you can modify to get an operational firewall quickly, especially if your firewalling and iptables knowledge is limited. This feature does not stop or alter the running firewall of your machine.
Bellow is the procedure you should follow to manually design a secure FireHOL firewall.
1. Identify all the network interfaces your firewall host has |
To identify your network interfaces use the ip link show command. The example bellow shows my home router ip link show output:
[root@gateway /]# ip link show 1: lo: |
One extra step is to identify if the network interfaces appearing here might dynamically change during run-time. For example my ppp0 might become ppp1 or ppp2 in certain cases. To overcome this problem, I can say that my link to the outside world is not ppp0 but ppp+. The plus character matches all the interfaces that begin with the text given before the plus sign. In this case, it matches all the possible network interfaces that start with ppp.
Keep in mind that FireHOL (and iptables) does not really care if the interface defined in a firewall actually exists or not. This means that you can setup firewalls on interfaces that might become available later or altered during run time. This also means that if you define an interface with a wrong name, FireHOL and iptables will not complain.
2. Give a role to each interface identified |
interface | description | incoming requests | outgoing requests | routing requests in | routing requests out |
---|---|---|---|---|---|
eth0 | My home LAN | Many services from my LAN workstations (i.e. dns, ftp, samba, squid, dhcp, http, ssh, icmp) | A few services my LAN workstations provide (i.e. samba, icmp) | All LAN workstations requests going to the internet | Nothing |
ppp+ | The Internet | I run a public mailer, a public web server and a public ftp server for my domain | All the services my Linux could ask from the internet | Nothing | All LAN workstations requests going to the internet |
Keep in mind that:
interface | name | servers | clients | routing clients | routing servers |
---|---|---|---|---|---|
eth0 | home | dns, ftp, samba, squid, dhcp, http, ssh, icmp | samba, icmp | all | none |
ppp+ | internet | smtp, http, ftp | all | none | all |
3. Create the FireHOL configuration structure |
First write one interface statement for each network interface you identified above:
version 5 interface eth0 home interface ppp+ internet |
Now, we can add the servers for each interface (based on the table above). Remember that these servers are all running on the firewall host:
version 5 interface eth0 home server dns accept server ftp accept server samba accept server squid accept server dhcp accept server http accept server ssh accept server icmp accept interface ppp+ internet server smtp accept server http accept server ftp accept |
version 5 interface eth0 home server dns accept server ftp accept server samba accept server squid accept server dhcp accept server http accept server ssh accept server icmp accept client samba accept client icmp accept interface ppp+ internet server smtp accept server http accept server ftp accept client all accept |
At this point, everyone should be able to inter-operate correctly with the firewall host, but still we don't route any traffic. This means that the linux box can "see" all the workstations on the LAN and these workstations can "see" the linux box, also that the linux box can "see" the Internet and the Internet can "see" the servers of the ppp+ interface of the linux box, but the LAN workstations cannot "see" the Internet.
It is now time to setup routing. To do this we will have to define a set of routers for all the interface combinations. This means that if we have two interfaces we will have to define two routers. If we have 3 interfaces, we will have to define 6 routers, and so on.
version 5 interface eth0 home server dns accept server ftp accept server samba accept server squid accept server dhcp accept server http accept server ssh accept server icmp accept client samba accept client icmp accept interface ppp+ internet server smtp accept server http accept server ftp accept client all accept router home2internet inface eth0 outface ppp+ router internet2home inface ppp+ outface eth0 |
Remember that inface and outface match the requests, not the replies. This means that the router home2internet matches all requests originated from eth0 and going out to ppp+ (and of course their relative replies in the opposite direction), while the router internet2home matches all the requests from the Internet to the home LAN (and their relative replies back).
Now, based on the roles table of the previous section we see that we should route all requests coming in from eth0 and going out to ppp+, and do not route any request coming from the internet and going out to the home LAN. Here it is:
version 5 interface eth0 home server dns accept server ftp accept server samba accept server squid accept server dhcp accept server http accept server ssh accept server icmp accept client samba accept client icmp accept interface ppp+ internet server smtp accept server http accept server ftp accept client all accept router home2internet inface eth0 outface ppp+ route all accept router internet2home inface ppp+ outface eth0 |
This is it. We are done! (for the filtering part of the firewall. Look bellow for setting up NAT too.)
4. Optimizing the firewall |
version 5 interface eth0 home server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet server "smtp http ftp" accept client all accept router home2internet inface eth0 outface ppp+ route all accept |
Note that we can remove any router statements not having any rules in them, so the internet2home router has been eliminated.
We might want to have extra checks on each interface to prevent spoofing. To find the IPs of your network interfaces use ip addr show and to find the IP networks behind each interface use ip route show.
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" server "smtp http ftp" accept client all accept router home2internet inface eth0 outface ppp+ route all accept |
If home LAN did not had real IP addresses, we would have to add a masquerade command in our router:
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" server "smtp http ftp" accept client all accept router home2internet inface eth0 outface ppp+ masquerade route all accept |
We can now protect our ppp interface even further. For this we use the protection command:
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" protection strong 10/sec 10 server "smtp http ftp" accept client all accept router home2internet inface eth0 outface ppp+ masquerade route all accept |
It could be nice if instead of dropping wrong packets originated from the Ethernet, to reject them so that our workstations will not have to timeout if we do something that is not allowed. To do this we use the policy command:
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" policy reject server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" protection strong 10/sec 10 server "smtp http ftp" accept client all accept router home2internet inface eth0 outface ppp+ masquerade route all accept |
Some servers on the Internet try to ident back the client to find information about the user requesting the service. With our current firewall, such servers will have to timeout before accepting our request. To speed thinks up we could write:
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" policy reject server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" protection strong 10/sec 10 server "smtp http ftp" accept server ident reject with tcp-reset client all accept router home2internet inface eth0 outface ppp+ masquerade route all accept router internet2home inface ppp+ outface eth0 route ident reject with tcp-reset |
The whole routing schema could be rewritten as:
version 5 # The network of our eth0 LAN. home_ips="195.97.5.192/28" interface eth0 home src "${home_ips}" policy reject server "dns ftp samba squid dhcp http ssh icmp" accept client "samba icmp" accept interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}" protection strong 10/sec 10 server "smtp http ftp" accept server ident reject with tcp-reset client all accept router internet2home inface ppp+ outface eth0 masquerade reverse client all accept server ident reject with tcp-reset |
We could use the first router (home2internet) to do everything, but then the client and server commands would need be reversed (server all, client ident) which would be confusing.
|
$Id: tutorial.html,v 1.16 2004/10/31 23:43:25 ktsaou Exp $
FireHOL, a firewall for humans... |