The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]
Firewalls - an overview 29 October 1998
Need more help on this topic? Click here
This article has no comments
Show me similar articles
A firewall is a fireproof wall to prevent spread of fire.  Some examples of firewalls most people know about are:
  • between the engine and passenger compartments of a vehicle
  • between the walls of two attached buildings
  • between a house and an attached garage

In computing terms, a firewall protects a computer system from unauthorized access and/or attack.  If your computer is always attached to the Internet, a firewall is a good idea.  Even if you dial up only occasionally, it may still be a wise investment.

In this article, I will talk about about packet filtering firewalls.   This is a firewall where each incoming packet is examined and compared against a set of rules.  The packet is either allowed to pass or it is blocked.  There is another type of firewall which is a proxy firewall where new requests are created instead of allowing the original packet to pass.  In both cases, a set of rules is established which defines which packets are permitted and which are not.

I will show you how to install two firewall packages:

  • ipfw - supplied with FreeBSD
  • IP Filter - written by Darren Reed
Who needs a firewall?
It is important to note that a firewall does more than just protect against unauthorized access.  It also provides some protection against attack.  If you've ever been on IRC, you've probably heard about nuking.  A good firewall should prevent such attacks.  NOTE: you cant winnuke FreeBSD, but if you're also running a Windows machine, a firewall can stop winnukes.  From what I understand, most of the nuke programs deal specifically with Microsoft operating systems.
A warning
I am not a security expert.  My area of expertise is in software design, not security.  If you want great security advice, go elsewhere.  This article is merely an introduction.  For more information, start with a list of security publications held by National Institute of Standards and Technology.
Assumptions
I will be assuming that you have more than one computer and that you will be using a FreeBSD box as a gateway for the other computers.  Your gateway will connect to your ISP and provide Internet access for your other computers.  In such circumstances, it is common to have some sort of network address translation (NAT).  This is needed because your ISP normally only supplies you with one IP address which must be shared amongst all of your computers.  NAT provides a translation method.

We will be using natd for NAT and ipfw for our firewall.

IP Filter
IP Filter is an extremely robust and commercial-grade application.  If you are running a production box, you should be thinking about IP Filter.   For a home sub-net, I think it is overkill.

IP Filter - an alternative firewall and NAT to ipfw/natd

ipfw/natd
When I first used FreeBSD, I installed natd and ipfw from the start.   That was not because I wanted a firewall, but because I wanted a gateway.  I was pleased with the results, but there are some limitations.

Gateways - installing natd/ipfw, firewall, dual-homed hosts


Need more help on this topic? Click here
This article has no comments
Show me similar articles