Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
A firewall is a fireproof wall to prevent spread of fire. Some examples of
firewalls most people know about are:
between the engine and passenger compartments of a vehicle
between the walls of two attached buildings
between a house and an attached garage
In computing terms, a firewall protects a computer system from unauthorized access
and/or attack. If your computer is always attached to the Internet, a firewall is a
good idea. Even if you dial up only occasionally, it may still be a wise investment.
In this article, I will talk about about packet filtering firewalls.
This is a firewall where each incoming packet is examined and compared against a set of
rules. The packet is either allowed to pass or it is blocked. There is another
type of firewall which is a proxy firewall where new requests are created instead
of allowing the original packet to pass. In both cases, a set of rules is
established which defines which packets are permitted and which are not.
I will show you how to install two firewall packages:
ipfw - supplied with FreeBSD
IP Filter - written by Darren Reed
Who needs a firewall?
It is important to note that a firewall does more than just protect against
unauthorized access. It also provides some protection against attack. If
you've ever been on IRC, you've probably heard about nuking. A good firewall should
prevent such attacks. NOTE: you cant winnuke FreeBSD, but if you're also running a
Windows machine, a firewall can stop winnukes. From what I understand, most of the
nuke programs deal specifically with Microsoft operating systems.
I am not a security expert. My area of expertise is in software design, not
security. If you want great security advice, go elsewhere. This article is
merely an introduction. For more information, start with a list of security
publications held by National Institute of
Standards and Technology.
I will be assuming that you have more than one computer and that you will be using a
FreeBSD box as a gateway for the other computers. Your gateway will connect to your
ISP and provide Internet access for your other computers. In such circumstances, it
is common to have some sort of network address translation (NAT). This is needed
because your ISP normally only supplies you with one IP address which must be shared
amongst all of your computers. NAT provides a translation method.
We will be using
natd for NAT and ipfw for our firewall.
IP Filter is an extremely robust and commercial-grade application. If
you are running a production box, you should be thinking about IP Filter.
For a home sub-net, I think it is overkill.
IP Filter - an alternative firewall and NAT to ipfw/natd
When I first used FreeBSD, I installed natd and ipfw from the start.
That was not because I wanted a firewall, but because I wanted a gateway. I
was pleased with the results, but there are some limitations.