## An Overview
## Dan Langille
A firewall is a fireproof wall to prevent spread of fire. Some examples of
firewalls most people know about are:
- Between the engine and passenger compartments of a vehicle.
- Between the walls of two attached buildings.
- Between a house and an attached garage.
In computing terms, a firewall protects a computer system from
unauthorized access and/or attack. If your computer is always attached
to the Internet, a firewall is a good idea. Even if you dial up only
occasionally, it may still be a wise investment.
In this article, I will talk about packet filtering firewalls. In this
kind of firewall, each packet is examined and compared, in order,
against a set of rules; the first rule that matches decides whether the
packet is allowed to pass or is blocked. The other main type is a proxy
firewall, which never forwards the original packet at all: the proxy
accepts the client's request and creates a new request of its own to
the destination. In both cases, a set of rules is established which
defines which traffic is permitted and which is not.
I will show you how to install two firewall packages: IP Filter, and
ipfw together with natd.
### Who needs a firewall?
It is important to note that a firewall does more than just protect
against unauthorized access. It also provides some protection against
attacks on the machine itself. If you've ever been on IRC, you've
probably heard about nuking, where someone sends deliberately malformed
packets to crash or disconnect your machine. A good firewall should
prevent such attacks.
NOTE: You can't WinNuke FreeBSD, but if you're also running a Windows
machine behind the gateway, a firewall can stop WinNukes. From what I
understand, most of the nuke programs deal specifically with Microsoft
operating systems. (WinNuke in particular sends out-of-band TCP data to
the NetBIOS port, 139; a gateway rule that blocks inbound TCP to port
139 stops it before it reaches the Windows host.)
### A warning
I am not a security expert. My area of expertise is in software
design, not security. If you want great security advice, go elsewhere.
This article is merely an introduction. For more information, start
with a list of security publications held by
.
### Assumptions
I will be assuming that you have more than one computer and that you
will be using a FreeBSD box as a gateway for the other computers.
Your gateway will connect to your ISP and provide Internet access for
your other computers. In such circumstances, it is common to have some
sort of network address translation (NAT). This is needed because your
ISP normally only supplies you with one IP address which must be shared
amongst all of your computers. NAT rewrites the addresses in packets
passing through the gateway so that every machine on your network
appears to the outside world to be that single address, and replies
are translated back to the inside machine that sent the request. For
more information on NAT, see the natd(8) manual page; natd was written
by Charles Mott.
We will be using natd for NAT and ipfw for our firewall.
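The following is an added example, not part of the original article, showing what the "set of rules" described earlier looks like for exactly the gateway assumed here: ipfw hands every packet crossing the outside interface to natd, then applies an ordered, default-deny rule list. The interface names (ed0 toward the ISP, ed1 toward the inside network) and the inside network 192.168.1.0/24 are assumptions; so is the divert port name `natd`, which is what /etc/services calls port 8668. The script only prints the rules unless run with `--apply`, so it can be inspected safely first.

```shell
#!/bin/sh
# Added example (not from the article): a minimal default-deny ipfw
# ruleset for a FreeBSD gateway that runs natd for NAT.
# Assumed values: ed0 = interface toward the ISP, ed1 = interface toward
# the inside network, 192.168.1.0/24 = inside network, and natd started
# on the divert port named "natd" (8668 in /etc/services).

gen_ipfw_rules() {
    ext_if="$1"    # interface facing the ISP, e.g. ed0
    int_if="$2"    # interface facing the inside network, e.g. ed1
    int_net="$3"   # inside network, e.g. 192.168.1.0/24
    cat <<EOF
ipfw -f flush
# Every packet crossing the outside interface goes to natd first, so
# translation happens before the filter rules below look at it.
ipfw add 100 divert natd all from any to any via $ext_if
# Loopback is trusted; 127/8 addresses on a real wire are forged.
ipfw add 200 allow all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8
ipfw add 400 deny all from 127.0.0.0/8 to any
# Anti-spoofing: inside addresses must never arrive from the ISP side.
ipfw add 500 deny log all from $int_net to any in via $ext_if
# Trust the inside interface: LAN hosts may reach the gateway and the
# Internet, and NAT'd replies may be forwarded back to them.
ipfw add 600 allow all from any to any via $int_if
# After natd has rewritten the source, let outbound traffic leave.
ipfw add 700 allow all from any to any out via $ext_if
# Inbound from the ISP: only replies to TCP sessions opened from inside.
ipfw add 800 allow tcp from any to any established in via $ext_if
# DNS answers to queries we sent come back as UDP from port 53.
# Caveat: anyone can send from source port 53, so keep this narrow.
ipfw add 900 allow udp from any 53 to any in via $ext_if
# ICMP echo reply, unreachable (path MTU discovery) and time exceeded.
ipfw add 1000 allow icmp from any to any in via $ext_if icmptypes 0,3,11
# Default: block and log everything not explicitly permitted above.
ipfw add 65000 deny log all from any to any
EOF
}

# Usage: sh firewall.sh --apply ed0 ed1 192.168.1.0/24
# Without --apply the rules are only printed for review.
if [ "${1:-}" = "--apply" ]; then
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; exit 1; }
    gen_ipfw_rules "$2" "$3" "$4" | sh -e
else
    gen_ipfw_rules "${2:-ed0}" "${3:-ed1}" "${4:-192.168.1.0/24}"
fi
```

Two things have to be in place for the rules to do anything: the kernel needs `options IPFIREWALL` and `options IPDIVERT` (the second is what makes the `divert` rule possible), and /etc/rc.conf needs `gateway_enable="YES"`, `natd_enable="YES"`, `natd_interface="ed0"`, `firewall_enable="YES"` and `firewall_type` pointing at the file holding these rules. Remember that with a compiled-in default-deny policy, a flush with no rules loaded locks you out of the box over the network, so run this at the console the first time.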
### IP Filter
IP Filter is an extremely robust, commercial-grade package. If you are
running a production box, you should be thinking about IP Filter. For
a home subnet, I think it is overkill.
- IPFilter: an alternative firewall and NAT to ipfw/natd.
### ipfw/natd
When I first used FreeBSD, I installed natd and ipfw from the start.
That was not because I wanted a firewall, but because I wanted a
gateway. I was pleased with the results, but there are some
limitations.
- Gateways: installing natd/ipfw, firewall, dual-homed host.
Return to Issue #1