Firewall 101

You have probably heard that the Internet is the world at your fingertips. Your parents also probably told you to never take anything from strangers. Yet, being on the Internet and functioning in any reasonable manner means that you are going to receive all kinds of things from strangers. It cannot be avoided.

I am placing this here for those of you that do not have a firewall in place. If you know what a firewall is for your computer system, then you probably also know that it will help to keep you from receiving things from strangers that you do not want to have. If you do not have a firewall in place for some reason, then you need this script. If you are one of those that do not know what a firewall is, then you really need this script!

[ Update: ]
Due to various things (my dedicated firewall needs hardware, I have been testing MDK 10.2 & everything gets formatted often, I do not like shorewall & I am lazy :), I have not had a firewall installed, but since this system is going to be on the net for a while and this page has not been tested in a l o n g while, I decided it was a good idea to install one.
I just used this page's information and file to install a firewall using kernel 2.6.11-6mdk & iptables-1.2.9-7mdk on a Mandrakelinux 10.2RC1 system. It works great!
All major ports are stealthed according to GRC.

D!, FWBuilder & iptables are good: it works just as well today as years ago when I first put this page up. So, if you are wondering if this page will still help you, it will. And it is still *free*. Enjoy!
[ EndUpdate ]

What it is:
It is the output of a program called Firewall Builder (hence the name fwbuilder). It is a very simple firewall that makes your Mandrake Linux box invisible to anyone who does not have the privileges to be accessing your system. That is commonly referred to as "stealth mode" and is about as good as you can get without a heck of a lot of customization.
It is a very basic firewall meant for a standalone (Mandrake) Linux system that uses eth0 and ppp0, with a dynamically assigned address from the ISP of your choice. Combined with the fact that your address is dynamically assigned, most rude people are going to leave you alone. After all, they have plenty of MS Windows boxes to choose from that are, relatively, easy pickin's.
It allows me to surf as freely as if there were no firewall in place and allows all my local connections to be accessed on demand. Any connection that I make is allowed to return data to me as needed. It blocks and drops everything else. It is currently set up to log all "drops" under the "CatchAll" rule to /var/log/syslog. I monitor syslog fairly often to see if someone is hammering my box. Yes, it does happen but fortunately, not very often. I will add that the frequency of that has dropped off since the firewall has been in place.
It has the beginnings of masquerading, for a system that is connected to one or more computers at your location via an ethernet card (NIC), but it will require you to use fwbuilder to complete the design for your particular circumstances, protocols, network interfaces, etc. if you need to use it that way. IOW, masquerading is not needed for a standalone system, and as posted the script is not usable without modification on a system that has other systems connected to it (an intranet) if you want those systems to access your box. You can use the XML source (near the bottom of this doc) and fwbuilder to fix that very easily.
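The policy described above (drop everything by default, keep loopback and the local NIC open, let replies to connections you started back in, and log the catch-all drop to syslog) written out as a minimal iptables script. This is an added example for this page, not the fwbuilder-generated script the page links to. The interface names ppp0 and eth0 and the "CatchAll" rule name come from the page; the generator functions, the FW_ACTION switch and the check helpers are my own assumptions. The `-m state` match is used because the page targets kernel 2.4 and iptables 1.2.x.

```shell
#!/bin/sh
# Added example (not the page's fwbuilder output): a "stealth" ruleset for a
# standalone box. Packets that no rule accepts are logged and then DROPped,
# never REJECTed, so a port scanner sees nothing at all (the difference
# between "stealth" and "closed" discussed on the page).

EXT_IF="${EXT_IF:-ppp0}"   # assumed: PPPoE link to the ISP
LAN_IF="${LAN_IF:-eth0}"   # assumed: local NIC, trusted
LOG_PREFIX="CatchAll: "    # rule name borrowed from the page

# Print the iptables commands rather than running them, so the policy can
# be reviewed first; pipe the output to sh as root to apply it.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
iptables -A INPUT -j LOG --log-prefix "$LOG_PREFIX" --log-level info
iptables -A INPUT -j DROP
EOF
}

# The opposite: flush every chain and accept everything (the box is then
# wide open, so do this off-line).
gen_reset() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
EOF
}

# Sanity checks on the generated policy; these need no root.
rules_drop_by_default() {
    gen_rules | grep -q '^iptables -P INPUT DROP$'
}

rules_log_before_drop() {
    # The LOG rule must come before the final DROP or nothing is ever logged.
    log_line=$(gen_rules | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(gen_rules | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

case "${FW_ACTION:-print}" in
    print) gen_rules ;;          # review the rules first
    apply) gen_rules | sh ;;     # install them (as root)
    reset) gen_reset | sh ;;     # open everything up again
    *) echo "FW_ACTION must be print, apply or reset" >&2; exit 1 ;;
esac
```

Run it with FW_ACTION=print to read the rules, FW_ACTION=apply as root to install them, and FW_ACTION=reset to drop back to accept-all. The LOG target writes to the kernel log, which klogd and syslogd normally route into /var/log/syslog, so the tail command further down this page shows these "CatchAll:" lines as they happen.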

What it is not:
It is not an expert or "professionally" designed firewall. You can either pay somebody a lot of money to set up a firewall for you (it takes quite a bit of time for even simple intranets) or you can spend the time yourself to figure out what all the pieces are and how they fit together. I am not a security expert and will not do that for you, so do not ask.

It is not guaranteed in any way whatsoever!

It may allow someone to access your system without permission; it may bring your system to its knees; it may not work at all, etc. Although it is unlikely that it will do any more than protect your system, I have no idea what you will do or how you will implement the script and make no warranty of any kind. It works absolutely flawlessly here so far. I have been using it and various modifications for about a month (as of Jan 2003).

What it needs:
Other than the normal stuff (bash, etc.), Linux 2.4.x and iptables (V4) are required. You may also need "logger" from the util-linux-2.11u-1mdk RPM package. Mandrake Linux 9 has all of that in a typical install, but you might want to make sure those are installed. Your system should be using PPPoE to make your connections.
I have not tested it with a normal serial port modem (yet), but the principles are the same and you can massage it a bit if you are having trouble.
If you want to modify it for masquerading, etc., you will need at least the rc.firewall.01.xml document (near the bottom of this page), fwbuilder, libfwbuilder4 and fwbuilder-ipt files. The Firewall Builder developers are currently posting Mandrake Linux 9 versions, so you can just get the ones I listed from their site (nice guys, huh!). If you have older versions already installed, UNinstall them first before installing the newest version from the FWB site. Uninstalling, here, did not remove the files that I had already built with fwbuilder, so it should be safe to uninstall it. Version 1.0.8 fixes some rather old and ugly bugs that are in the 1.0.7 version distributed with ML9. Believe me, it is worth the effort to get it and install it.

Since time is ticking, the script source follows and the instructions to get it running are below it. Here's a link you can use if you do not want to copy and paste the script:
Name Your Firewall!.fw

Please note: It will NOT run with the current information! It has to be very slightly modified (in two places) for your system.



All you have to do is modify the IP address to match your system and then run the script. Logging to syslog is enabled and you can see what the firewall is doing by tailing syslog in a shell. A little better explanation is that you need to replace the "WWW.XXX.Y.ZZ" in the above script with your eth0 address. You can get your eth0 address by typing
ifconfig
at a CLI prompt in a bash shell.

It will return with a display of some information similar to the following:

    eth0 Link encap:Ethernet HWaddr 00:01:3A:00:BB:BB
    inet addr:WWW.XXX.Y.ZZ Bcast:WWW.XXX.Y.zzz Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1


    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1


    ppp0 Link encap:Point-to-Point Protocol
    inet addr:65.67.86.143 P-t-P:65.67.87.254 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
(some details omitted for brevity)

The address following "inet addr:" on your system's display is the address you need to substitute into the script for the two places that have WWW.XXX.Y.ZZ shown in the script.
For example, in the case of 65.67.86.143 as the IP address shown above, executing will create a new file named MyFW.fw with 65.67.86.143 in place of the WWW.XXX.Y.ZZ pseudo IP address. Then and MyFW.fw is ready to execute with You can also change "guessWho" in the two spots of the script to your name.
If you happen to be using ethX where X is not equal to 0, then you will have to change that too for all occurrences in the script.
Otherwise, leave it alone if you want it to work!

You can use the rc.firewall.01.xml document that follows to modify the script with fwbuilder anyway you want, if you so choose and need to do it to get a firewall running for your specific configuration.

AFTER you have made the address changes, you can run the script from any bash shell. If the script is named yourMachineName.fw (and the script is executable, i.e., you performed a chmod +x yourMachineName.fw), just type
./yourMachineName.fw
and the script will install an iptables basic firewall for you. ( Yes, you need to be in the same directory where you saved the NameYourFirewall.fw script. )

That's it! Your system is protected.

If you want to check it, you can go to get your "shield" tested at various places. The easiest I have found is GRC:
http://grc.com/x/ne.dll?rh1ck2l2
Scroll down a bit and find the "ShieldsUp!" link; click on it to open that page and select the "Probe My Ports". All ports should be reported as "Stealth" mode, i.e., you are invisible to anyone that does not know your box is on the net. Although the site is designed for MSwindows users, it does not matter for the test.

If you execute
tail -n152 -f /var/log/syslog
in a shell, you can see who is bouncing signals off of your box which are subsequently being DROPPED in a realtime display. (note: Use CTRL-C to quit.)
[Update:]
I hope this is obvious but I just realized that I did not mention what happens when you shut down the internet connection or, e.g., turn off your system or reboot.
The script has to be modified with your new IP address every time you get one.
It's a simple grep & replace, easy to do...
E.g., if your IP address was 70.243.170.156 and the new one is 71.243.173.152, and the current fwbuilder file is myfw1.fw, one can
sed 's/70\.243\.170\.156/71\.243\.173\.152/g' myfw1.fw > myfw2.fw
from the directory where the file is located. Do NOT try to overwrite the same file using this method (the shell truncates the output file before sed has read it).
Coincidentally,
sed 's/WWW\.XXX\.Y\.ZZ/71\.243\.173\.152/g' NameYourFirewall.fw > MyFW.fw
works too..;)
Of course, opening the file with your favorite text editor and manually changing the address in the two spots will work just as well.
[endUpdate]
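The address swap from the sed one-liners above, as a shell function added for this page (not from the original). It escapes the dots so sed matches them literally, refuses the in-place overwrite the page warns against, rejects a replacement that is not an IPv4 address, and counts the occurrences so you can confirm both spots changed. The two-line template built by demo is a constructed stand-in for the real .fw script; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: replace the IP address in a
# fwbuilder-generated script with the checks the bare sed one-liners skip.

# Make the dots in an address literal for sed; an unescaped "." matches any
# character, so "70.243.170.156" would also match "70x243x170x156".
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Accept only four dotted decimal fields (a cheap sanity check, not a full
# range check of each octet).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: subst_ip OLD NEW SRC DST
# Writes DST from SRC with every OLD replaced by NEW. Refuses to write SRC
# in place, as the page warns, and refuses a NEW that is not an address.
subst_ip() {
    old=$1; new=$2; src=$3; dst=$4
    is_ipv4 "$new" || { echo "not an IPv4 address: $new" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "refusing to overwrite $src in place" >&2; return 3; }
    sed "s/$(escape_dots "$old")/$new/g" "$src" > "$dst"
}

# Number of times ADDR occurs in FILE; the page's script has it in two spots.
count_addr() {
    grep -o -- "$(escape_dots "$1")" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed two-line template (not the real script).
# Prints the path of the rewritten file.
demo() {
    dir=$(mktemp -d)
    printf 'ADDR=WWW.XXX.Y.ZZ\n$IPTABLES -A INPUT -d WWW.XXX.Y.ZZ -j ACCEPT\n' \
        > "$dir/NameYourFirewall.fw"
    subst_ip WWW.XXX.Y.ZZ 65.67.86.143 "$dir/NameYourFirewall.fw" "$dir/MyFW.fw"
    echo "$dir/MyFW.fw"
}

f=$(demo)
echo "wrote $f with $(count_addr 65.67.86.143 "$f") replacements"
```

The occurrence count is the check worth keeping: if it does not come back as 2 for the new address and 0 for the old one, the script still carries a stale address and the firewall will load with the wrong host in its rules.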

More Details

Why is it:
Everyone needs a basic firewall in place before accessing the Internet. Unfortunately, the various firewalls that are out there are unusually complicated and designed for SOHO and medium to large businesses. When I tried to use Shorewall as supplied in the Mandrake Control Center (MCC) it worked so well that I could not even connect to my own local system -or- it allowed everything and EvERryBoDy to access the system. IOW, it did not work. Shorewall is a complicated firewall system to learn. I was able to find a "Standalone" version that Mandrake Linux has installed, but it allowed some ports to be closed rather than dropped (most notably, IDENT port 113). Closed ports mean your box exists but you are not 'open for business', so to speak. Well, some people do not care whether you are 'open for business' or not and will try to access your box regardless.
Because of those things, I had to spend a lot of time surfing, reading and learning just to get a good iptables firewall in place that would DROP all connections except the ones I wanted. Portsentry had done that for versions of Linux before 2.4, but with the many advantages of iptables and Linux 2.4 plus some other reasons ( http://www.linux.ie/articles/portsentryandsnortcompared.php ), I decided not to use Portsentry.
I, of course, want my local loopback and Intranet to work and I need to be able to contact any http or ftp site via browser or some other means as long as I initiate the connection. In particular, I needed my Folding@home projects to be able to upload and download work units without any problems or personal intervention. Although I am working on an Apache Extranet server, qmail, and a few other projects, they are not ready and I do not want anyone other than myself to access them. IOW, my needs are not complicated at this time. Your mileage will vary and mine will change in the future. :)
By and large, I think the majority of people that need protection are the single-system, "standalone", surfers. Reading page after page of acronym-filled documents is frustrating even for someone who normally reads technical literature. I think it may cause the normal person to just give up and "hope for the best". The latter is a very dangerous thing to do. Your box can be oWnED by a stranger in less than FIFTEEN minutes!
That script, above, is here to get you some protection right away.


For the future, now or later, you can get fwbuilder-1.0.8 (or greater) and spend some time designing the firewall you really need or want. You can get it from the Firewall builder site http://www.fwbuilder.org/ at:
http://www.fwbuilder.org/pages/downloads/downloads.php. There are even Cisco & M$ Windows versions of FWBuilder available now, http://www.netcitadel.com/p/cat_fwb_gui_download.html (for a price, of course).

In other words, I think this is a good firewall to start with but everybody's needs are different and you can (and should) adjust it to meet your needs.

In order for you to make those adjustments I have posted the source for the XML file which was used by the fwbuilder compiler to create the script that was posted above. The XML document is what is loaded into fwbuilder when you do an "Open" file. The version that I have posted below has been spayed, :), meaning personally identifiable information for me and my system has been changed to protect the innocent (me). You can use this XML document as a guide when building the firewall you need. It should decrease the time spent considerably. At least it would have for me if I could have found such a document somewhere...

If you want to inspect the source after you get it onto your box, I'm putting a link here to download it. However, there is no guarantee that you can get it. There are bandwidth and other limitations for the Lycos "free with ads" sites. Right click on the following link and "Save As" or, in Galeon, "Download Link":

  rc.firewall.01.xml

However, even if that does not work, you can "Select All" and copy it from below. Then paste it into a blank document created with a text editor and save it as rc.firewall.01.xml (or whatever you want).

Either way, I hope it helps. Here's the source:
[Update] This source was via fwbuilder 1.08 but current version is 2.06. This source might not work with the current fwbuilder release. IHNI and probably won't be testing it since the script above works for me... [EndUpdate]



Yep, it is a long script to be posted. Okay, it is really long.:) It's about 50KB in size. I placed it here because it is the source and you need to be secure in the fact that you know exactly what you are getting for the security of your system(s).
In order to use it, you can load it the way it is into fwbuilder and then modify it to change the names to whatever suits you - should not take more than a few minutes.
However, it will be easier and faster if you will open the rc.firewall.01.xml file in nedit, xemacs, gedit or some other text editor and do a "Search and Replace" for all occurrences of " Name Your Firewall! ", " your.box.name " and " 01.01.01.01 " to replace them with the appropriate information and then save it. When you open up the file in fwbuilder, there will not be much to change.
Either way, you are, obviously, going to need to change the name "your.box.name" to the name you get when you type " hostname " at a CLI shell prompt. That's in two places in the xml file. And you will need to change the 01.01.01.01 to the eth0 address of your box (also two places). The firewall name, currently "Name Your Firewall!", should be changed to the name you want to use for your machine. That is, if you have a Dell xyz computer, then call it DellxyzFW (or whatever... something like that) which will identify the machine among the others in your Intranet.
Once again, if you are not using eth0 for your internet connection, you will also have to change that to match your specific configuration in all occurrences in the file.

The current names are
Name Your Firewall! for the Firewall Machine Name and will also be the script's executable name;
your.box.name for address 01.01.01.01 ;
lo for localhost.localdomain address 127.0.0.1 ;
ppp0 for a 'dynamic address' .


As long as all the changes have been made correctly, fwbuilder will compile the XML document successfully. Here's what fwbuilder will look like if you do not change the file before opening it. The link will open in a new window: Example 1

After you make any other changes you need, save the file with a new name of your choice and then "compile" it. If we did not screeeww-up, you will have a brand new firewall ready to run and modify any way you need. The new firewall's executable name will be what you substituted for the "Name Your Firewall!" (it is in the fwbuilder "General" box-widget). Just execute it ( ./theNameYouChose.fw ) to get it started.

After you are satisfied that your box is protected and you can Work&Play as normal, you can then work on putting the script into the /etc/init.d scripts so that it will start up every time you start your Linux system and so that you can start, status and stop it with a web interface such as Webmin or from the CLI. There are some samples of how to do that at the Firewall Builder site and other places.

If you want to see the firewall iptables chains, just at any command prompt.

One last thing. Remember this command: If all goes haywire and the firewall you designed is keeping you from getting anywhere, that will "flush" all the chains and reset the iptables rules to "ACCEPT" all connections in, forwarding and out. I would not suggest being connected to the internet if you do that, as your box will be as bare-ass as a newborn baby. :)

Oh yeah, updates? I will modify the layout of this (I do not like it much) and, if necessary, update the script(s) when I get a chance.

Good Luck!