Title: Overview of Firewall software for Linux

KBTAG: kben10000019
URL: http://www.securityportal.com/lskb/10000000/kben10000019.html
Date created: 17/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Various firewall software packages for Linux
Keywords: Network/Firewall

Summary:

Firewalling is the practice of filtering network traffic, typically at the point where your network connects to another network (e.g. the Internet, a customer's LAN, etc.) that may be untrusted (in the case of the Internet) or perhaps even trusted (another floor of your building). Like the firewalls in a large building, a network firewall can contain the spread of an attack: if one segment is compromised, the firewall can stop the rest of your network from being compromised as well. There is a good FAQ on Internet firewalls at: http://www.interhack.net/pubs/fwfaq/. A paper on identifying ports and explaining what they do is available at: http://www.robertgraham.com/pubs/firewall-seen.html.

More information:

Linux has had firewalling capability for quite a while now in the form of ipfwadm, which was a very simple packet-level filter. With the advent of kernels 2.1 and 2.2 this was replaced with ipchains, which is quite a bit more sophisticated. This in turn has been replaced in kernels 2.3 and 2.4 with an even more advanced packet filter called NETFILTER. IPFWADM and IPChains are basic packet filters and do not have advanced features such as stateful inspection or some types of connection proxying. NETFILTER does support stateful packet inspection, as do several commercial firewall packages for Linux. Linux also supports IPMASQ, an advanced form of NAT (Network Address Translation). IPMASQ allows you to hook up a network of computers to the Internet but proxy their connections at the IP level, so that all traffic appears to be coming from and going to one machine (the Linux IPMASQ box), which affords a high degree of protection to the internal network. As an added bonus, the clients on the internal network require NO proxy configuration; as long as the Linux IPMASQ server is configured correctly and the clients use it as their default gateway, things will work quite well.

Downloads:

IPFWADM

Ipfwadm is a solid packet filter for Linux, although it lacks a lot of the features available in ipchains. Ipfwadm only supports 3 targets for a packet: accept, deny or reject, whereas ipchains rules can be pointed at 6 built-in targets or a user-defined target. Ipfwadm is really only appropriate for a simple IP-level firewall, IP masquerading, and if you plan to use FreeS/WAN (which currently does not support kernel 2.2.x). The basic options are: specify a direction (in, out, or both, useful with the interface flag), input rules, output rules, forwarding rules (say you have multiple interfaces; this also covers the masquerading rules) and masquerade rules which control the behavior of masquerading (timeouts, etc.). You can insert, append and delete rules, set default policies, and list all the rules. Other than that it is very similar to ipchains, with some minor variations. IPFWADM is obsolete and should not be used.

IPCHAINS

ipchains contains several new features compared to ipfwadm; you can create chains of rules (hence the name) and link them together, making administration of firewalls far easier. IPChains supports more targets than ipfwadm; you can point a rule at ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN, or at a user-defined chain. As such it is very powerful: for example, I could redirect all packets bound for port 80 (www traffic) going through my gateway machine to local port 3128, the Squid proxy server. You can also use this in conjunction with quality of service routing; the example given in ipfwadm's documentation is that of prioritizing traffic going over a PPP link: you can give telnet traffic a much higher priority than, say, ftp, reducing latency problems caused by a saturated link. IPChains is currently in transition from being the primary firewall mechanism to being replaced by NETFILTER.
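As an added example (not code from this article), here is an ipchains ruleset that implements the setup described above and in the IPMASQ discussion: masquerading for an internal network, a user-defined chain, and the redirect of port 80 to Squid on port 3128. The interface names, addresses and Squid port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: an ipchains ruleset for the
# gateway described above. Constructed assumptions: eth0 faces the Internet,
# eth1 faces a LAN of 192.168.1.0/24 with the gateway at 192.168.1.1, and
# Squid listens on local port 3128 for transparent web proxying.
# Commands are printed (dry run) unless APPLY=1 is set, so it runs anywhere.
APPLY=${APPLY:-0}
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24
GW=192.168.1.1

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

lan_firewall() {
    run sysctl -w net.ipv4.ip_forward=1         # masquerading needs forwarding
    run ipchains -F                             # flush the built-in chains
    run ipchains -X                             # drop user-defined chains
    run ipchains -P input DENY                  # default policy: deny inbound
    run ipchains -P forward DENY                # and deny forwarding
    run ipchains -P output ACCEPT

    # Anti-spoofing: LAN source addresses never arrive on the Internet side.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -l -j DENY

    # A user-defined chain holds the LAN rules (the "chains" of the name).
    run ipchains -N lanin
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j lanin
    # Transparent proxy: LAN web traffic not aimed at the gateway goes to Squid.
    run ipchains -A lanin -p tcp -d ! "$GW" --dport 80 -j REDIRECT 3128
    run ipchains -A lanin -j ACCEPT

    # IPMASQ: everything leaving the LAN is masqueraded as the gateway.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    # ipchains is not stateful. Replies to masqueraded connections reach the
    # input chain addressed to the gateway and are demasqueraded afterwards,
    # so they must be let in here: TCP packets that do not open a connection
    # (! -y, SYN not set) and UDP replies from DNS servers.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp --sport 53 -j ACCEPT
    run ipchains -A input -i lo -j ACCEPT
}

lan_firewall
```

Letting replies in by the absence of the SYN flag and by source port 53 is exactly the gap that stateful inspection in NETFILTER closes, since ipchains cannot tell a genuine reply from a packet merely crafted to look like one.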

NETFILTER

NETFILTER is the next generation of packet firewalling for Linux. It is stateful and makes a variety of activities easier, such as firewalling (especially protocols like DNS and FTP), IPSec, and anything to do with packet management. The HOWTO is available at: http://netfilter.kernelnotes.org/.

SINUS Firewall

SINUS Firewall is an alternate firewall for Linux, currently in the process of rolling out a new version. You can get it at: http://www.sinusfirewall.org/.

Phoenix Adaptive Firewall

Phoenix Adaptive Firewall is a commercial product that replaces IPCHAINS and provides sophisticated firewalling capabilities (for about $3000 US per machine, unlimited usage), and was the first firewall to be ICSA certified for Linux. It is also available on several Linux appliances (such as Cobalt RaQs). It is available at: http://www.progressive-systems.com/products/phoenix/.

Check Point Firewall-1

Firewall-1 is a well known firewall and is now available for Linux (specifically Red Hat Linux). It is available at: http://www.checkpoint.com/products/firewall-1/