Building Linux and OpenBSD Firewalls

Ralph Krause

Issue #78, October 2000

Building Linux and OpenBSD Firewalls attempts to provide you with enough information to determine your security needs and create a firewall to meet them.

  • Author: Wes Sonnenreich and Tom Yates

  • Publisher: John Wiley & Sons

  • E-Mail: info@wiley.com

  • URL: http://www.wiley.com/

  • ISBN: 4-713-5366-3

  • Price: $44.99 US

  • Reviewer: Ralph Krause

More and more people remain connected to the Internet 24 hours a day, and it is no longer a question of whether they will be attacked, but when. The first line of defense against a break-in is a firewall, and an open OS such as Linux can be used to create a very secure one. While newer distributions try to make it easier to create firewalls, you still need to know some information so you can create one that can do its job well.

Building Linux and OpenBSD Firewalls attempts to provide you with enough information to determine your security needs and create a firewall to meet them. According to the introduction, it “is a cookbook for building firewalls using Red Hat Linux 6.0 and OpenBSD 2.5” and “contains step-by-step instructions on exactly how to build a very useful and powerful firewall from scratch”.

Even though it provides step-by-step instructions for creating and tuning a firewall, the authors believe your firewall will be more secure if you know what is being secured. To this end, the first three chapters cover basic network security issues. The first chapter discusses topics such as what you are protecting (your data, your computers and your reputation) and the value of good passwords. Chapter 2 provides a brief explanation of how the Internet works, covers protocols such as IP, TCP and UDP, and describes the common exploits against them. The third chapter explains some basic network configurations for a firewall and helps you determine which services should be provided by your network. These chapters also talk briefly about web browsers and Microsoft-specific problems such as Back Orifice.

The next two chapters are on choosing an OS and the hardware to use for your firewall. The authors provide a brief history of UNIX and free software, explain the differences between the GPL and BSD licenses, and offer comparisons between Red Hat Linux 6.0 and OpenBSD for such factors as software availability, ease of installation and general security. They also talk about building your firewall computer from the ground up so you know for sure what is in it and what to do when you have to open it up to fix something. They point out that you won't need bleeding-edge or high-performance hardware for the majority of your firewall situations, and provide some information on troubleshooting any hardware problems you might encounter.

Chapters 6 and 7 cover the installation of Red Hat Linux 6.0 and the steps you need to take to configure it as a firewall. The installation instructions are basically notes and enhancements to the Red Hat manual. The book then introduces ipchains and firewall rules and explains how to enable IP masquerading. A basic firewall script for ipchains is provided, along with instructions for starting up the firewall every time the computer boots.

Installing OpenBSD and configuring IPFilter are the subjects of the next two chapters. The book goes into more detail on installing OpenBSD than it does for Red Hat, including the creation of a boot floppy and hard-drive partitioning. Instructions on configuring the system to use your modem, mounting your CD-ROM and optimizing the kernel for firewalling are also given. The directions for configuring IPFilter follow the same path as the instructions on configuring ipchains, including an explanation of the book's basic firewall script and how to start the firewall when the machine boots. OpenBSD tools such as IPNAT, IPFTEST, IPFSTAT and IPMON are also introduced in these chapters.

After explaining how to get your firewall up and running, the book moves on to the process of tuning it to be more effective. Specific firewall policies such as protecting against spoofed packets and blocking particular TCP services are given, with instructions on configuring both a Linux and an OpenBSD firewall to implement the policy. The book also explains how to determine what services your firewall is currently providing and how to shut down any you don't want to provide to the outside world.

Next, the authors cover intrusion detection and response. They discuss what to do during an attack, and how to evaluate the attack when it is over. They offer different scenarios for a home network, a network in a small business, and a large corporate network. This chapter also talks about monitoring your network, the importance of log files, and introduces tools such as SATAN and Tripwire to help you secure your network.

The final chapter is a hodge-podge of information. It includes notes on information from the earlier chapters, a brief introduction to the vi editor, and talks about the importance of having a security policy. Finally, it contains two small scripts: one to remove a disk set from OpenBSD and one to start your firewall under Red Hat Linux.

Building Linux and OpenBSD Firewalls covers quite a bit of ground in its twelve chapters. Almost one-half of the book is dedicated to Internet and network theory, but I still found this information relevant. After all, how can you build a secure firewall if you don't understand how it works and what it can protect? The authors attempt to make the subject matter easier to digest by using liberal doses of humor, although this occasionally makes the book hard to read. They also provide diagrams and sidebars to help explain complicated concepts. The authors provide a web site containing more Linux and OpenBSD scripts for firewalling, along with errata and updates for the book.

I found this book informative and useful. If you have a dedicated Internet connection or if you want to protect your small business from hackers, I think this book will help you.

Ralph Krause (rkrause@netperson.net) lives in Michigan and becomes more enthusiastic about open-source software each day. He is currently experimenting with various BSD flavors, as well as continuing to learn Linux.