Whereas there is no substitute for secure and properly configured hosts, there are times when it is desirable to get additional protection by passing traffic to and from some hosts through an additional protective filtering layer (usually called a firewall).
The traditional (and most secure) firewall is physically inserted between the hosts to be protected and the rest of the world; however, this physical break in the network may be impractical for various reasons. The logical firewall (LFW) may be an attractive alternative because it can physically exist anywhere on the subnet and protect hosts anywhere on the subnet without rewiring.
Protecting hosts with the logical firewall involves giving them new and unroutable IP addresses (by replacing the first octet of their public IP address with 10). The logical firewall box is configured (with a virtual interface) to respond to the original/public address of the protected host and to do routing and Network Address Translation (NAT) to and from the protected host for that traffic which is allowed by the firewall rules. The logical firewall needs only a single physical network interface. (See also NAT Intro and Firewall Limitations and Firewall Variations).
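To make the mechanism above concrete, here is an added example (not the NDC rule generator's output and not a Gibraltar script) of the rule skeleton that a single-NIC logical firewall needs for one protected server. The public address 128.95.1.10, its 10.95.1.10 twin, the firewall's own 10.0.0.1 address and the interface name eth0 are all assumed for illustration; the protected host is assumed to be reconfigured as 10.95.1.10 with 10.0.0.1 as its default gateway.

```shell
#!/bin/sh
# Added example: the rule skeleton behind one protected server on a
# single-NIC logical firewall.  NOT the NDC rule generator's output;
# every address below is an assumption made for this illustration.
#   PUBLIC  = 128.95.1.10  the server's original, routable address
#   twin    = 10.95.1.10   same address with the first octet replaced by 10
#   FW_PRIV = 10.0.0.1     the firewall's own 10.x address on the same wire
#                          (assumed to be the protected host's default gateway)
FW_PRIV=10.0.0.1

# Replace the first octet with 10 (an address already in 10/8 passes through unchanged).
lfw_private_addr() {
    printf '%s\n' "$1" | sed 's/^[0-9][0-9]*\./10./'
}

# Emit (to stdout, without executing) the commands for one protected host.
# Usage: lfw_rules PUBLIC_ADDR [IFACE]
lfw_rules() {
    pub="$1"
    iface="${2:-eth0}"
    priv=$(lfw_private_addr "$pub")
    cat <<EOF
# the firewall answers ARP for the public address and talks 10/8 on the same NIC
ip addr add $pub/32 dev $iface
ip addr add $FW_PRIV/8 dev $iface
sysctl -w net.ipv4.ip_forward=1
# packets enter and leave on the same interface, so never send ICMP redirects
# that would invite the gateway to bypass the firewall
sysctl -w net.ipv4.conf.$iface.send_redirects=0
# inbound: the public destination becomes the unroutable twin
iptables -t nat -A PREROUTING -i $iface -d $pub -j DNAT --to-destination $priv
# outbound: hide the twin behind the public address again
iptables -t nat -A POSTROUTING -o $iface -s $priv -j SNAT --to-source $pub
# stateful filtering of what may reach the host (the generator fills in the port list)
iptables -A FORWARD -d $priv -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $priv -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d $priv -j LOG --log-prefix "LFW-REJ: "
iptables -A FORWARD -d $priv -j DROP
iptables -A FORWARD -s $priv -j ACCEPT
EOF
}

# Standalone use: print the rules for the assumed server.
lfw_rules 128.95.1.10 eth0
```

The LOG line immediately before the DROP is what makes "syslog all blocked packets" (and a formatter like rejfmt) useful later; the send_redirects setting matters precisely because, unlike a two-NIC firewall, the in and out interfaces here are the same.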
The logical firewall does not necessarily offer a solution for clients with dynamic IP addresses (such as those using DHCP). It is proposed mostly for servers (and clients with static IP addresses). DHCP clients may be best protected by "personal firewalls" (firewall rules which run on the client itself) or a physical firewall solution. However, if one is willing to configure a DHCP server to issue only private addresses (or to properly determine, for each client, whether to issue a public or private address), the logical firewall can be used successfully.
The firewall offered here is based on the iptables stateful packet filtering mechanism in the Linux 2.4 kernel. The firewall is tailored to work with a diskless Linux "live" distribution called Gibraltar which boots and runs from a CDROM and requires little to no Linux knowledge or system administration. On the other hand, if you are comfortable setting up and administering a Linux system, you should also be able to use the firewall rules we generate on a system of your choosing.
The Gibraltar system is being developed in Austria as a commercial firewall product. Because it is Debian-Linux-based, the author has chosen to make the underlying Linux distribution available for free over the Internet and will only be charging for the GUI (which isn't needed with the LFW). One of the nice things about Gibraltar is that it runs entirely off of CDROM storing only a small amount of configuration information on a floppy disk (or USB Flash Memory). Booting up a generic Gibraltar CDROM and reconfiguring it for use at the University of Washington takes only two or three minutes.
We measured unidirectional packet forwarding throughput of a Gibraltar system running on a 1GHz Pentium-3 with a single 100Mbit network interface at about 40,000 packets/sec with little variation due to protocol or packet size. (See also Choosing Hardware and Sample Usage Graph.)
For maximum flexibility, the NDC logical firewall is divided into two parts:
Note: It is safe to boot Gibraltar on a PC with a hard disk -- by default Gibraltar will ignore the hard disk.
See also: Using USB Flash Memory Instead of Floppies if that is of interest to you.
1. Boot the Gibraltar CDROM and type "fastboot" at the boot prompt to skip waiting for the not-yet-created configuration floppy.
2. Log in as "root" (use password "gibraltar" if prompted).
3. Type "loadkezs us" (those are the key caps to press: under the default Austrian keyboard mapping, typing "z" gives you the "y" you want, so this produces "loadkeys us").
4. Type "mount /dev/fd0 /mnt" to mount the floppy holding uw-setup.
5. Type "/mnt/uw-setup" and answer the questions. (You can run uw-setup as often as you wish.)
6. Type "save-config" or "reboot" to save your configuration to floppy. (You should eventually reboot once after running uw-setup to incorporate the additional ramdisk it configures.)
At this point, your Gibraltar system is up, networked, secure (hopefully) and waiting for you to login over the network with ssh.
To generate firewall rules, please visit the Firewall Rules Generator webpage from a computer with both a web browser and SSH software. The web form will help you generate the contents of the two remaining files you need to complete your firewall (and supports two ways of saving your work). See also Choosing Firewall Rules for some tips on deciding what to block and what to pass.
When you've filled in the web form:
1. Type "ssh root@host" (where host is your firewall).
2. Type "gui-paste" to Gibraltar and then copy/paste everything in the web form into gui-paste (type a newline followed by control-D to complete the paste if necessary). gui-paste does the following (which you could also do manually if you prefer):
   - updates "/etc/network/interfaces" and runs "/etc/init.d/networking restart";
   - runs "arp-push" to make sure the gateway learns about any new clients of the firewall;
   - updates "/usr/local/sbin/tables", attempting to preserve any changes you may have made manually which don't conflict with changes subsequently made through the GUI (the "-r" option to gui-paste will discard changes you made manually).
3. Type "reboot" to save everything and reboot OR type "save-config" to save your firewall to floppy. (You should eventually reboot once after running uw-setup to incorporate the additional ramdisk it configures.)
Your firewall should now be up and running. When you're satisfied with it, you can make the floppy read-only and be even more protected from unwanted changes.
If your firewall is connected to the UW network, please see also Interaction With UW Network Operations to help protect your firewall from being disconnected if one of its clients misbehaves.
Version | Status | Notes |
2.5 | Stable | md5 hash of gibraltar-2.5.iso.bz2: 546fa6ff11b8ec745de603d8d80f6245 Most Recommended (with same caveat about ipsec tunnels as 2.4.1). Use with rule-generator 1.74 or higher and uw-setup 1.75 or higher. See also How to Upgrade and Why You Might Want to. |
To burn the CD on Unix/Linux (after decompressing the .iso.bz2 with "bunzip2"), use: "cdrecord -dao speed=# dev=#,#,# file.iso" (use "cdrecord -scanbus" to find the #s). On Windows, not all software can burn CDs from a file but I'm told these can:
If you have two network interfaces, you can set "TWO_NIC_FIREWALL=1" and "ALTER_INTERFACES=1" in the "tables" file (on your firewall). If you did this, you could also run your own DHCP server behind the firewall and serve DHCP clients, although if you can physically divide your network this way, you may also prefer a different firewall or variation #4 or unsupported variation 1a. Similarly, if your subnet already has (or if you set up) a DHCP server which can be safely configured to serve 10.x.y.z addresses, you can use the logical firewall in the default (single-NIC) mode for DHCP clients.
If you set up the DHCP server which comes with Gibraltar, as of Gibraltar 0.99.6 you can more easily put the "dhcpd.leases" file into persistent storage (so you won't lose your DHCP leases database if the firewall reboots). See the "lease-file-name" section of "man dhcpd.conf" (on your Gibraltar system). Also note that, contrary to "man dhcpd3", the "/etc/dhcpd.conf" file has moved to "/etc/dhcp3/dhcpd.conf".
The "tables" file (on your firewall) also contains the setting "MASQUERADING_NAT=0". The recommended way of connecting more computers than you have public addresses is to use Variation #e10 to enable masquerading NAT on an extra network of 10.0 addresses.
To have "logcheck" email you noteworthy firewall log messages (if any) every hour (or as per "/etc/cron.d/logcheck"), replace "/dev/null" in "/etc/aliases" with your email address and run "newaliases".
The "state" script will dump the current iptables connection state information.
Typing "rejfmt /var/log/syslog" will show what TCP and UDP packets were recently blocked (if you have "syslog all blocked packets" enabled). This can be useful to determine what additional ports to allow through the firewall (if something doesn't work). As of uw-setup 1.67, "tail -f /var/log/syslog | rejfmt" will format rejected packets in real-time and "rejfmt -s" will show source ports too.
Log messages tagged "arplog:" can be viewed with "less /var/log/syslog* | grep arplog: | sort +6". (Newer versions of sort reject the zero-origin "+6" form; use "sort -k 7" there.)
Use "halt -f" or "reboot -f".
"gnome-terminal" and "Konsole" have problems doing large pastes of rule generator output. On these systems, use "xterm" instead.
"gui-paste" can take input from a pipe or a file, so instead of copy/paste through ssh, in a pinch, you can convey rule-generator output to your firewall on a floppy (as long as it is still a vanilla text file). On Unix/Linux, if you want to put the rule generator output into a file (to use as above), select it all and then either paste it into "cat > file" followed by a newline and control-D, or better yet, run gvim and insert it directly into gvim's buffer by typing one of the following 3-key sequences (which begin with a double quote): "*p or "+p (depending on your browser). You'd then type ":wq file" (without the quotes) to write and quit.
The "Konqueror" web browser has copy/paste compatibility problems with "xterm". On these systems either...
- Use "Netscape" or "Mozilla" instead, or
- Teach xterm to paste the CLIPBOARD with SHIFT-INSERT by putting these lines in your "~/.Xdefaults" file:
  xterm*VT100.Translations: #override \n\
      s<Key>Insert: insert-selection(CLIPBOARD) \n\
      <Key>Insert: insert-selection(PRIMARY,CUT_BUFFER0)
  and then running "xrdb -merge ~/.Xdefaults", or
- Run "gvim" and type the following 9 keys to "gvim" between each COPY operation in "Konqueror" and subsequent PASTE into "xterm": ggdG"+pvG
find / -xdev -follow -type f -print 2>&- | xargs cat >/dev/null
For ATAPI/IDE floppy drives, after "modprobe ide-floppy" you can at least use them as "/dev/hdb" (or whatever device "listpci" shows for it).
To get "ALT-key" sequences sent through to Gibraltar (not just interpreted locally by Teraterm), visit Teraterm's "Setup->Keyboard" dialog and select "Meta key". You can make this change permanent by setting "MetaKey=on" in the "Teraterm.ini" file on your Windows system.
To trick Gibraltar's default/windowsy editor, "fte", into using colors, type this command to Gibraltar after logging in: "export TERM=xterm". Or set "TermType=xterm" in the "Teraterm.ini" file on your Windows system (though that will change it for every host you connect to with Teraterm).
"/etc/gibraltar_config".
If it is necessary to change ramdisk sizes without rerunning "uw-setup -n", the Linux "remount" mount option can be used. For example:
mount -n -o remount,size=32m -t tmpfs tmpfs /var
will immediately set the size of the "/var" ramdisk to 32 megabytes. The "df" command will show how much space is used/free. (Note: use also "df -i" to see how many "inodes" are used/free; a filesystem can appear full if it runs out of either space or inodes, though inodes are harder to add and less likely to run out (each file uses one inode).)
You can adjust "size 500k" in "/etc/logrotate.conf" as you see fit. (As of uw-setup 1.67, this is now increased to a more suitable 5M.)
To boot with a serial console, type "serial" before any other boot options at the boot prompt, for example: "serial" or "serial defaultconfig".
Similarly, to allow logins on the serial port (without a special reboot) in case network access is unavailable:
1. In "/etc/inittab", uncomment the line containing "getty" and "ttyS0" (by removing the initial "#").
2. In "/etc/securetty", add a line containing "ttyS0" (without the quotes, of course).
3. Type "kill -1 1" (so that init re-reads inittab).
Obviously, this will only be useful if you've enabled it before you need to use it, so a future version of "uw-setup" may incorporate this.
To format a configuration floppy, type "fdformat /dev/fd0u1440 && mformat a:". (On some Linux systems the letter before 1440 may be different.)
To check whether your Gibraltar system's timezone data knows about the 2007 change in daylight-saving rules, run "zdump -v /etc/localtime | grep 2007". Ignoring this will not impair functionality of the firewall; however some system log messages may have timestamps one hour early or late for a few weeks. If you wish, you can fix this by simply copying "/etc/localtime" from an updated Linux system. At UW, you can do this:
scp -p YourID@homer.u.washington.edu:/etc/localtime /tmp/localtime
mv /tmp/localtime /etc/localtime
save-config
uw-setup -n    # (or reboot if you prefer)
Network interface names are pinned by an "/etc/iftab" file with PCI bus address mappings. This file will normally be populated during the initial "defaultconfig" boot of Gibraltar. Changes to the file take effect at reboot or after running:
/etc/init.d/networking stop
ifrename -t
/etc/init.d/networking start
See the manpage for "ifrename" for more information.
To use "sshfs" to "mount" files from Gibraltar onto another computer which supports FUSE, you must either have the "sftp subsystem" enabled on Gibraltar (in the "/etc/ssh/sshd_config" file) or else supply "-o sftp_server=/usr/lib/sftp-server" as a mount option to "sshfs". Using "sshfs" with the LFW may sometimes be convenient but is never necessary.
Kerberos clients behind the firewall (whose traffic is NAT-translated) should make sure their Kerberos configuration ("krb5.conf" or "krb5.ini") says not to put the client's IP addresses in tickets (in the libdefaults section add a line: "noaddresses = 1"); otherwise the 10.x address inside the ticket will not match the public address that the KDC and servers see.
Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date --
Mon Jan 28 12:26:06 PST 2008