Whereas there is no substitute for secure and properly configured hosts, there are times when it is desirable to get additional protection by passing traffic to and from some hosts through an additional protective filtering layer (usually called a firewall).
The traditional (and most secure) firewall is physically inserted between the hosts to be protected and the rest of the world; however, this physical break in the network may be impractical for various reasons. The logical firewall (LFW) may be an attractive alternative because it can physically exist anywhere on the subnet and protect hosts anywhere on the subnet without rewiring.
Protecting hosts with the logical firewall involves giving them new and unroutable IP addresses (by replacing the first octet of their public IP address with 10). The logical firewall box is configured (with a virtual interface) to respond to the original/public address of the protected host and to do routing and Network Address Translation (NAT) to and from the protected host for that traffic which is allowed by the firewall rules. The logical firewall needs only a single physical network interface. (See also NAT Intro and Firewall Limitations and Firewall Variations).
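An added example (not the NDC rule generator's or Gibraltar's code) that turns the mechanism just described into concrete rules for one protected host: derive the 10.x.y.z address by replacing the first octet, answer for the public address on the firewall's single interface, NAT in both directions, and pass only the listed ports through a stateful filter. The interface name "eth0", the log prefix and the sample addresses are assumptions.

```python
"""Rules for one host behind a single-NIC logical firewall (added example, not
the NDC rule generator's code). Uses the page's convention that the protected
host's private address is its public address with the first octet replaced by
10. Interface name, log prefix and the sample host are assumptions."""
import ipaddress

NIC = "eth0"                 # assumed: the firewall's single physical interface
LOG_PREFIX = "LFW-REJECT: "  # assumed prefix for "syslog all blocked packets"


def private_address(public_ip: str) -> str:
    """128.95.1.10 -> 10.95.1.10 (ipaddress validates the input first)."""
    octets = str(ipaddress.IPv4Address(public_ip)).split(".")
    return ".".join(["10"] + octets[1:])


def lfw_rules(public_ip: str, allow: dict) -> list:
    """Shell commands for one protected host; allow maps "tcp"/"udp" to ports."""
    priv = private_address(public_ip)
    rules = [
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        # The "virtual interface": the firewall answers ARP and IP for the
        # public address, so packets for the protected host arrive here first.
        f"ip addr add {public_ip}/32 dev {NIC}",
        # Connections the protected host opens itself leave with its public
        # address; replies to DNATed connections are reversed by conntrack.
        f"iptables -t nat -A POSTROUTING -s {priv} -o {NIC} -j SNAT --to-source {public_ip}",
        f"iptables -A FORWARD -s {priv} -m state --state NEW -j ACCEPT",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, ports in allow.items():
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        for port in ports:
            # Inbound: rewrite public -> private, then pass only NEW connections
            # to the permitted port through the stateful FORWARD chain.
            rules.append(f"iptables -t nat -A PREROUTING -d {public_ip} -p {proto} "
                         f"--dport {port} -j DNAT --to-destination {priv}")
            rules.append(f"iptables -A FORWARD -d {priv} -p {proto} --dport {port} "
                         f"-m state --state NEW -j ACCEPT")
    # Anything else aimed at the host is logged (what rejfmt reads) and dropped.
    rules.append(f'iptables -A FORWARD -d {priv} -j LOG --log-prefix "{LOG_PREFIX}"')
    rules.append(f"iptables -A FORWARD -d {priv} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: an ssh/web server whose public address is 128.95.1.10.
    print("\n".join(lfw_rules("128.95.1.10", {"tcp": [22, 80]})))
```

The protected host's own default route must point at the firewall's 10.x address, otherwise its outbound traffic never reaches the SNAT rule.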
The logical firewall does not necessarily offer a solution for clients with dynamic IP addresses (such as those using DHCP). It is proposed mostly for servers (and clients with static IP addresses). DHCP clients may be best protected by "personal firewalls" (firewall rules which run on the client itself) or a physical firewall solution. However, if one is willing to configure a DHCP server to issue only private addresses (or to properly determine, for each client, whether to issue a public or private address), the logical firewall can be used successfully.
The firewall offered here is based on the iptables stateful packet filtering mechanism in the Linux 2.4 kernel. The firewall is tailored to work with a diskless Linux "live" distribution called Gibraltar which boots and runs from a CDROM and requires little to no Linux knowledge or system administration. On the other hand, if you are comfortable setting up and administering a Linux system, you should also be able to use the firewall rules we generate on a system of your choosing.
The Gibraltar system is being developed in Austria as a commercial firewall product. Because it is Debian-Linux-based, the author has chosen to make the underlying Linux distribution available for free over the Internet and will only be charging for the GUI (which isn't needed with the LFW). One of the nice things about Gibraltar is that it runs entirely off of CDROM, storing only a small amount of configuration information on a floppy disk (or USB Flash Memory). Booting up a generic Gibraltar CDROM and reconfiguring it for use at the University of Washington takes only two or three minutes.
We measured unidirectional packet forwarding throughput of a Gibraltar system running on a 1GHz Pentium-3 with a single 100Mbit network interface at about 40,000 packets/sec with little variation due to protocol or packet size. (See also Choosing Hardware and Sample Usage Graph.)
For maximum flexibility, the NDC logical firewall is divided into two parts:
Note: It is safe to boot Gibraltar on a PC with a hard disk -- by default Gibraltar will ignore the hard disk.
See also: Using USB Flash Memory Instead of Floppies if that is of interest to you.
Type: "fastboot" to skip waiting for the not-yet-created configuration floppy.
Login as "root" (use password "gibraltar" if prompted).
Type: "loadkezs us" (to undo Austrian keyboard mapping where typing "z" gives you the "y" you want!)
Type: "mount /dev/fd0 /mnt"
Run "/mnt/uw-setup" and answer the questions. (You can run uw-setup as often as you wish).
Type: "save-config" or "reboot" to save your configuration to floppy. (You should eventually reboot once after running uw-setup to incorporate the additional ramdisk it configures.)
At this point, your Gibraltar system is up, networked, secure (hopefully) and waiting for you to login over the network with ssh.
To generate firewall rules, please visit the Firewall Rules Generator webpage from a computer with both a web browser and SSH software. The web form will help you generate the contents of the two remaining files you need to complete your firewall (and supports two ways of saving your work). See also Choosing Firewall Rules for some tips on deciding what to block and what to pass.
When you've filled in the web form:
Type: "gui-paste" to Gibraltar and then Copy/Paste everything in the web form into gui-paste (type a newline followed by control-D to complete the paste if necessary). If you prefer doing things manually, this:
"arp-push" to make sure the gateway learns about any new clients of the firewall.
"/usr/local/sbin/tables", attempting to preserve any changes you may have made manually which don't conflict with changes subsequently made through the GUI.
"gui-paste" will discard changes you made manually).
Type: "reboot" to save everything and reboot OR Type: "save-config" to save your firewall to floppy. (You should eventually reboot once after running uw-setup to incorporate the additional ramdisk it configures.)
Your firewall should now be up and running. When you're satisfied with it, you can make the floppy read-only and be even more protected from unwanted changes.
If your firewall is connected to the UW network, please see also Interaction With UW Network Operations to help protect your firewall from being disconnected if one of its clients misbehaves.
Version 2.5 (Stable). md5 hash of gibraltar-2.5.iso.bz2: 546fa6ff11b8ec745de603d8d80f6245
Most Recommended (with same caveat about ipsec tunnels as 2.4.1).
Use with rule-generator 1.74 or higher and uw-setup 1.75 or higher.
See also How to Upgrade and Why You Might Want to.
cdrecord -dao speed=# dev=#,#,# file.iso
(Type: "cdrecord -scanbus" to find the #s.)
On Windows, not all software can burn CDs from a file but I'm told these can:
"ALTER_INTERFACES=1" in the "tables" file (on your firewall). If you did this, you could also run your own DHCP server behind the firewall and serve DHCP clients, although if you can physically divide your network this way, you may also prefer a different firewall or variation #4 or unsupported variation 1a. Similarly, if your subnet already has (or if you set up) a DHCP server which can be safely configured to serve 10.x.y.z addresses, you can use the logical firewall in the default (single-NIC) mode for DHCP clients.
If you set up the DHCP server which comes with Gibraltar: as of Gibraltar 0.99.6, you can more easily put the "dhcpd.leases" file into persistent storage (so you won't lose your DHCP leases database if the firewall reboots). See the "lease-file-name" section of "man dhcpd.conf" (on your Gibraltar system). Also note that, contrary to "man dhcpd3", the "/etc/dhcpd.conf" file has moved to
"MASQUERADING_NAT=0" in the "tables" file.
The recommended way of connecting more computers than you have public addresses is to use Variation #e10 to enable masquerading NAT on an extra network of 10.0 addresses.
To have "logcheck" email you noteworthy firewall log messages (if any) every hour (or as per "/etc/cron.d/logcheck"), replace "/dev/null" in "/etc/aliases" with your email address and run "
The "state" script will dump the current iptables connection state information.
"rejfmt /var/log/syslog" will show what TCP and UDP packets were recently blocked (if you have "syslog all blocked packets" enabled). This can be useful to determine what additional ports to allow through the firewall (if something doesn't work).
As of uw-setup 1.67, "tail -f /var/log/syslog | rejfmt" will format rejected packets in real-time, and "rejfmt -s" will show source ports too.
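An added example, not Gibraltar's rejfmt, showing the parsing a rejfmt-style report needs: it pulls the KEY=value fields out of the kernel's iptables LOG lines in syslog, skips ordinary syslog lines and ICMP (which has no ports), and tallies blocked TCP/UDP packets per destination port, adding source ports when asked (the "rejfmt -s" view). The syslog lines, hostnames, addresses and the "LFW-REJECT: " prefix are constructed.

```python
"""Summarise iptables LOG lines the way the page describes rejfmt doing it
(added example, not Gibraltar's rejfmt). Parses the kernel's KEY=value fields,
keeps TCP/UDP only, and counts blocked packets per destination port, keyed by
source port too when asked ("rejfmt -s"). All log lines are constructed."""
import re
from collections import Counter

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")   # KEY=value pairs the LOG target emits

# Constructed sample syslog lines (from a LOG rule with prefix "LFW-REJECT: ").
SAMPLE_SYSLOG = """\
Jan 28 12:26:06 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=192.0.2.7 DST=10.95.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=45678 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 28 12:26:07 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=192.0.2.7 DST=10.95.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=45679 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 28 12:26:09 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=198.51.100.4 DST=10.95.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=9 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jan 28 12:26:10 lfw kernel: LFW-REJECT: IN=eth0 OUT=eth0 SRC=198.51.100.4 DST=10.95.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 28 12:27:00 lfw sshd[412]: Accepted publickey for root from 128.95.1.50 port 51022 ssh2
"""


def parse_log_line(line: str):
    """Return the LOG fields of one syslog line as a dict, or None if it is not
    a firewall line with ports (ordinary syslog noise, or ICMP)."""
    if "PROTO=" not in line or "DPT=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def blocked_summary(syslog_text: str, show_source_ports: bool = False) -> Counter:
    """Count blocked TCP/UDP packets per (proto, dst, dport[, src, sport])."""
    counts = Counter()
    for line in syslog_text.splitlines():
        fields = parse_log_line(line)
        if fields is None or fields["PROTO"] not in ("TCP", "UDP"):
            continue
        key = (fields["PROTO"], fields["DST"], int(fields["DPT"]))
        if show_source_ports:               # the "rejfmt -s" view
            key += (fields["SRC"], int(fields["SPT"]))
        counts[key] += 1
    return counts


if __name__ == "__main__":                  # same idea as "rejfmt /var/log/syslog"
    for key, n in blocked_summary(SAMPLE_SYSLOG).most_common():
        print(n, *key)
```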
To view arplog messages, type: "less /var/log/syslog* | grep arplog: | sort +6".
"halt -f" or "
"Konsole" have problems doing large pastes of rule generator output. On these systems, use
"gui-paste" can take input from a pipe or a file, so instead of copy/paste through ssh, in a pinch, you can convey rule-generator output to your firewall on a floppy (as long as it is still a vanilla text file).
On Unix/Linux, if you want to put the rule generator output into a file (to use as above), select it all and then either paste it into "cat > file" followed by a newline and control-d, or better yet, run
and insert it directly into gvim's buffer by typing one of the following 3-key sequences (which begin with double quote):
(depending on your browser). You'd then type ":wq file" (without the quotes) to write
The "Konqueror" web browser has copy/paste compatibility problems with "xterm". On these systems either...
Use "Mozilla" instead, or
Teach xterm to paste the CLIPBOARD with SHIFT-INSERT by putting these lines in your ~/.Xdefaults:
xterm*VT100.Translations: #override \n\
    s<Key>Insert: insert-selection(CLIPBOARD) \n\
and then running "xrdb -merge ~/.Xdefaults", or
Use "gvim" and type the following 9 keys to "gvim" between each COPY operation in "Konqueror" and subsequent PASTE into "xterm":
find / -xdev -follow -type f -print 2>&- | xargs cat >/dev/null
After "modprobe ide-floppy" you can at least use them as "/dev/hdb" (or whatever device "listpci" shows for it).
To get "ALT-key" sequences sent through to Gibraltar (not just interpreted locally by Teraterm) visit Teraterm's "Setup->Keyboard" dialog and select "Meta key". You can make this change permanent by setting "
in the "Teraterm.ini" file on your Windows system.
To trick Gibraltar's default/windowsy editor, "fte", into using colors, type this command to Gibraltar after logging in:
Or set "TermType=xterm" in the "Teraterm.ini" file on your Windows system (though that will change it for every host you connect to with Teraterm).
"/etc/gibraltar_config". If it is necessary to change ramdisk sizes without rerunning "uw-setup -n", the Linux "remount" command can be used. For example:
mount -n -o remount,size=32m -t tmpfs tmpfs /var
will immediately set the size of the "/var" ramdisk to 32 megabytes. The "df" command will show how much space is used/free. (Note: use also "df -i" to see how many "inodes" are used/free; a filesystem can appear full if it runs out of either space or inodes, though inodes are harder to add and less likely to run out (each file uses one inode).)
"size 500k" in "/etc/logrotate.conf" as you see fit. (As of uw-setup 1.67, this is now increased to a more suitable 5M).
"serial" before any other boot options, for example: "serial" or "
Similarly, to allow logins on the serial port (without a special reboot) in case network access is unavailable:
In "/etc/inittab", uncomment the line containing "getty" and "ttyS0" (by removing the initial "#").
In "/etc/securetty" add a line containing "ttyS0" (without the quotes, of course).
Then type: "kill -1 1" (this sends SIGHUP to init so that it rereads "/etc/inittab").
Obviously, this will only be useful if you've enabled it before you need to use it, so a future version of "uw-setup" may incorporate this.
To format a floppy, type: "fdformat /dev/fd0u1440 && mformat a:". (On some Linux systems the letter before 1440 may be different).
zdump -v /etc/localtime | grep 2007
Ignoring this will not impair functionality of the firewall; however, some system log messages may have timestamps one hour early or late for a few weeks. If you wish, you can fix this by simply copying "/etc/localtime" from an updated Linux system.
At UW, you can do this:
scp -p YourID@homer.u.washington.edu:/etc/localtime /tmp/localtime
mv /tmp/localtime /etc/localtime
save-config
uw-setup -n    # (or reboot if you prefer)
"/etc/iftab" file with PCI bus address mappings. This file will normally be populated during the initial "defaultconfig" boot of Gibraltar. Changes to the file take effect at reboot or after running:
/etc/init.d/networking stop
ifrename -t
/etc/init.d/networking start
See the manpage for "ifrename" for more information.
To use "sshfs" to "mount" files from Gibraltar onto another computer which supports FUSE, you must either have the "sftp subsystem" enabled on Gibraltar (in the "/etc/ssh/sshd_config" file) or else supply "-o sftp_server=/usr/lib/sftp-server" as a mount option to "sshfs". Using "sshfs" with the LFW may sometimes be convenient but is never necessary.
("krb5.ini") says not to put the client's IP addresses in tickets (in the libdefaults section add a line: "noaddresses = 1").
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:26:06 PST 2008