If you are connecting yourself to the Internet at all, then you need to consider protecting your
internal network. If you set up an Internet server that has only one network
interface, that being to the Internet, then your internal network is safe from intruders. This
solution provides the ultimate in security (short of not connecting at all),
but requires more work on your part to transfer data to and from that machine.
The alternative is to implement a system by which someone from the outside has the least chance
of getting into your network, but you have the ability to get to and through
that gateway machine. This is the concept of a firewall.
Like a firewall in a building, a network
firewall functions more or less as "damage control". Should a fire break out, the firewall prevents
it from spreading further. With a network firewall, should an intruder break into the
gateway machine, the potential for further damage is limited.
In the following section, we will be talking about the basic issues involved with implementing a
firewall on your machine. Keep in mind that these are the basics. There is more to it if
your want to make your system as safe as possible. In comparison to car
security, this is analogous to telling you about locking your door or
installing an anti-theft device like "The Club", but we won't go into details like electronic
devices that cut the gas flow if the car is "hot-wired".
First let's briefly, talk about the firewall itself. Your firewall is a machine that has routing
capabilities. Technically, it does not need to be a computer, but can be something as simple as a
router. As it's name implies, a router is a machine that routes packets. Most
routers allow you to not only configure where packets are allowed to go to, but also from where they
are allowed to come. In addition, many can be even more finely tune it, such as limiting the type of
packets and to/from what ports.
If you use a computer as your router,
it needs to have routing capabilites such as Linux machine. Because of the features such as FTP
and HTTP services, a Linux machine is well suited to the task. This explains
why approximately 10% of all Internet servers are running Linux.
One way of making the firewall safe is to prevent all packets from going through it. This
means that packets are not forwarded. Certain routers will allow you to configure them in
such a way that incoming packets are blocked, but outgoing packets are let through.
Note that this does not mean that you can only send packets to the outside, but never hear their
answer. Instead that means that packets that originate on the outside are blocked.
When you send a request from an internal machine, the packet that you receive
is a response or acknowledgment. Such packets are allowed through, but those that are sending the
initial request are not.
This has a slight danger in that acknowledgment packets can be intercepted and manipulated. This
requests detailed knowledge of both the TCP/IP protocols and the application
involved, so it is not something that the casual hacker is going to try. However, it is
To increase the security
of your system, you turn off packet
routing altogether. This means that no packet is let through. In such as system, you need to connect
first to the firewall machine and then to the Internet. At this point, you now have two
distinct networks. Although the firewall can see both of them, neither can see the other.
Since nothing gets through, not even email, your internal network is (fairly)
This means that an intruder cannot reach your internal network,
he must first reach the firewall and use it as a "springboard" to get inside. Unfortunately, this
also means that people on the inside cannot reach the Internet without first getting to the
gateway machine. If this is your choice, then the security
is more important than the slight inconvenience that the users encounter.
The alternative is what is called a proxy server. In essence, this functions like a
translator. When packets reach the proxy server, they are redirected to another connection on the
other side of the firewall. For example, httpd (your web server daemon) normally listens on port 80.
However, this has been
disabled. Instead, I connect to port 1080 (or something greater than 1024). The services that is
listening on that port makes a connection to port 80 on the destination machine to complete the
HTTP connection. This middleman, or proxy, does the translation for my
application. Other than knowing that I need to connect to the proxy server
first, the functionality is the same as if there were no firewall.
There are a couple of ways of implementing the proxy under Linux, which we will get to later.