Digital Elephant

Network Firewalls

firewall, n. -- traditionally, a barrier to prevent the spread of fire, commonly found in automobiles and coal-burning locomotives, between the engine and the passenger or crew compartments.

firewall, n. -- a computing construct (software or hardware) that controls traffic flow between a protected network and an unprotected one (often the public Internet), which prevents the spread of viruses, hacker mischief, and a host of ills that have arisen as Internet use has spread to serve not only the principled and focused, but also the malicious and amoral.

[Diagram: firewall placed between the local network and the Internet connection]

The simplest way to protect your computers from external interference is to disconnect them from the public Internet. Unfortunately, the side effect is that you cannot take advantage of the vast quantity of information and entertainment that is available through that medium. The simplest useful way to protect your computers is with a filtering firewall, shown at left. This type of firewall is not perfect, but it will thwart most sorts of attacks, while permitting you essentially unrestricted access to sites on the Internet.

The other major category of firewall is called a stateful or stateful-inspection firewall. Such a device offers more protection than a simple filtering firewall, since it is designed to keep track of an entire TCP session rather than just to accept or reject single packets of data, but is considerably more complex (this makes it slow or costly, or both). To keep things simple, we will only discuss filtering firewalls here. [Ed: since the Linux 2.4 kernel, stateful inspection has become the norm. The rest of the discussion regarding iptables is still correct, and uses this state tracking capacity.]

The arrangement shown in this figure works for dial-up modems as well as for DSL and cable modems. The latter are often permanently connected; the former always require some extra work to dial the Internet Service Provider whenever a machine behind the firewall demands access to the Internet.

Firewall capability is available on most recent Linux distributions. The table below shows which program is used to specify the firewall configuration rules, depending on the kernel version running on your system. The last two are covered here; ipfwadm is not used much any more.

Kernel Version    Configuration Program
2.0.x             ipfwadm
2.2.x             ipchains
2.4.x             ipchains or iptables
2.6.x             iptables

To work out what the rules ought to be for a particular firewall, we need to know some things about how traffic is supposed to flow through the firewall: both to reach the various services that are offered at the protection boundary, and to reach the machines behind the firewall that have initiated transactions with systems elsewhere. In addition, we may need to consider whether the firewall is also providing Private Networking services, since this has an impact on how the firewall rules are set up.
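
As an added example (not part of the original page and not Digital Elephant's own configuration), the shell function below prints a minimal iptables ruleset for a Linux 2.4/2.6 gateway that implements the two flows just described: new sessions from machines behind the firewall going out, with replies tracked statefully coming back, plus one boundary service on the firewall itself and masquerading for private addresses. The interface names (eth0, eth1) and the subnet 192.168.1.0/24 are assumptions; the rules are printed rather than applied so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the Digital Elephant page: print a minimal
# stateful filtering ruleset for a Linux 2.4/2.6 gateway using iptables.
# Interface names and the LAN subnet are assumptions; adjust for your site.
# Nothing is applied here; pipe the output to "sh" as root to load it.
fw_rules() {
    wan="$1"        # interface facing the ISP, e.g. ppp0 (dial-up) or eth0 (DSL)
    lan="$2"        # interface facing the protected network
    lan_net="$3"    # private subnet behind the firewall, e.g. 192.168.1.0/24

    # Start clean and refuse everything that is not explicitly allowed.
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Stateful part: packets belonging to a session the inside already
    # opened (or related to it, e.g. FTP data) may come back in.
    echo "iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Traffic on the loopback interface is local to the firewall itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Packets arriving from the Internet that claim a LAN source address
    # are spoofed; drop them before any later rule can match them.
    echo "iptables -A INPUT   -i $wan -s $lan_net -j DROP"
    echo "iptables -A FORWARD -i $wan -s $lan_net -j DROP"

    # Boundary service offered to the inside only: SSH to the firewall.
    echo "iptables -A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT"

    # Machines behind the firewall may open new sessions to the Internet.
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT"

    # Private Networking: rewrite outbound source addresses to the WAN
    # address so replies find their way back. MASQUERADE suits links
    # whose address changes on every dial-up connection.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"
}

# Dry run: print the ruleset for a DSL link on eth0 and a LAN on eth1.
fw_rules eth0 eth1 192.168.1.0/24
```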

Configuring a firewall (ipfwadm)
Configuring a firewall (ipchains)
Configuring a firewall (iptables)
Private Networking
Boundary Services

Last updated January 29, 2007