When looking for an effective, inexpensive firewall solution, Linux firewalls do not often enter into the picture unless someone involved in the security planning process is a Linux guru. With the ability to easily run on that old system in the corner – the one that can’t even load the latest version of Windows (mine runs on a Pentium 133) – Linux firewalls can provide many of the basic features and functionality of their commercial counterparts, such as NAT (network address translation) and stateful packet filtering, at a fraction of the cost.
Linux firewalls may not be the best solution in all situations – such as the main corporate gateway firewall for large organizations – but they work great as internal firewalls separating network subnets and gateway firewalls for small and medium businesses and home networks with broadband Internet access.
Current Linux firewalls (2.4 kernel) run netfilter/iptables. Netfilter provides the kernel hooks that allow the firewall to inspect network traffic; iptables provides the table structure to define rule sets that govern traffic flow. Many Linux distributions include netfilter/iptables support by default; find more at http://www.netfilter.org.
The hardest part about using Linux firewalls is properly configuring them. The first step is to ensure that the system acting as the firewall is as secure and hardened as possible. During initial installation, install only the minimum required packages to provide basic system functionality, IP forwarding, and iptables support. Your mantra is: “If the firewall does not need it, do not install it.”
For some distributions, this may mean removing additional packages after installation, even when selecting the most basic installation. For example, with Red Hat Inc. systems there are several programs you can only remove after installation (such as sendmail) if they are not needed. Linux hardening scripts can also help you through this process – the best tool I have found is Bastille Linux, available at http://www.bastille-linux.org.
Once the system is properly configured, it is time to create the iptables firewall script that will add the proper rule set to apply to inbound and outbound packets. A great resource is New Riders’ Linux Firewalls (Second Edition) by Bob Ziegler. Firewall Builder, included in Mandrake and Debian distributions or available at http://fwbuilder.sourceforge.net, is a graphical front end that can ease this process. For newbies, Red Hat provides Lokkit, a basic GUI configuration tool ideal for beginners and networks that only require a very simple firewall configuration.
Deciding how to access the firewall system is an important step that is often overlooked. In the systems I build, I only allow access through SSH using key authentication. Many documents on the Internet can help: http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html and http://www.iptables.organd are excellent introductions, as are the how-to guides at the aforementioned netfilter site.
Linux firewalls can be a robust, cost-effective solution for almost any organization, as long as the system is properly configured.