Linux Firewall

A computer firewall is a barrier between computers on a network. A firewall can be a hardware or software solution that enforces security policies. A firewall has built-in filters that can allow or disallow dangerous material from accessing and entering the system. A firewall is a very handy tool for building secure networks, designed for use with all types of systems. It can protect your workstations, routers, servers and Internet Service Providers' systems.

  1. About the smoothwall
    SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Linux is the ideal choice for security systems; it is well proven, secure, highly configurable and freely available as open source code. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. Our companion site SmoothWall.net is the home of SmoothWall Limited, who produce a range of commercial supported security products, designed for use in small to medium sized businesses, education and corporate offices.
                     
  2. Linux Firewalls Using iptables
    Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure. Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables.
                              
  3. Coyote Linux
    Coyote is a personal firewall distribution of Linux designed for the purpose of protecting a home or educational network. This firewall product is licensed for personal and educational use and is available free of charge from the downloads section of this site. Wolverine is a commercial grade firewall and VPN solution, designed for use by any size organization. Offering stateful packet inspection, IPSEC and PPTP VPN services, and complete web based administration in a very small footprint, while requiring a minimal amount of hardware to operate, Wolverine offers a very cost-effective solution for network perimeter defense and VPN connectivity.
                              
  4. The rcf Linux Firewall
    rcf (aka rc.firewall) is an ipchains-based firewall with support for over 50 network service modules (including vtun, dhcp, nfs, smb, napster, proxies, online games, etc.), masquerading, port forwarding, and ip accounting. All services are self-contained modules which can be prioritized in the ipchains stack. Protections include spoofing, stuffed routing/masquerading, DoS, smurf attacks, outgoing port scans, and many more. rcf also supports unlimited public, private (masqu'ed), dmz, and mz (non-masqu'ed) interfaces and their subnets. Access rules are defined per interface and dmz/mz server "clusters". rcf is compatible with Red Hat, Slackware, Debian, Linux Router Project (LRP), and many other distros.
                      
  5. Linux Firewalls
    Linux ipchains implement a packet filtering firewall and can be considered medium security if implemented properly. A packet filtering firewall looks at each packet individually; it does not (cannot) consider any previous packets which may be part of a multiple packet transaction. In other words, a packet filtering firewall is stateless. The intention of providing this rule-set is to allow you to get on-line quickly while providing you with basic security until you have had time to implement something better. No attempt has been made to optimize the rule-set. It is quite conceivable that you can re-order the rules or even reduce the number of rules - feel free to do that if you want to. However, ipchains are quite efficient. Each rule only takes a few microseconds to traverse, so there is not much to be gained unless you have lots of rules, e.g. hundreds.
                     
  6. Creating a Linux Firewall using the ITS Firewall Toolkit
    If you have a valuable or fragile network to protect, you may want to protect it with a very strong, well-proven firewall. In this article, Benjamin Ewy explains very thoroughly how to build your own 'bastion host' firewall with Linux. As more and more companies try to develop a presence on the Internet, establishing a secure network perimeter is becoming a very important topic. There are many varieties of what are loosely referred to as firewalls. The general principle behind a firewall is that it serves as a choke point between an internal network and the outside world. The choke point only allows traffic through that is deemed safe.
                               
  7. Firewall Administration
    First of all, look at the manual page of ipfwadm, ipfwadm(8). If you need some more info about what the Linux firewalling and accounting code really does, you might also want to look at the ipfw(4) manual page. Note: don't confuse these with the ancient ipfw(8) manual page, that was distributed with the old ipfw utility, a predecessor of ipfwadm. Neither the manual pages nor the paper are trying to teach you about firewall theory in general. To design a proper firewall, you need to have some basic level of knowledge about firewalls, IP packet filtering, etc. To learn more about these topics, we recommend the book Building Internet Firewalls, 2nd Edition, written by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, and published by O'Reilly. 
                              
  8. The Linux Firewall-related  and proc Entries
    Most people, when creating a Linux firewall, concentrate solely on manipulating kernel network filters: the rulesets you create using userspace tools such as iptables (2.4 kernels), ipchains (2.2 kernels), or even ipfwadm (2.0 kernels). Modern Linux kernels have many settings that can be changed. Providing or overloading a plethora of system calls becomes unwieldy, and forcing administrators to write C code to change them at run time is a pain. Instead, the /proc filesystem was created.[1] /proc is a virtual filesystem -- it does not reside on any physical or remotely mounted disk -- that provides a view of the system configuration and runtime state. The /proc filesystem can be navigated just like any filesystem. Entries all appear to be standard files, directories, and symlinks, but are actually views into the kernel information itself. Some of these can be modified by root, but most are read only.
                          
  9. Understanding the Firewalls
    A firewall is a structure intended to keep a fire from spreading. Buildings have firewalls made of brick walls completely dividing sections of the building. In a car, a firewall is the metal wall separating the engine and passenger compartments. The first computer firewall was a non-routing Unix host with connections to two different networks. One network card connected to the Internet and the other to the private LAN. To reach the Internet from the private network, you had to log on to the firewall (Unix) server. You then used the resources of the system to access the Internet. For example, you could use X-windows to run Netscape's browser on the firewall system and have the display on your work station. With the browser running on the firewall, it has access to both networks.
       
  10. A Modern Linux Firewall 
    Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators. We strongly believe that your job is to make the high level security policy decisions and ours is to take care of the underlying details. This is a departure from your typical Linux firewall, which has traditionally required arcane implementation specific knowledge. Desktop or laptop: Our philosophy of simplicity has made Firestarter the most widely used Linux desktop firewall software available today. Server: Firestarter can be installed onto individual servers and managed graphically over SSH or using the shell. Gateway or dedicated firewall: Firestarter will set up Internet connection sharing for you with a minimum of fuss. Want DHCP for the clients? Sure you could configure it yourself, but we know you never get around to doing it; with Firestarter it only takes one click.
                                                               
  11. Linux Firewall
    The Projectfiles.com Linux Firewall is the Swiss Army knife of Linux firewall software. Based on the netfilter-iptables tools, the firewall is a single shell executable written in bash with configuration options and basic documentation included in the same file. It is a flexible tool for building secure networks, designed for use with all types of systems: workstations, routers, and servers, plus it includes optional features for advanced users and Internet Service Providers.
                                                 
  12. Astaro Internet Security
    Reduce security threats from viruses, worms, spyware, hackers and denial of service attacks. Eliminate access to forbidden content. Limit exposure to liability issues and gain legal compliance to the Children’s Internet Protection Act. Eliminate spam and access to non-learning related materials. Protect your investment by conserving bandwidth. Astaro is a complete internet security solution that protects against a wide range of threats to any learning environment. It consists of these nine critical security applications: Firewall, Intrusion Protection, VPN Gateway, Spyware Protection, Content Filtering, Virus Protection for the Web, Virus Protection for Email, Phishing Protection and Spam Protection.
                                                   
  13. Linux Firewall using iptables
    Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:
    > Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
    > Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
    > Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
                                                  
  14. The Perfect Linux Firewall
    This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic. This is intended to be a quick and dirty overview on creating an IPCop firewall and comes without warranty of any kind. The IPCop project is a GNU/GPL project that offers an exceptional, feature-packed standalone firewall to the internet community. Its comprehensive web interface, well documented administration guides, and its involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It goes far beyond a simple ipchains / netfilter implementation available in most Linux distributions and even the firewall feature sets of commercial competitors.
                                         
  15. The rcf Linux Firewall
    rcf (aka rc.firewall) is an ipchains-based firewall with support for over 50 network service modules (including vtun, dhcp, nfs, smb, napster, proxies, online games, etc.), masquerading, port forwarding, and ip accounting. All services are self-contained modules which can be prioritized in the ipchains stack. Protections include spoofing, stuffed routing/masquerading, DoS, smurf attacks, outgoing port scans, and many more. rcf also supports unlimited public, private (masqu'ed), dmz, and mz (non-masqu'ed) interfaces and their subnets. Access rules are defined per interface and dmz/mz server "clusters". rcf is compatible with Red Hat, Slackware, Debian, Linux Router Project (LRP), and many other distros. rcf is distributed under the General Public License (GPL) terms.
                                           
  16. Wolverine Firewall FW-200
    The Wolverine FW-200 firewall is an ideal solution for remote/branch offices with 25-100 users. The FW-200 supports IP filtering rates up to 40Mbps and encryption throughput of up to 10Mbps. This unit includes a Wolverine commercial use license in the price of the purchase.
    266MHz Geode processor
    3 x 10/100Mbps Ethernet interfaces 
    RS232 Serial console (9 pin null modem cable included) 
    1 USB port (Note: Wolverine will not currently make use of this port) 
    Front panel power, error, network, and disk LED indicators 
    128Mb system RAM 
    128Mb flash memory for firewall OS 
    5 - 20VDC 5W power requirements (comes with a 120VAC                                             
                                                        
  17. Coyote Linux personal firewall
    This personal firewall distribution of Linux is designed for the purpose of protecting a personal or educational network. In addition to being designed to have very low hardware requirements, Coyote Linux is able to provide the performance and uptime that is expected from any Linux-based system. This release is available free of charge and can be downloaded from the "Downloads" link in the left hand menu. NOTE: This product is licensed for personal and educational use only. If you would like to use our products for commercial or government use, please see the "Wolverine Firewall and VPN Server".
    Linux 2.6 based system kernel 
    Iptables based stateful firewalling 
    Support for Ethernet (static and DHCP) and PPPoE Internet connections. 
    Excellent uptime and operating system reliability 

                                    
  18. Creating A Linux Firewall Using the TIS
    If you have a valuable or fragile network to protect, you may want to protect it with a very strong, well-proven firewall. In this article, Benjamin Ewy explains very thoroughly how to build your own 'bastion host' firewall with Linux. As more and more companies try to develop a presence on the Internet, establishing a secure network perimeter is becoming a very important topic. There are many varieties of what are loosely referred to as firewalls. The general principle behind a firewall is that it serves as a choke point between an internal network and the outside world. The choke point only allows traffic through that is deemed safe.
                                                
  19. Firewall Administration
    X/OS Experts in Open Systems BV, a relatively unknown Dutch company but active in the international Linux and Open Source community for over 10 years, has announced the availability of X/OS Linux 4. X/OS Linux is composed of Free software selected for the needs of the professional user. The new release offers, in terms of security, scalability and performance, a range of possibilities that was previously only available on expensive UNIX systems. This release represents a milestone in the development of Linux and Open Source software for professional use. Besides offering a reliable platform for the most demanding applications, X/OS Linux 4 includes numerous innovations for server and desktop deployments,” said Jeroen van Holst, Business Development Manager at X/OS.
                                                 
  20. The Perfect Linux Firewall Part II
    Marco Peereboom explains a little about the OpenBSD financial needs, in terms of what is needed and how it is used. CD sales are down and FTP installs are up, which paints a pretty bleak picture. For there to be a hackathon next year there must either be a sponsor or a significant rise in donations. For the full text please read this article on undeadly.org. Keep in mind the other ancillary (but not less important) projects of OpenSSH, OpenNTPD, OpenBGPD all rely on these donations to keep providing this high quality and completely unencumbered software. Software development is not cheap and quality reliable software is even less so. Hackathons bring a lot of change, direction and innovation to the community and are therefore worth every penny, so please help keep them an annual event.
                                                     
  21. Firewall and Proxy Server
    David Rudder wrote this original version of this Firewall-HOWTO, these many moons ago, and I'd still like to thank him for allowing me to update his work. I'd also like to thank Ian Gough for kindly assisting this dyslexic writer. Firewalls have gained great popularity as the ultimate in Internet Security. Like most hot subjects they are also often misunderstood. This HOWTO will go over the basics of what a firewall is and how to set one up. I am using kernel 2.2.13 and RedHat 6.1 to develop this howto so the examples here are based on this distribution. If you find differences in your distribution, please email me and I'll update this howto.
                                              
  22. InJoy Firewall Linux
    With InJoy Firewall™ 3.0 you can say good-bye to old-generation Firewall solutions that were difficult to implement, manage and measure. InJoy Firewall™ is different. This multi-purpose Firewall readies you for the future through Deep Packet Inspection, unique MULTI-PLATFORM support, and market-leading IPSec VPN support. Its unparalleled network monitoring turns you into a SECURITY PROFESSIONAL with unique real-time insight into any network activity. The InJoy Firewall™ is a flexible firewall security solution for organizations of all sizes. It offers enterprise-class next-generation security, preconfigured policy templates - including full customization options, seamless IPSec VPN integration, superior gateway capability, intuitive management, access control, a wealth of documented deployment examples, unmatched control, and comprehensive documentation.
                                   
  23. Linux Firewall - Stable branch
    Projectfiles.com Linux Firewall is a powerful firewall based on netfilter-iptables. It supports features such as access control and port forwarding, and is flexible enough to be used on workstations, servers, and routers. The configuration options, basic documentation, and firewall script are contained in a single file. There are built-in syntax and configuration safeguards with verbose success and failure messages. Free and commercial support is available, including an online knowledge base of over 700 related articles. 
                                          
  24. The Perfect Linux Firewall --IPCop
    This tutorial deals with setting up a Linux firewall based on IPCop. It consists of two parts: The first part describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second part we will be creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering your application layer ingress and egress network traffic.
                                           
  25. A Simple Linux Firewall
    This tutorial describes how to set up a very simple firewall for Linux, to greatly increase the security of your box against outside attacks. I assume that you are firewalling a Linux machine in the CS department at UC Berkeley. Otherwise, you will need to adjust the hostnames and configuration details to taste. Here are the steps to improving the security of your machine: 
    Get root on the machine in question. (Legally.) All of the following require root privileges. 
    Re-compile your kernel with all the IP firewalling options enabled. More specifically, enable network firewalls, IP firewalling, IP firewall packet logging, IP always defragment, IP drop source routed frames, IP SYN cookies, and IP accounting. While you're at it, get the latest (2.0.37?) kernel, which has a number of security fixes. (If you like, you can also turn on other goodies like IP multicast, IP masquerading, network aliasing, etc., but these are not required for the firewalling configuration.) Note that these instructions will only work for the 2.0.x series kernels. 
                                                           
  26. Linux Firewall Tutorial
    Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel version 1.2.1 in 1995. Ipfwadm enabled standard TCP/IP packet filtering features such as filtering by source/target addresses and port numbers. Then, in early 1999, when the first stable 2.2.0 kernel was released, firewalling code was replaced with new ipchains-controlled code. New features included support for chains of rules, fragmentation handling, better network address translation (NAT) support and several usability improvements. Readers should be reminded that Linux firewalling includes kernel-level code (usually in the form of a loadable module or kernel source patch) and user-level code (a control utility such as /usr/bin/ipchains, that is used to insert packet rules into kernel-space). Thus whenever new Linux firewalling code was introduced, it involved both a kernel and a userspace code rewrite.
                                        
  27. Linux Embedded Appliance Firewall
    A secure, feature-rich, customizable embedded Linux network appliance for use in a variety of network topologies. Although it can be used in other ways, it's primarily used as an Internet gateway, router, firewall, and wireless access point. Project Goals: Create an inclusive environment where LEAF project members and the extended community are free to release content to the public. Support continued development of current LEAF releases/branches. Create new LEAF releases/branches with current Linux kernels and libraries, while retaining the option to install the target environment on various devices attached to the target. Maintain as small a footprint as possible for release/branch target installations. Promote creation of packages usable by all LEAF releases/branches.
                                          
  28. Linux-Sec.net
    Security is "Can you still continue to work productively/safely, without compounding the security breach" 
    Security is only as good as your "weakest link" 
    Security is "risk management of your corporate resources (computers) and people"
    Security is "Can somebody physically walk out with your computers, disks, tapes, " 
    Security is a Process, Methodology, Policies and People 
    Security is 24x7x365 constantly ongoing .. never ending 
    Security is "learn all you can as fast as you can, without negatively affecting the network, productivity and budget" 
                                               
  29. Shoreline Firewall
    The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
                                         
  30. Automatic Firewall Script
    If you are a broadband or dial-up user who doesn't have a firewall script, you need to get one to protect yourself. AutoFW is intended to help you do that with no hassles. Many people when connecting to the internet need a firewall script made for them so they can surf the net without being susceptible to various attacks. Most, if not all (until now :-), of the existing scripts are written for a large range of requirements and require some tweaking to make them work for a specific user. However, many users do not know which parameters to fill in the script config file. AutoFW intends to provide a simple firewall script that you just need to fire and forget. You make sure to run it on computer start-up or just before connecting to the net, and it will detect network conditions and set up appropriate firewall rules for you.
                                       
  31. Turning the SEGA Dreamcast into a Linux firewall/router
    This highly detailed 101-page how-to article provides the necessary background and procedures to turn a SEGA Dreamcast gaming console into a Linux-based software router with firewalling and virtual private networking capabilities. The article explains how to create the necessary toolchain for compiling both programs and the Linux kernel, and shows how, starting from scratch, you can build a Linux operating system that runs entirely in memory. Today, the total costs of ownership (TCO) of a personal computer are so low that you might wonder: "Why bother to build a software router based on a gaming console?" Actually, a number of technical challenges made the project particularly interesting. First, the hardware architecture is a non-x86 computer system, so there is the challenge of learning to work with a "foreign" platform. Next, there is the challenge of learning to set up and use cross compilers. Cross compiling raises a number of issues you don't run into when you are simply recompiling your favorite program to run on your (x86) PC, assuming the program was already designed to run on an x86 platform.
                                             
  32. Building a Linux Firewall
    The growth of the Internet has prompted many organizations to become security-conscious. Documented and undocumented incidents of security violations, expanded research about security issues, and even media hype have brought about the potential for at least partial solutions for securing a networked environment---without completely isolating the network from the outside world. Leading the pack of solutions is the firewall. Just about everyone has defined what a firewall is, so I won't be any different. A firewall is a device or collection of devices that restricts the access of "outside" networks to "inside" networks. Not surprisingly, Linux can play a part in this arena. There are currently three models used to classify firewalls. Fundamentally, the current industry classifications are application proxy gateway, circuit level relay, and packet filter.
                                          
  33. Feather Linux for Firewall
    The firewall infrastructure of GNU/Linux consists of two parts, the kernel (netfilter) and the configuration structure (iptables). In order to build a firewall structure in GNU/Linux, you first need the proper netfilter support, which almost every Linux distribution includes by default. The second part is the set of rules that govern the packets (traffic) to be let in and the packets to deny. These rule sets are called chains. To set your rules, you must set up a chain of them to manipulate packets appropriately. Apart from the basic functionality of the netfilter/iptables structure, there is another function called masquerading. Masquerading allows one GNU/Linux computer to serve as an internet provider--a gateway--for other computers. When a computer from the LAN (inside the firewall) sends a packet to the internet (outside), the gateway marks the packets and sends them from the IP address of the firewall, not the computer within the LAN. When a response comes in, the firewall changes the packet's destination address and resends the packet to the original computer. This is masquerading, or NAT (Network Address Translation), and is a very popular technique to share the internet among many computers.
                                             
  34. The SINUS Firewall
    One of the goals in the SINUS project is to assess the potential of security without obscurity. The SINUS Firewall is a TCP/IP packet filter for the Linux operating system. It is distributed under the GNU General Public Licence and comes with complete source code, as the Linux operating system does. The SINUS firewall is a free and easy way to protect your network from the daily threats of the Internet. It does not guarantee perfect security, however it comes. To install the software, you need a Linux 2.0.x based system. We suggest you install a bare-bone system without X or any of the other nifty features which tend to have security holes. You should not install user accounts on the firewall system. Log-ins other than from the console should be forbidden (if you absolutely have to log in remotely, we strongly suggest you install a copy of ssh).
                                                  
  35. EPIA CL Linux Firewall
    The EPIA CL has 2 Network Interfaces on board, making it ideal for use as a basic Two-Interface Firewall, in combination with an ADSL or Cable Modem. The idea is that all internet traffic is piped through one NIC and into the EPIA CL, and allowed through the other NIC onto the local network only if the firewall allows it. We'll also be allocating IP addresses with a DHCP server, sharing our internet connection with other machines and running a local DNS server to resolve domain names. The OS chosen will of course be Linux - all of these features are available out of the box. We chose Shorewall to configure the firewall built into the Linux kernel. This guide will also apply to any EPIA with an additional NIC on a PCI card. The advantage of using the EPIA CL is the PCI slot is kept free, and a smaller enclosure can be chosen - our fanless EPIA CL 6000 fits into a wee Cubid 3688 case and runs in near silence.
                                       
  36. Linux and Firewalls
    Linux is secure enough to be used on the internet without a firewall, provided that you're using it just as a client, and don't have any remote services running. Most distros have all remote services turned off by default. If you have any Windows machines, or are running a server, you should have a firewall. Linux machines are often used as firewalls, and some SOHO broadband routers are actually embedded devices running Linux. When looking for a firewall package, it is important to remember that the firewall is only one step in a well managed security policy. Please do not rely on a firewall as the sole means of protection.
                     
  37. The Linux Firewall Administration Program
    This chapter covers the iptables firewall administration program used to build a Netfilter firewall. For those of you who are familiar with or accustomed to the older ipfwadm and ipchains programs used with the IPFW technology, iptables will look very similar to those programs. However, it is much more feature-rich and flexible, and it is very different on subtle levels. "Packet-Filtering Concepts," covers the background ideas and concepts behind a packet-filtering firewall. Each built-in rule chain has its own default policy. Each rule can apply not only to an individual chain, but also to a specific network interface, message protocol type (such as TCP, UDP, or ICMP), and service port or ICMP message type number. Individual acceptance, denial, and rejection rules are defined for the INPUT chain and the OUTPUT chain, as well as for the FORWARD chain, which you'll learn about at the end of this chapter and in Chapter 6, "Packet Forwarding." The next chapter pulls those ideas together to demonstrate how to build a simple, single-system, custom-designed .
                                                      
  38. Linux Distributions
    When Linus Torvalds first developed Linux back in August of 1991, the operating system basically consisted of his kernel and some GNU tools. With the help of others Linus added more and more tools and applications. With time, individuals, university students and companies began distributing Linux with their own choice of packages bound around Linus' kernel. This is where the concept of the "distribution" was born. Today, creating and selling Linux distributions is a multi-million dollar business. You can buy a boxed version of Linux from companies such as Red Hat, SuSE, MandrakeSoft and others. You can also download Linux from any number of companies and individuals. There are distributions of all types and for practically any kind of computing endeavor. There are versions of Linux that will give you a firewall, will boot the entire operating system from a floppy disk or CD-ROM or can be used to power TV "set-top" boxes. 
                                           
  39. Linux: Firewall Implementation
    A poorly implemented firewall not only allows viruses to slip past your defenses -- it could lock you out of your host, according to James Turnbull, author of Hardening Linux. In this Q&A, he explains how Linux firewalls differ from those used in Windows, and then points out how to avoid common pitfalls that can plague firewall configuration. In their core function, Linux and Windows firewalls do not really differ. The major difference is how firewalls are deployed in Linux and Windows environments. In the Windows world, host firewalling (which entails putting a firewall on your hosts -- not just adding a firewall or firewalls into the network to protect all your hosts) is generally limited to desktop systems using tools like Zone Alarm or the in-built Windows XP firewall. Most companies do not firewall their individual Windows server hosts but rely on a network-based firewall to restrict the traffic flows to the host to only those that are acceptable.
                                             
  40. Adaptive Linux Firewall
    Automatic firewall hardening is a technique used by many commercial firewalls to prevent invalid packets from reaching protected networks. The objective of this document is to demonstrate how to harden iptables in real-time. By default, iptables can log messages via the Linux syslogd daemon. Logs by themselves are fine for basic security but do not address advanced security issues. For advanced security a system needs to run custom scripts as soon as illegal operations are logged by the firewall. Depending on the severity of the violations, you can program these scripts to perform various actions such as blocking offending IP addresses. The techniques outlined in this document are not limited to iptables, and can also be modified to process output from any application which logs via syslog, e.g. intrusion detection scanners such as SNORT.
                              
  41. Iptables Tutorial
    The aim of the iptables-tutorial is to explain iptables in a complete and simple way. The iptables-tutorial is currently rather stable, and contains information on all the currently available matches and targets (in kernel), as well as a couple of complete example scripts and explanations. It contains a complete section on iptables syntax, as well as other interesting commands such as iptables-save and iptables-restore.  For the moment, this tutorial is hopefully at a stand-still. If anyone finds a problem or incomplete explanation, I will fix it. However, most of my time goes to getting the ipsysctl-tutorial finished for now. 
                                  
  42. Linux stuff-and install notes
    I've been testing distributions one at a time. I bought the libranet installer for debian - and it went without a hitch. So far I'm really liking what I see. Libranet earned their money by adding a few time saving tools. I like it much better than Redhat. An example helps - I needed to install e3 (a tiny text editor I've grown used to) and all I did to make this happen was to open the Admin-libranet - click on add package from internet - it asks for the package name - and it is finished. I've also noticed that for some reason debian includes exim, slypheed and other gpl packages that I would have to go get with redhat/mandrake/Suse. The biggest reason I like Debian is that it seems to be the heart of the linux community - my hunch is that most gpl developers are using debian and reading between the lines the other distributions get their updates from debian anyway.
                                    
  43. TCP/IP Firewall
    Security is increasingly important for companies and individuals alike. The Internet has provided them with a powerful tool to distribute information about themselves and obtain information from others, but it has also exposed them to dangers that they have previously been exempt from. Computer crime, information theft, and malicious damage are all potential dangers. An unauthorized and unscrupulous person who gains access to a computer system may guess system passwords or exploit the bugs and idiosyncratic behavior of certain programs to obtain a working account on that machine. Once they are able to log in to the machine, they may have access to information that may be damaging, such as commercially sensitive information like marketing plans, new project details, or customer information databases. Damaging or modifying this type of data can cause severe setbacks to the company.
                                           
  44. A Linux Firewall for Debian, SuSE, and other Linux Distributions
    Pico FIREWALL is a small (as the prefix 'pico' implies) firewall based on netfilter (the part in the Linux-Kernel) and iptables (the user-interface). It is set up to be a stateful firewall, meaning that it keeps track of its connections and thereby distinguishes packets associated with an established connection from packets, which are not associated with a connection from your PC. Pico FIREWALL was especially designed to serve three purposes: Protect the machine very well, easy or no configuration, and find a good balance of logging packets and keep the log file small. A useful feature is rule-based logging: the entries in the log-file allow to find the corresponding rule in picofirewall.conf, which caused the entry. These rule-based comments also appear in the log file analysis program picoFIRESCAN. The principle followed was a 'drop all packets philosophy', then allow needed packets on a step-by-step basis; this concept seemed more safe to me than the other way round (first allow everything, then make restrictions).
                                            
  45. A Linux Firewall Primer
    If you’ve been considering using a Linux firewall solution to protect your network, be sure to check out Mark Stone’s Linux firewall primer on Linux.com. Rather than getting into the actual nuts and bolts of building a firewall or firewall script, he discusses the administrative and decision-making process behind using a Linux firewall. He starts with a firewall primer, telling us exactly what a firewall is and why you need one (not to mention reminding us that a firewall is not the be-all, end-all solution to protecting your network). He also provides a good definition of stateless and stateful filtering, and also discusses the solutions available for firewall management and dedicated firewall packages/distributions.
                                            
  46. Statistics SuSE Linux Firewall
    Statistics based on released Secunia advisories since 2003. Choose below to see statistics based on different criteria. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often covers multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities are also important.
                                     
  47. Setting Up a Linux Firewall on Your Network
    Go outside and pop the hood of your car. You should see a thick metal barrier at the back of the engine compartment. This is called the firewall. To see how it works, poke a small hole in the fuel line so that a tiny amount of gasoline starts dripping on the engine block. Now close the hood, start the car, and head out on the highway. If you have positioned the puncture correctly, within a few minutes the escaped gasoline should ignite and cause a small engine fire. At this point you may see smoke emerge from the engine compartment. Continue driving. You should be able to proceed a considerable distance before the heat becomes uncomfortable and toxic fumes and flames start to enter the passenger compartment. The reason you can drive so far with a flaming engine is because the firewall is a highly effective barrier between the engine compartment and the passenger compartment. If your car had no firewall, the engine fire would have already melted the dashboard electronics and plastic, destroyed the upholstery, and toasted you to a crisp. 
                                                
  48. Astaro All-in-One Security: Firewall
    The Astaro firewall manages inbound and outbound communications traffic, as well as traffic between internal networks. Administrators can block or allow access, for each protocol, to each internal network, server, service, and user group. Astaro’s firewall provides both stateful packet inspection and application-level deep packet filtering. Packet headers are inspected, and ongoing connections are monitored, to make sure that they conform to the appropriate policies. Application-level proxies scan content (payloads) to ensure conformance with rules specific to web traffic, email, DNS, and other broad application types. With the easy-to-use WebAdmin graphical interface, administrators can quickly set rules to block or allow traffic, by protocol and by port, between pairs of source and destination addresses.
                                             
  49. Symantec preps Linux firewall for IBM iSeries
    Symantec will announce this week that it is working with IBM to deliver a hardened firewall which will run within an iSeries Linux partition and provide protection for the iSeries or other connected servers on corporate networks, Timothy Prickett Morgan writes. The firewall is a tweaked version of Symantec's Enterprise Firewall for Windows and Solaris servers, and it is expected to be available in the second half of 2002. OS/400 V5R2 is expected to start shipping at around the same time--notwithstanding recent rumors about IBM's moving up the next-generation iSeries announcements (an announcement is not the same thing as a delivery date, remember). Sources at Symantec say that they are keen on moving into the OS/400 server space, but that there are some significant issues involved with supporting the open-source Linux operating system.
                                                                  
  50. Building Linux and OpenBSD Firewalls
    This is one of those rare books that makes me think, "Gee, someone out there is on the same wavelength as I am". While all the information in this book can be found in man pages or on the internet, it packages it all conveniently in one chunk. What we are given is a book that serves as the best introduction to firewall design and implementation that I have yet seen. Experts will probably not find anything new in this book but it will still serve as excellent reference material. It even contains a brief vi tutorial :) The book is written with a great sense of humour, so people that are expecting a dry technical volume may be put off by this, as well as the authors' proclivity to extol the virtues of the open source philosophy at every possible opportunity. Mind you, these are some of the same reasons that I enjoyed the book as much as I did. If someone were to slap a picture of an animal on the cover, this book would be right at home in the O'Reilly nutshell series.
                                       
  51. Two-Faced: Setting up a Simple Linux Firewall
    This is an overview of the things I think you need to know if you're going to try and set up a simple firewall using linux on an old PC (really it's an excuse for me to whine about the hassles I went through doing this, but I've got to get something out of it). First of all, ask yourself why you're doing this. You can buy a simple off-the-shelf firewall/router gadget pretty cheap these days, and I hear at least some of them have fairly easy-to-use administration features (e.g. via a web browser). Saving money by using that old PC you've got kicking around is unlikely. Acceptable answers include "learning experience" and "insanity".
                                       
  52. The perfect Linux firewall part II – IPCop & Copfilter
    This document is the second segment in a series on installing IPCop firewall. We will be creating a “DMZ” for hosting your own web server or mail server and the Copfilter proxy for filtering your application layer ingress and egress network traffic. This is intended to be a rough overview on creating an IPCop firewall with Copfilter and comes without warranty of any kind. Given the instructions from the previous article, you should have a full installation of IPCop running. The current focus remains two-fold: to get your server in the Orange (DMZ) segment of your IPCop Network and opening up the ports on your firewall to allow web traffic to it.
                                                            
  53. Linux Firewall Tips
    Firewalls are a useful way of adding some security to your system, but they are not a panacea. A properly configured firewall can make it much harder to break into your system, and in some cases can even protect you from mistakes or misconfigurations elsewhere in the system, but should not be viewed as the sole, or even the main, defense against hacking, but merely one of a system of defenses. Regular and frequent patching and updates are still essential. Campus and the department currently have only minimal firewall enabled at the network level. Individual machines can have personal firewalls as well, which are not as effective as network level firewalling but still useful. Linux boxes can use the iptables firewall/packet filter to provide some added security.
                                                
  54. Firewall Basics
    A firewall is just a combination of two other network server functions: a gateway and a proxy. A gateway machine is a facilitator: before a computer on your local area network (LAN) can "talk" to another computer on the Internet at large, it must know how to find that computer and be able to establish a connection to it. A gateway machine facilitates making this connection. All Internet-bound traffic on your LAN passes through the gateway. A proxy server is a mediator: it does not allow direct communication between two computers, but rather acts as a go-between. Neither end computer talks directly to the other, but instead they talk to each other through the proxy. A consequence of this arrangement is that a proxy server can filter the kinds of communication that are allowed between two computers. A firewall, then, is both a facilitator and a mediator. It facilitates by providing the gateway functions that all computers on the LAN need to communicate outside. It mediates, in that computers on the LAN have their communications proxied by, and potentially filtered by the firewall.
                                             
  55. Linux Pipeline: A using Linux Firewall
    In the Wild West atmosphere of the Internet, firewalls are a popular topic. That's a good thing: Whether you're responsible for hundreds of corporate servers or a single home workstation, anyone who manages a computer needs to know how firewalls work and how to deploy them properly. A firewall controls access to a local network, locking out intruders while keeping your systems--and your data--safe on the inside. The firewall capabilities built into Linux can also restrict outgoing network access, ensuring that your corporate secrets remain secret, even against an attack from inside a local network. I'll go into further detail about this later; for now, it's enough to know that you can use a Linux firewall to identify and control access to any computer with an IP address. The world of Linux firewall access depends on the interactions between three main players: netfilter, a subsystem in the Linux kernel that analyzes and filters IP data packets; iptables, a tool for managing and applying the rulesets that apply these packet filters; and hardware such as the eth0 device or an attached modem-*. The firewall software itself is defined as the interaction between input and output queues, transformation queues (there may be many other queues), and a rule base that further defines such interaction between queues.
                                                       
  56. Advancing Firewall Protection
    With more than one million users, U.K.-based SmoothWall’s Firewall may just be the most popular software firewall that has yet to become a household name. Test Center engineers recently took a look at products from Smooth Wall to see what all the buzz is about and to see exactly why one million users have chosen the product. The first thing to understand about SmoothWall’s Firewall is that there are two versions available: an open-source version that is free to anyone and a commercial version, named Smooth Wall Advanced Firewall, that offers significant feature enhancements over the open-source version. The Advanced Firewall product supports add-on security technologies such as bandwidth management, antivirus and content filtering.
                                      
  57. Linux VPN Masquerade
    IP Masquerade is a feature of the Linux kernel that permits you to share secure access to the Internet. If you only have one connection to the Internet, whether it is a dial-up phone line, ISDN, DSL, a Cable modem, or something else, a Linux-based IP Masquerade firewall will allow you to share that access, permitting as many computers as you wish on your local network to communicate with the Internet simultaneously. 
    Your whole office (or family) can surf the World Wide Web, chat, do file transfers, play games and telecommute at the same time. VPN Masquerade is the part of IP Masquerade which enables you to use IPsec-based and PPTP-based Virtual Private Network clients from behind a shared-access firewall. 
     
  58. Linux Software
    Port Scan Attack Detector (psad) is a collection of three lightweight system daemons written in Perl and C that are designed to work with Linux iptables firewalling code to detect port scans and other suspect traffic. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, email alerting, DShield reporting, and automatic blocking of offending IP addresses via dynamic configuration of iptables firewall rulesets. In addition, psad incorporates many of the TCP, UDP, and ICMP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap. Psad also uses packet TTL, IP id, TOS, and TCP window sizes to passively fingerprint the remote operating system from which scans originate.
Send your comments, Suggestions or Queries regarding this site at roseindia_net@yahoo.com.

Copyright © 2004. All rights reserved.