If you are connecting yourself to the Internet at all, then you need to consider protecting your internal network. If you set up an Internet server that has only one network interface, that being to the Internet, then your internal network is safe from intruders. This solution provides the ultimate in security (short of not connecting at all), but requires more work on your part to transfer data to and from that machine.
The alternative is to implement a system by which someone from the outside has the least chance of getting into your network, but you have the ability to get to and through that gateway machine. This is the concept of a firewall.
Like a firewall in a building, a network firewall functions more or less as “damage control”. Should a fire break out, the firewall prevents it from spreading further. With a network firewall, should an intruder break into the gateway machine, the potential for further damage is limited.
In the following section, we will talk about the basic issues involved in implementing a firewall on your machine. Keep in mind that these are the basics; there is more to it if you want to make your system as safe as possible. In terms of car security, this is analogous to telling you about locking your door or installing an anti-theft device like “The Club”, but we won’t go into details like electronic devices that cut the gas flow if the car is “hot-wired”.
First, let’s briefly talk about the firewall itself. Your firewall is a machine that has routing capabilities. Technically, it does not need to be a computer, but can be something as simple as a router. As its name implies, a router is a machine that routes
If you use a computer as your router, it needs to have routing capabilities, as a Linux machine does. Because it also provides services such as FTP and HTTP, a Linux machine is well suited to the task. This explains why approximately 10% of all Internet servers are running Linux.
A good way of making the firewall safe is to prevent all external
Note that this does not mean that you can only send
This carries a slight danger in that acknowledgment packets can be intercepted and manipulated. Doing so requires detailed knowledge of both the TCP/IP protocols and the application involved, so it is not something that the casual hacker is going to try. However, it is possible.
To increase the security of your system, you turn off packet
This means that an intruder cannot reach your internal network directly; he must first reach the firewall and use it as a “springboard” to get inside. Unfortunately, this also means that people on the inside cannot reach the Internet without first getting to the gateway machine. If this is your choice, then security is more important to you than the slight inconvenience that the users encounter.
The alternative is what is called a proxy server. In essence, this functions like a translator. When packets reach the proxy server, they are redirected to another connection on the other side of the firewall. For example, httpd (your web server daemon) normally listens on port 80. However, on the firewall this has been disabled. Instead, I connect to port 1080 (or some other port greater than 1024). The service that is listening on that port makes a connection to port 80 on the destination machine to complete the HTTP connection. This middleman, or proxy, does the translation for my application. Other than knowing that I need to connect to the proxy server first, the functionality is the same as if there were no firewall.
There are a couple of ways of implementing the proxy under Linux, which we will get to later.
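To make the “middleman” idea concrete, here is an added example (not code from the original text or from any Linux proxy package) of a minimal TCP proxy: it listens on an unprivileged port on the gateway, and for every client that connects it opens its own connection to the real service on the destination machine and copies bytes in both directions, so the client never talks to the destination directly. The hostnames, port numbers, the stand-in web server and the request text are all constructed for illustration; the listening port is left as a parameter, so 1080 from the text would simply be passed in. A client that cannot be matched with a working destination connection is closed rather than left hanging, which is the failure case a gateway has to handle.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # tell the other side we are done sending
        except OSError:
            pass


def relay(client, upstream):
    """Run both directions of one proxied connection, then close both sockets."""
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_proxy(listen_host, listen_port, dest_host, dest_port):
    """Bind the proxy on the gateway and serve connections in a background thread.

    Returns (bound_port, listener); passing listen_port=0 asks the OS for a free port.
    """
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ln.bind((listen_host, listen_port))
    ln.listen(16)
    port = ln.getsockname()[1]

    def serve():
        while True:
            try:
                client, _ = ln.accept()
            except OSError:
                return  # listener closed
            try:
                # The proxy, not the client, makes the connection to the real service.
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
            except OSError:
                client.close()  # destination unreachable: drop the client cleanly
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port, ln


def start_fake_web_server(host="127.0.0.1"):
    """Constructed stand-in for the destination web server (port 80 in the text).

    Answers every request with a fixed HTTP response. Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)  # read the (constructed) request and ignore its contents
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")

    threading.Thread(target=serve, daemon=True).start()
    return port


def fetch_via_proxy(proxy_host, proxy_port, request):
    """Client side: connect to the proxy first, as the text describes, and
    return whatever the destination service answered."""
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire everything together on loopback: client -> proxy -> fake destination."""
    dest_port = start_fake_web_server()
    proxy_port, _listener = start_proxy("127.0.0.1", 0, "127.0.0.1", dest_port)
    return fetch_via_proxy("127.0.0.1", proxy_port,
                           b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n")


if __name__ == "__main__":
    print(demo().decode())
```

Running the file prints the stand-in server's reply as received through the proxy. The point to notice is that the destination only ever sees a connection from the proxy's address: this is what lets the gateway sit between the two networks with packet forwarding turned off, while still giving inside users a working HTTP path.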