Welcome to Linux Knowledge Base and Tutorial
Linux Tutorial - Networking - Firewalls
If you connect to the Internet at all, you need to consider protecting your internal network. If you set up an Internet server that has only one network interface, connected to the Internet, then there is no path from that machine into your internal network and an intruder who breaks into it cannot go any further. This provides the most security short of not connecting at all, but it means more work on your part to move data to and from that machine.

The alternative is a system that gives an outsider the least possible chance of getting into your network while still letting you get to, and through, the gateway machine. This is the concept of a firewall.

Like a firewall in a building, a network firewall functions more or less as "damage control". Should a fire break out, the firewall prevents it from spreading further. With a network firewall, should an intruder break into the gateway machine, the potential for further damage is limited.

In the following section we will talk about the basic issues involved in implementing a firewall on your machine. Keep in mind that these are the basics; there is more to it if you want to make your system as safe as possible. In terms of car security, this is analogous to telling you to lock your door or to install an anti-theft device like "The Club", without going into details such as electronic devices that cut the fuel flow if the car is hot-wired.

First, let's talk briefly about the firewall itself. Your firewall is a machine with routing capabilities. Technically it does not need to be a computer; it can be something as simple as a router. As its name implies, a router is a machine that routes packets. Most routers let you configure not only where packets are allowed to go, but also where they are allowed to come from. Many can be tuned even more finely, for example by limiting the type of packets and the ports they may be sent to or from.

If you use a computer as your router, it needs routing capabilities, as a Linux machine has. Because it offers packet routing and filtering in the kernel alongside services such as FTP and HTTP, a Linux machine is well suited to the task. This helps explain why approximately 10% of all Internet servers are running Linux.

One way of making the firewall safe is to prevent all packets from going through it; that is, packets are simply not forwarded. Short of that, many routers can be configured so that incoming packets are blocked while outgoing packets are let through.

Note that this does not mean you can only send packets to the outside and never hear the answer. It means that connections which originate on the outside are blocked. When you send a request from an internal machine, the packets you receive back are responses or acknowledgments to that request. Such packets are allowed through; packets that try to open a new connection from the outside are not.

This has a slight danger. A filter that decides "this is a reply" by looking only at the packet itself (for TCP, whether the ACK flag is set) can be fooled, because an outsider can forge packets that carry the ACK flag and so reach ports on internal machines that never asked for anything. Doing something useful with that requires detailed knowledge of both the TCP/IP protocols and the application involved, so it is not something the casual attacker is going to try. However, it is possible. A filter that keeps track of each connection, and lets in only packets that are replies to requests it has actually seen go out, closes most of this gap.
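The difference between the two kinds of "let replies in" filter described in the last few paragraphs is easiest to see with a small simulation. The following is an added example, not code from the tutorial: it models a stateless rule that drops only inbound packets opening a new TCP connection (SYN set, ACK clear), next to a connection-tracking rule that remembers the flows internal hosts opened. The internal network 192.168.1.0/24, the outside addresses and all four packets are constructed for the demonstration.

```python
"""Stateless vs. stateful handling of "reply" packets (simulated filter)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN


@dataclass(frozen=True)
class Packet:
    """The handful of header fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> bool:
    """Forward anything from inside; from outside, drop only packets that try to
    open a new TCP connection (SYN set, ACK clear).  Everything else is assumed
    to be a reply and let through.  Trusting the ACK bit is the weakness."""
    if is_internal(pkt.src):
        return True
    return not (pkt.syn and not pkt.ack)


class StatefulFilter:
    """Connection tracking: a packet from outside is forwarded only if it is
    the reverse direction of a flow an internal host opened earlier."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A genuine reply has our src/dst and ports swapped relative to the request.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Run constructed packets through both filters, in order.
    Returns {name: (stateless_decision, stateful_decision)}; True means forwarded."""
    stateful = StatefulFilter()
    packets = {
        # 1. An internal client opens a connection to a web server outside.
        "outbound SYN": Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
        # 2. The genuine SYN/ACK reply from that server.
        "genuine SYN/ACK": Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),
        # 3. An outsider forges a packet with ACK set, aimed at an internal SSH port
        #    that no internal host ever contacted it from.
        "forged ACK probe": Packet("198.51.100.7", 4444, "192.168.1.20", 22, ack=True),
        # 4. A plain connection attempt from outside, blocked by both.
        "inbound SYN": Packet("198.51.100.7", 4445, "192.168.1.20", 22, syn=True),
    }
    return {name: (stateless_filter(p), stateful.allow(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        verdict = lambda ok: "pass" if ok else "drop"
        print(f"{name:18s} stateless={verdict(stateless):4s} stateful={verdict(stateful)}")
```

The forged probe passes the stateless filter and is dropped by the stateful one; both filters agree on the legitimate traffic. On a Linux firewall the stateless rule corresponds to matching with `! --syn`, and the stateful one to the connection-tracking match (`-m state --state ESTABLISHED,RELATED`), which is what you want.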

To increase the security of your system, you can turn off packet routing altogether. Then no packet is let through at all. In such a system you must first connect to the firewall machine and from there connect to the Internet. At this point you have two distinct networks: the firewall can see both of them, but neither can see the other. Since nothing gets through, not even email, your internal network is (fairly) safe.

This means that an intruder cannot reach your internal network directly; he must first break into the firewall and use it as a "springboard" to get inside. Unfortunately, it also means that people on the inside cannot reach the Internet without first logging in to the gateway machine. If this is your choice, then security matters more to you than the inconvenience your users encounter.

The alternative is what is called a proxy server. In essence, it functions like a translator. When a connection reaches the proxy server, it is relayed onto another connection on the other side of the firewall. For example, httpd (the web server daemon) normally listens on port 80, but with routing turned off that port on the outside machine cannot be reached from the inside. Instead, I connect to port 1080 (or some other port above 1024) on the proxy. The service listening on that port opens a connection to port 80 on the destination machine to complete the HTTP connection. This middleman, or proxy, does the translation for my application. Other than knowing that I need to connect to the proxy first, the functionality is the same as if there were no firewall.

There are a couple of ways of implementing the proxy under Linux, which we will get to later.
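Before getting to those implementations, here is the mechanism of the previous paragraph in its simplest form: a relay that listens on one port, opens its own connection to the destination, and copies bytes in both directions. This is an added example, not the tutorial's code nor one of the Linux proxy packages it refers to; it is a fixed-destination port forwarder rather than an HTTP-aware proxy. The toy "web server", the addresses and the ports are constructed so the whole demonstration runs on loopback.

```python
"""A minimal TCP relay: inside -> proxy port -> port 80 on the destination."""
from __future__ import annotations

import socket
import threading

BUFSIZE = 4096


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the
    far side sees EOF too (this is what lets the client know the reply ended)."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client: socket.socket, target: tuple[str, int]) -> None:
    """Serve one accepted client: connect to the real server, relay both ways."""
    with socket.create_connection(target) as upstream:
        to_server = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        to_server.start()
        pump(upstream, client)          # server -> client in this thread
        to_server.join()
    client.close()


def serve_one(listener: socket.socket, target: tuple[str, int]) -> None:
    """Accept a single client and relay it. A real proxy loops here and hands
    each accepted connection to its own thread."""
    conn, _ = listener.accept()
    relay(conn, target)


def run_demo() -> tuple[bytes, bytes]:
    """Constructed end-to-end run on 127.0.0.1: a toy origin server stands in for
    port 80 on the destination. Returns (request the origin saw, bytes the
    client got back)."""
    seen: dict[str, bytes] = {}

    origin = socket.socket()
    origin.bind(("127.0.0.1", 0))       # ephemeral port plays the role of port 80
    origin.listen(1)

    def origin_main() -> None:
        conn, _ = origin.accept()
        with conn:
            seen["request"] = conn.recv(BUFSIZE)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")

    proxy = socket.socket()
    proxy.bind(("127.0.0.1", 0))        # a real proxy binds its internal interface
    proxy.listen(1)

    threads = [
        threading.Thread(target=origin_main, daemon=True),
        threading.Thread(target=serve_one, args=(proxy, origin.getsockname()), daemon=True),
    ]
    for t in threads:
        t.start()

    # The client only knows the proxy's address; the proxy knows the destination.
    chunks = []
    with socket.create_connection(proxy.getsockname()) as client:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while True:
            data = client.recv(BUFSIZE)
            if not data:
                break
            chunks.append(data)
    for t in threads:
        t.join(timeout=5)
    origin.close()
    proxy.close()
    return seen.get("request", b""), b"".join(chunks)


if __name__ == "__main__":
    request, response = run_demo()
    print("origin saw:", request)
    print("client got:", response)
```

Note that the origin only ever sees a connection from the proxy's address, which is why a proxy on a non-forwarding firewall keeps the internal addresses invisible to the outside.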

Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.


