Small Office/Home Network Howto, Part 2:

Setting Up a Gateway/Firewall

by James R. Williams Zavada, June 2003

The only way to completely secure a computer is to never turn it on.
- Anonymous Quote

Disclaimer:

This information is provided in the hopes that you will find it useful and instructive. However, it is provided with ABSOLUTELY NO WARRANTY OF ANY KIND.

Any and all trademarks mentioned in this text are property of their respective owners.

Introduction:

The goal of this presentation is to provide you with the info necessary to determine the hardware and software needed to set up a gateway/firewall that you can use to safely and effectively connect your LAN to the Internet. Specifically, I'll answer the following questions:

  1. What is a gateway/firewall, and why do I need one?
  2. What hardware do I need to set one up?
  3. What software do I need to set one up?
  4. Where do I go for further information?

Keep in mind that this presentation will not specifically tell you how to set up firewall rules or NAT (ip masquerading), nor how to install and configure any Linux distribution or any software, other than to point you to the appropriate information sources. Rather, we will be providing you the info you need in order to make sound decisions regarding the hardware and software needed for your particular gateway/firewall situation. In addition, you may have to contact your ISP (or Linux users whom you know have used Linux to connect to your ISP) for connection information.

It is also important to keep in mind that networking, although possible for mere mortals, can be fraught with frustration and problems. When all goes well, it can be quite easy to set up a small network, and life is grand. Bear in mind that there are many people who do network consulting or administration for a living. This is true precisely because installing, configuring and trouble-shooting a network can sometimes be an extremely difficult task. If you find yourself having significant problems setting up your own network, you may very well want to consider paying someone to do it for you.

What is a gateway/firewall, and why do I need one?:

A Gateway is a computer or dedicated hardware device that connects a LAN (Local Area Network) to another network, typically the Internet. A router is one example of a device that acts as a gateway. A Firewall is a computer or dedicated hardware device that protects a LAN or computer from potentially hostile network traffic. The functionality of gateways and firewalls is sometimes combined so that one device provides both, but it doesn't necessarily have to work that way.

With the proliferation of small office and home networks, it's pretty easy to see why you would want a gateway: Everyone wants to be on the Internet these days, don't they? And the way to connect your LAN to the Internet is via a gateway. It may not be quite so easy to see why anyone would want a firewall though, so let me enlighten you. The Internet is no longer the safe playground it once was. Viruses, worms, root kits, exploits, crackers and script kiddies abound, and the situation is not getting any better! The time it takes from the discovery of a vulnerability until it is exploited is constantly decreasing, and sometimes it takes less than a week before black hats start taking advantage of it. How can you run all sorts of potentially crackable services on LAN, yet still have the benefits of being connected to the big bad Internet? With a firewall, that's how.

As an example of the difference a gateway/firewall can make, let me recount a couple of anecdotes from my own experience: I've been using Linux to directly connect to the Internet since 1994. Since then, I've had machines cracked twice. The first time was back in 1998. I had a server that acted as my gateway, and it was doing NAT (Network Address Translation, commonly known in Linux circles as IP masquerading) and no firewall rules. After the intrusion, the system was wide open and the miscreant had full root shell access that he had been regularly using for at least a week before I even discovered it. And the only reason I discovered it was because he was trying to ping flood someone over my dial-up connection. One day I was trying to surf the web, and pages were taking forever to come up. I did the usual trouble-shooting to see what was causing the slowdown, but 'ps' and netstat didn't show anything at all. But when I took a look at my modem, the transmit and receive lights were solid red: The line was maxed out. And as soon as I disconnected and reconnected it was maxing out again! But I finally managed to figure out that I was cracked. I had to re-install my whole system, and I never did know how they got in.

More recently (just this last month as a matter of fact), my server was cracked again. Even before I did my post-mortem forensics (yep, since '98 I'd learned quite a bit about security) I had my suspicions about how they got in. Because I keep abreast of security issues, a few months ago I became aware that my secure web server was exploitable. But because I had recently built a newer machine to turn into a replacement for this server, and was still in the process of setting it up, I decided to take a chance on leaving the exploitable one up until the new one was ready. After all, it would only be a few months, and I'm only a little dial-up corner on the Internet, right? Wrong! It doesn't matter who you are or how insignificant your little network is, sooner or later, someone will try to crack it. For that matter, you may already have been cracked and not even know it! But a firewall can make a difference, and it did this time. Since '98, I had put in a separate machine as a gateway/firewall, and it has the only public IP address on my network. The rest of the machines use private IP addresses behind the firewall's NAT, with the ports that provide public services (HTTP, SMTP, SSH) being forwarded to the machine that acts as my web/mail/file server. Furthermore, it is not the same machine that acts as my file/web/mail server. When I got cracked this time, the cracker's attempt to set up their own private little ssh access server failed, and thus he did not gain root shell access! And the reason is that the firewall is a separate machine from the web server. When he exploited the web server, his rootkit set up a secure shell server on an odd port. However, that was on the web server, and of course, my gateway/firewall wasn't doing port forwarding for that odd port he used. And even if he did try to alter the firewall/port forwarding rules, it would have done no good, because he was on the wrong machine! So in all, the amount of damage done was much less than during the first incident, and all because of a gateway/firewall on a separate machine.

Now you know why you want one, but just what is a firewall, anyway? What exactly does it do? To explain it in layman's terms, let me use an analogy: Remember when we were kids, how fascinating it was to watch little insects and animals do their thing? And to get a closer look, we'd often go find a jar so we could keep the little critters from going anywhere. But what happens when you put the lid on without first poking tiny holes in it, do you remember? Right, the critters died! So the tiny holes let the air in and out, but not the critters. And that's similar to how a firewall works: it puts a firewall lid on the jar that is the Internet, and through tiny little holes (the firewall rules) it lets only the air (that is, the network traffic that we deem safe) in or out.

By now it should be obvious to you why you not only need a gateway to connect to the Internet, but a firewall as well. And being that most often one device performs the work of both (although it doesn't have to be that way if you prefer not), I'm going to talk about them as one device for the rest of this presentation. Henceforth, I'll usually refer to this single device as a gateway or a firewall, depending upon whether the details pertain to one or the other, and occasionally I may refer to it as a gateway/firewall as need be.

What hardware do I need to set one up?:

By far, the easiest way to implement a gateway/firewall is to go out and buy a dedicated hardware device. If you're one of those who prefer NOT to do-it-yourself, or you'd rather not spend the significant time and energy that it takes to set up a Linux box to be your gateway/firewall, then this is the best way for you. These over-the-counter devices are usually called DSL/cable-modem routers, and are available at most computer equipment retailers (CompUSA, BestBuy, etc.). The prices are very affordable, costing from $50 to $100, so there's no reason why you'd need to set up a Linux box to do this, unless you really prefer to do the requisite hacking it will take to create one from scratch. And the only software you'll need will be included with your purchase. However, there are folks who would rather set up a Linux box, so here's a list of reasons why you'd want to do so:

With the last reason, you'll want to keep in mind that older hardware, especially pre-Pentium hardware, often presents compatibility issues that have to be resolved. I highly recommend using Pentium class equipment or better to set up a Linux box, unless you're willing to do some very serious hacking. So you say you still want to use a Linux box? OK, here is a list of minimum hardware requirements that you'll need to meet in order to do so:

As far as memory goes, you can never have too much, but I recommend at least 8 Megs above the minimum required by the Linux distribution you choose to install. Keep in mind though, that the more services you want your gateway/firewall to perform (such as a DHCP server, or a caching name server), the more memory you'll need.

The amount of storage needed, and the type of device you use for storage will vary, depending on the Linux distribution and any additional software you choose to install. Some distributions that are specifically aimed at providing gateway/firewall services are meant to work right from a floppy, or you may want to customize a CDROM-based distribution, so you might not even need a hard drive. We'll talk more about that in our next section.

The number and type of ethernet adapters you will need depends on your particular circumstances, but as a general rule, two 10/100 adapters will be ideal. Even if you are using a dial-up connection, having two dual speed interfaces will be more versatile, in the likely event that your needs change down the road. The basic idea is that you have one interface for the Internet side of the gateway/firewall, and one interface for the LAN side. Otherwise, if you connect your LAN to the same network segment (read hub or switch) as your Internet connection, it defeats the purpose of having a firewall, and your DSL/cable-modem then becomes the gateway.
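To make the two-interface layout concrete, and to show why the intruder's secure shell server on an odd port in the anecdote above never became reachable, here is an added example (not part of this presentation, and not the author's own rule set) that prints an iptables rule set for such a gateway/firewall. The interface names (ppp0 on the Internet side, eth1 on the LAN side), the private LAN prefix and the internal server's address are all assumptions; the commands are only printed so they can be reviewed before anything is applied as root.

```shell
# Added example: print an iptables rule set for a two-interface gateway/firewall.
# The firewall holds the only public address; the LAN is masqueraded behind it;
# only the listed TCP ports are forwarded to one internal server.  All names and
# addresses below are assumptions for the example.
GW_WAN_IF="ppp0"              # assumed Internet-side interface (dial-up)
GW_LAN_IF="eth1"              # assumed LAN-side interface
GW_LAN_NET="192.168.1.0/24"   # assumed private LAN prefix
GW_SERVER="192.168.1.10"      # assumed internal web/mail/ssh server

# gw_rules "<space-separated TCP ports>": print the rules, one command per line.
gw_rules() {
    ports="$1"
    # Rewrite the source of LAN traffic leaving on the WAN interface (IP masquerading).
    echo "iptables -t nat -A POSTROUTING -o $GW_WAN_IF -s $GW_LAN_NET -j MASQUERADE"
    # Default deny on the forwarding path; let replies and LAN-originated traffic through.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $GW_LAN_IF -o $GW_WAN_IF -j ACCEPT"
    for p in $ports; do
        # Forward exactly this public port to the internal server, and allow
        # only that new connection to cross from the WAN side to the LAN side.
        echo "iptables -t nat -A PREROUTING -i $GW_WAN_IF -p tcp --dport $p -j DNAT --to-destination $GW_SERVER:$p"
        echo "iptables -A FORWARD -i $GW_WAN_IF -o $GW_LAN_IF -p tcp -d $GW_SERVER --dport $p -m state --state NEW -j ACCEPT"
    done
}

# gw_is_reachable "<forwarded ports>" <port>: returns 0 if an outside client
# could reach <port> on the internal server through this rule set, 1 otherwise.
# Any port not in the forwarded list (such as a rootkit's odd-port sshd on the
# server) is simply never forwarded, which is the point of the separate firewall.
gw_is_reachable() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Usage: print the rule set for the three public services named in the text.
gw_rules "80 25 22"
```

On a real box the printed lines would be reviewed and then run as root, with ppp0 swapped for whatever interface your ISP connection actually uses.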

What software do I need to set one up?:

Obviously, to set up a Linux gateway/firewall, you'll need Linux. However, what is not so obvious is which Linux distribution to choose. Although you could probably use any one of the well-known distros, you'll want to do a bare-minimum installation in order to make your gateway/firewall more secure, and this can be rather difficult with some of them. An alternative is to use one of the specialty distros that are either designed to be used as a gateway/firewall, or that allow you to "roll your own".

In my personal experience, Slackware and Debian are two of the standard distributions that allow you to install a very bare minimum system. Of the two, I find Slackware to be the easiest to configure, because its BSD-style init scripts are much easier to customize than Debian's SYSV-style init scripts. However, Debian's package management and wide range of available packages make it much less likely that you'll have to compile a software package from source. Regardless of which distro you choose, make sure your kernel is configured to do firewalling, IP filtering, and IP masquerading, or that the appropriate modules are available. Although most distros pre-configure their kernels for firewalling and masquerading, if yours doesn't, you'll need to recompile the kernel with those options enabled.

Once you've installed the bare-minimum Linux, the software you install thereafter will be determined by your needs. Remember, if you want to do any custom programming, or compile packages from source, you'll need to install the programming tools that come with your Linux distribution (such as gcc, ldd, ar, perl, etc.). And although you can create an extremely sophisticated gateway/firewall setup, remember that the more complex the machine, the higher the security risk. So the first thing you'll want to do is turn off all unnecessary services that could potentially allow the gateway to be compromised (and remember to firewall any service you have to leave running). For the highest security, I recommend no daemons/services other than those needed to establish your connection to your ISP, not even secure shell access, and use a monitor and keyboard if you need access to the machine. However, this is not very practical for a "headless" gateway/firewall machine, so you'll probably want to at least run sshd so you have remote access to the machine. Regardless, DO NOT ENABLE TELNET ACCESS, as it transmits passwords in clear text. To enhance the security of the secure shell daemon, run it on some arbitrary high port (but don't forget which one, eh? ;^). Make sure you do not install or run any NFS client/server software, and that you remove "-bd" from sendmail's start-up command-line so that it doesn't accept connections on port 25, yet still processes the queue. I recommend turning off inetd/xinetd altogether, as there is nothing there that a gateway/firewall is likely to need. You should also make sure to disable the start-up of the LPD (printer) services, and make sure that if you installed a web server that you disable it too. Although you do want syslogd running, make sure that it doesn't accept connections from remote hosts, and you really should configure it so that it logs to a server running on your network for easier monitoring. There may be other services running, so the idea is to turn off everything except what is needed to successfully run the gateway. Finally, make sure you only add one non-root user whose username is unique to the gateway/firewall box. Moreover, make sure both the root and non-root passwords are likewise unique to this machine.
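Checking that the services listed above really are off is easiest done against the machine's listening sockets. The following is an added example, not part of this presentation, of a small POSIX shell audit that reads netstat-style listener lines and reports every socket the checklist says a gateway/firewall should not expose (telnet, sendmail on 25, lpd, portmap/NFS, a web server, syslogd accepting remote logs, and sshd still on its default port). The sample netstat output embedded below is constructed for the example.

```shell
# Added example: audit listening sockets against the gateway hardening checklist.
# Input is netstat-style "Proto Recv-Q Send-Q Local Address Foreign Address State"
# lines on stdin; on a real box feed it with:  netstat -ltun | audit_listeners

# audit_listeners: print "<proto>/<port>\t<finding>" for each exposed listener.
# Sockets bound only to 127.0.0.1 are skipped, since nothing remote can reach them.
audit_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":")            # Local Address is field 4
        addr = a[1]; port = a[n] + 0     # force the port to a number
        if (addr == "127.0.0.1") next    # loopback-only listeners are fine
        proto = ($1 ~ /^udp/) ? "udp" : "tcp"
        why = ""
        if (proto == "tcp" && port == 23)
            why = "telnet: passwords cross the wire in clear text, do not enable it"
        else if (proto == "tcp" && port == 25)
            why = "sendmail accepting connections: remove -bd, process the queue only"
        else if (proto == "tcp" && port == 515)
            why = "lpd: no printer services on a gateway"
        else if (port == 111 || port == 2049)
            why = "portmap/NFS: do not install or run NFS software"
        else if (proto == "tcp" && (port == 80 || port == 443))
            why = "web server: disable it on the firewall"
        else if (proto == "udp" && port == 514)
            why = "syslogd accepting remote logs: it should only send, not receive"
        else if (proto == "tcp" && port == 22)
            why = "sshd on the default port: move it to an arbitrary high port"
        if (why != "") printf "%s/%d\t%s\n", proto, port, why
    }'
}

# Constructed sample output in the shape of "netstat -ltun" on an unhardened box.
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Usage: run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
```

The sample flags five listeners (sshd on 22, sendmail on 25, telnet, lpd and remote syslog) and leaves the loopback-only socket and the NTP port alone, which matches the "turn off everything except what the gateway needs" rule above; any other port that shows up is a candidate for the same treatment.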

Now that you've turned everything off, let's take a look at some of the software you might want to install and actually turn on as a part of your gateway/firewall. Aside from the IP filtering/masquerading tools, which most likely are a part of your Linux distribution, you will need a way to get your gateway/firewall to connect to your ISP. I use a dial-up connection, so for me the software that does the trick is pppd (the Point-to-Point Protocol daemon), which came with Slackware. Because pppd takes care of the IP address assignment, and can be configured to set up the appropriate routing, I don't need software that deals with IP address assignment. Folks who use a DSL/cable-modem may not be so lucky, and may have to install a DHCP (Dynamic Host Configuration Protocol) client to handle IP address assignment, and some of them may be even worse off and have to install PPPoE, which handles Point-to-Point connections over Ethernet.

We've covered the software that is absolutely necessary for a gateway/firewall machine, so let's take a quick look at some perks that you might want to add. If you're like me, and want to allow visitors with a laptop to connect to your network, you might want to have your gateway act as a DHCP server and dynamically hand out IP addresses as needed, so a DHCP daemon (dhcpd) is in order. As well, I like all my machines to keep accurate time, so my gateway also acts as an NTP (Network Time Protocol) server running ntpd. If you have a gutsy machine with lots of memory (64 Megs or better), you might even want to run a caching-only nameserver, but that would overwhelm my little 486/66 with its mere 16 Megs. Remember though, the more you run, the greater the security risk, and the whole idea of using a firewall is to enhance security, not decrease it.

If you're setting up a Linux firewall, doing the rules by hand can be painstaking, and although you learn a whole lot more about the underlying protocols, you may want to avail yourself of one of the various firewall configuration tools available. There is even a website that provides one online: http://www.linux-firewall-tools.com/linux/firewall/index.html. Although it might be fun to plunk around with, I don't know how much trust I'd put in it to create my actual firewall rules. ;^) There are GUI tools too, but if you choose to use one, find one that allows you to create a rule set that you can export, because you really shouldn't be running a GUI environment on your firewall, eh?

Where do I go for more information:

So now that you've an idea about what to install, let's take a look at where to get some of this software and information about using it. First, there are two very good books that I highly recommend:

  1. Practical Unix & Internet Security, 3rd Edition
     ISBN: 0-596-00323-4

    For a long time this was the only book regarding Unix and Internet security, but it didn't matter because it was an all-encompassing definitive reference. And even now, with the proliferation of Unix/Linux/Internet security books, it is still the one book to get if you can only buy one.

  2. Building Internet Firewalls, 2nd Edition
     ISBN: 1-56592-871-7

    This book not only gives you the big picture about firewall necessity, design, and use, it also gives very specific examples. A good book to read before you design and set up your own firewall.

Both books are well worth even their list price, but you can most likely get them cheaper. As to the software you may want to install, remember to check that your Linux distribution includes a pre-packaged version first. If not and you need to "roll your own" from source, or if you need more info about the software, here's a list of links:

If you want to use Linux to set up a full-fledged router (but be ready for some very serious hacking) you'll want to take a look at Zebra:

The SYRLUG website also has a complete and fairly recent collection of HOWTOS. Here is a list of titles you may want to take a look at:

Some Specialty Linux Distributions:

Now, although I don't have any experience with any of the specialty Linux distributions, you may very well want to check them out to see if they are what you want. Some of them are floppy-based, some CD-based, and some of them allow you to create your own CD-based distribution. Here is a list, in no particular order:

Some Firewall Tools:

Here are some links to various firewall tools and websites, again in no particular order:

What next?:

By now you should have the information you need to decide whether or not you want to buy a commercial gateway/firewall device, or use a Linux box and build your own. If you want to build your own, you should have a rough idea what kind of hardware and software you will need, and some basic configuration tips. As well, you should now be aware that there are several informational resources available in print and on the web. To sum up what we've covered: