Creating a Debian Firewall - A step-by-step tutorial

Posted by CyberDog on Mon 3 Oct 2005 at 11:43

For quite some time now I've personally worked with building custom Linux firewall solutions. I wanted to share my knowledge with others interested in the networking and Linux fields, so I've begun work on a Linux Firewall tutorial series.

The format is designed to cater to beginners in Linux, but the topics encourage exploration and can be a good foundation for more experienced users looking to branch out as well. The tutorial utilizes the Debian distribution as its core system, and gives step-by-step instruction on installing and configuring a computer system for use as a firewall/router/network gateway in a SOHO or home network.

Now that I've finished the core tutorial and am proceeding to the extended topics, I feel the work is ready for public exposure, and I would greatly appreciate some peer review. I'd like to invite the members of the Debian community to review my work, and hopefully provide me with some great feedback!

Without further delay, on to the tutorial...
http://www.cyberdogtech.com/firewalls/

- Matt LaPlante
Linux+, A+, CCNP, CCDP

Posted by dreynolds (84.92.xx.xx) on Mon 3 Oct 2005 at 11:57
I know this is *technically* a Debian Firewall tutorial BUT surely it should be billed as a Shorewall Tutorial, just to avoid confusion?

Just my 2¢

Cheers

Posted by CyberDog (24.211.xx.xx) on Mon 3 Oct 2005 at 12:26
While it's true Shorewall is used for the firewall configuration in my tutorial, only 2 of the current 12 (and growing) steps in the guide actually relate to working with Shorewall (while every step uses Debian). It's intended to be modular, so even if you skipped Shorewall entirely, any of the network services topics should still be relevant.

Posted by dan (204.83.xx.xx) on Mon 3 Oct 2005 at 16:00
Followed your instructions this weekend, they work!

Great job! Thank you!

However, one typo to fix:
Section:
Firewall:~# nano -w /etc/shorewall/interfaces
SNIP
Second is our internal interface (eth1):

locl eth1 detect dhcp
^^
But we named the zone "loc"
--
Dan Hunt, St. Brieux Saskatchewan Canada

Posted by CyberDog (64.102.xx.xx) on Tue 4 Oct 2005 at 14:01
Good to know it actually works!

Thanks again for pointing out the typo, those silly config files don't spellcheck as well as the rest of the document. :)

Posted by stoffell (81.164.xx.xx) on Mon 3 Oct 2005 at 18:28
Nice article, I'm also using Debian and shorewall for a few years now.. But I wonder why you didn't choose dnsmasq to be your dhcp server? It does that very well.. It's not the same as dhcpd, but for a firewall it's a pretty good choice..

Cheers!
---
stoffell

Posted by CyberDog (64.102.xx.xx) on Tue 4 Oct 2005 at 14:08
Well there are two (partially related) reasons. First, if you notice, I had already mentioned this fact briefly in the DHCP alternative alert. :) More importantly though:
1) The tutorial is intended to be modular, so ideally one part shouldn't influence another part, and parts can be skipped based on the reader's needs. And assuming one is running DHCP but skipping the DNSMasq chapter, installing DNSMasq solely for DHCP may or may not make much sense.
2) Furthermore, the tutorial is less about "this is how it should be done" and more about "this is how it can be done." In that sense, I feel I'm doing the reader more of a service by covering a broader range of popular, available software. There's no doubt the regular DHCPD package is basically the standard, so I felt it was important to cover it to some degree. Now that both packages have exposure in the tutorial, the reader can make a more informed decision about what they want based on their own experience.

Thanks for the feedback!

-
Matt

Posted by jonto (64.207.xx.xx) on Tue 4 Oct 2005 at 04:47
This article is very nice. I have a question however. If I am trying to use Shorewall on a client machine, which steps would I need to secure my box? I'm thinking that I would only need Steps 5 & 6, the firewall & the firewall rules.

Thanks,

Jonto

Posted by CyberDog (64.102.xx.xx) on Tue 4 Oct 2005 at 14:11
That is correct. Furthermore, you don't need to apply the entire firewall configuration there... You basically only need to name your interfaces and set the policy, the parts relating to NAT/PAT are unnecessary and should be skipped on a host machine. The Shorewall website has some great documentation, I recommend further reading there.

-
Matt

Posted by Anonymous (200.201.xx.xx) on Wed 5 Oct 2005 at 15:20
Hmm, another typo on stage 7 (dns):
the very last line says:
Firewall:~# nano -w /etc/init.d/dnsmasq restart

it should say
Firewall:~# /etc/init.d/dnsmasq restart

Posted by nosklo (200.201.xx.xx) on Wed 5 Oct 2005 at 15:28
And that was me. Forgot to log in. :-/

Posted by CyberDog (24.211.xx.xx) on Wed 5 Oct 2005 at 15:50
Good catch, it's fixed. :)

-
Matt

Posted by Anonymous (24.18.xx.xx) on Fri 7 Oct 2005 at 12:09
I'm interested in some clarification on best practices for what services it is appropriate to include on a firewall and the arguments for and against them. Some have suggested that a firewall should be a firewall and nothing else because each new service presents potential security vulnerabilities. I would think SSH, perhaps accessible only from the LAN side, was a requirement, unless the firewall is kept attached to a keyboard and monitor or accessed through the serial port. But DHCP also seems reasonable. What else? I'd be interested in a variety of views on this.

Posted by CyberDog (24.211.xx.xx) on Fri 7 Oct 2005 at 12:35
It's true that any server anywhere can be a liability if not properly configured and maintained. With firewalls it's mostly a matter of exposure. For example in my tutorial (as I recall, somebody catch me if I'm wrong), I haven't encouraged a single service to be made available on the internet side of the firewall. If access is only allowed from the LAN, and you trust people on the LAN completely (yourself or mom and pop per se), then there's as little risk as you're ever going to see no matter what services are running. The key is blocking the incoming traffic from risky zones like the internet, and the firewall handles that.

On the other hand, if you're working in a business environment, you can't necessarily trust the people on the LAN either. The fact remains you will probably have to run some of these services, but to minimize risk you can choose to run them on separate machines with totally separate authentication. For example separate machines for DHCP and DNS. If one service were compromised, hopefully the others would be unaffected.

Keep in mind, however, that there's no such thing as perfect security without proper maintenance. A firewall with no services can be compromised if an operating system flaw is found and not patched by the administrator, and this is true of any operating system. By the same token, any system with exposed services (a server) can be perfectly safe if diligently maintained. So while there are best practices, such as dividing tasks among separate physical machines, it usually comes down to proper planning, configuration, and maintenance to make the difference between a safe network and a compromised network.

-
Matt

Posted by Anonymous (24.18.xx.xx) on Fri 7 Oct 2005 at 22:54
Thank you for the prompt clarification. That's the view I had been gravitating toward: other LAN services for home but not business, but no WAN services. But I hadn't seen such a distinction explicitly stated. It was more what I'd deduced from various tutorials and from my (extremely limited but growing) knowledge of security and networking.

I'd welcome any other views on the topic, as I can see this is a very well-informed group, but I'm pleased to see that the views I'd been forming aren't completely off-base.

Posted by Anonymous (70.166.xx.xx) on Sat 8 Sep 2007 at 02:26
sysadmins are the front line of security...

Posted by Anonymous (83.250.xx.xx) on Sat 8 Oct 2005 at 12:16
Great tutorial, thanks a million!

I have no account, hence the 'Anonymous'-user.

Small typo/fix:
(Assuming eth0 is net and eth1 is local, as it is in the tutorial)

Step 5, and specifically masq.
eth1 and eth0 should be swapped?

-------------

Firewall:~# nano -w /etc/shorewall/masq

We have to tell shorewall that we want all traffic coming from inside the network (on eth1) to be translated out through the interface on eth0. We do this simply by specifying the interfaces:

eth1 eth0

-------------


Cheers
/Erik

Posted by Anonymous (169.244.xx.xx) on Tue 11 Oct 2005 at 16:10
Matt, thanks for this

I am running static IP to the net, and static IP on 25 internal boxes.

How should I alter these directions to make this work?

I have eth0 eth1 defined already for the router, but do I replace the dhcp enables entries with the static IP addresses?

I followed your directions and when I try to start shorewall it errors out saying /etc/init.d/shorewall line 121 $SRWL start >> INITLOG 2>&1 not done.

not sure if this is an error from static IP confusion or whether I need to add them etc. I checked shorewall home and it mentions static IPs assignment as "rare" and offers few other hints for me.

thanks

Posted by CyberDog (64.102.xx.xx) on Tue 11 Oct 2005 at 16:23
Well static IPs are really no problem for the tutorial configuration. It should only require the following modifications, give or take some tweaks:

In the Debian interfaces config, configure both interfaces with their static IP addresses, rather than using DHCP to configure the ISP side.

You can skip the step for a DHCP server entirely if you're using static IP addresses on all your internal hosts. Granted this method isn't usually recommended if for no other reason than configuring 25+ boxes individually would be a major pain...but there's no technical reason you can't do it. Just set your firewall's internal interface as the default gateway on all the internal machines, and make sure none of their IPs conflict, and that is all that's required to make them compatible.

The shorewall error sounds like something that would happen where there's a typo in one of the configs. Did you run "shorewall check" to see if it finds an error? If so, do this from the command line first. If that passes, run "shorewall start" (or "restart") from the command line, rather than using the init script. This should start shorewall in the foreground and allow you to see which config is causing a problem. You can also check /var/log/syslog for the shorewall errors. If you find it was caused by a problem in the tutorial, please let me know.

-
Matt

Posted by Anonymous (169.244.xx.xx) on Tue 11 Oct 2005 at 17:12
Thanks for the reply, Matt

Yeah, I am not sure why the previous sysadmin used internal static IPs, they are already set and pointed to the eth1 gateway.

When I run shorewall check the only error I see is cannot set route filtering on eth0....but then it validates.

When I run start shorewall I see the above error as well as
masquerades network and hosts error unknown interface eth0

ifconfig shows eth0 static IP info is correct, and NIC mac is recognized.

maybe I should just remove shorewall reconfig from the beginning?

Posted by CyberDog (64.102.xx.xx) on Tue 11 Oct 2005 at 17:43
According to http://www.shorewall.net/ErrorMessages.html:

"ERROR: Unknown interface
The interface appears in a configuration file but is not defined in /etc/shorewall/interfaces."

I would agree that it sounds like eth0 is not properly defined in the shorewall interfaces file (/etc/shorewall/interfaces). I would check that before you go starting from scratch.

Since the config is not terribly complicated, you may wish to try starting over. Just rename the /etc/shorewall directory as apt will probably not remove the config files by default.

I also recommend the shorewall mailing list for shorewall support...it's fairly active and you can usually find somebody there who can help you debug program errors.

-
Matt

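A small consistency checker, added here as an example (it is not from the tutorial and not Shorewall's own code), that mimics the part of `shorewall check` relevant to the two mistakes raised in this thread: a zone name in `interfaces` that was never defined in `zones` (the `locl` typo reported above) and an interface referenced in `masq` that is missing from `interfaces` (the "Unknown interface" error). It assumes the Shorewall 2.x column layouts of the Sarge-era tutorial (zones: ZONE DISPLAY COMMENTS; interfaces: ZONE INTERFACE BROADCAST OPTIONS; masq: INTERFACE SUBNET; policy: SOURCE DEST POLICY) and a firewall zone named `fw`; every sample file below is constructed.

```python
# Constructed Shorewall 2.x-style fragments (column layout assumed from the
# Sarge-era tutorial discussed in the thread; header lines are comments).
ZONES = "# ZONE DISPLAY COMMENTS\nnet Net Internet\nloc Local Local network\n"
INTERFACES_OK = "net eth0 detect dhcp,routefilter\nloc eth1 detect dhcp\n"
INTERFACES_TYPO = "net eth0 detect dhcp,routefilter\nlocl eth1 detect dhcp\n"
INTERFACES_NO_ETH0 = "loc eth1 detect\n"  # eth0 never declared (static-IP rebuild)
MASQ = "# INTERFACE SUBNET\neth0 eth1\n"   # masquerade eth1 traffic out of eth0
POLICY = "loc net ACCEPT\nfw net ACCEPT\nnet all DROP info\nall all REJECT info\n"


def parse(text):
    """Whitespace-separated columns of every line that is not blank or a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_shorewall(zones, interfaces, masq, policy, fw_zone="fw"):
    """Return a list of undefined zone/interface references ([] means consistent).
    fw_zone is the firewall's own zone name (assumed "fw", the FW default in
    shorewall.conf); "all" is the wildcard Shorewall accepts in policy."""
    problems = []
    known_zones = {row[0] for row in parse(zones)} | {fw_zone, "all"}
    known_ifaces = set()
    for zone, iface, *_ in parse(interfaces):
        known_ifaces.add(iface)
        if zone != "-" and zone not in known_zones:  # "-" = multi-zone interface
            problems.append(f"interfaces: zone '{zone}' on {iface} is not defined in zones")
    for row in parse(masq):
        out_iface = row[0].split(":", 1)[0]  # strip any ':subnet' qualifier
        if out_iface not in known_ifaces:
            problems.append(f"masq: unknown interface '{out_iface}'")
        src = row[1] if len(row) > 1 else "-"
        # SUBNET column is either an address/CIDR, an interface name, or "-"
        if src != "-" and not any(c in src for c in "./") and src not in known_ifaces:
            problems.append(f"masq: unknown interface '{src}'")
    for row in parse(policy):
        for zone in row[:2]:
            if zone not in known_zones:
                problems.append(f"policy: zone '{zone}' is not defined in zones")
    return problems


if __name__ == "__main__":
    for name, ifaces in (("ok", INTERFACES_OK), ("typo", INTERFACES_TYPO), ("no-eth0", INTERFACES_NO_ETH0)):
        print(name, check_shorewall(ZONES, ifaces, MASQ, POLICY) or "consistent")
```

The real `shorewall check` also validates option names, rules and much more; this only catches the cross-file reference errors discussed here, which are the ones a stray typo in `nano` most often produces.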
Posted by Anonymous (70.16.xx.xx) on Tue 11 Oct 2005 at 19:55
I went through it again, added the static eth0,eth1 entries, removed dhcp refs and shorewall started right up.

much thanks for the tutorial/replies

Posted by Anonymous (70.32.xx.xx) on Sun 16 Oct 2005 at 15:44
I have been using iptables for a while and trying to configure something new. I followed the tutorial and everything makes sense... but I can't get PAT to work via this configuration. I can figure out how to configure it, but I want to pass this tutorial to a friend who knows little about Linux... and since I know little about what shorewall is doing, can someone explain how it is passing packets from one interface to another and what packages Debian needs to have PAT working?

Posted by pablosanchez (200.40.xx.xx) on Mon 6 Feb 2006 at 18:11
Well, I use ppp0 instead of eth0, as I use pppoe to connect to the internet.
I'll try to use eth0, it seems more clean.

Pablo Sánchez.

Posted by SaintSamuel (209.23.xx.xx) on Mon 28 Nov 2005 at 18:41
Thank you for your hard work.

Sincerely,
Saint Samuel
Simply the best web hosts on the planet

Posted by Anonymous (207.70.xx.xx) on Tue 6 Feb 2007 at 04:07
Great tutorial. Thanks for sharing.

Posted by Anonymous (74.132.xx.xx) on Sat 14 Apr 2007 at 19:38
Is the website still up? I realize the tutorial is nearing two years old, but the most recent comment was about two months ago.

Posted by CyberDog (68.45.xx.xx) on Mon 16 Apr 2007 at 00:14
It is indeed... keep in mind it was written for Debian Sarge and has not yet been updated for Etch.

Posted by Anonymous (69.141.xx.xx) on Tue 9 Dec 2008 at 07:20
I am about to build a new firewall/gateway box, and this tutorial seems to be EXACTLY what I have been looking for - Thanks for all your efforts!

So I am concerned if you have any take/opinion on whether this will work without adaptation/error on a newly built [as of December 2008 4.0r5] 'etch' system?

Posted by Anonymous (148.243.xx.xx) on Wed 7 Nov 2007 at 23:52
Well, I only say one thing: Thank You!! This guide is excellent for beginners in creating firewalls.

Thanks for your time.

Posted by Anonymous (94.139.xx.xx) on Fri 12 Feb 2010 at 18:54
Is there a virtual ipsec0 adapter or similar with Racoon? I have been using openswan with Debian for a while, but I have to create a custom kernel with the PF_KEY sockets disabled and recompile (which takes forever on an appliance box). I would like to try another ipsec software but I can't live without the ipsec0 (or whatever) adapter. In a simple 2-site scenario there isn't much problem, but most of my firewalls connect multiple sites.

I thought about openvpn but it has to be configured as client or server. I think it is possible to have two openvpn processes running (i.e. on different ports) but that is a bit too messy for my taste.

K

Posted by Anonymous (65.87.xx.xx) on Fri 16 Dec 2011 at 15:23
The tutorial link 404s.

Posted by Dr_Bob (65.87.xx.xx) on Fri 16 Dec 2011 at 15:27
Link does not work.

Posted by andyr (89.105.xx.xx) on Mon 20 Feb 2012 at 10:23
And this is the reason that content should be on-site and not just links to somewhere else that can disappear at a whim.

Posted by Anonymous (78.0.xx.xx) on Sat 10 Nov 2012 at 08:49
http-://-wiki-debian-org-/DebianFirewall

I'm not allowed to post links.