Most people are familiar with the term firewall and realize that it is a device or system that keeps unwanted people and data out of computer systems or networks. However, the word means slightly different things to different people. This can lead to difficulty when discussing the concept.
If you ask home users whether they have a firewall, they will probably think first of a software program installed on their home computers, such as BlackICE Defender or ZoneAlarm, referred to as personal firewalls. At most they might have a Linksys dedicated router/firewall. These utilities range in price from $50 to $100. Ask a small office network administrator about a firewall, and the person will probably think of something like a NETGEAR or NetScreen router/firewall, or a stronger, dedicated router/firewall system running software like SmoothWall or Astaro Linux. These are often referred to as small office/home office (SOHO) firewalls and cost anywhere from $100 to a few hundred dollars. Meanwhile, if an enterprise security specialist is asked what a firewall is, he or she will think of the heavy-duty enterprise network firewall systems such as a Cisco PIX, Check Point, or SunScreen, costing hundreds to thousands of dollars.
The enterprise-level firewalls include heavy-duty network authentication, DMZ (demilitarized zone) functionality, and even intrusion prevention, antispam, and antivirus technology. As firewall technology improves, however, many of these features filter down to the smaller, cheaper firewall systems. For example, many SOHO and personal firewalls now offer Virtual Private Network (VPN) support, Denial of Service (DoS) protection, and stateful packet inspection (SPI). Now even Linux software firewall distros such as Astaro include cutting-edge enterprise-type functionality that only the big players had before.
Stateful packet inspection, or SPI, is the method most modern firewalls use to decide whether an incoming packet belongs to an existing protocol connection. Incoming traffic that is related to a connection already in progress is permitted through; traffic that is new or unrelated is rejected. The firewall determines the state by inspecting several protocol-specific fields of each packet and comparing them with the values recorded for earlier packets of the same connection in a state table that the firewall maintains. That table also tracks protocol-specific states for protocols that need them, such as FTP and NFS.
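To make the state-table mechanism concrete, here is an added Python model of a stateful filter (illustrative code written for this chapter, not part of any Linux firewall); the addresses, ports and the helper-announced FTP data channel are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport): the state-table key


class StatefulFilter:
    """Toy stateful packet filter with a trusted ('out') and an untrusted ('in') side."""
    def __init__(self, inbound_allowed_ports: Set[int]):
        self.state_table: Dict[Flow, str] = {}   # connections seen and permitted so far
        self.expected: Set[Flow] = set()         # data channels a protocol helper pre-announced
        self.inbound_allowed_ports = inbound_allowed_ports

    @staticmethod
    def reverse(f: Flow) -> Flow:
        proto, src, sport, dst, dport = f
        return (proto, dst, dport, src, sport)

    def expect_related(self, flow: Flow) -> None:
        """A helper that parsed the FTP control channel announces the coming data channel."""
        self.expected.add(flow)

    def classify(self, flow: Flow, direction: str) -> Tuple[str, str]:
        """Return (state, verdict) for one packet on `flow` travelling `direction`."""
        if flow in self.state_table or self.reverse(flow) in self.state_table:
            return ("ESTABLISHED", "ACCEPT")        # matches a tracked connection, either way
        if flow in self.expected:
            self.expected.discard(flow)
            self.state_table[flow] = "ESTABLISHED"
            return ("RELATED", "ACCEPT")            # announced by a helper; now tracked too
        if direction == "out" or flow[4] in self.inbound_allowed_ports:
            self.state_table[flow] = "ESTABLISHED"  # new outbound, or inbound to an exposed service
            return ("NEW", "ACCEPT")
        return ("NEW", "DROP")                      # unsolicited inbound: nothing in the table


def demo() -> List[Tuple[str, str]]:
    fw = StatefulFilter(inbound_allowed_ports={22})
    # Constructed packet sequence using RFC 5737 documentation addresses.
    client, web, ftp, stranger = "192.0.2.5", "203.0.113.10", "203.0.113.20", "198.51.100.7"
    out = []
    out.append(fw.classify(("tcp", client, 40000, web, 80), "out"))        # NEW ACCEPT
    out.append(fw.classify(("tcp", web, 80, client, 40000), "in"))         # ESTABLISHED ACCEPT: the reply
    out.append(fw.classify(("tcp", stranger, 80, client, 40000), "in"))    # NEW DROP: no state for this peer
    out.append(fw.classify(("tcp", client, 40001, ftp, 21), "out"))        # NEW ACCEPT: FTP control channel
    fw.expect_related(("tcp", ftp, 20, client, 50000))                     # helper saw "PORT ... 50000"
    out.append(fw.classify(("tcp", ftp, 20, client, 50000), "in"))         # RELATED ACCEPT: active-mode data
    out.append(fw.classify(("tcp", stranger, 20, client, 50001), "in"))    # NEW DROP: not the announced flow
    out.append(fw.classify(("tcp", stranger, 51000, client, 22), "in"))    # NEW ACCEPT: port 22 is exposed
    return out


if __name__ == "__main__":
    for state, verdict in demo():
        print(state, verdict)
```

The third and sixth packets are the point: a reply that does not match any table entry is dropped even though it is addressed to a port the client is using.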
In this chapter, we explain the basic firewall functionality included with most Linux distributions, and really drill into some of the specifics of Red Hat and Fedora Core based systems. We'll show you how to set up a firewall and configure both a single stand-alone server type system and a network firewall, and describe the various security concerns you face with each. Most Linux distributions provide all the technology you'll need to set up an efficient and controllable firewall, but you might also want to install a third-party administrative firewall tool to make firewall rule set administration a bit easier. We introduce a few such packages later in the chapter.