
Tips on managing firewalls

What is a firewall?

A firewall is a way to restrict traffic between two networks. Typically the two networks are the Internet and your own private network, but "your network" can also be just the one computer you use to connect to the Internet. A firewall decides, packet by packet, what to let through based on the source and destination addresses, the protocol and the port, so it can greatly reduce the chances that an outside attacker reaches and compromises your internal networks and systems. It can also be configured to filter outbound traffic, which makes it harder for your own users (or malware on their machines) to send sensitive data to the outside world. A firewall can be a dedicated appliance or a router that filters traffic, or it can be software running on the computer it protects (like ZoneAlarm on Windows or iptables on Linux). Keep in mind that a firewall only controls which connections are allowed; it does not make the services you leave reachable any safer.


Do I really need a firewall?

The Internet is like a chainsaw. It's a wonderful and useful tool, and you can use it to accomplish great things, but you must respect the sharp end when it's running or you'll cut yourself in half. When the information superhighway runs right past your front door, sometimes unsavory characters will show up and try to let themselves in. By nature, most operating systems are like having a front door that's closed, but not locked. Those passing by can't come in simply because they're not allowed, not because you own a shotgun or a doberman. A firewall provides a way to lock the front door and disguise it so others won't even see your house when they're passing by.

A typical computer has 65,536 ports (numbered 0 through 65535) for TCP and another 65,536 for UDP on every network interface (ethernet or a modem), and anything on the network can try to connect to any of them. A firewall lets you close every port except the ones a service actually needs, and allow only the computers you permit to connect to those. In today's world, if you're connected to the Internet, you need a firewall.


How to determine which ports need to be open

So how do we know which ports need to be open to let a particular computer provide its necessary services? The Internet Assigned Numbers Authority (IANA) maintains the registry of port numbers and the services assigned to them. In short, all available ports are divided into three ranges:

  • Well Known Ports - ports 0 through 1023. These are assigned by the IANA, and on most systems a program can listen on them only if it runs as root (or was started by a privileged user).

  • Registered Ports - ports 1024 through 49151. These are registered with the IANA, and on most systems ordinary user processes can listen on them.

  • Dynamic and/or Private Ports - ports 49152 through 65535. These are neither assigned nor listed by IANA; operating systems hand them out as temporary source ports for outgoing connections, and they can otherwise be used for pretty much anything.

Some common ports and the services that use them are:

Port #    Application   Description
21        FTP           FTP stands for 'File Transfer Protocol' and is a way to transfer files between two computers over a network connection. Logins and data travel unencrypted.
22        SSH           SSH stands for 'Secure Shell' and is a way to remotely 'log in' to a computer through an encrypted connection.
23        Telnet        Telnet is similar to SSH, except the connection is not encrypted (and therefore less secure).
25        SMTP          SMTP stands for 'Simple Mail Transfer Protocol' and is the protocol mail servers use to send email to one another; a mail server listens here to receive mail.
80        HTTP          HTTP stands for 'Hypertext Transfer Protocol', a way to serve Web pages on request.
110       POP           POP stands for 'Post Office Protocol' (POP3 today), which is how an email client 'pops' messages off the server.
137-139   NetBIOS       NetBIOS over TCP/IP is used by Microsoft Windows to share files and printers: 137/UDP is the name service, 138/UDP the datagram service and 139/TCP the session service.
443       HTTPS         HTTPS is HTTP over an encrypted connection, the secure way for a server to provide Web pages.
631       CUPS, IPP     IPP is the 'Internet Printing Protocol'; CUPS is the print server on Linux that speaks it and shares printers with Linux and Windows clients.

So if you're just surfing the Internet and nothing else, you don't need any ports open at all: your browser makes outgoing connections, and the replies come back through those. If your computer is also a file or fax server that needs to communicate with Windows clients, you'll need to open ports 137-139 (Windows 2000 and later also talk SMB directly on port 445/TCP, so a modern client may need that one as well). If you're serving Web pages, open port 80 and, for HTTPS, port 443. A mail server needs port 25 open to receive mail, and port 110 only if clients fetch their mail from it with POP. A print server needs port 631 open. If you need to log in to your computer from remote locations, open port 22 and use SSH. Whenever you can, open a port only to the addresses that actually need it (the office network for file sharing, your own addresses for SSH) rather than to the whole Internet.


How to determine if you have unnecessary ports open

There's a free online tool called ShieldsUP! that will scan the first 1023 ports of your computer from the outside and tell you which ones are open, that is, reachable from the Internet. An open port is not automatically a hole, but every service reachable from the Internet is something an attacker can probe, so anything you don't recognise deserves an explanation. The ShieldsUP! page can be found on the Gibson Research Corporation Website. Simply click the 'ShieldsUP!' link and follow the instructions to have your ports scanned. Keep in mind that an outside scan sees only what is visible from where it runs: if a router or NAT box sits between you and the Internet, you're testing that router, not your computer, and an "all closed" result says nothing about what your machine exposes to the local network. Check from the inside as well by listing the sockets your own system is listening on (netstat -tulpn or ss -tulpn on Linux) and make sure each one belongs to a service you meant to run.
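As an added example (our own script, not part of the original page or of IGO's tools), the following reads the kernel's own socket tables, /proc/net/tcp and /proc/net/udp, which is the same information netstat and ss present, and lists every port something is listening on together with the address it is bound to. The function name and the sample tables at the end are ours; the samples are constructed so the script can be tried offline, and on a live Linux host you would call listening_ports tcp with no file argument.

```sh
#!/bin/sh
# List the ports this host is listening on by decoding /proc/net/tcp and
# /proc/net/udp. Added example, not from the original page; listening_ports
# and the SAMPLE_* tables are our own names and constructed data.

# listening_ports PROTO [FILE]
#   PROTO is tcp or udp. FILE defaults to /proc/net/PROTO; "-" reads stdin.
#   Prints one line per socket: "PROTO PORT BOUND-ADDRESS".
listening_ports() {
    proto=$1
    table=${2:-/proc/net/$proto}
    # TCP state 0A is LISTEN. UDP has no LISTEN state: a bound, unconnected
    # socket (the kind a server holds) shows state 07.
    if [ "$proto" = tcp ]; then want=0A; else want=07; fi
    awk -v proto="$proto" -v want="$want" '
        # Plain awk has no hex conversion (strtonum is a gawk extension), so do it by hand.
        function hex(h,    i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return v
        }
        # The kernel prints the IPv4 address as a 32-bit value in host byte order,
        # so on little-endian machines (x86, most ARM) the bytes read backwards.
        function ipv4(h) {
            return hex(substr(h, 7, 2)) "." hex(substr(h, 5, 2)) "." hex(substr(h, 3, 2)) "." hex(substr(h, 1, 2))
        }
        # Field 2 is local_address as ADDR:PORT in hex, field 4 is the socket state.
        NR > 1 && $4 == want {
            split($2, a, ":")
            print proto, hex(a[2]), ipv4(a[1])
        }' "$table" | sort -u
}

# Constructed /proc/net/tcp sample: sshd listening on every address (port
# 0x0016 = 22), CUPS bound to localhost only (0x0277 = 631), and one
# established SSH session (state 01) that must not be reported as listening.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0500A8C0:0016 0A00A8C0:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0'

# Constructed /proc/net/udp sample: NetBIOS name service (0x0089 = 137) bound
# to the LAN address 192.168.0.5.
SAMPLE_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0500A8C0:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004 2 0000000000000000 0'

printf '%s\n' "$SAMPLE_TCP" | listening_ports tcp -
printf '%s\n' "$SAMPLE_UDP" | listening_ports udp -
```

A line such as "tcp 631 127.0.0.1" is a service only local programs can reach, so no firewall rule is needed for it; "tcp 22 0.0.0.0" is reachable on every interface and is exactly what the firewall must restrict. The decoder handles the IPv4 tables only; /proc/net/tcp6 and udp6 use 32-character addresses.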


How to open and close ports using iptables

iptables is the packet-filtering firewall built into the Linux kernel (the netfilter framework), administered with the iptables command; it's free and comes with every Linux distribution. Every pre-built server sold by IGO comes with iptables installed and configured to allow access to only the necessary services.

Before attempting to open or close a port in iptables, IGO recommends you familiarize yourself with the commands and switches that make up a firewall configuration. Configuring a firewall with iptables is not for the faint of heart: one typo can open a hole in your firewall or prevent it from loading at all, and a rule set that drops everything can lock you out of a machine you administer remotely. Please read the man page for iptables:

$ man iptables

Or visit the iptables Website. If you're not comfortable with editing your iptables configuration, there are a few online tools that you can use to generate an iptables config file. We recommend the LinWiz Server/Firewall iptables configuration wizard.

IGO recommends that inexperienced users DO NOT directly edit the iptables configuration file. If you're an inexperienced user, you should download and install a GUI program for controlling your firewall. There are several free ones available, and IGO recommends Firestarter.
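As an added example of what such a configuration looks like (this is our own illustration, not IGO's shipped rule set and not code from the original page), here is a small shell script that builds a deny-by-default INPUT chain with the iptables command: loopback and established connections are allowed, SSH is opened only to an assumed management network 192.168.0.0/24, the Windows file-sharing ports are opened only to the single client 192.168.0.5, and everything else is logged with an assumed prefix and dropped. Run without arguments it only prints the rules; run as root with --apply it loads them.

```sh
#!/bin/sh
# Deny-by-default iptables INPUT policy for a single host. Added example,
# not IGO's shipped configuration; the management network, the NetBIOS client
# address and the log prefix are assumptions for illustration.
#
#   sh firewall.sh          print the rules that would be loaded (no root needed)
#   sh firewall.sh --apply  load them (run as root)

# Run iptables, or just echo the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# open_port PROTO PORT|FIRST:LAST [SOURCE]
#   Accept traffic to the given port or range. With SOURCE (an address or a
#   network in CIDR form) the rule applies only to packets from there.
open_port() {
    if [ -n "$3" ]; then
        ipt -A INPUT -p "$1" -s "$3" --dport "$2" -j ACCEPT
    else
        ipt -A INPUT -p "$1" --dport "$2" -j ACCEPT
    fi
}

apply_firewall() {
    # Empty the INPUT chain and make DROP the default, so every port is
    # closed unless a rule below opens it.
    ipt -F INPUT
    ipt -P INPUT DROP
    # Loopback traffic, and replies belonging to connections this host started
    # (so outgoing web browsing keeps working), are always accepted. Putting this
    # rule first also lets an existing SSH session survive reloading the rules.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Remote administration over SSH, only from the management network (assumed).
    open_port tcp 22 192.168.0.0/24
    # Windows file sharing (NetBIOS 137-139) for one client only (assumed address).
    open_port udp 137:138 192.168.0.5
    open_port tcp 139 192.168.0.5
    # Anything else: write a kernel log line (rate limited so a port scan cannot
    # flood /var/log/messages), then drop it. The prefix makes the lines easy to grep.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    ipt -A INPUT -j DROP
}

case "${1:-}" in
    --apply) apply_firewall ;;
    *)       DRY_RUN=1 apply_firewall ;;
esac
```

Rules are matched top to bottom and the first match wins, which is why the ACCEPT rules come before the LOG and DROP at the end. iptables handles IPv4 only; if the host has IPv6 addresses, ip6tables needs the same treatment or those addresses stay wide open.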


How to determine if firewall settings are causing your applications to behave badly

If your system is denying other client computers access to services you need to provide, you may need to open some ports or change your configuration to allow access. For example, say you purchased an IGO pre-built Workstation, but you also want to share some files with another computer. Workstations ship with a tight firewall in which only port 22 is open, to allow remote administration. To troubleshoot a connection problem, first look at the last few lines of the messages log (you need to be root to do this):

# tail -25 /var/log/messages

This will display the last 25 lines of the messages log. When iptables blocks a packet and the rule set logs it (a DROP on its own is silent; the log line comes from a LOG rule placed before the drop), the kernel writes a line summarizing the packet to the messages log. A typical blocked alert for a 'map drive' attempt from a Windows computer will look something like this:

[DATE] [TIME] [HOSTNAME] kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:47:c4:6e:e2:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23906 PROTO=UDP SPT=137 DPT=137 LEN=58

The important parts of a message like this are IN, SRC, DST, PROTO, SPT and DPT. IN indicates which network interface the packet arrived on (eth0 for ethernet, ppp0 for a modem, etc.). SRC is the IP address of the source computer the packet came from. DST is the destination IP address, usually the address of the computer itself (well, of the network interface named in IN); in the example it is 192.168.0.255, the subnet's broadcast address, because Windows looks for file servers by broadcasting a NetBIOS name query that every host on the subnet receives. PROTO is the transport protocol (UDP here). SPT is the port on the source computer the packet came from, and DPT is the port it was sent to on this machine.

So in our example, the computer with IP address 192.168.0.5 sent a packet to UDP port 137 over the ethernet interface and the firewall rejected it. To let the Windows client find and use the share, open the NetBIOS ports on the ethernet interface: 137 and 138 (UDP) and 139 (TCP), and open them only to 192.168.0.5 (or to the office subnet) rather than to everyone. If you open only 137, the client will get past the name lookup and you'll see new blocked lines for 138 and 139.

If you use the LogWatch utility for analyzing and reporting on system logs (including the messages log), it will pick up blocked packet kernel messages as well. A typical LogWatch summary for the example given above will look like:

Logged 112 packets on interface eth0
  From 192.168.0.5 - 112 packets to udp(137,138)

Once again, it's pretty clear which ports need to be opened and which machine needs to be given access.
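Such a summary is easy to produce yourself when LogWatch isn't installed. As an added example (our own script, not part of the original page or of LogWatch), the following shell function reads iptables LOG lines from the messages log and prints, per interface and source address, how many packets were blocked and which protocol and destination ports they were aimed at, in the same shape as the LogWatch report above. The function name is ours, and the log excerpt at the end is constructed so the script runs offline; on a real system pipe in /var/log/messages.

```sh
#!/bin/sh
# Summarize iptables LOG lines (the "kernel: IN=... OUT=... SRC=... DPT=..." records
# in /var/log/messages) by interface, source address and destination port.
# Added example, not part of the original page or of LogWatch; the function name
# and the sample log lines are ours.

# summarize_drops [FILE...]
#   Reads log lines from FILE(s) or stdin. Lines that are not firewall records are ignored.
summarize_drops() {
    awk '
    # Only iptables LOG records carry the IN=/OUT=/SRC= trio (with or without a log prefix).
    /IN=[^ ]* OUT=[^ ]* .*SRC=/ {
        split("", v)
        # Turn every KEY=VALUE token into v[KEY]; bare flags like DF or SYN are skipped.
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p > 0) v[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        iface = v["IN"]; src = v["SRC"]
        proto = ("PROTO" in v) ? tolower(v["PROTO"]) : "?"
        dpt = ("DPT" in v) ? v["DPT"] : "-"      # ICMP has no port
        # Remember first-seen order so the output is stable and follows the log.
        if (!(iface in iftotal)) ifaces[++nif] = iface
        iftotal[iface]++
        key = iface SUBSEP src
        if (!(key in count)) srcs[iface, ++nsrc[iface]] = src
        count[key]++
        pk = key SUBSEP proto
        if (!(pk in ports)) { protos[key, ++nproto[key]] = proto; ports[pk] = dpt }
        else if (!((pk, dpt) in seen)) ports[pk] = ports[pk] "," dpt
        seen[pk, dpt] = 1
    }
    END {
        for (i = 1; i <= nif; i++) {
            iface = ifaces[i]
            printf "Logged %d packets on interface %s\n", iftotal[iface], iface
            for (j = 1; j <= nsrc[iface]; j++) {
                src = srcs[iface, j]; key = iface SUBSEP src
                line = sprintf("  From %s - %d packets to", src, count[key])
                for (k = 1; k <= nproto[key]; k++) {
                    proto = protos[key, k]
                    line = line " " proto "(" ports[key SUBSEP proto] ")"
                }
                print line
            }
        }
    }' "$@"
}

# Constructed excerpt of /var/log/messages: a Windows client (192.168.0.5)
# broadcasting NetBIOS name and datagram queries and then trying the session
# port, a LAN host probing telnet, one telnet probe from the Internet over the
# modem link, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Feb  3 10:12:01 ws1 kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:47:c4:6e:e2:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23906 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb  3 10:12:01 ws1 kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:47:c4:6e:e2:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=23907 PROTO=UDP SPT=138 DPT=138 LEN=209
Feb  3 10:12:03 ws1 kernel: IN=eth0 OUT= MAC=00:0c:29:5a:1b:2c:00:03:47:c4:6e:e2:08:00 SRC=192.168.0.5 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23910 DF PROTO=TCP SPT=1062 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  3 10:12:09 ws1 kernel: IN=eth0 OUT= MAC=00:0c:29:5a:1b:2c:00:11:22:33:44:55:08:00 SRC=192.168.0.9 DST=192.168.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41822 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  3 10:12:15 ws1 kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  3 10:12:20 ws1 sshd[2231]: Accepted publickey for admin from 192.168.0.12 port 41820 ssh2'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Counts alone don't tell you whether to open a port: blocked broadcasts from your own Windows clients mean a rule is missing, while a trickle of connection attempts to port 23 from the Internet is exactly what the firewall is there to stop and needs no action.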

