
Build Your Own Linux Firewall Series


If you are on the internet, then you really need to protect your equipment (and your identity) from the hidden malicious things that are out there. The problem with nearly every consumer firewall is that it just doesn't offer much protection and is woefully underpowered.

This series of articles not only analyzes why you need a firewall, but shows you how to implement one step-by-step. We also show you how to configure your new appliance to rival professional enterprise appliances that can cost thousands of dollars.

Building a Linux Firewall Part 1: Why?

There's no doubt that the internet today is more powerful than ever, and great power demands great responsibility. There are threats everywhere that you need to protect yourself, your family, and your hardware from. Not only do you have to worry about hackers, viruses, and spammers, but you need to worry about sexual predators and inappropriate content for your children (or spouses).

Kids today have more adult freedoms and privileges than any prior generation. Add to that all of the unwarranted privacy they receive, and you'll see that any parent should be concerned about what their kids are doing online. It's in the news every week: some teenager who has committed suicide over Internet bullying, kids being listed as sex offenders for broadcasting naked photos of themselves. And don't even get me started on how anonymity emboldens angry teens to behave in aggressive, rude, and socially reprehensible ways, especially when many families today only have one parent in the house. Do you think kids would act this way if they knew someone was watching?

It may be better if they DON'T know someone's watching. That way you can watch how your teen or tween naturally behaves on the Internet. Some may see this as spying, but remember that parents are responsible for their children until they are 18. If you take your kid to the zoo, you don't let them put their hands in the lion cage just because they want to pet the kitty. You know what's best for your children, and they are blissfully unaware of real-life dangers.

There are some software programs that offer some protection, but honestly they can be circumvented in many ways, and don't you think that the technology-savvy youth of today know about these programs?

Consumer-level Internet routers don't do the job, either. At best, they offer network address translation (NAT), which keeps passers-by from looking in the shop window, but nearly any mischievous person can take a deeper jab. NAT hides your internal addresses because an unsolicited packet from the Internet has no translation entry to match, but it is not a filtering policy: it does nothing about connections that a machine inside initiates, and nothing about services the router itself exposes. Many users don't even bother to change the default passwords on their devices, or enable the advanced security features.

On the next page I'll tell you all of the advantages of a custom-built firewall.

Advantages of a custom firewall

Building your own firewall has many advantages over the off-the-shelf Internet router, and it can literally cost you nothing to set one up. Today's free firewall distributions are actually very easy to install, and offer professional protection out-of-the-box, especially when compared to consumer devices.

You can install a professional firewall using spare hardware that has gone unused for many years. As a matter of fact, the old 486 computer from 15 years ago could even do the trick. I would be more worried about the hardware lasting than about it being able to perform, however. Most people have a spare computer lying around that is less than 5 years old, and this is more than enough to enable all of the advanced features you'll want on your network. Out of the box, many firewall distributions offer plenty of protection against hackers and other intruders. The advanced protection and traffic analysis services will require more horsepower, but as mentioned above, nearly any computer from the past decade is up to the task.

advantage                               linux firewall   typical Internet Router
NAT                                     yes              yes
flexible configuration                  yes              no
proxy server                            yes              no
URL and content filtering               yes              no
Drop bad traffic                        yes              no
VPN                                     yes              maybe
Advanced logs                           yes              no
Intrusion Detection                     yes              no
Web-based GUI configuration             yes              yes
Professional traffic and system graphs  yes              no
Real-time traffic information           yes              no
Modem support                           yes              no
Bind multiple IP addresses              yes              no
DMZ support                             yes              no (a single "DMZ host" forward at best)
DHCP                                    yes              yes
Dynamic DNS support                     yes              maybe
Traffic shaping                         yes              no
Can handle high traffic                 yes*             God, no
Traffic analysis and action             yes              no
Port forwarding                         yes              yes
Wireless support                        yes              maybe***
Segmented network support               yes              no

* depends on the hardware you build it on (see Part 3).
*** through a wireless access point attached to a dedicated (Blue) interface, not a wireless card in the firewall itself.

There are a few free Linux distributions that can handle all of these features. There are literally dozens of them, but the most popular are IPcop and Smoothwall Express. Smoothwall even makes a corporate and enterprise-level firewall (with a corporate-level price), which supports many features that only advanced networks require, like reverse proxy (forwarding inbound requests to different internal servers based on their content), IP tunneling, VPN nodes, advanced bandwidth management, and more. Trust me, unless you are supporting hundreds of users and a geographically-dispersed network, you don't need these features.

For this project, I chose IPcop because of its extensive support from the open-source community. Many third-party add-ons have been developed for IPcop that extend its features to 90% of what a corporate firewall can do, like content filtering, IP Ban (a front-end GUI for iptables), intrusion detection, and much more. Smoothwall Express is a good choice, too. It has a more polished interface, but doesn't come with as many out-of-the-box features, meaning that they want you to upgrade to their Corporate version.

In the next segment, we'll discuss hardware considerations, and the basic network setup based on your needs.

Linux Firewall Part 2: Determine Your Network Setup

Many firewalls make certain assumptions and use several standard conventions. Understand the standard terminology and you'll have an easier time when setting up your firewall.

Nearly every firewall's first level of protection is NAT, or Network Address Translation. The firewall rewrites the source address of every connection leaving your network to its own external address and remembers the mapping, so the public never sees, or has direct access to, your internal network or computers. Say you have an external address of 62.53.128.4. You really don't want your internal machines to use the same network as the Internet, do you? So you set up your internal computers with an address range of 192.168.20.x. When one of them connects to the Internet, the firewall translates the addresses on the way out and translates the reply on the way back in. A packet arriving from the Internet that matches no remembered connection is simply dropped; the only way someone on the Internet can get a file from your internal server is if you deliberately forward that port to it.
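As an added illustration (example code written for this edit, not part of IPcop or of the original article), here is a toy model of the translation step just described. The public address 62.53.128.4 and the 192.168.20.x range are the article's; the Internet hosts 203.0.113.10 and 198.51.100.7 and the port numbers are made up for the example. It shows the part NAT does for you (replies find their way back, unsolicited packets have no entry and are dropped) and, by omission, the part it does not: nothing stops a machine inside from opening a connection out.

```python
"""Toy source-NAT (masquerade) model for the article's example network.
Added example, not IPcop code. Real NAT also tracks protocol and connection
state; this keeps only the address/port mapping, which is the point here."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "62.53.128.4"            # the article's external (Red) address
INTERNAL_HOST = "192.168.20.15"      # a constructed host on the 192.168.20.x LAN
WEB_SERVER = ("203.0.113.10", 80)    # constructed Internet host (TEST-NET-3)
SCANNER = ("198.51.100.7", 4444)     # constructed Internet host (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Rewrites outbound source addresses to the public IP and remembers the
    mapping so replies can be rewritten back to the internal host."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (src_ip, src_port, dst_ip, dst_port) -> public port used for it
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (internal ip, internal port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, p: Packet) -> Packet:
        """Packet leaving the LAN: allocate (or reuse) a public port."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, self.outbound[key], p.dst_ip, p.dst_port)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: return it rewritten to the
        internal host, or None (drop) when no connection ever created an entry."""
        if p.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((p.dst_port, p.src_ip, p.src_port))
        if entry is None:
            return None
        internal_ip, internal_port = entry
        return Packet(p.src_ip, p.src_port, internal_ip, internal_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """One outbound web request, its reply, and one unsolicited probe to port 445."""
    nat = Nat(PUBLIC_IP)
    request = Packet(INTERNAL_HOST, 51234, *WEB_SERVER)
    on_the_wire = nat.translate_outbound(request)
    reply = nat.translate_inbound(
        Packet(*WEB_SERVER, on_the_wire.src_ip, on_the_wire.src_port))
    probe = nat.translate_inbound(Packet(*SCANNER, PUBLIC_IP, 445))
    return on_the_wire, reply, probe


if __name__ == "__main__":
    wire, reply, probe = demo()
    print("request as seen on the Internet:", wire)
    print("reply delivered inside as:", reply)
    print("unsolicited probe delivered as:", probe)   # None: dropped
```

The probe to port 445 is dropped only because nothing inside created an entry for it; if an inside machine had connected out to the scanner first, the scanner's replies would be let straight in. That is why the rest of this series layers a real filtering policy on top of NAT.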

You can also think of each network as secret departments in a covert government organization. Each department only has security clearance to talk with itself. Say the Bioweapons department needs resources from Engineering, but they don't have security clearance. The only person who has clearance for each department is the 4-star general, and each department must go through him. It's not exactly like that, but it's a decent analogy of how different segmented networks are separated from each other.

Firewalls use standard conventions when referencing areas of the network. There are four basic network types, all of which can be managed by the firewall at the same time. These networks are called:

Red (external Internet)
Orange (DMZ or DeMilitarized Zone)
Green (internal network)
Blue (wireless network)

You can have a wireless access point on your Green (internal) network in a home situation. A separate Blue network is helpful if you have a public access point, but only want those people to access the Internet, and that's it. Internet cafés and other public access points would use a Blue network to allow customers access to the outside world, but not let them snoop the internal network.

The Orange Network (DMZ) is where you put your web servers, VOIP router, and other appliances that the outside world should be able to see. There are several assumptions made about the computers on this network, referred to as the Orange Mantra:

Orange must be on a separate physical wire from Green (not on same hub/switch)

Orange must be on a separate logical subnet.

Orange cannot send nor respond to ICMP (i.e., ping).

Orange must always use ISP DNS for name resolution.

Orange must always point to the IPCop Orange interface as its gateway.

Orange can be accessed from Green ONLY by its internal IP address unless /etc/hosts on IPCop is edited.

Orange cannot access Green unless pinholes are opened.

Orange can be port-forwarded to in exactly the same manner as Green.

Segmenting your network like this adds more security. If someone comes into your house and uses one of your local computers (on the Green network), then they don't automatically have full control of your web servers. Your Orange servers will be on a completely separate network, with a completely different IP range, and a completely different set of network cables. If you have only one server in the DMZ, then you can get away with a crossover network cable between the firewall and the Orange server. If you have more than one server in the DMZ, then you must use a separate network switch (not the same one your Green network is on).

Now that you know the caveats of each network, you can determine which type of firewall setup you need. If all you need is a firewall that is more configurable than the cheap Netgear box you have, then all you need is a Red + Green setup. Here are the different network setups, their intended purposes, and the number of network cards each needs:

red + green (2 network cards)
Basic firewall. Same as a router appliance, but with greater flexibility. One Internet connection and one internal network. You can have wireless access if you connect a wireless access point to the switch on the Green network. Any wireless access point attached to the Green network has the same access as the wired computers.

red + green + orange (3 network cards)
Use if you have a web server, game server, VoIP, or some other public computer. Two separate networks: internal and DMZ.

red + green + blue (3 network cards, one with a wireless access point)
Use if you want public wireless access. Two separate networks: internal and wireless. Wireless cannot access Green unless you set up more rules (pinholes).

red + green + orange + blue (4 network cards, one with a wireless access point)
Three separate networks with different network addresses: internal network, web servers, and public wireless access. None of the internal networks can access each other directly without going through pinholes (or back out through the Internet).
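As an added example (written for this edit, not IPcop's own code or rule set), here are the zone rules above collapsed into a small policy evaluator run over constructed sample packets. The Green and Orange ranges are the ones this tutorial assumes later (192.168.1.x and 192.168.15.x); the Blue range 192.168.2.0/24, the public address 62.53.128.4 from Part 2, and the hosts, pinhole and port-forward are made up for the example. The point to take away is that the only rules you ever write are the exceptions: everything between Orange, Blue and Green, and everything inbound from Red, is denied unless a pinhole or port-forward says otherwise.

```python
"""Toy packet-policy model of the zone rules described above: Green may reach
everything, every zone may reach Red, Orange and Blue reach Green (or each
other) only through explicit pinholes, Red reaches inside only through
port-forwards, and Orange neither sends nor answers ICMP.
Added example; not IPcop's own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "green": ip_network("192.168.1.0/24"),    # this tutorial's Green range
    "orange": ip_network("192.168.15.0/24"),  # this tutorial's Orange range
    "blue": ip_network("192.168.2.0/24"),     # assumed Blue range (not from the article)
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local ranges is Red."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    port: int = 0   # destination port (0 for icmp)


@dataclass(frozen=True)
class Pinhole:
    """Let src_zone reach one host:port that the default policy would block."""
    src_zone: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class PortForward:
    """Send Internet traffic arriving on public_port to an inside host:port."""
    proto: str
    public_port: int
    dst: str
    port: int


class ZonePolicy:
    def __init__(self, pinholes=(), forwards=()):
        self.pinholes = set(pinholes)
        self.forwards = {(f.proto, f.public_port): f for f in forwards}

    def decide(self, p: Packet) -> str:
        src, dst = zone_of(p.src), zone_of(p.dst)
        if p.proto == "icmp" and "orange" in (src, dst):
            return "deny: orange does not send or answer ICMP"
        if src == "red":                      # inbound: only explicit forwards
            fwd = self.forwards.get((p.proto, p.port))
            if fwd is None:
                return "deny: no port-forward for red traffic to port %d" % p.port
            return "allow: forwarded to %s:%d" % (fwd.dst, fwd.port)
        if src == dst:
            return "allow: same zone, never crosses the firewall"
        if src == "green" or dst == "red":    # trusted LAN out, anyone to Internet
            return "allow: %s -> %s is permitted by default" % (src, dst)
        if Pinhole(src, p.dst, p.proto, p.port) in self.pinholes:
            return "allow: pinhole %s -> %s:%d/%s" % (src, p.dst, p.port, p.proto)
        return "deny: %s -> %s requires a pinhole" % (src, dst)


def demo():
    """Constructed sample packets against a policy with one pinhole (Orange web
    server to a Green database) and one port-forward (HTTP to the Orange server)."""
    policy = ZonePolicy(
        pinholes=[Pinhole("orange", "192.168.1.5", "tcp", 3306)],
        forwards=[PortForward("tcp", 80, "192.168.15.10", 80)],
    )
    samples = {
        "green->orange web": Packet("192.168.1.20", "192.168.15.10", "tcp", 80),
        "orange->green db": Packet("192.168.15.10", "192.168.1.5", "tcp", 3306),
        "orange->green smb": Packet("192.168.15.10", "192.168.1.5", "tcp", 445),
        "orange->green ping": Packet("192.168.15.10", "192.168.1.5", "icmp"),
        "internet->http": Packet("198.51.100.7", "62.53.128.4", "tcp", 80),
        "internet->ssh": Packet("198.51.100.7", "62.53.128.4", "tcp", 222),
        "blue->internet": Packet("192.168.2.30", "203.0.113.10", "tcp", 443),
        "blue->green share": Packet("192.168.2.30", "192.168.1.5", "tcp", 445),
    }
    return {name: policy.decide(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

Notice that the pinhole is keyed on one host, one protocol and one port: a compromised Orange web server gets its database connection and nothing else, which is exactly the limit the "Orange cannot access Green unless pinholes are opened" rule is meant to enforce.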

Next we'll discuss hardware considerations based on the type of network you want to set up.

Linux Firewall Part 3: Selecting Your Hardware

As mentioned in the previous segment, you can create a professional-level firewall using old hardware that you would otherwise throw away. Some people may choose to purchase new dedicated hardware, which can have several advantages. Either way, you can create a hardware firewall that costs significantly less than the $1000-$3000 that professional hardware devices can cost.

Network cards

For a basic firewall, you'll need at least 2 network cards (one for the Red network, and another for the Green network). If you want to add a DMZ, then you'll need an additional network card.

For the wired network cards, you don't need anything more than 100Mbit on the Red and Orange networks, since even the fastest Internet connection (at the time of writing) is 20Mbit. These are minimum recommendations for building a firewall out of spare parts, if you have these items lying around. If you're buying new hardware, go ahead and do all Gigabit.

This Jetway board has expansion slots for three more network ports

If you want to add a Blue network into the mix, then you'll need a regular wired network card with a wireless access point attached to it. It is not recommended to use a wireless card directly, because your particular card might not be supported, and upgradability is limited. Connect a wireless access point with the minimum wireless technology you want to support, like 802.11g or 802.11n. That way you can always upgrade to the next wireless technology without ever opening your firewall.

Chassis

The selection of your PC case is really all about how satisfied you want to be with this project. If you are going full-blown mini-ITX, then you can choose from some really cute tiny boxes with an external power brick. There are also some 1U rack-mountable cases that are perfect for mini-ITX motherboards, but I wouldn't recommend this unless you are hosting several web servers and are protecting a small server farm. These cases are just fine if you want to build a basic firewall and don't need many extras like CD-ROM drives or full-sized hard drives.

i-Star 2U rack-mountable case

I did try a very cheap 1U case, but, believe it or not, the ITX motherboard didn't fit right in it, so if you do go 1U, make sure the case is compatible with the motherboard you choose.

Another consideration for a special ITX case is this: what if the power supply breaks? Your firewall is the biggest single point of failure for your network. These small cases require special power supplies, and unless you have a spare on hand, you're going to be down until you find a replacement.

I chose an i-Star 2U case primarily because they are good and inexpensive. I also want plenty of airflow, an attached DVD drive, a full-size internal power supply and two full-sized 80GB hard drives in RAID 1. Since all of this equipment will only draw about 50 watts of power, any regular power supply should be around 90% efficient, so it won't produce the heat you might expect.

On the next page we select an appropriate motherboard, video card, memory and storage.

Linux Firewall Part 4: Installation

Core software installation

For the purposes of this tutorial, I am making several assumptions. I am assuming that your Green network is 192.168.1.x and your Orange network is 192.168.15.x. If you want a different network config, then modify as necessary.

If you already have an Internet router that you're intending to replace, I recommend some prep work to make things easier. Most routers are set as the gateway to their network (i.e. 192.168.1.1), and this is probably the address that you want your firewall to use. Otherwise, you'll have to set the firewall to 192.168.1.2 or some other address, which can get really confusing really fast. Go ahead and log into your existing router, and change its address to 192.168.1.2, or some other number, so that it will not conflict with your new firewall. And turn off DHCP, since your new firewall should be the new DHCP server; you don't want two servers trying to dole out dynamic IP addresses and wreaking all sorts of havoc.

Once your hardware is prepared, IPcop is very easy to install. First you must download the latest distribution and burn the image to a CD. Then, go into your motherboard's BIOS and make sure that your CD-ROM is your first boot device. Then just plop in the CD and let it boot. You are presented with a prompt which allows you to set any parameters you like before boot. I actually ran into an issue where Linux could not find the hard drives because it wanted to install on the attached USB card reader. In this case, I typed vmlinuz nousb, which disabled USB support. If you do this, then you won't be able to use USB keyboards, even after installation. I would just temporarily unplug any USB storage devices during installation.

After setting any parameters (or just press Enter to continue), you are presented with an ANSI-based installation wizard.

The first few screens are rather self-explanatory. You are asked to enter what type of keyboard you're using, your time zone, and what you want to name your firewall. By default, the name is ipcop, but you can change it to anything else you would like. When it comes to the Domain screen, just leave it at the default (localdomain).

ISDN screen

For some reason, the first major configuration screen is the ISDN configuration menu. I've only known one person who ever used ISDN, and that was eight years ago. It would benefit the firewall community to remove this screen, or only show this screen if you choose a particular parameter. For most people, tab over to Disable ISDN and press Enter. If you really need help configuring ISDN, then consult the IPcop installation manual.

Choose Network Type

The next step is to configure your network type. For the purposes of this tutorial, we are selecting a GREEN + ORANGE + RED configuration. You must have three separate network cards to use this configuration. If you only want a basic firewall, then select the GREEN + RED configuration. Remember that the Red network is the Internet connection, Orange is your DMZ, and Green is your internal network. Each of these networks must have a completely different IP range.

Enter IP addresses

You are then asked to enter the IP information of your Red (Internet) interface. Your choices are Static, DHCP, PPPoE, and PPTP. The type totally depends on your network configuration. Business-class Internet access typically has a static IP address, so enter that IP in the IP address field. If you have cable or DSL then you could be using DHCP or PPPoE. Some notes to remember are:

Your RED network must have a static address if you wish to use IPCop's aliasing feature.

DHCP is used when your ISP has indicated you are to use automatic addressing.

Some ISPs require you to provide a hostname to their DHCP server. This is probably not IPCop's hostname. If it's needed, you can probably use the first part of the fully qualified domain name you noted while gathering the network parameters.

If your connection is via PPPoE, your ISP supplies the address information during the initial connection, so there is nothing to enter here after selecting it; your PPPoE username and password are entered later, on the Dialup page of the web interface.

If your connection is via PPTP, you will have to supply your RED network IP address and Network mask, just like the static addressing case. This address is almost always 10.0.0.150 with a network mask of 255.255.255.0.

You can then choose the interfaces for your Orange and Green networks. You may need to select Probe for IPcop to find the interfaces, and then you can select each interface and assign IP addresses to them. Remember that each interface must have its own IP address range; in this tutorial that is 192.168.1.1 on Green and 192.168.15.1 on Orange, but many people use other private ranges, such as 192.168.0.x for Green and 192.168.10.x for Orange. Hosts on both networks can use the same DNS servers you give IPcop for the Red interface.

You are then prompted for DNS information, which should have been provided to you by your ISP. Enter that information in the DNS and Gateway settings.

We finish the installation on the next page.

DHCP server configuration

This screen lets you specify if you want to enable DHCP. DHCP lets your firewall automatically assign dynamic IP addresses to computers on your Green network (each computer on the Orange network must have a static IP address). Be sure that if you enable DHCP, you disable it on any existing router appliances. I use an old router as my wireless access point, so I turned off DHCP on that device so that it's not fighting with my firewall.

To enable it, press the Space bar in the [ ] Enabled check box. You can then specify which address range you want to use. If you ever have any devices like a NAS or VoIP adapter, then you'll probably want these on a static IP address on your Green network, so give yourself some breathing room. Set the start address to 192.168.1.50 and the end address to 192.168.1.200. That gives you 151 dynamic IP addresses, which is more than enough for even a huge LAN party, and leaves 192.168.1.2 to 192.168.1.49 (48 addresses; remember that the firewall is using 192.168.1.1) plus 192.168.1.201 to 192.168.1.254 free for static devices. Just remember to keep track of the IP addresses you use and write them down so there isn't a network conflict.

Most people will never need a static device on their Green network, however, so if this confuses you, just don't worry about it.
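Here is a small address-plan check, added as an example (not part of IPcop), for the layout this tutorial uses: Green 192.168.1.0/24 with the firewall at .1 and the DHCP pool .50 to .200, Orange 192.168.15.0/24, and two constructed static devices (a NAS at .10 and a VoIP adapter at .11). It reports the pool size and how many static addresses remain, and flags the mistakes the text warns about: zone ranges that overlap, a static device or the firewall itself sitting inside the DHCP pool, and duplicate addresses.

```python
"""Address-plan sanity check for a Green/Orange IPcop layout.
Added example, not part of IPcop. Replaces the "write them down" bookkeeping
with a check you can rerun every time you add a static device."""
from ipaddress import ip_address, ip_network

# Layout assumed by this tutorial; the two static devices are constructed.
ZONES = {
    "green": ip_network("192.168.1.0/24"),
    "orange": ip_network("192.168.15.0/24"),
}
FIREWALL = ip_address("192.168.1.1")
DHCP_RANGE = (ip_address("192.168.1.50"), ip_address("192.168.1.200"))
STATIC_HOSTS = {"nas": ip_address("192.168.1.10"), "voip": ip_address("192.168.1.11")}


def check_plan(zones, firewall, dhcp_range, static_hosts):
    """Return (problems, summary). problems is a list of human-readable
    conflicts (empty when the plan is sound); summary holds address counts."""
    problems = []
    names = list(zones)
    for i, a in enumerate(names):                  # every zone needs its own range
        for b in names[i + 1:]:
            if zones[a].overlaps(zones[b]):
                problems.append("%s %s overlaps %s %s" % (a, zones[a], b, zones[b]))
    green = zones["green"]
    start, end = dhcp_range

    def in_pool(ip):
        return start <= ip <= end

    if firewall not in green:
        problems.append("firewall %s is not inside green %s" % (firewall, green))
    if not (start in green and end in green and start <= end):
        problems.append("DHCP range %s-%s is not inside green %s" % (start, end, green))
    if in_pool(firewall):
        problems.append("firewall %s sits inside the DHCP pool" % firewall)
    seen = {}
    for name, ip in static_hosts.items():
        if ip not in green:
            problems.append("%s %s is not inside green" % (name, ip))
        if in_pool(ip):                            # DHCP would hand it out twice
            problems.append("%s %s sits inside the DHCP pool" % (name, ip))
        if ip in seen or ip == firewall:
            problems.append("%s %s duplicates %s" % (name, ip, seen.get(ip, "the firewall")))
        seen[ip] = name
    dynamic = int(end) - int(start) + 1
    usable = green.num_addresses - 2               # minus network and broadcast
    static_free = usable - dynamic - 1 - len(static_hosts)   # minus firewall, minus reserved
    return problems, {"dynamic": dynamic, "static_free": static_free}


def demo_good():
    """The tutorial's layout: no conflicts, 151 dynamic, 100 static still free."""
    return check_plan(ZONES, FIREWALL, DHCP_RANGE, STATIC_HOSTS)


def demo_bad():
    """Two mistakes: an Orange range carved out of Green, and a printer inside the pool."""
    bad_zones = dict(ZONES, orange=ip_network("192.168.1.128/25"))
    bad_static = dict(STATIC_HOSTS, printer=ip_address("192.168.1.60"))
    return check_plan(bad_zones, FIREWALL, DHCP_RANGE, bad_static)


if __name__ == "__main__":
    for label, (problems, summary) in (("good", demo_good()), ("bad", demo_bad())):
        print(label, summary, problems or "no problems")
```

Run it again whenever you add a device; the overlap test is the one that matters most, because an Orange range inside Green defeats the whole point of the separate DMZ.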

Password screens

You are now asked for a password on several different accounts. Use a different password for each of these screens: root is the Linux account with full control of the box, admin is the web interface account, and backup protects your configuration backups, so sharing one password means a leak of the weakest one gives away all three. Each password should be strong, meaning at least 8 characters (longer is better), with numbers and at least one special character, and not a word that can be looked up in a dictionary. A passphrase is a good idea, such as OC-ModShop1sT3hB3st or something like that.

Enter your password in the Password and Again fields for the root, IPcop admin and backup accounts.

Now we need to determine which physical network port has been assigned to each address range. They should be configured in order, but you can't truly be sure until you do some testing. Once you log in to the admin console, you can actually see which MAC address has been assigned to which network, and then you can definitively mark each network card, but we have to be able to log in to the admin console first. Connect ONE network cable to the first network port on the firewall, and try to ping 192.168.1.1; you should get a response. If not, then try each consecutive port until you get a reply. Once you get a reply, mark this as the GREEN interface. I use white paper labels, and just stick them over the network port, although if you have color-coded stickers, you can do that, too.

Do this for each separate network, and use a computer on that separate segment. In our example, we have a Red + Green + Orange network, and we've already determined which one is Green (internal). Now go to one of your web servers, and see if you can ping 192.168.15.1. If you can, then mark this as the Orange network. The only network port that's left is the Red (Internet), so mark that and plug in your Internet connection.

You should then instantly be able to get online. Try pointing your browser to http://www.ocmodshop.com for the latest technology news and the general nerdiness that is the OCMS staff. I guess you could try one of those lesser sites, like msn.com or google or something.

If you can't get online, well, then you'll have to log in to the firewall to determine what the problem is anyway, which is where we're going next.

Now it's time to configure your firewall, which is done through a browser on the GREEN network. You will not be able to configure your firewall from the Orange or Red network (not at this point, at least). Point your browser to http://192.168.1.1:81 (by default IPcop's admin console listens on port 81 and redirects you to its HTTPS port).

Now we'll look at the IPcop web interface and explain what everything does.

Linux Firewall Part 5: The GUI Interface

System Pages

Now that you have IPcop installed, you need to configure it. IPcop provides you with a web interface in which you can configure nearly all of the settings of your new firewall. To connect, just open up any web browser, and connect to the IP address you set up when you installed the software. The web interface requires a secure web connection (SSL), so type this into your browser:

https://192.168.1.1:445 (or whatever IP address you assigned to your firewall; IPcop 1.4 serves its HTTPS interface on port 445, and plain http on port 81 redirects there). The certificate is self-signed, so your browser will warn about it the first time.

You will then be asked to log in. By default the username is admin, and you use the password you set up when you installed your firewall. You are now presented with a Home screen and can configure nearly every aspect of your new firewall.

Home

This is the same welcome screen you're presented with when you first log on to the web interface. It tells you the firewall's IP information as well as uptime statistics.

Home and SSH Access screens

Updates

Just like other open-source projects, IPcop periodically connects to the internet and gathers information about updates. This screen shows you any available updates to the software and provides a link to download them. You can also upload an update file, which will automatically update the system to a newer version. There is also information about your used storage space.

Updates and Passwords screens

Passwords

This simple screen lets you change the admin and dial passwords. If you want to change the root password then you'll need to do it from the Linux command prompt (either physically at the console or over SSH), with the passwd command.

SSH Access

This screen toggles SSH access and other features. I would leave this off unless you frequently need low-level access to your firewall. If you don't know the Linux command prompt backwards and forwards then you should definitely leave this alone. IPcop uses port 222 instead of the standard 22, but a non-standard port only cuts down the noise; any port scan finds it, and SSH will be the first thing hackers try. If you do enable it, use key-based authentication and disable password logins.