Start by reading the Firewall HOWTO, available at http://metalab.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO, which covers this subject.
There are also good firewalling guides for FreeBSD that should help you, at http://www.metronet.com/~pgilley/freebsd/ipfw/ and http://www.freebsd.org/~jkb/howto.html.
Basically, all you need to do is block ICMP packets on the network interface on which you do not want to respond to ICMP echo-request packets.
Here is one suggested way to implement this:
ipfwadm -Ip deny -P icmp -D YOUR.IP -W INET_INTERFACE
ipfwadm -Ia accept -P icmp -D YOUR.IP 0 3 4 11 12 -W INET_INTERFACE
and for blocking spoofing:
ipfwadm -Ia deny -P all -S LOCALNET/LOCALMASK -D LOCALNET/LOCALMASK -W INET_INTERFACE
ipfwadm -Ia deny -P all -S 127.0.0.0/8 -D LOCALNET/LOCALMASK -W INET_INTERFACE
ipfwadm -Ia deny -P all -S 10.0.0.0/8 -D LOCALNET/LOCALMASK -W INET_INTERFACE
ipfwadm -Ia deny -P all -S 172.16.0.0/12 -D LOCALNET/LOCALMASK -W INET_INTERFACE
ipfwadm -Ia deny -P all -S 192.168.0.0/16 -D LOCALNET/LOCALMASK -W INET_INTERFACE
FTP is a problematic protocol when setting up a secure firewall, as it uses two separate connections: a control connection, and a data connection. Furthermore, there are two distinct modes:
Active mode: For each data transfer (ls, get, put, etc.), the client sends a PORT command to the server, which specifies an IP address and port number. The client creates a listening (server) socket on this address/port, and the server connects to it to establish the data channel.
This requires that the client's firewall permits inbound TCP connections to all ephemeral ports (which amounts to a rather large hole in the firewall).
Passive mode: The client sends a PASV command to the server, which tells the server that the client wishes to use passive mode. For each data transfer, the server creates a listening (server) socket, and sends the IP address and port number back to the client. The client connects to the specified address and port to establish the data channel.
This requires that the server's firewall permits inbound TCP connections to all ephemeral ports (which also amounts to a fairly large hole in the firewall, but it's only the server that has to do this, and not every client which wishes to connect to it, as is the case with active mode).
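The following Python example is added here and is not part of the original text: it decodes the address and port carried in a PORT command or in the server's 227 reply to PASV, and reports which side's firewall has to accept the inbound data connection. The h1,h2,h3,h4,p1,p2 encoding comes from RFC 959; the function names and the sample lines are constructed for illustration.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (ip, port) from the host-port field of PORT or of a 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel(line):
    """Describe the data connection announced by one control-channel line.

    Returns None for lines that do not set up a data channel.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client listens, the server connects in.
        mode, listener, connector = "active", "client", "server"
    elif line.startswith("227"):
        # Passive mode: the server listens, the client connects in.
        mode, listener, connector = "passive", "server", "client"
    else:
        return None
    ip, port = decode_hostport(line[4:])
    return {"mode": mode, "listen": (ip, port), "inbound_at": listener,
            "connects_from": connector, "unprivileged_port": port >= 1024}


# Constructed control-channel lines (documentation addresses, not captured traffic).
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,7,19,137)",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->", data_channel(sample_line))
```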
In either case, the control connection is established first, by the client connecting to port 21 on the server. The problem usually arises when you start a Unix ftp client, which usually works in active mode by default. To establish the data connection, active mode requires that connections from the server to the client's ports above 1024 be allowed.
To avoid this you need to use passive (PASV) mode for FTP from behind a firewall: