Do it in stages:
Referring to the previous Generic Network Configuration:
          =============Internet BackBone(s)==========
                              ^
                              |
                           ___v____
                     WAN  |        |
                          |  ISP   |
                          | Router |
                          |________|
                              ^
                              |
..............................|.....................................
                              |
                              |
                         _____v_____   ....   ___________________
                        |           |        |                   |
                        | Fire Wall |        | Network Server(s) |
          Network       |___________|........|___________________|
          Services            ^   ^
                              |   .
                              |   .
..............................|.....................................
                              |   .
                              v   v
          --------------------+-----------------------
                       ^                       ^
                       |                       |
          LAN          |                       |
          192.168.0.0  |                       |
                    ____v___                ____v___
                   |        |              |        |
                   | User 1 |    o o o     | User n |
                   |________|              |________|
...................................................................
Most services on the firewall machine are controlled by daemon programs. These programs are either started at the time the system boots or are started as necessary via the internet daemon inetd. The first (and simplest) way to increase the security of your firewall and the LAN it serves is to disable all unnecessary services. If they are not running they can hardly present a security problem.
Generally these services are not needed on a firewall:
| Service | Notes |
| --- | --- |
| bootp | Provides boot services for diskless clients. If your network needs bootp, it should be provided on another server. |
| tftp | The trivial file transfer protocol, most often used with bootp (and DHCP) to deliver boot files to diskless clients. |
| fingerd | finger provides information about your users. This may be useful and might optionally be kept (some folks use finger as a means of publishing their PGP public keys). |
Services are turned off by one or more mechanisms, depending on how they are turned on. Boot daemons that normally run all the time are started (and stopped) via scripts under /etc/init.d. To stop one of these services, run its script with the argument 'stop':
# /etc/init.d/script-name stop
During startup these scripts are run via symbolic links from the /etc/rc* subdirectories. These files begin with either 'S' for 'start' or 'K' for 'kill'. You should move these files to another name like turned-off-S*. You can find the symbolic links with this command:
# find /etc/ -type l -print | grep script-name
Other services are started on request by inetd. Those that are not required at all (like tftpd) should be commented out in /etc/inetd.conf. After changing this file, inetd must be told to re-read its configuration with this command:
# kill -HUP `cat /var/run/inetd.pid`
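The three steps above (renaming the S* links, commenting out inetd.conf entries, and signalling inetd) can be scripted. The script below is an added example, not part of the original HOWTO; it works on a constructed copy of the rc*.d tree and inetd.conf in a temporary directory, so it can be run on any machine without touching the real configuration. The function names and the sample file contents are mine; only the reload step refers to the real /var/run/inetd.pid and is never invoked by the demonstration.

```shell
#!/bin/sh
# Added example: disable a service the three ways the text describes,
# against a constructed copy of the configuration in a temporary directory.

# 1. Rename the S* symlinks under the rc*.d directories so the boot
#    sequence no longer starts the script. K* (kill) links are left alone.
disable_rc_links() {          # $1 = directory holding rc*.d, $2 = script name
    find "$1" -type l -name "S*$2" | while read -r link; do
        mv "$link" "$(dirname "$link")/turned-off-$(basename "$link")"
    done
}

# 2. Comment out every inetd.conf entry whose service field is $2.
#    awk writes a new file because in-place sed editing is not POSIX.
disable_inetd_service() {     # $1 = path to inetd.conf, $2 = service name
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# 3. Make inetd re-read its configuration. Only meaningful on the real
#    host, run as root; the demonstration below does not call it.
reload_inetd() {
    kill -HUP "$(cat /var/run/inetd.pid)"
}

# Number of live (uncommented) entries left in an inetd.conf.
count_active_inetd() {        # $1 = path to inetd.conf
    grep -c '^[^#]' "$1"
}

# --- demonstration on constructed files (not a real system) ----------------
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/init.d" "$demo_dir/rc2.d" "$demo_dir/rc3.d"
: > "$demo_dir/init.d/bootpd"
ln -s ../init.d/bootpd "$demo_dir/rc2.d/S40bootpd"
ln -s ../init.d/bootpd "$demo_dir/rc3.d/S40bootpd"
ln -s ../init.d/bootpd "$demo_dir/rc2.d/K60bootpd"

cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

disable_rc_links "$demo_dir" bootpd
disable_inetd_service "$demo_dir/inetd.conf" tftp
disable_inetd_service "$demo_dir/inetd.conf" finger

ls "$demo_dir"/rc*.d
cat "$demo_dir/inetd.conf"
echo "active inetd entries: $(count_active_inetd "$demo_dir/inetd.conf")"
```

On the real firewall you would point the functions at /etc and /etc/inetd.conf and then call reload_inetd as root; listing the rc*.d directories afterwards is a quick way to confirm that no S* link for the disabled script remains.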
Services started by inetd can be further restricted to only specified clients. This is controlled by entries in /etc/hosts.allow and /etc/hosts.deny. The full specification of these files is in the hosts_access man page. For a firewall system it is best to implement a mostly closed system where the default is to deny service unless the client is specifically allowed the service. The /etc/hosts.deny file is trivial, containing only:
ALL: ALL
The /etc/hosts.allow specifies those hosts and networks allowed access to specific services. For example:
in.ftpd: 192.168.1.,192.168.20.,192.168.22.,208.166.96.98,206.67.252.66
in.telnetd: 192.168.1.,192.168.20.,192.168.22.,208.166.96.98,206.67.252.66
in.qpopper: 192.168.1.
allows ftp and telnet from the 192.168.1.0, 192.168.20.0 and 192.168.22.0 private networks, and specific access across the WAN from 208.166.96.98 and 206.67.252.66.
Local email clients are supported via qpopper on the local net only.
Symbolic names can be used but IP addresses are more secure.
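To see how tcpd arrives at a decision for a given daemon and client, the script below is an added example (not from the HOWTO) that mimics the documented hosts_access order: hosts.allow is consulted first, then hosts.deny, and the connection is granted if neither file matches. It handles only the forms used in the files above (ALL, exact addresses, and trailing-dot network prefixes); real tcpd also understands EXCEPT lists, netmasks and hostnames, which are deliberately not modelled. The function names, the temporary directory and the sample client addresses are mine.

```shell
#!/bin/sh
# Added example: a minimal evaluator for the hosts_access decision order,
# run against constructed copies of the hosts.allow/hosts.deny from the text.

# match_one PATTERN VALUE -> 0 if the pattern matches the value
match_one() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;  # 192.168.1. matches 192.168.1.x only
        *)   [ "$1" = "$2" ] && return 0 ;;          # exact address
    esac
    return 1
}

# match_list LIST VALUE -> 0 if any comma- or space-separated item matches
match_list() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_one "$item" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if some "daemons: clients" rule covers the pair
file_matches() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac       # skip blank and comment lines
        daemons=${line%%:*}
        clients=${line#*:}
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# hosts_access DAEMON CLIENT ALLOWFILE DENYFILE -> prints "allow" or "deny"
hosts_access() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                                   # no rule matched: tcpd grants access
    fi
}

# --- constructed copies of the two files from the text ---------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.allow" <<'EOF'
in.ftpd: 192.168.1.,192.168.20.,192.168.22.,208.166.96.98,206.67.252.66
in.telnetd: 192.168.1.,192.168.20.,192.168.22.,208.166.96.98,206.67.252.66
in.qpopper: 192.168.1.
EOF
printf 'ALL: ALL\n' > "$demo_dir/hosts.deny"

# check DAEMON CLIENT -> decision against the constructed files
check() { hosts_access "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"; }

for pair in "in.ftpd 192.168.1.7" "in.ftpd 192.168.10.7" "in.qpopper 192.168.20.3" \
            "in.telnetd 208.166.96.98" "in.tftpd 192.168.1.7"; do
    set -- $pair
    printf '%-12s %-16s %s\n' "$1" "$2" "$(check "$1" "$2")"
done
```

Two points the runs make visible: the trailing dot in 192.168.1. is what keeps 192.168.10.7 out, and the ALL: ALL line in hosts.deny is what turns the default from allow into deny, so a service such as in.tftpd that has no hosts.allow entry is refused to everyone.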
Setting up the Firewall
See Also: ipfwadm, hosts_access, hosts_options.