
UNIX FIREWALL
Overview
Generally, most Unix/Linux systems use a firewall built into the operating system kernel. It is normally configured from startup scripts, and basic scripts are often included by your distribution's vendor. Check your documentation for more information or take a look around your rc directory (/etc/rc.d or /etc/init.d, depending on the system; systemd-based Linux distributions use a unit file instead).
Often it is easiest simply to modify the existing scripts to your preferences. You can also write your own startup script and have it called from rc.local or from your init system; either way, make sure it runs before network services start accepting connections, otherwise there is a window at boot in which they are exposed unfiltered.
Linux Distributions
The Linux kernel includes netfilter, a set of hooks in the network stack through which every packet entering, leaving or being forwarded by the kernel can be inspected and filtered. Netfilter has several front ends; for firewall-type configuration the classic one is iptables. Netfilter/iptables has shipped with kernels 2.4 and later; kernel 2.2 included a similar system called ipchains, and 2.0 and earlier used ipfwadm, a port of the BSD ipfw system (below). Kernels from 3.13 onwards also provide nftables (the nft command), and on current distributions the iptables command is frequently a compatibility front end that translates rules into nftables; iptables -V reports which variant (legacy or nf_tables) you are running.
The 2.4 kernels also shipped ipchains and ipfwadm compatibility modules, so scripts written for those tools could keep running with minimal adjustment. Those modules are long gone from current kernels, and the iptables syntax itself differs from ipchains in detail (chain names, some targets), so old rules should be rewritten and tested rather than assumed to carry over.
For more information on netfilter and the iptables firewall, see:
- Netfilter Homepage - website (with docs) for netfilter and its usage.
Learning Curve
Unlike most Windows and Mac firewalls, which emphasize a GUI front end and interactive popups, most Unix firewalls are designed for administrators who already know precisely what traffic should and should not pass. Correspondingly, they are configured with a terse command or rule-file syntax.
For example, the following command tells the Linux iptables firewall to drop ICMP echo requests (pings) arriving on eth0 from outside the campus block, 128.135.0.0/16 in this example (the trailing backslash only continues the command onto the next line and is not needed if you type it on one line):
    iptables -A INPUT -p icmp --icmp-type echo-request \
        -i eth0 ! -s 128.135.0.0/16 -j DROP
Two details matter in practice: the "!" negates the option that follows it (older iptables releases accepted -s !128.135.0.0/16, current ones reject that form), and -A appends to the INPUT chain, so the rule is only reached if no earlier rule has already accepted the packet.
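A single rule like the one above is rarely useful on its own; the following script, an added example that is not from the original page, places it inside a minimal stateful INPUT policy. The interface name (eth0), the campus block (128.135.0.0/16) and the open ports (22, 80, 443) are assumptions and can be overridden through the environment. The script prints the iptables commands unless APPLY=1 is set, so the ruleset can be reviewed before it is loaded as root.

```shell
#!/bin/sh
# Added example, not from the original page: the page's ping rule inside
# a minimal stateful INPUT policy.  EXT_IF, CAMPUS_NET and OPEN_TCP are
# assumptions; override them in the environment.  Rules are PRINTED unless
# APPLY=1 is set, so the policy can be reviewed before it is applied.

EXT_IF="${EXT_IF:-eth0}"
CAMPUS_NET="${CAMPUS_NET:-128.135.0.0/16}"
OPEN_TCP="${OPEN_TCP:-22 80 443}"

# run: execute iptables when APPLY=1, otherwise echo the command line
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# build_input_rules: rebuild the INPUT chain.  Order matters: the chain is
# scanned top to bottom and the first match wins.  The default policy is
# set LAST so that an aborted run cannot leave a DROP policy behind with no
# ACCEPT rules in front of it (the classic remote lockout).
build_input_rules() {
    run -F INPUT                                 # empty the chain: reruns are idempotent
    run -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened, plus related ICMP errors
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the page's rule in current syntax: "!" precedes the option it negates
    run -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request ! -s "$CAMPUS_NET" -j DROP
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT   # on-campus pings
    for port in $OPEN_TCP; do
        run -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # log a trickle of what falls through; the policy below drops it
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop:"
    run -P INPUT DROP
}

# count_rules: number of iptables calls the policy makes, never applying them
count_rules() {
    ( APPLY=0; build_input_rules ) | wc -l | tr -d ' '
}

build_input_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root to load them; after loading, confirm with iptables -L INPUT -n -v that the ESTABLISHED,RELATED rule sits above the per-port rules and that the chain policy reads DROP.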
Script to ease the learning curve
Shorewall does not replace iptables; it generates the iptables commands for you from a few configuration files in which you describe your network zones, interfaces, the default policy between zones and the ports you want open. Visit the link below for more information about the firewall script.
- Shorewall firewall script - website (with docs)
OpenBSD
OpenBSD systems rely on pf, a stateful packet filter built into the operating system kernel. Like netfilter, pf is a general purpose packet filter that handles network address translation, packet redirection and firewall rules; its rules live in /etc/pf.conf and are checked and loaded with pfctl.
- OpenBSD PF FAQ - a general introduction to pf on OpenBSD systems.
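To show how the same policy reads in pf, here is an added example (not from the original page or the OpenBSD project) that generates a pf.conf mirroring the iptables ruleset above and syntax-checks it with pfctl -nf when pfctl is present. The interface name (em0), the campus block and the open ports are assumptions. Two differences in model are worth noticing: pf keeps state for every passed packet by default, so one "pass out" covers all replies, and without the "quick" keyword the last matching rule wins rather than the first.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenBSD project: the
# ping-blocking policy expressed as a pf.conf.  EXT_IF, CAMPUS_NET and
# OPEN_TCP are assumptions; override them in the environment.

EXT_IF="${EXT_IF:-em0}"
CAMPUS_NET="${CAMPUS_NET:-128.135.0.0/16}"
OPEN_TCP="${OPEN_TCP:-22 80 443}"

# gen_pf_conf: print the ruleset to stdout
gen_pf_conf() {
    ports=$(echo $OPEN_TCP | sed 's/ /, /g')
    cat <<EOF
ext_if = "$EXT_IF"
campus = "$CAMPUS_NET"

set skip on lo

# default: nothing comes in, and blocked packets are logged to pflog0
block in log
# this host may start any connection; pf's state table handles the replies
pass out

# the page's rule: echo requests from off campus are dropped immediately;
# "quick" stops evaluation here, otherwise the last matching rule wins
block in quick on \$ext_if inet proto icmp icmp-type echoreq from ! \$campus
pass in on \$ext_if inet proto icmp icmp-type echoreq

# exposed services; (\$ext_if) means the interface's current address
pass in on \$ext_if inet proto tcp from any to (\$ext_if) port { $ports }
EOF
}

# check_pf_conf: write the ruleset to a temp file and parse it with
# "pfctl -nf" (syntax check only, nothing is loaded) when pfctl exists
check_pf_conf() {
    tmp=$(mktemp) || return 1
    gen_pf_conf > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp"
        rc=$?
    else
        echo "pfctl not found; wrote $tmp for manual review" >&2
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

gen_pf_conf
```

On an OpenBSD host, redirect the output to /etc/pf.conf, run pfctl -nf /etc/pf.conf to parse it, then pfctl -f /etc/pf.conf to load it and pfctl -sr to read back the active rules.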
Other BSD Based Unix
Other BSD based systems, notably FreeBSD, use ipfw, together with dummynet for traffic shaping, to control network traffic and filtering (Mac OS X up to 10.9 also shipped ipfw; current macOS uses pf, and FreeBSD additionally offers pf and IP Filter as alternatives). ipfw provides much the same functionality as Linux's netfilter/iptables and is configured either from the command line or from startup scripts; on FreeBSD the firewall_* settings in /etc/rc.conf select the ruleset loaded at boot.
For more information on ipfw, try the man pages (man ipfw) or visit the FreeBSD project's tutorial on the subject:
- FreeBSD Handbook: Security and Firewalls - an introduction to ipfw from the FreeBSD administrators handbook.
Other Unix
Most other Unix systems do not ship with a firewall compiled into the kernel. Installing a full-featured one is straightforward, however, and we recommend you do so. Check with your vendor for their recommended solution; generically we recommend IP Filter (ipf), which Solaris 10 and later include.
- IPF How-To - the how-to guide for ipf
Please note: A firewall is just one part of a layered approach to system security. It does little good if, for example, the software it allows network access to is not kept patched: a filter passes port 80 to a vulnerable web server just as readily as to a current one.
William Paterson University
300 Pompton Road
Wayne, New Jersey 07470
973-720-2000