Budget Firewall
Written by: Tony Bourke
OS breakdown
A variety of free, open-source, OS-level firewalls is available for the Unix platforms. Making the right choice depends on individual need, platform, and preference. Netfilter, IPFilter, and OpenBSD's packet filter (pf) are the most popular packet-filtering packages; BPF (the Berkeley Packet Filter) is a kernel packet-capture and filtering interface that tools such as tcpdump build on, rather than a firewall in its own right. Freely available and openly developed software is released under various licenses (e.g., the GPL or the BSD license), and it is important to check each license to make sure the intended use complies with it.
For Linux, the OS-level firewall depends on the version of the Linux kernel you are running:
# Linux 2.0: ipfwadm (non-stateful)
# Linux 2.2: ipchains (non-stateful)
# Linux 2.4: netfilter (stateful)
If you are running Linux as a firewall or as a firewalled host, use Linux 2.4 with its netfilter code, because it is stateful. The earlier packages are not, and a non-stateful ruleset has to leave a wide range of ports open to let outbound connections work, which increases the host's exposure to attack.
FreeBSD and NetBSD ship IPFilter as a firewall package (FreeBSD's kernel also includes its own ipfw filter), and both provide BPF for packet capture. OpenBSD used to ship IPFilter with its base distribution, but beginning with version 3.0 it uses its own filter, simply called packet filter (pf). OpenBSD is widely regarded as a highly secure operating system and is well suited for use as a firewall.
IPFilter is also the most popular free firewall package for Solaris, supporting versions 2.6 through 8. Because IPFilter is a kernel module, it must be built for the mode the kernel actually boots into: if Solaris 7 or 8 is running a 64-bit kernel (the isainfo -kv command reports which mode is in use), the IPFilter binary must be compiled as 64-bit. Versions of GCC (GNU's open-source C compiler) prior to 3.0 cannot produce 64-bit Solaris binaries, so building it requires Sun's cc or a GCC 3.0 specially built with 64-bit support. Sun's cc is quite expensive, which can be a problem. Fortunately, the IPFilter download site offers a pre-compiled 64-bit binary to address this.
The other Unix flavors, such as IBM's AIX, SGI's IRIX, and Hewlett-Packard's HP-UX, all have OS-level firewalls available, including ports of IPFilter, and provide BPF.
Windows 2000 and Windows XP have a built-in network packet filter, called TCP/IP Filtering. It is reached through the Network control panel: select the interface, open the TCP/IP properties, click Advanced, then the Options tab, then the properties of TCP/IP Filtering. From there you can choose which TCP ports, UDP ports, and IP protocols are permitted. This filtering is not stateful, however.
Stateful Firewalls
Statefulness is a critical feature for a firewall, but not all OS-level firewalls have it. It matters because it allows much greater flexibility and control over which traffic is permitted. Without stateful capability, the inbound rules for a Web server might look something like this:
Allow in TCP port 80
Allow in TCP ports >= 1024
Deny everything else
You'll note that the firewall allows all ports 1024 and above. This is necessary for outbound connections to work: ports below 1024 are reserved for privileged services, so when a host opens an outbound TCP connection it picks a local (ephemeral) port from 1024 upwards, and the remote end's replies are addressed to that port. Here is an example where an outbound SSH connection is made from one workstation (192.168.0.15) to another machine (192.168.0.25). netstat (a Unix and Windows command that shows active TCP connections) reports the following:
Proto  Local Address       Foreign Address     State
tcp    192.168.0.15:1029   192.168.0.25:22     ESTABLISHED
The destination port is 22, but the connection also occupies local port 1029, and the SSH server's replies arrive addressed to that port. For any outbound TCP connection to work through a non-stateful filter, inbound traffic to all ports 1024 and above must therefore be allowed. This leaves a large part of any machine open to probing and attack, and any number of illicit services can be set up on those ports by users, Trojan horses, or viruses.
Put another way, the remote machine sends packets back to the local machine on a port of 1024 or higher that the local machine chose for that connection: in the example the outbound connection goes to port 22, with the local end on port 1029, and a browser's connection to a remote port 80 works the same way. Blocking everything on TCP ports 1024 and higher would break that return path, and no outbound connection would work. Statefulness takes care of this by inspecting not only the source address, destination address, and ports, but also which connections are currently open and what TCP state they are in. For a stateful firewall, the rules for a Web server might look like this:
Allow in TCP port 80
Allow in TCP established
Deny everything else
The "TCP established" rule allows us to close ports 1024 and higher, because the firewall keeps a table of the connections the host itself has opened and lets an inbound packet through only when it matches one of them. Note that TCP has no "established" flag: the "established" keyword on older, non-stateful filters (ipchains, Cisco access lists) merely checks that the packet is not a bare SYN, i.e. that its ACK bit is set, and an attacker can set the ACK bit on a probe to slip past such a rule (an ACK scan). Only a genuinely stateful firewall, which remembers the outbound connection, can tell a real reply from a forged one.
Most OS-level firewalls are now stateful, although there are exceptions, so make sure you know the capabilities of the package you plan to use. For instance, Linux 2.0 and 2.2 use ipfwadm and ipchains respectively, neither of which is stateful. If Linux is to be used for the firewall, it is better to upgrade to the Linux 2.4 kernel and its netfilter package, which is stateful. The built-in Windows TCP/IP Filtering is also not stateful.
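The difference between the two rulesets above is easiest to see by running packets through them. The following Python model is an added example written for this article, not code from any of the firewall packages it discusses: it implements the non-stateful "ports 1024 and above" rule, the flag-only "established" check used by older filters, and a connection-table filter of the kind netfilter or pf maintain, then feeds each one the article's outbound SSH session plus a forged ACK-only probe. The addresses, ports, class and function names are assumptions chosen for illustration, and the packets are constructed, not captured.

```python
"""Model of non-stateful, flag-based and stateful inbound filtering for a
web server. Added example for illustration; not netfilter/ipchains/pf code.
All packets below are constructed, not captured traffic."""
from __future__ import annotations

from dataclasses import dataclass

SERVER = "192.168.0.15"   # the firewalled host (address from the article)


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the two flags that matter."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_inbound(pkt: Packet) -> str:
    """The article's non-stateful ruleset: allow in TCP 80, allow in TCP
    ports 1024 and above, deny everything else. Only the port is examined."""
    if pkt.dport == 80 or pkt.dport >= 1024:
        return "allow"
    return "deny"


def ack_flag_inbound(pkt: Packet) -> str:
    """Flag-only 'established' check of the kind ipchains' '! -y' or a Cisco
    'established' ACL performs: anything that is not a bare SYN is treated
    as a reply. There is no memory of which connections actually exist."""
    if pkt.dport == 80:
        return "allow"
    if not (pkt.syn and not pkt.ack):   # not a bare SYN -> "established"
        return "allow"
    return "deny"


class StatefulFilter:
    """Connection-table model of a stateful filter. Outbound SYNs create an
    entry; an inbound packet is admitted only when a matching entry exists.
    (Real implementations also follow TCP state transitions, check sequence
    windows and expire entries; that bookkeeping is omitted here.)"""

    def __init__(self) -> None:
        # (local ip, local port, remote ip, remote port) of open connections
        self.table: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        if pkt.syn and not pkt.ack:       # new connection opened by the host
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        if pkt.dport == 80:                                   # Allow in TCP port 80
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:  # Allow in TCP established
            return "allow"
        return "deny"                                         # Deny everything else


def run_scenario() -> dict[str, tuple[str, str, str]]:
    """Run constructed packets through all three filters. Returns, per packet,
    the verdicts as (stateless, ack_flag, stateful)."""
    fw = StatefulFilter()
    # The article's session: the host opens SSH from local port 1029 to 192.168.0.25:22.
    fw.outbound(Packet(SERVER, 1029, "192.168.0.25", 22, syn=True))
    # The SSH server's SYN/ACK reply back to local port 1029.
    ssh_reply = Packet("192.168.0.25", 22, SERVER, 1029, syn=True, ack=True)
    # A legitimate web client connecting to port 80.
    web_client = Packet("10.0.0.5", 51234, SERVER, 80, syn=True)
    # Attacker's ACK-only probe at a high port where a Trojan might listen (ACK scan).
    ack_probe = Packet("10.0.0.9", 40000, SERVER, 6000, ack=True)
    # Attacker's plain SYN to the same high port.
    syn_probe = Packet("10.0.0.9", 40001, SERVER, 6000, syn=True)

    results: dict[str, tuple[str, str, str]] = {}
    for name, pkt in [("ssh_reply", ssh_reply), ("web_client", web_client),
                      ("ack_probe", ack_probe), ("syn_probe", syn_probe)]:
        results[name] = (stateless_inbound(pkt), ack_flag_inbound(pkt), fw.inbound(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, ack_flag, stateful) in run_scenario().items():
        print(f"{name:10s} stateless={stateless:5s} ack_flag={ack_flag:5s} stateful={stateful}")
```

The SSH reply and the web client pass all three filters, as they should. The two probes show the difference: the non-stateful ruleset admits both because 6000 is above 1023, the flag-only check stops the bare SYN but still admits the forged ACK, and only the connection-table filter rejects both, because neither matches a connection the host opened.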