Network Computingwww.networkcomputing.com

Employing a Linux-Based SOHO Firewall Solution

The time has come to show you how to build your own SOHO (small office, home office) firewall on Unix-clone systems like Linux by using its preinstalled software. Why are we focusing on Linux? Because it is a freely distributed open-source system, and you can use this system easily to build a secure software SOHO firewall on a shoestring budget.

Linux preinstalled firewall software: Let's start with the Linux operating system and its preinstalled software for building a SOHO firewall. You should use the NAT (Network Address Translation) technology for blocking access to an internal network DMZ (demilitarized zone). For this example, you should use a RedHat Linux distribution.

You need to build your kernel distribution with the IP Forwarding, IP Masquerading, IP Firewalling, IP Transparent Proxying and IP Routing functions. It's assumed here that you're somewhat experienced with the Linux system and its kernel structure. If, however, you have problems building and compiling your customized kernel, you can refer to a Linux manual. As far as the internal network is concerned (called the DMZ network), you'll have to change the network that's being used in this example (10.0.0.0/24, which is a part of private class network 10.0.0.0/8, according to RFC1918) to the one you're using. You can use a network block that you've obtained from your local ISP with public IP addresses. Once you've built and installed your new kernel with the firewall options enabled, you can set up a configuration script, which will start your SOHO firewall. Create (if it does not exist) and edit the file /etc/rc.d/init.d/firewall as shown:

# flushing out all rule sets

# this is meaningless on the startup, but a good idea when restarting the firewall services

ipfwadm -F -f

ipfwadm -I -f

ipfwadm -O -f

# denying all connections, using the default rule

ipfwadm -F -p deny

# allowing all connections from the DMZ network interface

ipfwadm -F -a accept -m -P all -S 10.0.0.0/24

# allowing all incoming connections

ipfwadm -I -p accept

Okay, now it's time to take care of the tcpwrappers package that's included in the RedHat Linux distribution. Start by enabling SSH (SecureShell) connections to your SOHO firewall from the DMZ network. This will allow you to configure it in case of an emergency. Edit the /etc/hosts.allow file as shown:

ALL: 10.0.0.

22: ALL

To close all other connections for your DMZ network, you need to edit the /etc/hosts.deny system file:

ALL: ALL

You've now finished a simple SOHO firewall setup on your Linux system. Of course, the subject of monitoring your SOHO firewall has not been covered yet (See "FireWall-1 Performance/Security Tuning").

Many monitoring tools are available, such as Big Brother and NetSaint. Some system administrators may want to write their own monitoring tools. This is not a question of SOHO firewall security. You now have reached your objective: You built a SOHO firewall that routes your internal network and denies others access to your network, which might contain classified information.

Finally, does your Linux-based SOHO firewall have a hole in it? New updates fix a potentially disastrous flaw.