Firewall
A Firewall is an extension to an Operating System that allows one to create policies for Internet protocols in order to deny content that is deemed illegal or harmful. Firewalls are most common to work on OSI layers 3 and 4. Commercial firewalls often inspect higher layers than 3 and 4, for example SMTP content (RFC 2821 and 2822). Firewalls cannot inspect encrypted protocols (see cryptography) unless they have been given the secret key.
Our recommended process for installing a firewall is to "block all in" and block all out" by default. Once that has been established, then only allow rules as required.
For example, if you have blocked all by default, first you will want to try to resolve DNS I'm sure. So you will need to start a packet sniffer (tcpdump, ethereal, snoop) and watch the packets trying to leave and come in. In another window, type "host yashy.com" to try and resolve my DNS. As you should see, you need to allow port 53.. but was that TCP or UDP? You not only want to only allow that port, you may as well include the protocol as well. Once you have modified your firewall ruleset so that "host yashy.com" actually resolves and returns an IP address, try to use your browser to get there. As you will see, now you need to create a TCP rule for outbound port 80. Eventually you'll have a very decent firewall.
A common mistake we see it an implicit allow all outbound, this is a mistake, and very beneficial to anyone who has just compromised your machine. Allow only the required ports and protocols outbound, most commonly ports 80 (web) and 25 (smtp), and block and log everything else outbound. If you find something isn't working, check the logs and allow a rule for that application, if you approve of its usage. It will be a short bell curve until you will very rarely have to modify your outbound ruleset, as outbound traffic rarely changes.
Firewalls for UNIX
- pf
- A stateful firewall written by Daniel Hartmeier for OpenBSD. Has been ported to all BSD's. pf has a nice logging mechanism that one can view with tcpdump. This firewall can share states between other firewalls meaning communication can continue if the path of communication changes through another firewall. This firewall has built-in NAT.
- ipfw
- IP Firewall available in FreeBSD and Apple Mac OS X. Much work done from Luigi Rizzo. States were introduced with the second version of ipfw. NAT can be achieved with IPDIVERT sockets with programs such as natd.
- ipf
- IP Filter available in a number of UNIX OS's. Written by Darren Reed. Stateful, has built-in NAT.
- netfilter / iptables
- The standard firewall software that comes with the Linux Operating System. Stateful has built-in NAT.
- Checkpoint
- Expensive commercial firewall runs on Solaris. Written in Israel. Could have been the first stateful firewall, patented. Has NAT.
Firewalls for Windows
A common free firewall for Windows that blocks all of your ports is zone alarm. Checkpoint Firewall also works on Windows.