9. Packet Filtering: IP Filter (ipf), ipfwadm, ipchains, and Netfilter (iptables); and associated utilities
9.1. ipfwadm
ipfwadm is a packet-filtering utility for Linux. It works only with kernels
prior to 2.1.102 and has been superseded by ipchains and iptables.
9.2. ipchains
ipchains is a Linux command-line utility, for 2.2 kernels, that lets you
create packet-filtering rule-sets called "chains". These chains are applied
to all IP packets which arrive at the system.
For example, here is a chain of four rules:

    IPCHAINS=/sbin/ipchains   # path to the ipchains binary
    # -- accept telnet (tcp port 23) and ICMP from the same subnet only:
    $IPCHAINS -A input -p tcp -s 130.88.100.77/18 -d 130.88.100.77/24 23 -j ACCEPT
    $IPCHAINS -A input -p icmp -s 130.88.100.77/18 -d 130.88.100.77/24 -j ACCEPT
    # -- default policy :
    $IPCHAINS -A input -j DENY
    $IPCHAINS -A output -j ACCEPT

The rules are applied in turn until one matches the packet. The first says:
accept packets destined for port 23 (tcp), but only from the same subnet;
the second accepts ICMP packets (ping) only from the same subnet, so ICMP
from anywhere outside the subnet falls through to the default deny below.
The last two rules implement the default policy: if no rule above matches a
packet, apply these: inbound packets are denied and outbound packets are
accepted.
It's best run via a script or fronted by a GUI utility.
It has been succeeded by iptables for 2.4 kernels, though the latter is not
substantially different. IP Filter is the Solaris equivalent.
Resources
- A good introductory article appeared in the October 2000 issue of the Linux Journal (in the Cooking with Linux column).
- The Ipchains HOWTO.
- I recommend trying the ipchains-firewall script as a starting point (and more recently iptables-firewall) from Ian Hall-Beyer. The home site for this is firewall.langistix.com. A web search (google) will find alternative sites.
Example
ipchains is a command-line utility and is best run via a script.
9.3. Netfilter and iptables
The latest and best packet-filtering software for Linux (2.4 kernels) is
broken into two parts: Netfilter is the kernel portion and iptables is the
user-level tool (cf. ipchains).
State and Connection-Tracking
Unlike ipchains, Netfilter is stateful: for example, one can treat packets
from a particular source in one manner if they relate to an established
(known) connection and in another, different manner if they are "new".
Netfilter/iptables makes connection tracking easy, even for messy protocols
like FTP (contrast IP Filter).
Example
iptables is a command-line utility and is best started via a script. The
initialisation script on Red Hat machines expects a list of rules in
/etc/sysconfig/iptables, so if you put a script of this nature in its place
you will need to hack /etc/init.d/iptables.
Resources/More
- To get an overview (getting, installing and configuring Netfilter/iptables) see the article Taming the Wild Netfilter, Linux Journal, September 2001.
- For information on using Netfilter/iptables to detect advanced TCP and UDP portscans see the article Detecting Suspect Traffic, Linux Journal, November 2001.
- Linux Journal articles
- http://iptables-tutorial.haringstad.com/
- Netfilter has three homes:
  Further documentation can be found, including Paul "Rusty" Russell's HOWTO in various formats (HTML, PostScript, PDF...). This gives an introduction to packet filtering and iptables in particular, including recipes to customise and use; it also mentions the older ipchains and ipfwadm, and the differences between them.
9.4. IP Filter
IP Filter is perhaps the most widely available (ported) packet filter.
It comes as part of FreeBSD, NetBSD and OpenBSD, and has been tested and run
on Solaris/Solaris-x86 2.3 -- 8, SunOS 4.1.1 -- 4.1.4, NetBSD 1.0 -- 1.4,
FreeBSD 2.0.0 -- 2.2.8, BSD/OS-1.1 -- 4, IRIX 6.2, OpenBSD 2.0 -- 2.9,
HP-UX 11.00 (IP Filter 4.0alpha*) and QNX Port.
Assuming IP Filter is compiled on your system, it will be started
something like this:

    ipf -Fa -f /etc/ipf.rules -E

where -Fa flushes previously stored rules, -f /etc/ipf.rules
loads the rules and -E enables IP Filter.
State and Connection-Tracking
IPFilter connection-tracks like Netfilter/iptables, but handles
complex protocols, like FTP, less transparently.
Configuration --- Rules
The following simple examples are based on those from the OpenBSD FAQ.
Here is a simple example of a rules file:

    pass out from any to any
    pass in from any to any
    block in on fxp0 from any to any port = 3306

There are three rules: allow all packets out; allow all packets in;
block all incoming packets on the network-interface fxp0 from
anywhere to anywhere on port 3306. Order is important: the last
matching rule "wins". So in the above, a packet destined for
port 3306 will pass the first two rules and be dropped by the last. This
example:

    pass out from any to any
    block in on fxp0 from any to any port = 3306
    pass in from any to any

would not work as a packet destined for port 3306 would pass the last rule.
However, one can use the quick option to change this:

    pass out from any to any
    block in quick on fxp0 from any to any port = 3306
    pass in from any to any

Here a packet is dropped at the first rule that matches. Our final example
is very simple, but useful:

    pass in quick on fxp0 from 1.1.1.0/24 to any port = 22
    pass in quick on fxp0 from any to any port = 80
    block in quick on fxp0 from any to any
    pass out on fxp0 from any to any

This could be used for a web-server --- the first rule allows machines
on the local sub-net to access the server using ssh (port 22) for
administration purposes, the second allows access for all on the
standard http port (80); all other traffic is blocked.
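The ordering semantics are the point of both the ipchains chain in section 9.2 (first match wins) and the IP Filter rule sets just above (last match wins unless a rule says quick). As an added example (my own code, not from the survey nor from the ipchains or IP Filter projects), here is a small Python evaluator that models both disciplines, parses the page's own IP Filter rule sets (only the syntax they use), and carries the ipchains chain hand-translated into rule objects. The packet addresses in the usage are constructed, and the verdict when no rule matches at all (DENY for the chain, pass for ipf) is an assumption of this model.

```python
# Added example, not code from the original survey: a toy evaluator for the
# two matching disciplines on this page. ipchains/iptables: the FIRST match
# decides. IP Filter (ipf): every rule is tried and the LAST match decides,
# unless a matching rule carries 'quick', which ends the search at once.
# The parser covers only the ipf syntax used in the page's own examples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"

@dataclass
class Packet:
    direction: str                 # "in" or "out"
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    iface: str = "fxp0"

@dataclass
class Rule:
    action: str                    # pass/block (ipf) or ACCEPT/DENY (ipchains)
    direction: str
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    iface: Optional[str] = None    # None matches any interface
    quick: bool = False            # ipf only: stop searching on match

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False))

def parse_ipf(line: str) -> Rule:
    """pass|block in|out [quick] [on IFACE] from SRC to DST [port = N]"""
    tok = line.split()
    r, i = Rule(action=tok[0], direction=tok[1]), 2
    if tok[i] == "quick":
        r.quick, i = True, i + 1
    if tok[i] == "on":
        r.iface, i = tok[i + 1], i + 2
    assert tok[i] == "from" and tok[i + 2] == "to", line
    r.src, r.dst = (ANY if w == "any" else w for w in (tok[i + 1], tok[i + 3]))
    if len(tok) > i + 4 and tok[i + 4] == "port":   # "port = N"
        r.dport = int(tok[i + 6])
    return r

def ipchains_verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins (ipchains and iptables)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"                  # assumed chain policy when nothing matches

def ipf_verdict(rules: List[Rule], p: Packet) -> str:
    """Last matching rule wins, but a matching 'quick' rule stops the search."""
    verdict = "pass"               # assumed default when nothing matches
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break
    return verdict

def ipf_rules(text: str) -> List[Rule]:
    return [parse_ipf(l) for l in text.strip().splitlines()]

# The page's IP Filter rule sets, verbatim.
IPF_QUICK = ipf_rules("""
pass out from any to any
block in quick on fxp0 from any to any port = 3306
pass in from any to any""")
IPF_NO_QUICK = ipf_rules("""
pass out from any to any
block in on fxp0 from any to any port = 3306
pass in from any to any""")      # the version the text says "would not work"
IPF_WEB = ipf_rules("""
pass in quick on fxp0 from 1.1.1.0/24 to any port = 22
pass in quick on fxp0 from any to any port = 80
block in quick on fxp0 from any to any
pass out on fxp0 from any to any""")

# The page's ipchains chain, hand-translated: tcp to port 23 and ICMP, each
# from the same subnet only, followed by the two default-policy rules.
SUBNET = "130.88.100.77/18"
IPCHAINS_RULES = [
    Rule("ACCEPT", "in", src=SUBNET, dst="130.88.100.77/24", proto="tcp", dport=23),
    Rule("ACCEPT", "in", src=SUBNET, dst="130.88.100.77/24", proto="icmp"),
    Rule("DENY", "in"),
    Rule("ACCEPT", "out"),
]

if __name__ == "__main__":
    mysql = Packet("in", "203.0.113.9", "192.0.2.10", dport=3306)   # constructed
    print("ipf without quick:", ipf_verdict(IPF_NO_QUICK, mysql))
    print("ipf with quick   :", ipf_verdict(IPF_QUICK, mysql))
```

Running it shows the packet to port 3306 passing under the first ordering and being blocked once `quick` is added, while the same evaluator applied to the ipchains chain stops at the first match, which is why that chain needs its catch-all DENY at the end rather than the beginning.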
Example
IP Filter is non-trivial to configure, requiring /etc/ipf.rules,
/etc/ipnat.rules if complex (messy) protocols such as FTP are to be
correctly handled, and /etc/init.d/ipfboot.
More
- A quick introduction to IP Filter is given in Section 6 (networking) of the OpenBSD FAQ.
- Darren Reed's IP Filter site seems to be the official home. It has links to just about everything to do with IP Filter.
- The HOWTO is excellent and describes in detail how to deploy/configure IP Filter.
- The IP Filter FAQ by Phil Dibowitz contains masses of information too.
About this document:
Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_survey.reml
On: 10/11/2004 at 9:49:32
Options: reml2 -i noindex -l long -o html -p multiple