<HTML>
<HEAD>
<TITLE>What Is a Firewall?</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57">
<LINK REL="HOME" TITLE="Linux Network Administrators Guide" HREF="index.html">
<LINK REL="UP" TITLE="TCP/IP Firewall" HREF="x-087-2-firewall.html">
<LINK REL="PREVIOUS" TITLE="Methods of Attack" HREF="x-082-2-firewall.attacks.html">
<LINK REL="NEXT" TITLE="What Is IP Filtering?" HREF="x-087-2-firewall.filtering.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Network Administrators Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x-082-2-firewall.attacks.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 9. TCP/IP Firewall</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="x-087-2-firewall.filtering.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="X-087-2-FIREWALL.INTRODUCTION">9.2. What Is a Firewall?</A></H1>
<P>A firewall is a secure and trusted machine that sits between a private network and a public network.<A NAME="X-087-2-FW-FN01" HREF="#FTN.X-087-2-FW-FN01">[1]</A> The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused. In some large organizations, you may even find a firewall located inside the corporate network to segregate sensitive areas of the organization from other employees. Many cases of computer crime originate from within an organization, not just from outside.</P>
<P>Firewalls can be constructed in quite a variety of ways. The most sophisticated arrangement involves a number of separate machines and is known as a <I CLASS="EMPHASIS">perimeter network</I>. Two machines act as "filters" called chokes, allowing only certain types of network traffic to pass, and between these chokes reside network servers such as a mail gateway or a World Wide Web proxy server. This configuration can be very safe and allows fine-grained control over who can connect, both from the inside to the outside and from the outside to the inside. This sort of configuration might be used by large organizations.</P>
<P>Typically though, firewalls are single machines that serve all of these functions. These are a little less secure: if some weakness in the firewall machine itself allows an intruder to gain access to it, the security of the whole network has been breached. Nevertheless, these types of firewalls are cheaper and easier to manage than the more sophisticated arrangement just described. <A HREF="x-087-2-firewall.introduction.html#X-087-2-FIREWALL.DESIGN.GRAPHIC">Figure 9-1</A> illustrates the two most common firewall configurations.</P>
<DIV CLASS="FIGURE"><A NAME="X-087-2-FIREWALL.DESIGN.GRAPHIC"></A>
<P><B>Figure 9-1. The two major classes of firewall design</B></P>
<P><IMG SRC="lag2_0901.jpg"></P>
</DIV>
<P>The Linux kernel provides a range of built-in features that allow it to function quite nicely as an IP firewall. The network implementation includes code to do IP filtering in a number of different ways, and provides a mechanism to configure precisely what rules you'd like to put in place. The Linux firewall is flexible enough to be very useful in either of the configurations illustrated in <A HREF="x-087-2-firewall.introduction.html#X-087-2-FIREWALL.DESIGN.GRAPHIC">Figure 9-1</A>. Linux firewall software provides two other useful features that we'll discuss in separate chapters: IP Accounting (<A HREF="x-087-2-accounting.html">Chapter 10</A>) and IP masquerade (<A HREF="x-087-2-ipmasq.html">Chapter 11</A>).</P>
</DIV>
<H3 CLASS="FOOTNOTES">Notes</H3>
<TABLE BORDER="0" CLASS="FOOTNOTES" WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%"><A NAME="FTN.X-087-2-FW-FN01" HREF="x-087-2-firewall.introduction.html#X-087-2-FW-FN01">[1]</A></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%"><P>The term <I CLASS="EMPHASIS">firewall</I> comes from a device used to protect people from fire. The firewall is a shield of material resistant to fire that is placed between a potential fire and the people it is protecting.</P></TD>
</TR>
</TABLE>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x-082-2-firewall.attacks.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="x-087-2-firewall.filtering.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Methods of Attack</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="x-087-2-firewall.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">What Is IP Filtering?</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>