LWN reviews two firewalling books

Linux systems have long had a powerful firewalling capability which could be used to create more secure networks. One would think that more attention would be paid to this ability, given the pressing need for more secure access to the Internet. One problem, as with many aspects of Linux, has been the lack of accessible documentation on how to use a Linux system to protect your network. So it is good to see books starting to be published in this area. Here we review two Linux firewalling offerings, neither of which is as good as it really could be, but one of which is not bad.
Linux Firewalls

Robert L. Ziegler
New Riders, 2000

Linux Firewalls by Robert L. Ziegler showed up in my mailbox back in November, and promptly gathered dust until your reviewer found himself spending rather more time on Italian trains than he had ever wanted. This book, from New Riders, looks good at a first glance; a more detailed reading, however, turns up a number of problems. In the end, it is hard to recommend.

The intended audience for Linux Firewalls is administrators of home or small office systems; the author describes some techniques for larger networks, but intentionally avoids going too far in that direction. Since the targeted readers are likely to be somewhat, um, inexperienced, one would think that some effort would go into filling in background on TCP/IP basics, elemental security, and so on. All that is dealt with in fifteen pages, however; thereafter the reader plunges into an unending series of ipchains commands.

Mr. Ziegler's approach to firewalling is repetitive and detail-oriented to the extreme. The book (correctly) recommends a "deny by default" policy, but then goes to great lengths to deny many things explicitly as well. Any address range that was ever marked reserved, any port range that might not be normal, and so on is rejected - and we get to see the ipchains commands for each. The end result is that the suggested home firewall configuration contains 195 rules! For a home PPP link a bloated configuration like this may not matter, but for anything faster some optimization is likely to be needed.

This approach also makes things harder than they have to be. Rather than simply allowing incoming connections to port 22 (ssh), much effort goes into a detailed (and brittle) configuration which tries to anticipate which source ports the connection might come from. Many problems and little additional security lie down that road.

Perhaps most disturbing, however, is that this book is riddled with both typographical and technical errors. Examples of the latter include:

  • "Every TCP segment is acknowledged upon receipt. Every TCP segment is identified by a unique sequence number." (p. 12) Acknowledgements are often delayed and combined. The author states more than once that the sequence numbers count packets; instead they count bytes.

  • "A side effect of flushing all the rules [with ipchains -F] is that the system is returned to its default state, including the default accept-everything policy for each chain." (p. 68). Flushing the rules does not change the policy, as an easy experiment demonstrates.

  • "Because of the first-matching-rule-wins behavior, you could log all denied incoming packets with a single rule: ipchains -A input -i $EXTERNAL_INTERFACE -j DENY -l" (p. 119). That is true only if the given rule is the only rule which denies packets. It might also be worth mentioning that this rule denies all packets which hit it, and doesn't just do logging.

  • "If the packet is accepted by the input filter, the next chain is determined by the packet's destination. If the destination is the local machine, the packet is placed on the loopback interface output chain." (p. 143) Packets for local processes do not go through any output filters.

  • "Firewall machines, in particular, must have rhost authentication disabled by removing all .rhost [sic] files from the system, as well as by disabling access to the Berkeley r commands." (p. 275) Removing .rhosts files is a temporary fix at best, and you really should disable the rsh/rcp servers, not the commands. One could also disable .rhosts authentication with PAM.
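
To make the ipchains semantics behind the second and third points concrete, here is a small Python model written for this review (not code from the book): rules are evaluated first-match-wins, the -l flag logs only packets that actually reach the logging rule, and -F empties a chain without touching its policy. The Rule and Chain classes, the interface name and the sample rules are all constructed for the illustration.

```python
# Constructed model of ipchains chain evaluation (not code from either book):
# rules are tried in order, the first match decides, and the chain policy
# applies only to packets that no rule matched.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DENY"
    iface: Optional[str] = None     # -i; None matches any interface
    dport: Optional[int] = None     # --dport; None matches any port
    log: bool = False               # -l: record the packet when this rule matches


@dataclass
class Chain:
    policy: str = "ACCEPT"          # ipchains' default policy is accept-everything
    rules: list = field(default_factory=list)
    logged: list = field(default_factory=list)

    def append(self, rule):         # ipchains -A <chain> ...
        self.rules.append(rule)

    def flush(self):                # ipchains -F: the rules go, the policy stays
        self.rules.clear()

    def verdict(self, iface, dport):
        for r in self.rules:
            if r.iface in (None, iface) and r.dport in (None, dport):
                if r.log:
                    self.logged.append((iface, dport))
                return r.target     # first matching rule wins; later rules never see it
        return self.policy          # only unmatched packets fall through to the policy


def demo():
    inp = Chain()
    inp.policy = "DENY"                                  # ipchains -P input DENY
    inp.append(Rule("ACCEPT", iface="eth0", dport=22))   # allow incoming ssh
    inp.append(Rule("DENY", iface="eth0", dport=23))     # explicit deny without -l
    inp.append(Rule("DENY", iface="eth0", log=True))     # the book's "log all denied" rule
    v22 = inp.verdict("eth0", 22)    # ACCEPT: first rule matches
    v23 = inp.verdict("eth0", 23)    # DENY by rule two; the logging rule never sees it
    v80 = inp.verdict("eth0", 80)    # DENY by the catch-all, and this one is logged
    inp.flush()
    after = inp.verdict("eth0", 22)  # no rules left, but the policy is still DENY
    return v22, v23, v80, list(inp.logged), after
```

The returned tuple shows port 23 being denied without ever being logged, and the flushed chain still denying ssh because the policy survived the flush.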

I could go on, but the point should be clear. The above errors may not get in the way of the building of a working firewall, but the person writing the book should really get these things right. These mistakes, along with references to things like "FIDI rings," give the impression that the author has a lot of on-the-job experience, but has done little formal study in this area.

The book does try to cover the host security area as well: there are quick sections on sendmail, FTP, DNS, and so on. The hints are useful, and the admonitions that problematic features (like sendmail relaying) should be dealt with are good. But anybody configuring those systems (1) should not be running them on a firewall system, and (2) is going to need to study them in more depth.

Finally, not only is the book tremendously detail-oriented, but it is also highly repetitive. How many times do we need to see the ipchains commands to enable DNS service? This book is too thick, and yet contains too little information. One could certainly use it to learn about how to build a Linux-based firewall - the information you really need is there - but it should be possible to do this better.

Linux Firewalls has a companion web site; all that is to be found there as of this writing is the source for one of the suggested firewall scripts.

Building Linux and OpenBSD Firewalls

Wes Sonnenreich
Tom Yates

Wiley, 2000

Building Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom Yates is a different sort of book. It takes a much more high-level approach, covers a wider range of topics, and gets most of its facts right.

The character of this book is strongly shaped by the decision to cover both Linux and OpenBSD. A person who knows they plan to use one system or the other may be tempted to shy away from this book, with the idea that it will contain too much irrelevant information. That would be a mistake - the authors have correctly figured out that almost everything you need to know is system-independent, and have written their book accordingly. The actual syntax needed to accomplish your firewall policy is a detail, not the main point.

One thing is worth bearing in mind here: both of these books will become obsolete as soon as distributions with the 2.4 kernel start shipping - before the end of this year. The 2.3 development process has torn out the existing firewall implementation by the roots and substituted the new NetFilter package. The ipchains tool will exist only as a backward-compatibility program. Readers who have a thorough understanding of how firewalling works will have an easier time with the new iptables scheme.

Necessarily, the authors wander into the minefield of telling their readers how to choose between the two systems. It would be hard to write that chapter in a way that would please everybody - and I take exception to some of the things they say about Linux - but they have done a pretty good job overall. The tone seems to be something along the lines of "OpenBSD is more secure, and we'll tell you why we think so, but you're going to go with Linux anyway."

While the more comprehensive approach of this book is good, the authors may have stretched a little too far at times. The chapters on installing the two systems are better covered elsewhere - at least for Linux. The authors recommend building a firewall system from basic parts, and tell you how. There is even a vi tutorial in there.

On the other hand, the coverage of how TCP/IP works, and how a number of attacks work, is well done. Mr. Ziegler never gets into topics like buffer overruns, smurfing, etc.; Sonnenreich and Yates, instead, put a lot of effort there. Security policy, and dealing with specific protocols and services, are covered before getting into any details of how to implement them. Linux Firewalls starts tossing out ipchains commands before the reader's seat is even warm; Building Linux and OpenBSD Firewalls insists that you spend time thinking about what you want to accomplish first.

When the authors do get into the nitty-gritty, they take a tutorial approach that encourages experimentation with the rules before trying to build the real firewall. By showing the reader how to do specific things (and see the results), they promote a better understanding of what is going on. They finish with a compact example firewall ruleset which the reader can use as a beginning point.

At the end is a chapter on intrusion detection and response which is not quite what it could be. The suggestions are mostly good, but are brief, and expect the system administrator to mostly figure things out by themselves; Linux Firewalls does this topic better. Your reviewer, in particular, takes exception to the claim that trying to track down the source of the intrusion is not worthwhile. If somebody else's system is being used to attack mine, I want to know exactly which system (so they can be blocked out), and I think it's important to be sure the administrators of that system are aware of what is going on.

This book is not entirely free of mistakes either - especially of the typographical variety. In particular, something in somebody's processing system seems to be fond of deleting white space in front of command line options. The correct interpretation is usually not too hard to find. One major omission is any talk of setting up firewall rules to prevent packets with spoofed source addresses from leaving your network. Good network citizenship requires such filtering, and this book should have mentioned it.

Finally, it's worth pointing out that the book is written in a conversational and humorous style which may put off some readers, but which your reviewer enjoyed. Examples:

  • "Thank you for buying the sequel to the greatest tragedy of all time: Hamlet." (p. xii)

  • "If you credit your employees with sufficient immorality to steal from you, then credit them with enough sense to do it the easiest way." (p. 14)

  • "Once a desynchronized state has been achieved, the attacker is ready to open a can of whoop-ass on the TCP connection." (p. 36)

  • "Consider yourself fortunate. You are embarking on an exciting journey of discovery. You will be facing challenges that have brought highly skilled system administrators to their knees, with tears flowing into their pocket protectors. You will tread forward, over the backs of those whom fear has crushed." (p. 211) OpenBSD installation sounds like fun...

  • "You're not fighting Klingons or the Borg. That's the good news. The bad news is that you're probably up against a bunch of pimply teenagers that dress up as Klingons or the Borg on a regular basis." (p. 318)

Readers using Linux may be tempted to skip over the OpenBSD sections, but a quick read is an interesting view into how another free operating system does things.

The book promises a companion web site, but, as of this writing, it has not yet been made available.

In summary...

A couple of gripes can be aimed against both books. Both, for example, use the term "hacker" to describe the bad guys. The success of free software over the last few years has done a lot to restore the original meaning of "hacker," and the authors of these books should have known better than to set things back.

Both books are also Red Hat specific. Linux Firewalls is bad enough, with no mention of any other distributions at all. It could have at least pointed out the security update sites for the other major distributions; it would have cost very little. Building Linux and OpenBSD Firewalls is even worse, in that it is strongly tied to Red Hat's 6.0 distribution. The URL for the errata page points to the 6.0 version. The authors recommend the removal of the C compiler from the firewall system by typing:

rpm -ev egcs-1.1.2-12

Simply typing "rpm -ev egcs" will have the same effect without being version-specific, and has the added bonus of requiring less typing. Given that Red Hat 6.0 was virtually guaranteed to be superseded by the time the book hit the shelves, it's hard to see why the authors were so specific about it.

The treatment of security tools in both books is somewhat superficial. And neither talks about the tcpdump tool at all. People who set up firewalls are, by definition, in the business of debugging network problems. Doing that without tcpdump is a hard life.

In the end, though, these books also point out a gaping hole in Linux system administration tools. Both are full of information on how to tweak firewall rules, deal with strange protocols, and so on. Your typical administrator of a home or small office system has no interest in dealing with all that stuff. They will insist on something easier. Tools like IsinGlass and Mason are a step in the right direction (and are not mentioned in either book), but more needs to be done.

Meanwhile, somebody struggling through the process of setting up and configuring a firewall is going to need some help. These books are a start. Most readers will be much better served by Building Linux and OpenBSD Firewalls due to its wider view, more comprehensive coverage, and relative lack of silly mistakes.

--jc

Eklektix, Inc. Linux powered! Copyright 2000 Eklektix, Inc. all rights reserved.
Linux ® is a registered trademark of Linus Torvalds