
Hack 81. Build a Custom Firewall Computer

Turn an old, underpowered computer into a lean, mean, firewall machine.

As more and more computers are getting plugged into the Internet, the risk factor associated with an online presence has also risen. The increase in hours online combined with the propagation of always-on broadband and high-speed cable/DSL Internet access has resulted in the need to secure even simple, one-computer home networks. As a result, the humble firewall has become a must-have item as opposed to a could-have item in a network.

The basic aim of a firewall is to keep unwanted people off of your network. The virtual wall of fire is essential in keeping out crackers who want to invade your security, as well as blocking the growing armies of worms, viruses, and other Internet nasties that crawl the Web looking for computers to exploit. The situation is very bad; an unprotected Windows machine can become infected in as little as four minutes after it is put on the Internet. If you are considering a firewall but are uncertain you want to put the effort into it, ask a friend who has one for a list of attempted intrusions on his network. You will probably be surprised by the frequency of attacks. My own firewall logged more than 100 attempted intrusions in the first few hours after I put it up.

Both software and hardware firewalls are available. Software firewalls are installed on each desktop on the network, and they protect that single machine. The hardware approach is to use a dedicated machine to protect the entire network from malicious traffic. This hack explores a dedicated firewall Linux distribution called SmoothWall, which you can install on an aging computer to provide a dedicated firewall appliance to protect your entire network. After the initial setup, you will find your SmoothWall box to be invaluable.

9.13.1. Gather the Ingredients

To create a SmoothWall firewall appliance, you need a computer to use. Anything from a 486 with 16MB of RAM on up is fine, but if you want to keep several days' worth of log files, I recommend you use at least a 4GB disk. You also need at least two Linux-supported network cards in the computer. Here is how you will use your network cards:

  • If you have a cable/DSL modem that plugs into a network card, you need a card for this. This card is referred to as the RED interface.

  • You need a network card to connect to the internal network. If you have more than one computer on your internal network, this interface is usually plugged into a hub, switch, or wireless access point. This card is referred to as the GREEN interface.

  • If you have any computers that need to be accessed publicly, you need another network card for these. This card is referred to as the ORANGE interface and also is known as the snazzily titled De-Militarized Zone (DMZ), because it exists in a sort of no man's land between the public Internet and your private network.

You should install the cards you need in the computer, download the SmoothWall ISO from http://www.smoothwall.org, and then burn the ISO to CD.

The next step is to boot from the CD and install the SmoothWall software. If you cannot boot from the CD, try using the Smart Boot Manager discussed in [Hack #1]. If this does not work, you can create a series of boot floppies from the files found in the images directory on the SmoothWall CD. There you'll find two boot floppy images called bootdiskone-x.x.img and bootdisktwo-x.x.img. Use dd to create the floppies (unmounting and changing the floppy between images, of course):

foo@bar:~$ dd if=bootdiskone-x.x.img of=/dev/fd0 bs=1024 conv=sync ; sync
foo@bar:~$ dd if=bootdisktwo-x.x.img of=/dev/fd0 bs=1024 conv=sync ; sync

If you need to create the floppies on a Windows system, you can use the rawrite program (http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm) to create the disks.

Installing SmoothWall is a fairly simple process, but you need to know how you want your network to be set up in terms of IP addresses. Within the setup routine are a Networking section and an Addresses subsection. You set the IP addresses for each interface here. For example, a common setting for the GREEN interface is the IP address 192.168.0.1 and the network mask 255.255.255.0. The RED interface is typically set to DHCP to grab your Internet IP address from the cable modem, but you should check with your ISP to see how the cable modem gets its IP address. The other setting to configure is in the "DNS and Gateway settings" section. Set this to 192.168.0.1. Now you have your firewall set up as your Internet gateway that other machines can refer to when requiring Internet access.

9.13.2. Configure the Firewall

Once the SmoothWall firewall is installed, you can access it in two main ways. The most common and popular way is to access its special web-based interface, which is available on port 81. So, if your firewall's IP address is 192.168.0.1, you can access the web interface at http://192.168.0.1:81. SmoothWall's default configuration does not allow access from outside your internal network, so you cannot make changes to it from work or while traveling.

When you access the web interface, you are asked for the administrator password for the machine (which you created when you installed SmoothWall) and then you can configure it. Within the web panel is a huge range of options and features that you can configure. These options are grouped into categories which are visible at the top of the page.

If you need to do something that is not accessible in the web interface, you can use the included Java SSH applet to log in to the machine and type in commands to an SSH shell.

9.13.3. Enable Port Forwarding

A common requirement when running a network of machines is the need to have a connection from outside the firewall serviced by a machine inside the firewall (usually in the DMZ). This is the scenario for those who run a web or email server and need to have the relevant ports accessible to the outside world. When a computer connects to your IP address/domain, the first computer that receives the connection is the firewall. Because it is unlikely you are running a web or email server on the firewall itself (if you are, you really shouldn't be because bugs in these programs can compromise the security of the firewall) you need a method to get that request to the computer that can handle it. This is where port forwarding comes in. Its purpose is to take the request for a service and forward it to the specific machine on the network that can service the request.

To do this with SmoothWall, access the web interface and select Networking, then Port Forwarding. You can leave the external source IP box blank if you want to accept all connection requests for the port in question (this is commonly the case for a public service such as web serving). In the Source Port box, specify the port you want to forward (such as port 80 for a web server). Finally, you can enter the destination computer IP address and its port number in the other two boxes. This is quite useful if you want to forward a normal port 80 connection to a machine with a different port number, such as port 8080, a common request with Apache virtual hosts. Once you have forwarded your ports, you need to select the External Services Access page and add the ports you have forwarded to that page. This enables access to the ports from outside the network.
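To make clear what the two web-panel steps above correspond to underneath (SmoothWall runs on the Linux kernel's netfilter), here is an added illustration, not SmoothWall's own scripts: a small shell function that prints the iptables rules for one forward, the DNAT rewrite on the RED interface and the matching FORWARD accept that the External Services Access step stands for. The interface names, the DMZ host 192.168.2.10 and the source address 203.0.113.5 are constructed placeholders.

```shell
#!/bin/sh
# Added illustration of what a SmoothWall-style port forward amounts to in
# netfilter terms. Interface names and addresses below are assumed placeholders.
RED_IF="eth0"       # assumed name of the RED (Internet-facing) interface
ORANGE_IF="eth2"    # assumed name of the ORANGE (DMZ) interface

# forward_rules SRC_IP EXT_PORT DST_IP DST_PORT
# Prints the iptables commands for one forward instead of applying them, so
# they can be reviewed first. An empty SRC_IP means "accept from any external
# address", the same as leaving the external source IP box blank.
forward_rules() {
  src="$1"; ext="$2"; dst="$3"; dport="$4"
  case "$ext$dport" in
    *[!0-9]*|"") echo "forward_rules: ports must be numeric" >&2; return 1 ;;
  esac
  srcmatch=""
  [ -n "$src" ] && srcmatch=" -s $src"
  # Step 1 (Port Forwarding page): rewrite the destination of packets that
  # arrive on RED for EXT_PORT so they go to the DMZ host on DST_PORT.
  echo "iptables -t nat -A PREROUTING -i $RED_IF$srcmatch -p tcp --dport $ext -j DNAT --to-destination $dst:$dport"
  # Step 2 (External Services Access page): without this the rewritten packets
  # would still be dropped in FORWARD. Only the forwarded host:port is opened,
  # and only on the RED -> ORANGE path, never into GREEN.
  echo "iptables -A FORWARD -i $RED_IF -o $ORANGE_IF$srcmatch -p tcp -d $dst --dport $dport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Example from the text: public port 80 to a DMZ web server listening on 8080.
forward_rules "" 80 192.168.2.10 8080
```

Restricting the source address, as the text's external source IP box allows, simply adds `-s` to both rules; the function does this when the first argument is non-empty.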

SmoothWall is proven to be an incredibly capable and flexible firewall. Because of this a lot of organizations and homes use it to protect their networks. Although the GPL version of the firewall is very capable, the commercial version and its included support can be really useful for commercial organizations. Both versions give you the flexibility of a powerful and supported firewall that can protect a network of Linux, Windows, or Mac OS X machines.
