UNIX System Administration Handbook - Evi Nemeth [400]
Given the growing availability of systems such as SSH, there is less and less need for OPIE. If you don’t really need it, don’t use it—it’s troublesome to install and maintain, and the procedures that users must follow are somewhat confusing.
21.9 FIREWALLS
In addition to protecting individual machines, you can also implement security precautions at the network level. The basic tool of network security is the “firewall.” There are three main categories of firewalls: packet-filtering, service proxy, and stateful inspection.
Packet-filtering firewalls
A packet-filtering firewall limits the types of traffic that can pass through your Internet gateway (or through an internal gateway that separates domains within your organization) based on information in the packet header. It’s much like driving your car through a customs checkpoint at an international border crossing. You specify which destination addresses, port numbers, and protocol types are acceptable, and the gateway simply discards (and in some cases, logs) packets that don’t meet the profile.
Packet filtering is supported by dedicated routers such as those made by Cisco. It may also be available in software, depending on the machine you’re using as a gateway and its configuration. In general, packet-filtering firewalls offer a significant increase in security with little cost in performance or complexity.
Both Red Hat and FreeBSD include packet filtering software (see pages 326 and 333 for more information). It’s also possible to buy commercial software to perform this function. These packages all have entertainment value, and they can provide a reasonably secure firewall for a home or small office. However, you should refer to the comments at the beginning of this chapter before you consider a UNIX system as a production-grade corporate firewall.¹³
This is one case in which you should really spend the money for a dedicated network appliance, such as Cisco’s PIX firewall.
How services are filtered
Most well-known services are associated with a network port in the /etc/services file or its vendor-specific equivalent. The daemons that provide these services bind to the appropriate ports and wait for connections from remote sites.¹⁴
Most of the well-known service ports are “privileged,” meaning that their port numbers are in the range 1 to 1,023. These ports can only be used by a process running as root. Port numbers 1,024 and higher are referred to as nonprivileged ports.
Service-specific filtering is based on the assumption that the client (the machine that initiates a TCP or UDP conversation) will use a nonprivileged port to contact a privileged port on the server. For example, if you wanted to allow only inbound SMTP connections to a machine with the address 192.108.21.200, you would install a filter that allowed TCP packets destined for that address at port 25 and permitted outbound TCP packets from that address to anywhere.¹⁵
The exact way that such a filter would be installed depends on the kind of router you are using.
Some services, such as FTP, add a twist to the puzzle. The FTP protocol actually uses two TCP connections when transferring a file: one for commands and the other for data. The client initiates the command connection, and the server initiates the data connection. Ergo, if you want to use FTP to retrieve files from the Internet, you must permit inbound access to all nonprivileged TCP ports, since you have no idea what port might be used to form an incoming data connection.
See page 696 for more information about setting up an ftp server.
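The SMTP-only filter for 192.108.21.200 and the FTP accommodation described above, modelled as an added example (this is not code from the book, and it is not the syntax of any real router): a stateless, first-match, default-deny packet filter in Python. The Rule and Packet classes, the rule syntax and the sample packets are constructed for this illustration. The example goes slightly beyond the text by evaluating both rulesets against the same packets, including a connection to the X11 port 6000 that the chapter uses to show what the FTP rule lets through.

```python
# Added example (not from the book): a stateless, first-match, default-deny
# packet filter that models the rules the text describes.  Rule and Packet are
# constructed for this illustration and are not any real router's syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PRIVILEGED_MAX = 1023          # ports 1..1023 require root to bind (see text)
MAILHOST = "192.108.21.200"    # the address used in the text's SMTP example


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    direction: Optional[str] = None       # None matches either direction
    proto: Optional[str] = None           # None matches any protocol
    src: str = "0.0.0.0/0"                # CIDR; a bare address means /32
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (1, 65535)  # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dports[0] <= p.dport <= self.dports[1])


def decide(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; unmatched packets are denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The SMTP-only filter from the text: inbound TCP to port 25 on the mail host,
# plus outbound TCP from that host to anywhere (so its replies can leave).
SMTP_ONLY: List[Rule] = [
    Rule("allow", "in", "tcp", dst=MAILHOST, dports=(25, 25)),
    Rule("allow", "out", "tcp", src=MAILHOST),
]

# The FTP accommodation: the FTP server opens the data connection back to an
# arbitrary nonprivileged port on the client, so inbound TCP to every
# nonprivileged port has to be admitted.
FTP_CLIENT_OK: List[Rule] = SMTP_ONLY + [
    Rule("allow", "in", "tcp", dst=MAILHOST, dports=(PRIVILEGED_MAX + 1, 65535)),
]

# Constructed sample packets (remote addresses taken from documentation ranges).
SAMPLES = {
    "smtp_in":    Packet("in",  "tcp", "203.0.113.7",  40000, MAILHOST, 25),
    "smtp_reply": Packet("out", "tcp", MAILHOST, 25, "203.0.113.7", 40000),
    "telnet_in":  Packet("in",  "tcp", "203.0.113.7",  40001, MAILHOST, 23),
    "ftp_data":   Packet("in",  "tcp", "198.51.100.9", 20,    MAILHOST, 51234),
    "x11_in":     Packet("in",  "tcp", "203.0.113.7",  40002, MAILHOST, 6000),
}


def verdicts(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against a ruleset."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("SMTP only", SMTP_ONLY), ("with FTP rule", FTP_CLIENT_OK)):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  {name:11s} {verdict}")
```

Running the script shows the trade-off in the text directly: with the SMTP-only ruleset, only the mail connection and its replies get through, while the FTP data connection is dropped; once the "all nonprivileged ports" rule is added to accommodate FTP, the data connection is admitted, but so is a connection to port 6000, because a stateless filter has no way to tell an FTP data connection from any other inbound connection to a high port.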
This tweak largely defeats the purpose of packet filtering, since some notoriously insecure services (for example, X11 at port 6000) naturally bind to nonprivileged ports. This configuration also creates an opportunity for curious users within your organization to start their own services (such as a telnet server at a nonstandard and nonprivileged