Setting up a powerful firewall

There are all sorts of firewalls out there, GUI-based and web-based being the most popular for home systems. Shorewall, however, offers greater control than most, does not require a desktop GUI, and has been proven over many years. The advantage of a non-GUI firewall is that secure remote administration is simple and very fast. My servers are located in another country, but a simple ssh connection (not on port 22 of course!) allows secure encrypted manipulation of the firewall and its blacklist from anywhere with negligible bandwidth overhead. (Servers should never run GUIs anyway, for obvious security and resource reasons.) Shorewall as a bidirectional firewall plus clamavd as a virus scanner are hard to beat. And of course, they are free of charge, unlike the bumf available commercially.

Here's a quick and dirty guide to setting up Shorewall on your system. I assume that you are running a stand-alone server on a real operating system (Unix, Solaris, BSD, BE, etc.) and that it offers https, smtps, and imaps to a user community:

1 Install it:
apt-get install shorewall
2 Modify it:
  1. Add this line to /etc/shorewall/hosts file to specify what (if any) local hosts are allowed access:
    loc eth0:10.0.0.1,10.0.0.23 tcpflags
  2. Add this line to /etc/shorewall/interfaces to specify that only eth0 is allowed to do anything, that it gets its IP via external DHCP, that it should block and log certain critical events, and that it should reference the blacklist file set up below to control access:
    net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist
  3. Add these lines to /etc/shorewall/zones to give names to the zones you will be working with. In this case I have set up three zones - fw (the firewall itself which in this case is the same machine that the http, smtp, and imap servers are running upon), loc (the local zone specified in point 1 supra), and net (the internet). I have set them all to be ipv4 aware but you could just as easily have written loc ipv4,ipv6 instead:
    fw firewall
    loc ipv4
    net ipv4
  4. Add these lines to your /etc/shorewall/policy file. Basically they state that the server can access anything on the net, but that absolutely nothing can come into the server unless allowed by the rules given in the next step.
    $FW net ACCEPT
    $FW loc DROP info
    loc $FW DROP info
    net $FW DROP info
    net all DROP info
    all all REJECT info
3 Here is the only "complex" part of setting things up. In /etc/shorewall/rules we place the holes in the firewall through which we will allow certain people to access the http, smtp, and imap ports on our server.
I like to divide the rules up into incoming, outgoing, and local-only rules. Note that for this example, only encrypted connections from users are allowed, in conformity with the UN Convention on Human Rights (that is, we ensure user privacy). The laws in your country may differ. Here we go:
SECTION NEW
## ------------------------------------------------------------------- OUTGOING RULES
# Rules for ICMP - note that I do not like pings - you may change Ping/REJECT to Ping/ACCEPT
# if your particular religion requires the Cosmic Muffin knowing all about you
Ping/REJECT net $FW
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
# Rules for outbound loc hosts
HTTPS/ACCEPT $FW loc
SMTPS/ACCEPT $FW loc
IMAPS/ACCEPT $FW loc
## -------------------------------------------------------------------- INCOMING RULES
# Note here that I have limited the number of connections per second and the maximum burst
# number of connections (20/sec: burst 30 for HTTPS) to prevent the gerbils spinning the hard drive from getting too tired.
# Rules for public services
HTTPS/ACCEPT net $FW - - - - 20/sec:30
SMTPS/ACCEPT net $FW - - - - 2/sec:5
IMAPS/ACCEPT net $FW - - - - 2/sec:5
# Rules for private services
IMAPS/ACCEPT loc $FW
HTTPS/ACCEPT loc $FW
SMTPS/ACCEPT loc $FW
4 And last but not least, always have a blacklist. Very handy for keeping out .cn attackers.
For example, in /etc/shorewall/blacklist you might wish to add the following lines:
# block useless ports from Micro$oft viruses such as Vista, XP, etc. (the hyphen (-) means 'all IPs')
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
# block some idiot
61.37.235.120
# block a group of idiots
216.239.53.0/24
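To see what the blacklist above would actually catch before you load it, here is an added Python example (my own, not part of Shorewall or this guide) that parses entries in the column layout used above (ADDRESS/SUBNET, PROTOCOL, PORT/S, with "-" meaning "any" in the address column) and checks a source address, protocol and destination port against them; the embedded blacklist text and the addresses tested are constructed.

```python
import ipaddress

# Constructed copy of the blacklist entries shown above, in the guide's layout:
# ADDRESS/SUBNET  PROTOCOL  PORT/S   ("-" in the address column means any source)
SAMPLE_BLACKLIST = """\
# block useless ports (the hyphen means 'all IPs')
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
# block some idiot
61.37.235.120
# block a group of idiots
216.239.53.0/24
"""

def parse_ports(spec):
    """Turn '57,1024:1033' into a list of (low, high) inclusive port ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_blacklist(text):
    """Return a list of (network or None, protocol or None, port ranges) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        net = None if cols[0] == "-" else ipaddress.ip_network(cols[0], strict=False)
        proto = cols[1].lower() if len(cols) > 1 and cols[1] != "-" else None
        ports = parse_ports(cols[2]) if len(cols) > 2 and cols[2] != "-" else []
        entries.append((net, proto, ports))
    return entries

def is_blacklisted(entries, src_ip, proto, dport):
    """True if traffic from src_ip to proto/dport matches any blacklist entry."""
    addr = ipaddress.ip_address(src_ip)
    for net, ent_proto, ports in entries:
        if net is not None and addr not in net:
            continue  # address column given and it does not cover the source
        if ent_proto is not None and ent_proto != proto:
            continue  # protocol column given and it differs
        if ports and not any(lo <= dport <= hi for lo, hi in ports):
            continue  # port column given and the destination port is outside it
        return True
    return False

if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_BLACKLIST)
    for ip, proto, port in [("198.51.100.7", "tcp", 1433), ("198.51.100.7", "tcp", 443),
                            ("216.239.53.44", "tcp", 443), ("61.37.235.121", "udp", 53)]:
        print(ip, proto, port, "DROP" if is_blacklisted(bl, ip, proto, port) else "pass")
```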

That's all - easy! You now have the basis of an amazingly powerful and easy to use firewall.