Attacks on networks are increasing at an alarming rate, and they come in all forms: spyware, Trojans, worms, DoS attacks and mass-mailing worms. These attacks paralyze both your network and your business. So the rule of thumb for every network—small or large—is to have a firewall in place to minimize such attacks. The cost and management of firewalls are important issues to take care of. To address the management issue, there are plenty of firewalls, both commercial and free, that do not require much management. Among commercial firewalls you have two choices—either buy a hardware firewall appliance or buy software such as Checkpoint or Watchguard. Not only that, but you can also build your own firewall using tools like IPCop, m0n0wall and Smoothwall.
While buying a hardware or a software firewall will always be heavy on your pocket, building a firewall out of a standard OS (maybe a Linux distro) does not require much technical expertise. An easy way out is to implement a CD-based firewall, which doesn't need any extra customization and gives similar functionality to a hardware firewall at no cost.
That is what we explore in this article—building a firewall for your network using an ordinary PC with a 10 GB HDD, 128 MB RAM, two NICs and, of course, a CD drive.
We will use redWall, a free Linux-based firewall live CD distro. redWall protects your network from external attacks like DoS attacks, port scanning, IP spoofing and spam. Plus, it does not require much configuration and management; the default settings are sufficient for small organizations. It also offers features like a proxy and an IDS. You can set it up according to the diagram shown below.
Setting up redWall
Connect your DSL connection to the redWall PC and tag the cable with the name (eth0: External). Then connect the other interface of this PC to your LAN switch and tag the connected cable with the name (eth1: Internal). With this, your hardware setup is ready. Next, download the ISO image of redWall from www.redwall-firewall.com. We have also given the ISO image on this month's DVD. Burn this image to a CD at 4x burning speed. Boot the machine with the CD. On booting, it will take some time as it searches for all the hardware and storage on that machine. You will then get a text-based prompt to change the root password (root is the admin account in Linux). Give the new password and press OK.
Besides the default set of rules, you can also add your own easily from the redWall's Web interface
To set the keyboard type, select the first choice by pressing the spacebar and then OK. Next, set the time zone. Then you will be asked to configure the network interfaces; for instance, if you have two interfaces it will show you eth0 and eth1. Select eth0 first (as described above, eth0 is connected to your ISP router) and give the IP address, subnet mask, gateway and DNS given by your ISP. Now select the eth1 interface (which is connected to your LAN) and type in the IP address and subnet mask according to your LAN subnet. For instance, if your LAN subnet is 192.168.6.0, set any free IP of this subnet, say 192.168.6.10. Give the subnet mask as 255.255.255.0, set the gateway to 192.168.6.10 (the same IP dedicated to the firewall's eth1 interface) and press OK. Finally, you will get the list of packages that you want on this firewall. To set up a basic pre-configured firewall, select the following packages from the list—Apache2, iptables, Webmin, Squid and MySQL. redWall will automatically check all the selected services, add them to the config file and start them. With this, your firewall setup is ready.
Saving the config on HDD
As this is a live CD, you need to save the entire network configuration on a local disk. To do this, log in to the firewall console as root. Now run the redWall configuration tool 'redwall-setup', and from its interface select System>Installation.
It warns you that it will erase the existing data residing on the HDD, and shows you the device name of your HDD (/dev/hda). Select it and choose the file system you want on the hard drive; select ext3. Next it does a dry run of the configuration to check that everything works. Reboot the firewall and check whether the configuration you did is picked up automatically from the HDD.
Configuring IP forwarding
If you want all users to access the Internet without any proxy, you have to enable IP forwarding and masquerading on the firewall. To do this, go to the firewall console and log in as root. Execute the following commands (the first turns on forwarding in the kernel, the second rewrites the source address of traffic leaving eth0 to the firewall's own):
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Note: In order to use the firewall from all clients, you need to set the default gateway of your client machines to the IP address of the firewall (its eth1 address).
Managing firewall remotely
redWall provides a user-friendly Web user interface for managing the entire firewall. To use its Web interface, open a Web browser from a local machine and type in https://
Creating firewall rules
By default, your basic firewall is up and ready by now. To add new rules, from the Web interface select Webmin, and give the username as root and the password you set at the time of installation. Then select Networking>Linux Firewall and you will see three sections—Incoming, Forward and Outgoing. If you want to block specific traffic from outside (Internet) to inside (LAN), select Incoming and block the source IP or its subnet. You have to set the rule's action to 'Drop' and set the source address, destination address, type of protocol and port. Scroll down and click on Create and then 'Apply changes' to create and apply the new rule. In the same way, you can block traffic going out from your LAN.
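The two command-line pieces of the sections above, as an added example that is not part of redWall's own scripts: the forwarding and masquerading commands from "Configuring IP forwarding", and a helper that does on the command line what the Web interface's Incoming/Drop rule does. It assumes the article's layout (eth0 towards the ISP, eth1 towards a 192.168.6.0/24 LAN); the interface names, the LAN subnet and the blocked subnet 203.0.113.0/24 are assumptions you can override through environment variables. It goes one step beyond the article by restricting the FORWARD chain so that only connections started from the LAN, and their replies, are routed; with the article's two commands alone, a default-ACCEPT FORWARD policy would route inbound traffic too. With DRY_RUN=1 (the default) it only prints the commands so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not redWall's own scripts: forwarding, masquerading, a
# restrictive FORWARD chain and a source-subnet block for the INPUT chain.
# Assumptions: eth0 faces the ISP, eth1 faces the LAN 192.168.6.0/24.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.6.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same effect as the article's echo into /proc/sys/net/ipv4/ip_forward.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Masquerade only packets that really come from the LAN, and forward only
# LAN-originated connections plus their replies; anything else the kernel
# would route between the two interfaces is dropped by the chain policy.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Drop packets arriving on the external interface from a host or subnet,
# e.g. block_source 203.0.113.0/24 (a constructed documentation-range value).
block_source() {
    run iptables -A INPUT -i "$WAN_IF" -s "$1" -j DROP
}

# Usage: sh nat.sh run            prints the rule set
#        DRY_RUN=0 sh nat.sh run  applies it (run as root on the firewall)
if [ "${1:-}" = "run" ]; then
    enable_forwarding
    nat_rules
    block_source 203.0.113.0/24
fi
```

Rules added with iptables live only in the running kernel; on this live-CD setup they have to be saved the same way as the rest of the configuration (the Webmin "Apply changes" step writes them for you), otherwise they are gone after a reboot.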
Bandwidth management
redWall can also control bandwidth on your network. From its Web interface, select 'Traffic shaping' under the Firewall option. Here you can create a bandwidth pipe and queue for your LAN segment. It is very easy to use. It lets you give the lowest traffic priority to P2P applications like Kazaa and a higher priority to POP3 mail traffic. You can even limit the downstream and upstream speed of your WAN link.
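What the traffic-shaping screen builds for you underneath is a class hierarchy on the Linux traffic-control layer. The following added example, not redWall's own configuration, writes one such hierarchy with tc so the priorities are visible: POP3 gets the highest priority, a P2P port the lowest, and the whole tree is capped at the WAN upstream rate. It assumes eth0 is the WAN interface, a 512 kbit/s upstream link, and uses tcp/6881 as a single illustrative P2P port (not a complete P2P signature); all three are assumptions. As in the previous example, DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not redWall's own traffic-shaping configuration: an HTB
# hierarchy with tc. Assumptions: eth0 is the WAN interface, the upstream
# link is 512 kbit/s, and tcp/6881 stands in for the P2P application.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
WAN_IF="${WAN_IF:-eth0}"
UP_RATE="${UP_RATE:-512kbit}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

shape_upstream() {
    # Root HTB qdisc; traffic matched by no filter falls into class 1:20.
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    # Parent class: nothing may exceed the link rate, so the queue builds
    # here, where priorities are enforced, rather than in the DSL modem.
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "$UP_RATE" ceil "$UP_RATE"
    # Leaf classes: a guaranteed rate each, may borrow up to the ceiling;
    # the lower prio number is served first when the link is saturated.
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate 128kbit ceil "$UP_RATE" prio 1
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate 256kbit ceil "$UP_RATE" prio 2
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:30 htb rate 64kbit ceil "$UP_RATE" prio 3
    # Classifiers: POP3 to the mail class, the P2P port to the bulk class.
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 match ip dport 110 0xffff flowid 1:10
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 2 u32 match ip dport 6881 0xffff flowid 1:30
}

# Remove the hierarchy again, e.g. before re-running with new rates.
clear_shaping() {
    run tc qdisc del dev "$WAN_IF" root
}

# Usage: sh shape.sh run            prints the tc commands
#        DRY_RUN=0 sh shape.sh run  applies them (run as root)
if [ "${1:-}" = "run" ]; then
    shape_upstream
fi
```

This shapes the upstream direction only, because tc acts on packets leaving an interface. The downstream limit the article mentions is built the same way on the LAN-side interface (eth1), matching on the source port (sport) of the replies instead of the destination port.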