Once you've gone through the Quick Start, what now? Now we learn how to use this to match your security policy.
The first lesson to learn about packet filtering rules is that they are only useful if you have a mix of accept and deny (equivalent to reject in this discussion) rules. Think about it. If all of your rules are allow rules and your default policy is also allow, this setup is no different from having no rules at all; the system is completely open.
At the other end of the spectrum, if all of your rules are deny and the default policy is also deny, well, it's going to be pretty hard to use TCP/IP at all. :-)
This means that putting a firewall together involves deciding what should be allowed _and_ what should not be allowed.
The first thing for you to decide is what your default policy should be. In the next few minutes we'll be looking at what you specifically want to allow and what you specifically want to disallow. What should the firewall do with the rest of the packets? That depends on how you view your firewall.
If you primarily want your firewall to block a relatively small amount of malicious things, but want users on both sides of the firewall to have relatively unencumbered access to the opposite side, you'd probably want to use a default policy of accept. This tends to be a good choice in the case where there are a large number of types of TCP/IP traffic that should be allowed to pass through the firewall.
If, on the other hand, you tend more toward the paranoid and want very fine grained control over _exactly_ what passes through your firewall, you'll probably want to use a default policy of deny. This tends to work well when there are a relatively small number of protocols that should be allowed.
Choosing a policy becomes difficult when you want fine grained control but there are a large number of protocols used by your users. You'll still choose a default policy of deny, but you'll have to create a large number of rules to accomodate them. Good thing you've got Mason to give you a hand!
Now that you've chosen a policy, what goes next? Here's where you can become an artist.
With the help of Mason, your job is to decide what should be allowed and what should not be allowed.
[More to be added as time allows...]
Here are a couple of guidelines about how to order your rules. I refer to policy below; for this discussion, there are 6 possible policies: accept, deny, reject, accept and log, deny and log, and reject and log.
As there is no way that input rules and output rules could ever overlap, the rulesets for those can be considered seperately. The same logic holds true for input and forwarding and output and forwarding. Effectvely, even though you might have them all mixed together in your firewall creation shell script, you can work with the input rules according to the principles below, then come back and work with the forwarding rules, and then come back one last time for the output rules.
I've referred to discarding rules above. One reason why you might _not_ want to discard a particular rule rule is when you're using your firewall to do accounting as well as blocking. You might want to be able to have seperate accounting for the packet traffic in the rule that would have been discarded.
The following are tools and techniques I use. They may not be appropriate for you. Please consider whether they are appropriate for you before using them.
( ipfwadm -lenI ; ipfwadm -lenF ; ipfwadm -lenO ) | grep -v '^ *0 *0 ' | less -S
ipchains -L -n -x -v | grep -v '^ *0 *0 ' | less -S
iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S
( ipfwadm -lenI ; ipfwadm -lenF ; ipfwadm -lenO ) | grep -v '^ *0 *0 ' | less -S
ipchains -L -n -x -v | grep -v '^ *0 *0 ' | egrep '(Chain|target|DENY|REJECT)' | less -S
tail --lines=1000 /var/log/messages | grep 'kernel.*I=' | DOCOMMAND="none" mason >afewrules
if [ -f /proc/net/ip_fwchains ]; then
#Convert your ipfwadm rules to ipchains rules and place the converted rules here.
/sbin/ipchains...
elif [ -f /proc/net/ip_input ]; then
#Place your ipfwadm rules here:
/sbin/ipfwadm....
fi
cat ipfwadmfile | ipfwadm2ipchains >ipchainsfile
ps axf | grep "^ *`fuser port_number/proto | awk '{print $2}'` "