A strict firewall needs no software beyond the Linux kernel and the base networking packages (inetd, telnetd and telnet, ftpd and ftp). A firewall built from only these is extremely restrictive, though, and not very useful.
So, software packages have been written to make a firewall more useful. The one that I would like to examine in most detail is a package called "socks", which is a proxy server. But there are two other programs that you might want to keep in mind, and I would like to give you a short review of them now.
TIS has put out a collection of programs designed to facilitate firewalling. The programs do basically the same thing as the Socks package, but with a different design strategy. Where Socks has one program that covers all Internet transactions, TIS has provided one program for each utility that wishes to use the firewall.
To better contrast the two, let's take the example of World Wide Web and Telnet access. With Socks, you set up one configuration file and one daemon. Through this file and daemon, both Telnet and WWW are enabled, as well as any other service that you have not explicitly disabled.
With the TIS toolkit, you set up one daemon each for WWW and Telnet, as well as a configuration file for each. After you have done this, other Internet access is still prohibited until it is explicitly set up. If a daemon for a specific utility has not been provided (like talk), there is a generic "plug-in" daemon, but it is neither as flexible nor as easy to set up as the other tools.
This might seem a minor difference, but it has major consequences. Socks allows you to be sloppy: with a poorly set up Socks server, someone on the inside could gain more access to the Internet than was originally intended. With the TIS toolkit, the people on the inside have only the access the system administrator has explicitly given them.
Socks is easier to set up, easier to compile and allows for greater flexibility. The TIS toolkit is more secure if you want to regulate the users inside the protected network. Both, when correctly configured, keep the outside from connecting directly to hosts inside the protected network; the difference between them lies in how much the inside is allowed to reach.
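The contrast above comes down to the shape of the access policy. The following added example (not code from this HOWTO, from Socks or from the TIS toolkit) models a proxy access list in a simplified sockd.conf-like syntax, using CIDR networks instead of the original address/mask pairs (an assumption made here to keep the parser short), and audits two policies: a "sloppy" one that permits the inside network with no destination restriction, and an explicit one that lists each intended service and ends with a deny-all, which is the per-service discipline the TIS toolkit forces on you. The requests and addresses are constructed for the example.

```python
"""Proxy access policy: a permissive ruleset beside an explicit one.

Added example; not code from this HOWTO, from Socks or from the TIS toolkit.
The rule syntax is a simplified model of a sockd.conf-style access list,
with CIDR networks instead of the original address/mask pairs (an
assumption made here to keep the parser short):

    permit|deny <src-net> [<dst-net> [eq <dst-port>]]

Rules are checked top to bottom, the first match decides, and a request
that matches nothing is denied.  The point is the shape of the policy,
not the exact behaviour of any particular daemon.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]     # None: any destination
    port: Optional[int]                      # None: any destination port


def parse_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("permit", "deny") or len(parts) not in (2, 3, 5):
            raise ValueError(f"bad rule: {line!r}")
        dst = ipaddress.ip_network(parts[2]) if len(parts) >= 3 else None
        port = None
        if len(parts) == 5:
            if parts[3] != "eq":
                raise ValueError(f"bad rule: {line!r}")
            port = int(parts[4])
        rules.append(Rule(parts[0], ipaddress.ip_network(parts[1]), dst, port))
    return rules


def decide(rules, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.port is not None and dst_port != r.port:
            continue
        return r.action
    return "deny"


# The "sloppy" policy: one line enables the inside network for every
# service, because nothing restricts the destination port.
SLOPPY = """
permit 192.168.1.0/24
"""

# The explicit policy: one line per service the administrator meant to
# allow, then a deny-all so nothing else slips through.
EXPLICIT = """
permit 192.168.1.0/24 0.0.0.0/0 eq 23    # telnet
permit 192.168.1.0/24 0.0.0.0/0 eq 80    # WWW
deny   0.0.0.0/0                          # everything else, in or out
"""

# Constructed requests from an inside host to an outside server.
INSIDE, OUTSIDE = "192.168.1.7", "198.51.100.10"
PORTS = {23: "telnet", 80: "www", 119: "nntp", 6667: "irc"}


def audit(policy_text: str) -> dict:
    """Map each service name to the verdict the policy gives an inside user."""
    rules = parse_rules(policy_text)
    return {name: decide(rules, INSIDE, OUTSIDE, port) for port, name in PORTS.items()}


if __name__ == "__main__":
    for label, policy in (("sloppy", SLOPPY), ("explicit", EXPLICIT)):
        print(label, audit(policy))
        # an outside host trying to reach an inside host through the proxy
        print(label, "outside->inside telnet:",
              decide(parse_rules(policy), OUTSIDE, INSIDE, 23))
```

Run it and the sloppy policy permits nntp and irc, which nobody configured, while the explicit policy permits only telnet and www; both deny the outside host, which is the "protection from the outside" the text refers to. The lesson is the trailing deny-all and the per-service lines: write the policy as the TIS toolkit would make you write it, even when the daemon lets you get away with one line.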
TCP wrapper is not a firewalling utility, but it allows for many of the same effects. Using TCP wrapper, you can control which hosts may reach which services on your machine, and keep logs of the connections. It also does basic forgery detection: the host name obtained for a client's address must resolve back to that address before the name is trusted.
TCP wrapper is not covered more extensively here for a couple of reasons.
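To show what the access control, logging and forgery check described above look like in practice, here is an added example that models tcpd's hosts.allow and hosts.deny evaluation. It is not code from this HOWTO or from the tcp_wrappers package; it follows the order documented in hosts_access(5) (hosts.allow first, then hosts.deny, then allow by default) for a subset of the pattern language, replaces DNS with a constructed host table, and formats its log lines after tcpd's "connect from" / "refused connect from" syslog messages. The host names, addresses and the forged reverse-DNS entry are constructed for the example. It puts a weak configuration (a hosts.allow line with an empty hosts.deny) beside a corrected one with a deny-all.

```python
"""Model of TCP wrapper (tcpd) access control with hosts.allow and hosts.deny.

Added example; not code from this HOWTO or from the tcp_wrappers package.
It follows the evaluation order documented in hosts_access(5): a request
is allowed if a (daemon, client) pair matches hosts.allow, else denied if
it matches hosts.deny, else allowed.  Only a subset of the pattern
language is modelled: ALL, PARANOID, EXCEPT, ".domain" suffixes,
"10.0.0." prefixes, net/mask pairs and exact names or addresses.  Client
name lookups are replaced by a constructed table; real tcpd asks DNS.
"""
import ipaddress

# Constructed clients: address -> (name from reverse lookup, addresses the
# forward lookup of that name returns).  The last entry has a forged PTR
# record: its name claims to be an inside machine.
CLIENTS = {
    "10.0.0.5":      ("pc5.lab.example", ["10.0.0.5"]),
    "10.0.0.9":      ("pc9.lab.example", ["10.0.0.9"]),
    "203.0.113.7":   ("mail.example.org", ["203.0.113.7"]),
    "198.51.100.20": ("pc5.lab.example", ["10.0.0.5"]),
}


def is_forged(addr: str) -> bool:
    """tcpd's basic forgery check: the name obtained from the address must
    resolve back to that address, or the name is not to be trusted."""
    name, forward = CLIENTS[addr]
    return addr not in forward


def match_client(pattern: str, addr: str) -> bool:
    name = "unknown" if is_forged(addr) else CLIENTS[addr][0]
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":                # name and address disagree
        return is_forged(addr)
    if pattern.startswith("."):              # domain suffix
        return name.endswith(pattern)
    if pattern.endswith("."):                # address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                       # net/mask pair
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}")
    return pattern in (addr, name)           # exact address or host name


def match_list(patterns, matches) -> bool:
    """'a b EXCEPT c': any of a, b matches and nothing after EXCEPT does."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], matches) and not match_list(patterns[i + 1:], matches)
    return any(matches(p) for p in patterns)


def parse_table(text: str):
    """Yield (daemon patterns, client patterns) from a hosts.allow/deny file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            yield daemons.split(), clients.split()


def lookup(daemon: str, addr: str, allow_text: str, deny_text: str) -> str:
    for table, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_table(table):
            if (match_list(daemons, lambda p: p in ("ALL", daemon))
                    and match_list(clients, lambda p: match_client(p, addr))):
                return verdict
    return "allow"                           # matched neither file: tcpd grants access


def check(daemon: str, addr: str, allow_text: str, deny_text: str) -> tuple:
    """Return (verdict, log line modelled after tcpd's syslog messages)."""
    verdict = lookup(daemon, addr, allow_text, deny_text)
    who = addr if is_forged(addr) else CLIENTS[addr][0]
    msg = "connect from" if verdict == "allow" else "refused connect from"
    return verdict, f"{daemon}: {msg} {who}"


# Weak: the hosts.allow line looks restrictive, but with an empty hosts.deny
# every connection that it does not match is still granted.
WEAK_ALLOW = "in.telnetd : .lab.example\n"
WEAK_DENY = ""

# Corrected: grant exactly what is wanted, then deny everything else.
STRICT_ALLOW = """
in.telnetd in.ftpd : .lab.example EXCEPT pc9.lab.example
in.ftpd            : 203.0.113.7
"""
STRICT_DENY = """
ALL : PARANOID       # address and name disagree: do not trust the name
ALL : ALL            # everything not granted in hosts.allow
"""

ATTEMPTS = [("in.telnetd", "10.0.0.5"), ("in.ftpd", "10.0.0.5"),
            ("in.telnetd", "10.0.0.9"), ("in.fingerd", "10.0.0.5"),
            ("in.telnetd", "203.0.113.7"), ("in.ftpd", "203.0.113.7"),
            ("in.telnetd", "198.51.100.20")]


def audit(allow_text: str, deny_text: str) -> dict:
    return {f"{d} {a}": lookup(d, a, allow_text, deny_text) for d, a in ATTEMPTS}


if __name__ == "__main__":
    for label, allow, deny in (("weak", WEAK_ALLOW, WEAK_DENY),
                               ("strict", STRICT_ALLOW, STRICT_DENY)):
        for d, a in ATTEMPTS:
            print(label, *check(d, a, allow, deny))
```

With the weak pair every attempt is granted, including telnet from the outside mail host and from the client with the forged reverse record, because nothing ever reaches a deny. With the corrected pair the forged client is refused by the PARANOID line, pc9 is cut out by EXCEPT, and the outside host can reach only ftp. A hosts.deny that ends in `ALL : ALL` is what turns TCP wrapper from a logging tool into an access control.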