Linux Firewall management
Regardless of your firewall type (proxy, packet filtering, etc.), it is not a good idea to have a firewall performing any more services than absolutely necessary. The services are best limited to the minimum required to run the machine. I recommend that you do not provide NFS, TFTP, BOOTP, DHCP, web services, mail services, Samba services, FTP, or telnet on your firewall unless absolutely necessary. If you must provide these services, be careful with wildcards in their configuration files that may allow blocks of systems or users to have access to your machine. Also, if you are running these services, you should monitor security postings on those services so you are aware of any security holes associated with each particular service. If you must provide telnet or FTP, be sure you configure your TCP wrapper in the inetd.conf file for these services, and set the hosts.allow and hosts.deny files as restrictively as possible.
Policies for a firewall:
1. Disable IP forwarding
2. Limit services
3. Monitor log files carefully, including log files on any services running.
4. Limit write access to files and directories on the firewall.
5. Implement policies to prevent denial of service attacks along with IP spoofing and IP fragmentation attacks. Enabling user quotas can help prevent denial of service attacks.
6. Limit access to services with the hosts.allow and hosts.deny files.
7. Set parameters in your TCP wrapper and any other services to protect against anyone pretending to have another host's name or address. See the section on inetd.
8. Be sure your /etc/securetty file will not allow root logins from unsecured locations.
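The warning above about wildcards in configuration files and policies 6 and 7 can be checked mechanically. The following is an added example, not part of the original guide: a small Python audit of hosts.allow and hosts.deny in the hosts_access format (daemon list, colon, client list) that flags a missing default-deny rule and client or daemon wildcards that open a service to any host. The file contents are constructed for the example; the audit assumes hostname or IPv4 client patterns.

```python
"""Audit TCP wrapper files (hosts.allow / hosts.deny) against the firewall
policy: default deny, and no over-broad wildcards in hosts.allow."""

# Constructed sample files for this example (not taken from a real host).
HOSTS_DENY = "# deny everything not explicitly allowed\nALL: ALL\n"
HOSTS_ALLOW = (
    "# telnet only from the internal /24\n"
    "in.telnetd: 192.168.1.\n"
    "in.ftpd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250\n"
    "sshd: ALL\n"          # over-broad: any client may reach sshd
    "ALL: .example.com\n"  # over-broad: every daemon opened to a whole domain
)

def parse_wrapper_file(text):
    """Return (daemons, clients) token lists for each rule, honouring '#'
    comments and backslash line continuation as hosts_access(5) does."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # rule continues on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:              # blank line or malformed rule
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def audit(allow_text, deny_text):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    deny = parse_wrapper_file(deny_text)
    if not any("ALL" in d and "ALL" in c for d, c in deny):
        findings.append("hosts.deny lacks a default 'ALL: ALL' rule")
    for daemons, clients in parse_wrapper_file(allow_text):
        if "EXCEPT" in clients:          # only the part before EXCEPT grants access
            clients = clients[:clients.index("EXCEPT")]
        for pat in clients:
            if pat in ("ALL", "KNOWN", "UNKNOWN"):
                findings.append(f"{' '.join(daemons)}: client wildcard {pat} admits any host")
        if "ALL" in daemons:
            findings.append(f"ALL daemons opened to {' '.join(clients)}")
    return findings

if __name__ == "__main__":
    for finding in audit(HOSTS_ALLOW, HOSTS_DENY) or ["policy holds"]:
        print(finding)
```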
System monitoring
Check your system log files often. They are in the /var/log directory. Check the log files /var/log/secure and /var/log/messages daily. Also carefully monitor the log files of any extra services you are running on your firewall.
General network policies
* Configure the identd protocol to allow for user name lookups from client to server machines. This will make it easier to track down any user who abuses the system.
* Use network monitoring tool software to detect abnormal activity on your system or an intrusion.
The Chroot environment
A chroot environment is an isolated environment which is separate from the real operating system. It has its own root directory tree, complete with the programs, libraries, and modules required to run independently of the real operating system. In this way it becomes more difficult to break into the real operating system and damage it. A program that has root privileges can, however, still get into the real operating system, but it becomes more work for an intruder. Some network services that can be configured to run in a chroot environment include bind and Apache. This chroot setup is designed to prevent someone who has exploited a security problem in a service from getting access to the real system.