A firewall is a hardened and trusted host that acts as a choke point among a group of networks (usually a single private network and a single public network).[1] All network traffic among the affected networks is routed through the firewall. The firewall host is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked (dropped without response) or refused (rejected with a response). In some large organizations, you may even find a firewall located inside their corporate network to segregate sensitive areas of the organization from employees in other areas. Many cases of computer crime originate within an organization, rather than from outside.
[1] The term firewall comes from a device used to protect people from fire. The firewall is a shield of material resistant to fire that is placed between a potential fire and the people it is protecting.
Firewalls can be constructed in a variety of ways. The most sophisticated arrangement involves a number of separate hosts and is known as a perimeter network or demilitarized zone (DMZ) network. Two hosts act as "filters" (sometimes called chokes) to allow only certain types of network traffic to pass, and between these chokes reside network servers such as an email (SMTP) server or a World Wide Web (HTTP) proxy server. This configuration can be very safe and allows a great range of control over who can connect both from the inside to the outside and from the outside to the inside. This sort of configuration might be used by large organizations.
In many cases, though, people build firewalls that also provide other services (such as SMTP or HTTP). These are less secure because if someone exploits a weakness in one of the extra services running on the firewall, the entire network's security has been breached. The attacker could modify the firewall rules to allow more access and turn off accounting that might have otherwise alerted the network administrator that there was unusual network activity. Nevertheless, these types of firewalls are cheaper and easier to manage than the more sophisticated arrangement just described. Figure 7-1 illustrates the two most common firewall configurations.
The Linux kernel provides a range of built-in features that allow it to function as an IP firewall. The network implementation includes code (the netfilter subsystem) to do IP packet processing in a number of different ways, and provides a user-space mechanism (the iptables command) to configure what sort of rules you'd like to put in place. A Linux firewall is flexible enough to make it very useful in either of the configurations illustrated in Figure 7-1. Linux firewall software provides two other useful features that we'll discuss in separate chapters: IP Accounting (Chapter 8) and IP Masquerade and Network Address Translation (Chapter 9).
The three main classes of packet processing are filtering, mangling, and Network Address Translation (NAT). Filtering is simply deciding, at various points in the packet flow, whether or not to allow the packets through to the next stage. Packet mangling is a generic term for modifying packets as they move through the packet flow. NAT is a special application of mangling whereby source or destination IP addresses and/or ports are modified to transparently redirect traffic.