When it comes to firewall implementation there are a host of factors to consider. For commercial offerings there is the up-front cost in addition to ongoing maintenance and support costs, which in some cases can be considerable. Some commercial offerings run their own base system; others are built on a Linux system that has been so heavily modified that the vendor treats it as proprietary. In the case of a Linux firewall, you also have the option of installing the firewall software on removable boot media such as a CD-ROM or USB pen drive. These choices are discussed in more detail in the following sections, along with specific configuration examples for setting up a free firewall on both Linux and Windows.
Firewall Implementation: Hardware-Based Firewalls vs. Software-Based Firewalls
Another consideration in firewall implementation is whether the firewall decision-making logic runs as software that sits on top of another general-purpose system, or whether the firewall is a dedicated piece of hardware. In the case of a Cisco PIX firewall, the smallest models are the size of a small cigar box and there is no OS other than the PIX software itself. This is a dedicated hardware device used to perform the firewall function, also called a firewall appliance. The other alternative is that the firewall is not a dedicated box but a software component installed on an existing operating system. Many popular firewalls take this approach as well, such as a Check Point firewall that can be installed on top of a Windows system. Of these two approaches, if you want a free solution the choice is made for you: there is no free hardware-based firewall, so you will be using a software-based firewall.
Firewall Implementation: netfilter
When it comes to a Linux-based firewall, there is really only one choice, which is netfilter. This is partly because it was the best option available for the longest time, and since kernel version 2.4 netfilter has been built into the Linux kernel itself. Even many commercial firewalls are running a modified Linux OS with netfilter inside their own custom case. netfilter is the underlying kernel framework that makes up the built-in firewall on Linux systems: it is the netfilter hooks that inspect each network packet and permit or deny the traffic. People often incorrectly refer to the firewall as iptables or ipchains. In fact, iptables is the user-space command used to configure the rules that netfilter applies when deciding whether to permit or deny traffic, and ipchains is its predecessor from the 2.2 kernel series. (On current kernels the nftables front end, nft, has in turn superseded iptables, but it still programs the same netfilter hooks.) Even after you have settled on Linux as the base OS for your firewall, there are some additional choices to make before you start any configuring.
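To make the netfilter/iptables distinction concrete, here is an added example (not code from the original article) of what the user-space side actually hands to the kernel: a minimal default-deny, stateful ruleset for a single Linux host, emitted in iptables-restore format so it can be reviewed as text and then loaded in one transaction. The external interface name (eth0) and the exposed TCP ports (22 by default) are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal default-deny,
# stateful netfilter policy for a single Linux host, in iptables-restore format.
# Generating the policy as text lets you review it before it touches netfilter,
# and iptables-restore replaces the whole table atomically, so a typo fails the
# load instead of leaving a half-applied policy.
# Assumptions: the external interface is WAN_IF (default eth0) and the TCP
# ports passed as arguments (default: 22) are the only services exposed.

WAN_IF="${WAN_IF:-eth0}"

# build_ruleset [tcp_port ...]  -> prints the ruleset on stdout
build_ruleset() {
    ports="${*:-22}"
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; allow outbound by default.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Drop packets conntrack cannot associate with any known connection first.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Return traffic for connections this host opened, plus related ICMP errors.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # New inbound connections only to the listed TCP ports on the WAN side.
    for port in $ports; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever is about to fall through to the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Number of -A rules in the generated policy (quick sanity check).
rule_count() {
    build_ruleset "$@" | grep -c '^-A '
}

# Load the policy; needs root and the iptables user-space tools installed.
apply_ruleset() {
    build_ruleset "$@" | iptables-restore
}

# `sh fw.sh` prints the policy for review; `sh fw.sh apply 22 443` loads it.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
else
    build_ruleset "$@"
fi
```

Everything above the COMMIT line is just text until iptables-restore parses it and asks the kernel to install the rules; the matching and dropping of packets is then done entirely inside netfilter, which is why a running firewall keeps working even if the iptables binary is removed. Note also the ordering: the INVALID drop and the ESTABLISHED,RELATED accept come before any port-specific rule, so the per-port rules only ever see the first packet of a new connection.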
Firewall Implementation: Choosing a Linux Distro
While all Linux distributions share the same kernel and core tooling, there will be differences. Depending on the specific distribution, the differences in installer, package manager, default services and available software packages can be significant. Because there are so many free versions of Linux available, it costs nothing but the time to download and install several different versions and see which one you like. I tend to use Fedora, because it is the community version of Red Hat, one of the oldest and most well-established Linux distributions. However, Fedora has fallen out of favor with many Linux users over the years, and your mileage may vary. Ubuntu is also very popular, although power users may find it annoying. Most likely you will want to try out the Live CD version of a distribution (if one is available) before you make up your mind. When it comes to choosing the specific version of Linux you want to use, this decision must be made in parallel with choosing an installation medium, because not all versions are supported on all media.
In the next article, we will continue our look at firewall implementation, including the choice of distribution media.
Distrowatch – a good site for information and links to various Linux distributions