Building a Linux firewall

Learn about the three types of firewalls—application proxy gateway, circuit level relay, and packet filter—and how they are used to protect your network from unauthorized access.
Checking Your Work

Even with generic tables to work with, you may not always get the rules the way you want them. It's nice to be able to check your work. The ipfwadm utility offers the -c option to check packets against your rules. For example, to check if a packet from some host can send mail to an internal host other than warbird, we can run:

# ipfwadm -F -c -P tcp -S > 1024 \
  -D 25 -I

This would yield the response packet denied. When using -c to check a rule, you need to be very specific and supply a source address and port, destination address and port, and an interface address.

The other way to test your environment is with live traffic. If you suspect traffic is not being forwarded because of your ruleset, you can use tcpdump to monitor the traffic coming into and going out of the firewall. It becomes fairly obvious if the firewall is not allowing legitimate traffic to go through. For example, when I set up the rules to allow mail through, I noticed it took an exceptionally long time to send a message. tcpdump revealed that the receiver, mccoy in this case, was sending IDENT messages back to the source but they were being blocked by the firewall. By adding a rule to allow IDENT messages, mail went much faster. Creating this rule is left as an exercise for the reader.

For rudimentary logging, a rule may be set with the -k option, which will cause the kernel to print out a message via syslog for all matching packets. However, setting up the kernel to understand the -k option is not straightforward. The kernel needs to be compiled with CONFIG_IP_FIREWALL_VERBOSE defined. To do this, just add the definition to the Makefile in the net/inet directory in the kernel source directory. Unfortunately, the code defined in the CONFIG_IP_FIREWALL_VERBOSE section of ip_fw.c does not compile cleanly in 1.2.x distributions. The fix is simple and implemented in the latest 1.3.x versions of the kernel.

If you set up the kernel to support the -k option you will receive output in the /var/adm/messages file similar to that shown in Figure 9.

Concluding Comments

The firewall we just built can be replaced by almost any router you can purchase from a vendor. However, turning a Linux machine into a packet filtering router is a cheap and very effective alternative.

There are several limitations to the firewall code. Its inadequate logging capabilities are a big miss; documentation is lacking; and the inability to filter on IP options do not allow the filtering router to be as flexible as it might be.

For many environments, the firewall facilities of the Linux kernel can be more than sufficient, but for those who need commercial-grade firewall software for Linux, or software that can run under Linux, there are solutions. The shareware ipfirewall code from Daniel Boulet, mentioned earlier in this article, addresses several of the problems just stated. Also, the commercial Mazama Packet Filter from Mazama Software Labs is a real “bells and whistles” product. It comes complete with nice documentation, a filter “language” for defining the rulesets (this is a winner), a GUI for very simple administration, and fixes for the technical problems (such as IP options and TCP SYN/ACK filtering).

One last concept not mentioned in this article is that of IP Masquerading. Very perceptive readers will notice the network warbird is on ( is a private IP address. That is, it not one assigned by the InterNIC, but can be used for local or private IP-based networks not connected to the Internet. I can get away with using this addressing scheme because the machine called relay is a commercial firewall that performs masquerading (otherwise known as address hiding). All connections going out of the 20.2.51 or 192.168.1 networks have a source address of relay from the perspective of the remote machine. As you might be able to guess from its name, relay is also an application proxy gateway. Linux also has the ability to hide addresses, but that is a topic for another article.

Chris Kostick ( is a Senior Computer Scientist at Computer Sciences Corporation's Network Security Department. He enjoys working with Linux but considers himself a latecomer because he started out at kernel version 1.1.18. As far as computers go, he's not sure if he has more fun debugging TCP/IP problems or playing Doom.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


prat's picture

i m working on firewall on linux platform....could you please send me ypur code for assistance..on

linux firewall code needed.. urgent!

Anonymous's picture

has anyone out there got a complete working code on linux based firewall?? plz help!!

complete firewall code for linux...

Anonymous's picture

Hi... v r dng a project on firewall for linux... can u please give d code of a simple packet filter firewall for linux... my mail id is

linux firewall

anonymous's picture

hey ,
we r doing project on a network security.. we r going to build a DMZ for a private network. In which we r supposed to build our own firewall on linux. so could u plz guide us regarding how to start with the project.. we would be very thankful to u if u provide us with the complete soursecode id is

firewall code needed

thomas's picture

hey friends am planning to do a project on linux firewall.but dont hav any idea on how to do pls if any1 has any info about the logic and got the complete code ,pls do mail it to me at pls HELP ME..i want it early

Re: Building a Linux firewall

Anonymous's picture

i'm building a linux firewall in bash en a configuration file can somebody help me with a complete code so i can have an idea how i can began,my e-mail is

Re: Building a Linux firewall

Anonymous's picture

Can you provide a complete source code

My Mail ID :

Re: Building a Linux firewall

Anonymous's picture

# cat set_policy.c

#include <stdio.h>

#include <string.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <linux/ip.h>

#include <linux/tcp.h>

#include <linux/udp.h>

#include <linux/ip_fw.h>

main(int argc, char **argv)


int p, sfd;

struct ip_fw fw;

fw.fw_flg = 0;

if (strcmp(argv[1], "accept") == 0) {



else if (strcmp(argv[1], "reject") == 0) {



else if (strcmp(argv[1], "deny") == 0) {

p = 0;



setsockopt(sfd, IPPROTO_IP, IP_FW_POLICY_FWD,

&p, sizeof(int));


Need a bit help

Shobhit Kumar's picture

This is Shobhit here....i m trying to build a kind of firewall in C...actually i m looking for specific URL blocking for a bandwidth manager box....i mean to say a program that can recognize the packet information from the network....and that sort them and then block the required packets.....if u ould help me with this....more over if u could send me the full ode than atleast i will get some idea...thanx


Anonymous's picture

Can anyone help me to code a firewall using netfilter which will support multiple rules

can you provide me a complete code?

Anonymous's picture


i am developing a firewall for my system and i would like to look at you code for that purpose.

i would appreciate if u would email me the same at folowing id:



need help

Anonymous's picture

we have a LAN and a gateway in it. We want to hold all the packets coming into the gateway for compression /modification. we want help for this.
thank you.

Give a complete code not just a part of it

Anonymous's picture

Would you please give a complete code not a part.

My email id:-

Re: Building a Linux firewall

Anonymous's picture

Would you please give a complete code not a part.

My email id:-

Building a Linux firewall

juno's picture

hi there..we are currently working on a firewall for our thesis..i was hoping if anybody can help me.. can you send me the complete source's my email:

thank you..