
Building a Bridging Firewall with Linux

The Joint Astronomy Center operates two telescopes on the 14,000-foot summit of Mauna Kea on the island of Hawaii, as well as offices and a base facility in the city of Hilo. Our Internet connection is provided by the University of Hawaii, and we are assigned three subnets within the University's Class B address range. Until recently, our network security needs have been satisfied by a combination of

Upon examining several proprietary and open-source solutions, we found that a major drawback of many of them was the requirement that our internal networks be renumbered into a private address range, as per RFC 1918. With over 200 systems on three different subnets, some of which are embedded microprocessors that would require burning new EEPROMs, this was a daunting task. So we began searching for a way to implement a transparent firewall that would let us keep all of our current addresses yet still offer good protection.

Linux kernels from v2.2 on have support for Ethernet bridging. A bridge forwards frames between its interfaces by looking only at the Ethernet destination MAC address, never at the source or destination IP address, so the bridged interfaces need no IP addresses of their own and the addressing of the networks on either side is untouched. AC2I, a French company, distributes a kernel patch that allows the ipchains packet filter to act on traffic crossing the bridged interfaces. This configuration lets you set up a firewall system that is invisible to the Internet, yet provides a high level of protection and access control for your private network. The remainder of this article explains the steps necessary to get a bridging firewall up and running.

Hardware Configuration

To perform as an effective firewall and network monitor, the system needs a sufficiently fast CPU. The prototype system was built on a 500MHz Celeron processor with 256MB of memory. Tests show the bridge can keep up with a fully saturated 10Mb/s Ethernet with no lost packets. Install two additional Network Interface Cards (NICs): two are needed for the bridge, and a third for administering the firewall.

Disk capacity is not particularly important, as all logging should be to a secure syslog server. If you want to maintain some local logging (useful for some of the configuration and monitoring tools), ensure an abundance of free space--firewall and intrusion detection system (IDS) logs can get very large, very quickly.

Installing Linux

The following sections are based on the Linux 2.2.16 kernel (Red Hat 7.0 distribution). When the 2.4 kernel is released the kernel firewall code changes, and the iptables package will be used for firewalling instead of ipchains.

Perform a standard Linux installation, but deselect almost everything. Do not even install inetd/xinetd--you are not going to run any services on this system. Do not install any compilers/development tools. If, however unlikely, someone does manage to gain access to the firewall, you do not want them to be (easily) able to rebuild any binaries. Do install Perl (for some of the reporting tools) and OpenSSH (for remote administration). Make sure you install the ipchains package--this is needed for the firewall setup. A web browser can be useful, and NTP can't hurt as long as you only accept time updates from inside the protected net. You will probably want your favorite editor(s), and maybe some X11 applications (xterm, gtop, etc.). Install network monitoring packages (whois, finger, tcpdump, traceroute, nc) and tcpwrappers. Create a non-root administrator user and use this account for all logins. Perform the installation with either no network connection at all or with the primary NIC connected to an otherwise empty hub or switch.

At installation, only configure the primary Ethernet interface--the one that will be a part of the protected network--and give it a fixed IP address. When the system reboots after installation, type linux 1 at the LILO boot: prompt to boot into single-user mode, and then put a line into /etc/hosts.allow for sshd to allow access only from a specified internal-network workstation. Pair it with an ALL: ALL line in /etc/hosts.deny: tcpwrappers permits anything matched by neither file, so an allow line by itself denies nobody. Then reboot into runlevel 3. It is now safe to connect the primary Ethernet interface to the internal network.
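The tcpwrappers lockdown described above, as an added shell example that is not part of the original article. The address 192.0.2.10 stands in for the administrative workstation and the file paths are parameters, so the check can be run against copies before touching /etc; both are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's own code.  sshd on Red Hat 7.0 is built
# with libwrap, so /etc/hosts.allow and /etc/hosts.deny govern who may
# connect.  tcpwrappers reads hosts.allow first, then hosts.deny, and lets
# through anything matched by neither, which is why the catch-all in
# hosts.deny is essential.

# write_wrappers <hosts.allow> <hosts.deny> <admin host>
# Restrict sshd to one workstation and deny every other wrapped service.
write_wrappers() {
    printf 'sshd: %s\n' "$3" > "$1"
    printf 'ALL: ALL\n' > "$2"
}

# check_wrappers <hosts.allow> <hosts.deny> <admin host>
# Return 0 only if every sshd line in hosts.allow names exactly the admin
# host and hosts.deny carries the ALL: ALL catch-all; return 1 otherwise.
check_wrappers() {
    allow="$1"; deny="$2"; admin="$3"
    # any sshd line that is not the admin host widens access
    if grep '^sshd:' "$allow" | grep -v "^sshd: *${admin}\$" | grep -q .; then
        echo "hosts.allow grants sshd to a host other than ${admin}"
        return 1
    fi
    if ! grep -q "^sshd: *${admin}\$" "$allow"; then
        echo "hosts.allow has no sshd line for ${admin}"
        return 1
    fi
    if ! grep -q '^ALL: *ALL' "$deny"; then
        echo "hosts.deny lacks the ALL: ALL catch-all; hosts.allow alone denies nothing"
        return 1
    fi
    return 0
}

# Usage on the firewall, in single-user mode, with 192.0.2.10 replaced by the
# real administrative workstation (assumed address):
#   write_wrappers /etc/hosts.allow /etc/hosts.deny 192.0.2.10
#   check_wrappers /etc/hosts.allow /etc/hosts.deny 192.0.2.10
```

The check is deliberately strict: a second sshd entry in hosts.allow, or a missing catch-all in hosts.deny, both fail it, which are the two mistakes that silently leave the firewall's only listening service reachable from more than one host.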

Building the Bridging Kernel

This step must be performed on a separate build system running the same kernel version as the firewall, since the firewall has no compilers or development tools. You will do a standard Linux kernel configuration, disabling most features and enabling the bridging code.

Change directory to /usr/src. Copy the kernel source tree to another directory:

   # mkdir linux-fw; cd linux-2.2.16; tar cf - . | (cd ../linux-fw; tar xpf -)
   # cd ..; rm linux; ln -s ./linux-fw linux

Apply the linux_brfw2 patch. This patch adds a new built-in bridgein chain to ipchains. This is the chain you will use for the bridging firewall. This patch can be obtained from http://ac2i.tzo.com/bridge_filter/linux_brfw2.diff:

  # patch -p0 <linux_brfw2.diff

Change directory to /usr/src/linux and configure the kernel. You should definitely read the kernel how-to document at http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html before performing this step. The relevant configuration options are:

   CONFIG_MODVERSIONS=N
   CONFIG_FIREWALL=Y
   CONFIG_FILTER=Y
   CONFIG_IP_FIREWALL=Y
   CONFIG_IP_FIREWALL_NETLINK=Y
   CONFIG_IP_ROUTE_FWMARK=Y
   CONFIG_BRIDGE=Y

In the resulting /usr/src/linux/.config an enabled option appears as CONFIG_BRIDGE=y and a disabled one as # CONFIG_MODVERSIONS is not set; check the file for these lines before starting the build.

Create a temporary directory somewhere to hold the new kernel and system map, and uncomment the INSTALL_PATH= line in /usr/src/linux/Makefile to reflect this location (you don't want to overwrite your running kernel!). Also, edit /sbin/installkernel in the same way.

  # make dep;make clean;make bzImage install

Copy vmlinuz-2.2.xx-yy and System.map-2.2.xx-yy from your temporary directory to /boot on the firewall, being sure to first move any existing files by the same name. Login to the firewall, change directory to /boot, and link vmlinuz and System.map to the new files.

Edit /etc/lilo.conf adding a new image section:

      image=/boot/vmlinuz
      label=firewall
      read-only
      root=/dev/hda1

Run lilo -D firewall to rewrite the boot map with the new kernel as the default, then reboot the firewall system.
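The build-host and firewall-side steps above, collected into one script as an added example; this is not the article's own script. It assumes the article's layout under /usr/src, stages the new kernel in /tmp/fw-kernel (an assumed directory), and names the staged files vmlinuz-2.2.16-fw and System.map-2.2.16-fw (assumed names that avoid colliding with the firewall's existing files). Rather than editing INSTALL_PATH in the Makefile and /sbin/installkernel, it copies bzImage and System.map out of the tree by hand, which keeps them off the build host's /boot just the same. It also adds a check that the .config really carries the required options before the compile starts.

```shell
#!/bin/sh
# Added example, not code from the original article.  Build-host functions
# run as root on a system with the same kernel version as the firewall (the
# firewall itself has no compiler); the last function runs on the firewall.

SRC=/usr/src
KVER=2.2.16
STAGE=/tmp/fw-kernel            # staging directory for the new kernel (assumed)

# Options the article requires, as they appear in .config: "NAME=y" when
# enabled, "# NAME is not set" (or no line at all) when disabled.
WANT_Y="CONFIG_FIREWALL CONFIG_FILTER CONFIG_IP_FIREWALL CONFIG_IP_FIREWALL_NETLINK CONFIG_IP_ROUTE_FWMARK CONFIG_BRIDGE"
WANT_N="CONFIG_MODVERSIONS"

# config_ok <.config>: return 0 when every required option has the required
# value; otherwise name each offender on stdout and return 1.
config_ok() {
    cfg="$1"; bad=0
    for opt in $WANT_Y; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: ${opt}=y"; bad=1
        fi
    done
    for opt in $WANT_N; do
        if grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "must be off: ${opt}"; bad=1
        fi
    done
    return $bad
}

# build_bridging_kernel: run on the build host with linux_brfw2.diff in $SRC.
build_bridging_kernel() {
    cd "$SRC" || return 1
    # 1. Private copy of the source tree; point the "linux" link at it.
    mkdir linux-fw || return 1
    (cd "linux-$KVER" && tar cf - . | (cd ../linux-fw && tar xpf -)) || return 1
    rm -f linux && ln -s ./linux-fw linux
    # 2. AC2I patch: adds the built-in bridgein chain to ipchains.
    patch -p0 < linux_brfw2.diff || return 1
    cd linux || return 1
    # 3. Configure interactively, then refuse to build a wrong .config.
    make menuconfig || return 1
    config_ok .config || return 1
    # 4. Build, and stage the results outside /boot (make bzImage leaves the
    #    kernel in arch/i386/boot/bzImage and the map in System.map).
    make dep && make clean && make bzImage || return 1
    mkdir -p "$STAGE"
    cp arch/i386/boot/bzImage "$STAGE/vmlinuz-$KVER-fw"
    cp System.map "$STAGE/System.map-$KVER-fw"
    echo "kernel staged in $STAGE; copy both files to /boot on the firewall"
}

# activate_on_firewall: run as root on the firewall after the two staged files
# are in /boot and the image=/boot/vmlinuz, label=firewall stanza from the
# article is in /etc/lilo.conf.
activate_on_firewall() {
    cd /boot || return 1
    ln -sf "vmlinuz-$KVER-fw" vmlinuz
    ln -sf "System.map-$KVER-fw" System.map
    lilo -D firewall            # rewrite the boot map, "firewall" becomes the default
}

# Usage:  . ./fwkernel.sh; build_bridging_kernel      (on the build host)
#         . ./fwkernel.sh; activate_on_firewall       (on the firewall)
```

Running config_ok before make dep matters because a kernel built without CONFIG_BRIDGE or CONFIG_IP_FIREWALL boots and runs fine but silently gives you a bridge with no filtering, or a filter with no bridge.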
