Firewall rules are divided into three categories:
In most cases, the rules need to be symmetrical -- for instance, allowing request packets to go out to a remote web server only makes sense if the responses from that server are allowed to return.
The exception to this rule is the "SYN" packets which are used to initiate a new connection. For instance, even though packets using the http protocol are allowed in so that you can receive data from a remote web site, http packets requesting a new connection might be blocked, to prevent outsiders from connecting to internal web servers.
With ipchains and netfilter, additional user-defined rulesets may be created and referenced (or "chained") from other rulesets. Chains allow very complex firewalls to be created.
Each rule set consists of a list of rules which are compared to network packets and tested to see if they apply. The first rule to match the packet being tested determines what happens to that packet. The available dispositions are:
If no disposition is specified, the packet is logged but no action is taken; more rules will be tested to see what is to become of the packet.
In general, incoming connection requests should be severely restricted unless this system is a server, and even then only those ports which are actually needed should be enabled.
The output rules are usually set to be permissive unless you don't trust some of your users.
The forwarding rules should be set to deny all forwarding unless this system is going to be used as a router and/or a firewall.
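As an added illustration (not part of the original help text), the following POSIX shell script generates an iptables-restore ruleset for netfilter, the successor to ipchains, that applies the three policies above to a host that serves only ssh and http: return traffic is symmetrical, new inbound "SYN" requests are accepted only on the served ports, output is permissive, and forwarding is denied. The port list and the "FW-SYN-DROP" log prefix are assumptions for the example.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for a non-router host.
# Assumes iptables with the "state" match; the served ports are placeholders.

# Ports this host actually serves (assumption: ssh and http only).
SERVER_PORTS="22 80"

gen_ruleset() {
    echo '*filter'
    # Default dispositions: incoming and forwarded packets are dropped unless a
    # rule accepts them; outgoing packets are permitted (permissive output).
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic never leaves the machine.
    echo '-A INPUT -i lo -j ACCEPT'
    # Symmetry: replies to connections this host opened are allowed back in.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # SYN exception: new connection requests are accepted only on served ports.
    for p in $SERVER_PORTS; do
        echo "-A INPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    # Any other connection request is logged, then falls to the DROP policy.
    echo '-A INPUT -p tcp --syn -j LOG --log-prefix "FW-SYN-DROP: "'
    echo 'COMMIT'
}

# Number of rules that would accept a new inbound connection request.
count_syn_accepts() {
    gen_ruleset | grep -c -- '--syn -j ACCEPT'
}

# Print the ruleset; load it with: gen_ruleset | iptables-restore
gen_ruleset
```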
Normally, only one or two criteria are used in any given rule. For example a rule might be used to deny all access to the system's smtp port, or perhaps limit access to the ftp port to certain IP addresses.
FTP is a little tricky because it uses two ports. In a typical transaction, the client application initiates a connection over port 21 (ftp) and the server initiates the return connection over port 20 (ftp-data).
Allowing an outside system (the server) to initiate a connection is somewhat risky. One solution is to install ftp proxy software in your firewall system. Another is to restrict ftp access to "passive mode" in which the client system initiates both connections. Fortunately, most ftp software will work this way.
For more information, see the LINUX Network Administrator's Guide by Olaf Kirch & Terry Dawson, published by O'Reilly books.
A misconfigured smtp server can allow spammers to relay spam through your system, so enable this with care. Make sure your mail server software is configured to disallow forwarding.
Finger was written in more trusting times, but now it serves as a way for crackers to get information about your system's users. In addition, a bug in the finger daemon was exploited by the Morris Worm to gain access to systems.
Still, some special-purpose finger daemons exist. For instance, there are servers which will return a PGP key id if you finger something like "keyid@keyserver".
Many services are available with both the TCP and UDP protocols. See the file /etc/services for a list of common services, their ports, and their protocols.
The protocol types which may be selected are: