
A Personal Firewall for Linux

Sten Darre (s030171)
Thesis - IMM, DTU
30th August 2005

Abstract

This constitutes the investigation and development of a user-friendly tool for firewall configuration and management, based on the netfilter/iptables firewall code residing in current Linux kernels. It aims to be a personal firewall for Linux. It provides a KDE GUI for netfilter/iptables that lists and edits firewall rules, lists running processes, and lists connection attempts to the host. Connection attempts can be accepted/dropped on the fly or permanently handled by manipulation of the firewall rules.

This thesis constitutes the report part for obtaining a Master's degree in Computer Science at IMM - DTU.

Contents

1 Introduction 6
1.1 The current state of computer security 6
1.1.1 Microsoft survey of computer security breaches 7
1.1.2 Conventional security threat assessment 7
1.2 Summary 8
1.3 Project-audience and target-groups 8
1.3.1 Pre-requisite skills and programming issues 9
1.4 Reader's guide to digestion 10
2 Background and goal 11
2.1 Firewalls - a computer security issue 11
2.2 The realms of firewalls 12
2.2.1 The CIA-paradigm 12
2.3 Firewall- and Networking-terminology 13
2.3.1 The OSI-Model 13
2.3.2 The Internet in OSI-terms 15
2.3.2.1 The wiring of the Internet (Layer 1-2, Physical-DataLink) 15
2.3.2.2 The Internet does come in Packets (Layer 3, IP) 15
2.3.2.3 The virtual wires of the Internet (Layer 4, TCP/UDP) 16
2.3.2.4 Internet programs (Layers 5-7, any protocol) 16
2.3.2.5 An example of Internet communication 16
2.3.2.6 Summary of the OSI-model of the Internet 18
2.3.2.7 Key points 18
2.3.3 Firewall-types 19
2.3.4 Definition of "the personal firewall" 20
2.4 Purpose and goal 22
3 Project prelude - Engineering strategy 23
3.1 Processes and procedures 23
3.1.1 Development-process models 23
3.1.2 Process iteration 25
3.2 Requirements handling 26
3.2.1 Requirements template 27
3.3 API-Coding strategy 28
4 Requirements 29
4.1 The list of requirements 29
4.1.1 Usability-requirements 30
4.1.2 Interactiveness-requirements 33
4.1.3 Framework-requirements 34
5 Linux Firewall-solutions 35
5.1 The Linux packet filter (netfilter/iptables) 35
5.2 Survey of existing OpenSource-solutions 38
5.3 Related academic work 43
6 Our solution - User interface and System Architecture 47
6.1 The layered approach 48
6.1.1 Database view 49
6.1.2 Firewall filter view 49
6.1.3 Process communication view 54
6.1.4 Total network model 56
6.2 System Design (Overall Design) 60
7 Detailed Design issues 63
7.1 Knowledge discovery and acquisition 63
7.2 Plugin-system 64
7.2.1 The linkage-problem 65
7.2.2 The KDE solution 65
7.2.3 Summary 67
7.3 Defined Parts of the main system 67
7.3.1 The main application frame 68
7.4 The Database 69
7.4.1 Choosing a Database-engine 69
7.4.2 The ER-model 69
7.4.3 The Postgres Table definitions 71
7.4.4 The database-setup 72
7.5 The GUI-Views 74
7.5.1 Experience using KDE and Qt 74
7.5.2 Debugging and testing GUI-code 75
7.5.3 The RuleView 75
7.5.4 The ProcView 79
7.6 Root-execution security 79
7.7 Capturing packets (QUEUE-handler) 80
7.8 Setup Wizard 81
7.9 Development- and Test-environment 82
8 Concluding Remarks and Future work 84
8.1 Rule verification and integrity 84
8.2 A concept of Object-Oriented firewall-configuration 86
8.3 Future Modules for lpfw 87
8.3.1 Setup-Wizard GUI-Frontends 88
8.3.2 Rule-checkers and -verifiers 88
8.3.3 Routing parser and NetworkView 88
8.3.4 Statistics and quota 88
8.3.5 Process-signature checking 88
8.3.6 Network-wide approach 89
8.4 Future Modules for netfilter 89
8.5 Summary 90
9 Conclusion 91
A Firewall configuration example 93
B Timetable 110
B.1 Project schedule 110
B.2 Project progress diary 111
C User guide 113

List of Figures

2.1 CIA model 12
2.2 OSI-7 model 14
2.3 OSI-7 model physical extent 14
2.4 OSI-7 vs. Internet 15
2.5 OSI-7 example session 17
3.1 Iterative development-spiral 25
5.1 Netfilter-flow (iptables) - (See also Fig. 6.5 on page 57 for a more complete view) 36
5.2 KMyFirewall 40
5.3 Firewall Builder 41
5.4 FieryFilter 42
6.1 DBView (in process of executing an SQL-Query) 50
6.2 Configuration dialog: Connection-details (handles) and verbosity (in the background) 51
6.3 RuleView (in process of changing a parameter in a rule) 52
6.4 ProcView (in process of accepting an incoming SSH-connection) 55
6.5 Complete firewall-network-model of a host (illustration) 57
6.6 Three models of networking on a host (prototype-sketch) 58
6.7 Simple process view (prototype-sketch with dot) 58
6.8 Advanced process view (prototype-sketch with dot) 59
6.9 System overview (See also Fig. 6.5 on page 57 for relations to the OS(I)-network-stack) 61
7.1 ER-model overview 70
7.2 Tables filled with test-data (pgaccess) 73
7.3 States for a ListViewItem 77
7.4 Setup Wizard (in process of assigning NICs to Zones) 81

List of Tables

3.2 Example of Requirements 27
5.1 FireHOL example 39

Chapter 1
Introduction

When this author tried to set up and configure a firewall for SOHO usage on a SuSE-Linux installation, it took considerable insight into networking and security to see through the tech-hype - and plenty of documentation on issues, configurations and.