To quote the author of the ipfwadm man page:
Ipfwadm is used to set up, maintain, and inspect the IP firewall and accounting rules in the Linux kernel. These rules can be divided into four different categories: accounting of IP packets, the IP input firewall, the IP output firewall, and the IP forwarding firewall. For each of these categories, a separate list of rules is maintained. See ipfw(4) for more details.
On its own, ipfwadm is already a flexible single-technology (packet-filtering) firewall solution. Combined with other firewalling technologies, in particular fwtk, which operates at the application level, it becomes even more powerful and can form a very robust, secure firewall device.
Traditional routers are vulnerable to many kinds of attack. Anyone who has access to machines on the Internet, in any fashion, can gain unauthorized access to your systems in a multitude of ways, and such a person can also destroy or alter at will any unprotected part of your network.
What ipfwadm protects against: in short, it can act as a wall between your network and the outside for every service based on TCP, UDP, or ICMP that your network offers, or that hosts on your network are allowed to reach.
ipfwadm will not protect you from attacks that exploit weaknesses inherent in clear-text services; against those you will have to use encryption. Nor will it protect you from malicious actions taken after a user has authenticated. So be wise and use a secure authentication system whose credentials cannot be predicted and are therefore harder to crack.
If you allow user services on the host that runs ipfwadm, all bets are off: every service provided increases the odds of compromise. One need only look at the serious problems that unaddressed holes in Exploder have surfaced to understand the security issues involved. Security administrators should seriously consider not allowing any service whose implications they do not understand. Since that is sometimes unrealistic, consider this: if, for instance, you offer NetMeeting without analysing exactly how it provides its service, you are dead in the water before you begin. In conclusion, any service you offer through your firewall can only be as secure as the service itself; if in doubt, deny access to it. And if you are unsure which services to pass through the firewall, and a proper inventory of a secure solution is beyond your time or means, then do not allow them, or face the consequences. A better course in that case is to contact a professional whose business is computer security.
For more extensive information, please refer to the ipfwadm(8) and ipfw(4) man pages.
ipfwadm works by examining each IP packet flowing into or out of your network and applying a series of rules that depend on what the packet is doing: arriving at the firewall host, leaving it, or being routed through it. The firewall itself is divided into four action-specific modules, each responsible for one purpose:
1- a rule-based input firewall module for TCP, UDP, and ICMP packets received by the firewall host
2- a rule-based output firewall module for TCP, UDP, and ICMP packets sent by the firewall host
3- a rule-based forwarding firewall module for TCP, UDP, and ICMP packets routed through the host from one interface to another
4- a rule-based accounting firewall module that counts the TCP, UDP, and ICMP packets matching each rule
The kernel keeps a separate list of rules for each module. A packet is tested against the list in order and the first matching rule decides what happens to it; for the input, output, and forwarding lists a default policy (accept, deny, or reject) applies to packets that match no rule. By choosing these rules and policies the firewall administrator defines the behaviour of the firewall explicitly.
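As an added example (not code from the original page or from the ipfwadm project), the following shell script builds one complete default-deny rule set that exercises all four lists. The inside network, interface addresses, mail host and the dry-run switch are assumptions made for illustration:

```shell
#!/bin/sh
# Added example (not from the original page): a default-deny ipfwadm rule set
# that touches all four rule lists. The addresses, the mail host and the
# script's dry-run switch are assumptions made for illustration.

INT_NET="198.51.100.0/24"   # assumed inside network (routable, so no masquerading)
INT_IP="198.51.100.1"       # assumed address of the firewall's inside interface
EXT_IP="203.0.113.1"        # assumed address of the firewall's outside interface
MAILHOST="198.51.100.10"    # assumed inside SMTP server
ANY="0.0.0.0/0"

# By default the rules are printed rather than loaded, so the set can be
# reviewed on a machine without ipfwadm; run with IPFWADM=/sbin/ipfwadm to load.
IPFWADM="${IPFWADM:-echo ipfwadm}"
fw() { $IPFWADM "$@"; }

load_rules() {
    # Start from empty lists (-f flushes) and a deny policy for the input and
    # forwarding lists; the output list is left at accept and used for one
    # egress rule below.
    for list in -I -O -F -A; do fw "$list" -f; done
    fw -I -p deny
    fw -O -p accept
    fw -F -p deny

    # Input list: every packet the host receives, on either interface, is
    # checked here first, so this is where inbound policy lives.
    # Packets on the outside interface (-V) claiming an inside source are
    # spoofed: deny and log them (-o). First match decides, so this rule
    # comes before any accept.
    fw -I -a deny -V "$EXT_IP" -S "$INT_NET" -D "$ANY" -o
    # Anything arriving on the inside interface from the inside network.
    fw -I -a accept -V "$INT_IP" -S "$INT_NET" -D "$ANY"
    # Replies to connections opened from inside: TCP with ACK set (-k),
    # DNS answers, and ICMP (errors, path MTU, ping replies).
    fw -I -a accept -P tcp -S "$ANY" -D "$INT_NET" -k
    fw -I -a accept -P udp -S "$ANY" 53 -D "$INT_NET"
    fw -I -a accept -P icmp -S "$ANY" -D "$INT_NET"
    # The one inbound service offered: SMTP to the mail host.
    fw -I -a accept -P tcp -S "$ANY" -D "$MAILHOST" 25
    # Everything else (telnet, rlogin, ...) falls through to the deny policy.

    # Output list: refuse clear-text telnet leaving in either direction, with
    # logging, and tell the sender so (reject rather than deny).
    fw -O -a reject -P tcp -S "$ANY" -D "$ANY" 23 -o

    # Forwarding list: route packets between the inside network and the
    # outside; what may come in was already decided by the input list.
    fw -F -a accept -P all -S "$INT_NET" -D "$ANY"
    fw -F -a accept -P all -S "$ANY" -D "$INT_NET"

    # Accounting list: count SMTP packets to and from the mail host (-b)
    # so the traffic can be reviewed later with ipfwadm -A -l.
    fw -A -a -P tcp -S "$ANY" -D "$MAILHOST" 25 -b
}

load_rules
```

With IPFWADM unset the script only prints the seventeen commands it would run; setting IPFWADM=/sbin/ipfwadm loads them for real. Two points the rule order makes visible: the input list sees packets arriving on every interface, so traffic from the inside network has to be accepted there explicitly, and because the first matching rule wins, the anti-spoofing deny must precede the accept rules it is meant to override.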