Your linux firewall using FIAIF.

The purpose of a firewall is to control what packets are allowed in and allowed out. Running a cablemodem without a firewall is pure suicide. The bad guys will discover you in a matter of minutes and launch an attack.

Under Linux, the newest firewalling method is called Netfilter and works through an interface called iptables. Not everyone is going to agree with me, but the philosophy I employ is this: You can't build your own firewall properly using iptables commands. It's just too damn complicated. It's analogous to writing a large application in machine language. There are people who can do it and some of them might even enjoy it. I prefer to use a higher level interface to accomplish the same goal.

Selection of a firewall.

There are two types of interfaces: Some sort of a GUI setup versus some sort of a text interface. The current state of things are that the GUI systems are so simplified that they don't give you the fine controls you really need (or want). In the text interfaces, there are a number of decent ones to choose from. There's something called Monmatha's Firewall which is one big shell script. There's something called Shorewall which is also exellent. I use something called FIAIF, which stands for FIAIF Is An Intelligent Firewall. Besides the fact that it's a self-referential palindrome, I like the controls available in it. A few tips on using FIAIF:

Under the documentation directory is a paper which you should read before diving into the man pages.

The INPUT rule that I use for my external zone looks like this:

INPUT[0]="ACCEPT tcp smtp,finger,http,8080,ssh,netbios-dgm,netbios-ssn 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
INPUT[2]="DROP_NOLOG udp netbios-ns 0.0.0.0/0=>0.0.0.0/0"
INPUT[3]="ACCEPT ALL 207.172.3.8/31=>0.0.0.0/0"
INPUT[4]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"

The OUTPUT rule I use is this:

OUTPUT[0]="ACCEPT tcp ftp,ftp-data,bootpc,bootps,ssh,telnet,netbios-ns,netbios-dgm,netbios-ssn 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[1]="ACCEPT tcp smtp,domain,nicname,finger,http,pgpkeyserver 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[2]="ACCEPT tcp auth,nntp,ntp,prospero,irc,https,webster,2703,2628,8080 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[3]="ACCEPT tcp echo 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[4]="ACCEPT udp 1:65535 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[5]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[6]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"

and the REPLY_AUTH rule is:

REPLY_AUTH="EXT tcp-reset tcp auth,domain 0.0.0.0/0=>0.0.0.0/0"

For INPUT, specify all ports that you have servers running on. For OUTPUT, be exhaustively selective about what you want to allow out. Someone could get in and try to phone home on some hidden port without you knowing about it. The REPLY_AUTH rule I'm using just sends the originator of those two ports a tcp-reset and keeps it out of my daily firewall report. In addition, packets can be applied to the DROP_NOLOG chain, which is what I do with the ubiquitous netbios packets.