Design

The idea behind FIAIF is that it is too hard to set up a complex, yet secure, firewall under Linux. Doing so requires deep insight into building a firewall and a complete understanding of the Linux firewalling modules, Netfilter and iptables.

The foremost requirement of FIAIF is that it should be secure and easy to configure. If FIAIF is too difficult to configure, errors are more likely to occur and an insecure firewall might result.

It is also a requirement that FIAIF is extensible and flexible. FIAIF should be able to handle both simple and complex network configurations in a generic manner.

Zones

To satisfy extensibility a new term, zones, is introduced. A zone defines a network to which the firewall is connected, and enables the administrator to set up different security policies for each zone.

The security policies for each zone have been chosen to primarily limit the traffic entering a zone, and not to restrict network traffic coming from machines within a zone. This has been chosen because it enables the administrator to add new zone definitions to an existing configuration without having to modify the configuration of other zones to either allow or deny network communication.

Figure 1 shows an example of a network split into three zones:

External zone
: This zone defines the whole Internet.
Internal zone
: This zone defines all machines on a LAN. The primary function of the firewall is to protect machines on the LAN from unauthorised access from the Internet.
Demilitarised zone
: A demilitarised zone defines a group of machines which run services exposed to the Internet. Examples of these services are: login server, web server, mail gateway etc. As users from the Internet can gain access to these servers, very strict security must be in place, under the assumption that these services are not 100 percent secure.

Figure 1: A network split into three zones

Stateful firewalling

As Linux supports stateful inspection of all packets entering and/or leaving the firewall, the configuration of a zone only concerns packets with the NEW state, as explained in section sec:netfilter. Related and established packets are automatically accepted. The reason for this design is that it allows bi-directional communication between two zones even if one of them does not permit connections entering from any zone: the reply traffic is accepted as long as the connection was initiated from a trusted zone. The goal is to keep zone configuration very simple. The dogma is: "If no communication must exist, do not allow it in the first place".
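The zone policy and stateful design described above, as an added example in POSIX shell (not FIAIF's own code): RELATED/ESTABLISHED traffic is accepted once, so every per-zone rule only has to describe NEW connections entering the destination zone. The zone names, interface mapping and allowed services are assumptions for the three-zone network of Figure 1; by default the script prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not part of FIAIF. Set IPT=iptables to apply the rules
# for real; the default only prints them so the policy can be reviewed.
IPT="${IPT:-echo iptables}"

# Assumed mapping from zone name to interface (hypothetical layout).
zone_iface() {
    case "$1" in
        ext) echo eth0 ;;   # External zone: the Internet
        int) echo eth1 ;;   # Internal zone: the LAN
        dmz) echo eth2 ;;   # Demilitarised zone: exposed servers
        *) echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Stateful base: default deny, then accept replies to established
# connections once, so zone rules never need to mention them.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# allow_new FROM TO PROTO PORT: permit NEW connections entering zone TO
# from zone FROM. Policies limit traffic *entering* a zone, so each rule
# is keyed on the destination zone and a new zone can be added without
# touching the rules of the others.
allow_new() {
    from=$1; to=$2; proto=$3; port=$4
    $IPT -A FORWARD -i "$(zone_iface "$from")" -o "$(zone_iface "$to")" \
        -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Three-zone policy: the Internet may only reach DMZ services, the LAN may
# reach the DMZ and the Internet, and no new connection from the Internet
# or the DMZ may enter the LAN (replies still flow back statefully).
three_zone_policy() {
    base_rules
    allow_new ext dmz tcp 80     # web server in the DMZ
    allow_new ext dmz tcp 25     # mail gateway in the DMZ
    allow_new int dmz tcp 80     # LAN users reach the DMZ web server
    allow_new int ext tcp 443    # LAN users browse the Internet
}

three_zone_policy
```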

Network address translation

Apart from controlling the connections that can be established from one zone to another, zones also control network address translation (NAT). NAT is used to alter the source and destination addresses of IP datagrams.

Anders Peter Fugmann 2004-02-26