bastion-firewall is a firewall based in
Netfilter e iptables, it runs under
any version of Linux with the kernel 2.4 or higher and it's characteristics
- Developed by bgSEC (http://www.bgsec.com)
and Jose María López Hernández (firstname.lastname@example.org)
and distributed under the GPL license.
- Programmed in bash (99 per cent of the code) and C. This makes the
firewall very flexible and easy to modify. About 26000 lines of bash
code and C that provides a very high funcionality, implementing almost
all the kernel protections, included the ones that modifies the /proc
filesystem and the ones from the Netfilter/iptables system.
- Based on the Netfilter and Iptables facilities supplied by almost
all the Linux distribution and the official kernel. The firewall doesn't
use any strange code or programmed facilities, so the orders it uses
are iptables commands like any user script does, but without having
to write a single line of code.
- The system doesn't use perl, python, ruby or commands that can be
used by a supposed hacker as working tools after a system compromise.
bastion-firewall can run in a very reduced distribution, in text mode
and with a minimum number of installed packages.
- The administration of the firewall is based on plain text files that
are treated as bash code, allowing the user to put bash code into the
configuration files to generate the values for the variables.
- Web based administration using bastion-firewall-interface (THIS FUNCIONALITY
IS NOT WORKING AT THIS TIME) that modifies the configuration files,
allowing the administrator to do a mixed configuration, editing some
things with the interface and then touching some other things if it's
necessary in the configuration files.
- Configuration files fully commented and with help for each variable
that can alter the firewall. The files explain by themselfs and includes
documentation about the firewall functioning. In theory just with this
documentations should be enough to configure the firewall and all it's
options, without reading a single line of documentation.
- Web based traffic statistical system that contains graphics of the
traffic in the firewall generated by rrdtool. This graphics are automatically
generated just including a command in the firewall configuration files
or an option in each of the services or group of services that we want
to obtain graphics from. Automatic generation of a web page that allows
us to watch the statistical graphics in an easy way.
- Traffic division system and grouping and ordering of the rules, services
and protocols to obtain the maximum speed in the Netfilter treatment
of the rules. The idea is Netfilter has the mimum number of rules to
check, and the rules that are generated for a service and has more than
one port are grouped in one single command.
- Configuration files ready to be modified with local code by the administrator
in strategical points in the firewall rules loading, this systems allows
us to modify the firewall withouth having to edit the code.
- Possibility of writing plugins in a very simple manner to add funcionality
to the firewall. The firewall detects the new plugins and the rules
are integrated with the ones from the firewall. This is a very easy
and powerful way of adding code to bastion-firewall.
- Uses external programs and addons in an standard way, without modifying
the code, allowing the addons to be updated or substituted by other
in a very easy way.
- It works in systems and distributions with a minimum of command, it
basically uses bash, the standard unix command of Linux and it includes
rrdtool and ulogd in the distribution, so you don't have to install
them in your system.
- Blacklist system to block in a permanent way IP addresses. Whitelist
system to allow the addresses we never want to block. It has commands
to administer both lists and this commands can be used in an IDS or
IPS to block supposed attackers without the danger of having a denegation
of service attack.
- Blacklist and Whitelist system for MAC addresses. It's similar to
the blacklist/whitelist system for IP addresses.
- Restricted MAC system that allows us to choose the machines that can
talk with the firewall and the ones that can't, in the local network
and in the external network (useful for DMZ).
- Possibility of using IP lists in any place where we normally have
an IP address in the config files. bastion-firewall will expand the
IP list and will generate the rules for each IP.
- Possibility of creating new services, groups of services and groups
of networks, it allows us to manage the firewall just by editing a minimum
number of variables.
- MD5 system to detect changes in the configuration. This allows the
firewall to choose between regenerating the rules or loading the ones
in the cache system if the configuration has not been modified since
the last firewall reset.
- Double philosophy of working with the firewall, the first one using
traffic flows to block or allow the traffic, and the second one using
lists where the rules can be specified.
- It allows to specify the traffic flow for each service in the inner
and outer interfaces and the IPs in the local network and the remote
network. It can write the connections in the logs, pass them to ulogd
and if we want the firewall can generate statistics for the service.
- The administrator can add new services or groups of services using
commands in an easy way, and then specify the rules for this services
or groups. It's not needed to touch the code to add new services to
the firewall, and even a command exists to add a list of services contained
in a file to the firewall, allowing us to add a big number of new services
to the configuration files.
- It allows us to use the pom (Patch-o-matic) facilities included with
- Protects the systems against attacks to the kernel, spoofing, denegation
of service attacks, log flooding attacks, port scannings, etc.
- Possibility of specify how we want to reject or accept the packets.
Uses REJECT or DROP as specified by the administrator.
- It creates a script each time the rules are regenerated that contains
ALL the commands the firewall has run, with the ones to activate the
kernel protections and the iptables commands the firewall has used to
generate the rules. This script can be executed and it has the same
effect over the system that loading the firewall. The script includes
commentaries for each order it executes and for the services it allows
or blocks. This script allows us to use bastion-firewall as a powerful
script generator, and this scripts are firewalls by themselfs, allowing
the administrator to generate ad-hoc firewall to specific systems just
altering some variables in the configuration files. This is one of the
more powerful and userful characteristics of bastion-firewall.
- Generation of logs with the firewall running and warnings with the
start and stop of the firewall and for the addons.
- Detection and block of new traffic without a SYN, fragments of traffic,
traffic marked as invalid by the conntrack system or spoofed traffic.
- It allows us to send for example the HTTP traffic we have decided
to accept to snort-inline so this program inspects it and decides if
the firewall should block it or accept it. This is a quite efficent
form of IPS and quite secure if we mantain the snort-inline rules to
the minimum. The advantage of using this method is that snort-inline
can treat the HTTP traffic completely before checking it with the rules
and sending back to the firewall the accept or deny order.
- It allows the system to use ulogd to send the logs to a database as
mysql or postgresql, or any other kind of logs that can be treated with
swatch or similar programs.
- Complete treatment of the ICMP traffic with a default configuration.
Possibility of using ICMP messages with conntrack to reject traffic
- It allows to generate rules with lists using all the facilities of
the firewall, as IP address groups or groups of services in the firewall.
This lists of rules has precedence over the rest of the rules in the
firewall and allows us to adjust the firewall if we have some networks
we want to treat in a different way than the others.
- Transparent proxy funcionality, NAT, SNAT, DNAT o REDIRECT using lists
and configuration files. For each of the services an internal server
in the local network can be indicated to provide services to the exterior
using DNAT, you just have to put the IP of the server in the service
and the firewall generates the rules.
- It works without modification in the 2.4 and 2.6 versions of the Linux
- When the firewall is loading and if it has to regenerate the rules
it checks that all the commands are available and the correctness of
all the IPs, groups and lists included in the configuration files. It
also checks if the rules have a correct syntax and it can generate error
giving help about where and how the error was produced, to help the
administrator to find the error in the variables.
- It allows us to use ranks and lists of IPs, expanding them to IP addresses,
because iptables doesn't work with ranks of IPs.
- bastion-firewall can work with any number of interfaces in the inner
and outer connections, bearing in mind the routes have to be correct
between this interfaces and the networks they connect to. This allows
us for example to have several connections with several ADSL/DSL routers
from a LAN and specify the rules for all the traffic that will go out
of the network or into the network. It can be used the command ip from
the iproute2 system to enable the routes between the LAN and the interfaces
connecting the LAN to the routers.