If your Fedora Core 4 PC will be connected to a network at any time, whether by Ethernet, modem, or some other technology, the first task in securing your Linux computer should be to shore up your network security at the packet level. Specifically, you need to be able to tell Linux exactly what kinds of network traffic you expect and want to receive so that Linux can discard all the rest of the network traffic it receives. This configuration is done with the Security Level Configuration tool.
Using the Security Level Configuration Tool

To start the Security Level Configuration tool on the Linux desktop, choose Desktop, System Settings, Security Level. If you are not logged in as the root user, you'll be prompted for a password. After you enter it, the Security Level Configuration tool included with Fedora Core 4 appears, as shown in Figure 30.1.

Figure 30.1. Using the Security Level Configuration tool, you can configure the Fedora Core 4 firewalling properties.

The Security Level Configuration tool is easy to use:
For the typical desktop user, the correct settings are to choose Enable Firewall from the Security level drop-down list, to check No Trusted Services, and to check No Trusted Devices.

Opening Your Firewall to Other Kinds of Traffic

If you provide network services not listed in the Allow Incoming area of the Security Level Configuration tool, you need to enable traffic for these services by entering the details for their network port and protocol types in the Other Ports entry box. The port and protocol details for each network service are located in the /etc/services file, which you can view at the command line by using a pager such as less or more. A segment of the /etc/services file is shown in Listing 30.1.

Listing 30.1. A Segment of the /etc/services File

    pop2        109/tcp    pop-2 postoffice    # POP version 2
    pop2        109/udp    pop-2
    pop3        110/tcp    pop-3               # POP version 3
    pop3        110/udp    pop-3
    sunrpc      111/tcp    portmapper          # RPC 4.0 portmapper TCP
    sunrpc      111/udp    portmapper          # RPC 4.0 portmapper UDP
    auth        113/tcp    authentication tap ident
    auth        113/udp    authentication tap ident
    sftp        115/tcp
    sftp        115/udp
    uucp-path   117/tcp
    uucp-path   117/udp
    nntp        119/tcp    readnews untp       # USENET News Transfer Protocol
    nntp        119/udp    readnews untp       # USENET News Transfer Protocol

The first column in the /etc/services file lists the service name. Some services are listed on more than one line; these services require more than one port or protocol. The second column in the /etc/services file lists the ports and protocols required by each service. For example, the pop3 (Post Office Protocol version 3) network service shown in Listing 30.1 requires the availability of network port 110 using both the tcp and udp protocols. To enable a service in the Security Level Configuration tool, you must enter each of the required port and protocol pairs mentioned in the /etc/services file for the service, separating individual pairs with commas, in the following format:

    port1:proto1,port2:proto2,...
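As an added illustration (this script is not part of the book), the following Python code does the lookup mechanically: it parses text in /etc/services format, resolves a service name or any of its aliases to every port/protocol pair listed for it, and emits the string in the format just described. The sample data is constructed from Listing 30.1; on a real system you would feed it the contents of /etc/services.

```python
from collections import defaultdict

# Constructed sample in /etc/services format (name  port/proto  aliases  # comment),
# taken from the segment in Listing 30.1; on a real system read /etc/services.
SAMPLE_SERVICES = """\
pop2    109/tcp   pop-2 postoffice   # POP version 2
pop2    109/udp   pop-2
pop3    110/tcp   pop-3              # POP version 3
pop3    110/udp   pop-3
sunrpc  111/tcp   portmapper         # RPC 4.0 portmapper TCP
sunrpc  111/udp   portmapper         # RPC 4.0 portmapper UDP
nntp    119/tcp   readnews untp      # USENET News Transfer Protocol
nntp    119/udp   readnews untp      # USENET News Transfer Protocol
"""

def parse_services(text):
    """Map each service name and alias to its (port, proto) pairs in file order.
    Comments and blank lines are skipped, exactly as the real file allows them."""
    table = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                       # blank, comment-only, or malformed
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        pair = (int(port), proto)
        for name in fields[:1] + fields[2:]:   # canonical name plus aliases
            if pair not in table[name]:
                table[name].append(pair)
    return dict(table)

def other_ports(service_names, services_text=SAMPLE_SERVICES):
    """Return the comma-separated port:proto string the Other Ports box expects.
    An unknown service raises KeyError so a typo cannot silently open nothing
    (or the wrong thing)."""
    table = parse_services(services_text)
    pairs = []
    for name in service_names:
        if name not in table:
            raise KeyError("service %r is not in the services data" % name)
        for pair in table[name]:
            if pair not in pairs:          # aliases of the same entry share pairs
                pairs.append(pair)
    return ",".join("%d:%s" % pair for pair in pairs)

if __name__ == "__main__":
    # Reproduces the book's entry for nntp and pop3.
    print(other_ports(["nntp", "pop3"]))  # 119:tcp,119:udp,110:tcp,110:udp
```

Because the tool opens exactly what you type, generating the string from the file (and failing loudly on an unknown name) keeps the firewall opening no wider than the service actually needs.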
For example, to enable the Network News Transfer Protocol (nntp) and Post Office Protocol 3 (pop3) services as mentioned in Listing 30.1, you would enter the following text into the Other Ports entry box:

    119:tcp,119:udp,110:tcp,110:udp

After you configure the properties of your Fedora Core 4 firewall to suit your needs, click OK to save your changes, activate the new firewall settings, and close the Security Level Configuration tool.

Enabling and Disabling SELinux

You might recall that in Chapter 2, "Installing Fedora Core 4," you were instructed to disable SELinux by default for your Fedora Core 4 computer system. If you will be using your computer while directly connected to the Internet (rather than through a company network or using a dedicated router for your local network), or if you expect large numbers of untrusted users to have access to your computer system, you should consider enabling SELinux, which provides a very high level of security. You can turn SELinux on or off from the SELinux tab in the Security Level Configuration tool, as shown in Figure 30.2.

Figure 30.2. The SELinux tab of the Security Level Configuration tool is used to enable or disable SELinux.

To enable SELinux, check the Enabled box, click OK, and then reboot your Fedora Core 4 system. Because SELinux is only really needed under particular circumstances (such as those just described), and because it adds significant user-unfriendliness and complexity to Linux, we won't discuss it further in this book. You can learn more about SELinux and its use by visiting the SELinux home page at http://www.nsa.gov/selinux/.