Managing the Fedora Core 4 Firewall


If your Fedora Core 4 PC will be connected to a network at any time, whether by Ethernet, modem, or some other technology, the first task in securing your Linux computer should be to shore up your network security at the packet level.

Specifically, you need to be able to tell Linux exactly what kinds of network traffic you expect and want to receive so that Linux can discard all the rest of the network traffic it receives. This configuration is done with the Security Level Configuration tool.

Redefining the Firewall

More experienced network users may be confused by our use of the term firewall here. Traditional firewalls are dedicated embedded computer systems that act as gateways to corporate or private networks. They continually work to filter out harmful network traffic for hundreds or even thousands of users on local subnetworks.

Recently, the term firewalling has also been applied by many software companies to the general practice of packet filtering (blocking unwanted network traffic), even when it occurs in software on a single user's PC or workstation. It is this second, more flexible sense of the word firewall that we are using in this chapter: software packet filtering that blocks unwanted network traffic as it enters your computer.

It is possible to use Fedora Core 4 to build a dedicated firewall/gateway system, but uses of this type are beyond the scope of a beginning book like this one; an advanced Linux text or networking guide can provide additional details.


Using the Security Level Configuration Tool

To start the Security Level Configuration tool on the Linux desktop, choose Desktop, System Settings, Security Level (the command behind this menu entry is system-config-securitylevel). If you are not logged in as the root user, you'll be prompted for the root password. After entering the password, the Security Level Configuration tool included with Fedora Core 4 appears, as shown in Figure 30.1.

Figure 30.1. Using the Security Level Configuration tool, you can configure the Fedora Core 4 firewalling properties.


The Security Level Configuration tool is easy to use:

  • Using the Security Level drop-down list, you can enable or disable the Linux firewall. Under most circumstances, your firewall should be enabled at all times.

  • If you plan to offer any of the services shown in the Trusted Services box, check the box next to the service you want to offer to allow it through your firewall.

  • If one of your network connections is known to be safe (for example, if it doesn't lead to the Internet and you receive no public traffic from it; if it's purely for a small, local network), check the Trusted box next to it to allow all traffic arriving on that interface through without filtering. Never check the Trusted box for a network interface that receives data from the Internet.

For the typical desktop user, the correct settings are to choose Enable Firewall from the Security Level drop-down list, to leave every box in the Trusted Services list unchecked, and to leave every box in the Trusted Devices list unchecked.

Opening Your Firewall to Other Kinds of Traffic

If you provide network services not listed in the Trusted Services area of the Security Level Configuration tool, you need to enable traffic for these services by entering their network port and protocol in the Other Ports entry box.

The port and protocol details for each network service are located in the /etc/services file, which you can view at the command line by using a pager such as less or more. A segment of the /etc/services file is shown in Listing 30.1.

Listing 30.1. A Segment of the /etc/services File
 pop2         109/tcp     pop-2  postoffice   # POP version 2
 pop2         109/udp     pop-2
 pop3         110/tcp     pop-3          # POP version 3
 pop3         110/udp     pop-3
 sunrpc       111/tcp     portmapper     # RPC 4.0 portmapper TCP
 sunrpc       111/udp     portmapper     # RPC 4.0 portmapper UDP
 auth         113/tcp     authentication tap ident
 auth         113/udp     authentication tap ident
 sftp         115/tcp
 sftp         115/udp
 uucp-path    117/tcp
 uucp-path    117/udp
 nntp         119/tcp     readnews untp  # USENET News Transfer Protocol
 nntp         119/udp     readnews untp  # USENET News Transfer Protocol

The first column in the /etc/services file lists the service name. The second column lists the port number and the protocol (tcp or udp) registered for it. Most services appear on two lines because /etc/services records the registration of the port number for both protocols, not because the service uses both. For example, the pop3 (Post Office Protocol version 3) service in Listing 30.1 is listed as 110/tcp and 110/udp, but a POP3 server listens only on 110/tcp; the udp line is a reserved entry with nothing behind it. Open only the port and protocol pairs your server actually listens on (as root, netstat -tuln lists the listening sockets); every extra pair you allow is an unnecessary hole in the firewall.

To enable a service in the Security Level Configuration tool, enter each port and protocol pair the service actually uses, separating individual pairs with commas, in the following format:

 port1:proto1,port2:proto2,... 

For example, to allow the Network News Transfer Protocol (nntp, 119/tcp) and Post Office Protocol 3 (pop3, 110/tcp) servers from Listing 30.1 through your firewall, you would enter the following text into the Other Ports entry box:

 119:tcp,110:tcp 

The 119/udp and 110/udp lines that /etc/services also shows are registrations only; entering 119:udp,110:udp as well would open two UDP ports that no program on your computer is listening on.
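As an added example (not code from the book), the following shell script does by hand what this section describes: it looks up a service's port:protocol pairs in an /etc/services-format file, validates an Other Ports string before you type it into the tool, and prints the iptables rule each pair becomes. The /etc/services excerpt is constructed for the example; the chain name RH-Firewall-1-INPUT and the rule shape are assumed to be those of the /etc/sysconfig/iptables file the Fedora Core 4 tool generates, and only the printed rule text depends on that assumption.

```shell
#!/bin/sh
# Added example, not from the book: service lookup, Other Ports validation,
# and the iptables rule each pair turns into. The /etc/services excerpt is
# CONSTRUCTED (same format as the real file) so this runs anywhere; pass
# /etc/services itself on a real Fedora Core 4 box.
export LC_ALL=C

SERVICES_SAMPLE='# constructed excerpt in /etc/services format
pop3         110/tcp     pop-3          # POP version 3
pop3         110/udp     pop-3
sunrpc       111/tcp     portmapper     # RPC 4.0 portmapper TCP
nntp         119/tcp     readnews untp  # USENET News Transfer Protocol
nntp         119/udp     readnews untp
'
SERVICES_FILE=$(mktemp)
printf '%s' "$SERVICES_SAMPLE" > "$SERVICES_FILE"
trap 'rm -f "$SERVICES_FILE"' EXIT

# service_pairs NAME [FILE]: every "port:proto" registered for NAME, joined
# with commas, i.e. already in the Other Ports syntax. Remember that a udp
# line here is only a registration; open it only if something listens on it.
service_pairs() {
    awk -v n="$1" '$1 == n {
        split($2, p, "/")
        printf "%s%s:%s", (seen++ ? "," : ""), p[1], p[2]
    } END { print "" }' "${2:-/etc/services}"
}

# validate_other_ports STRING: return 0 if every comma-separated item is
# port:tcp or port:udp with 1 <= port <= 65535; otherwise name the offender
# on stderr and return 1. Check the string before pasting it into the tool.
validate_other_ports() {
    old_ifs=$IFS; IFS=','; set -f; set -- $1; set +f; IFS=$old_ifs
    for item in "$@"; do
        port=${item%%:*}; proto=${item#*:}
        case $port in ''|*[!0-9]*) echo "bad port in '$item'" >&2; return 1;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$item'" >&2; return 1
        fi
        case $proto in tcp|udp) ;;
            *) echo "protocol must be tcp or udp in '$item'" >&2; return 1;; esac
    done
}

# other_ports_to_rules STRING: one iptables rule per pair, in the shape the
# Security Level tool writes to /etc/sysconfig/iptables (chain name
# RH-Firewall-1-INPUT is an assumption about that generated file).
other_ports_to_rules() {
    validate_other_ports "$1" || return 1
    printf '%s\n' "$1" | tr ',' '\n' | while IFS=: read -r port proto; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    done
}

echo "pop3 in /etc/services: $(service_pairs pop3 "$SERVICES_FILE")"
echo "rules for the tightened entry 119:tcp,110:tcp:"
other_ports_to_rules "119:tcp,110:tcp"
```

service_pairs returns both lines /etc/services carries for a name (110:tcp,110:udp for pop3); the tightened string passed to other_ports_to_rules keeps only the tcp pairs, which is what the servers listen on.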

After you configure the properties of your Fedora Core 4 firewall to suit your needs, click OK to save your changes, activate the new firewall settings, and close the Security Level Configuration tool. The tool saves the rules to /etc/sysconfig/iptables, which the iptables service loads at every boot. To confirm what is actually in effect, run /sbin/iptables -L -n as root to list the active rules and netstat -tuln to list the sockets behind them; the two should agree, with no port opened that nothing listens on.
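An added example, not part of the book: once the rules are saved, cross-check the ports the firewall opens against what is actually listening, and list any interface marked Trusted, since a Trusted device bypasses the filter entirely. The two samples are constructed to look like iptables-save and netstat -tuln output on a Fedora Core 4 box (the RH-Firewall-1-INPUT chain name is an assumption about the generated file; the parsing keys on -j ACCEPT, -i and --dport, not on the chain name).

```shell
#!/bin/sh
# Added example, not from the book. Cross-checks the ports the saved firewall
# opens against the sockets actually listening, and lists interfaces marked
# Trusted (all traffic on them is accepted unfiltered). Both samples are
# CONSTRUCTED to mimic `iptables-save` and `netstat -tuln` output on Fedora
# Core 4; on a live box (as root) feed the real commands' output instead.
export LC_ALL=C

IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 119 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

IPT_FILE=$(mktemp); printf '%s\n' "$IPTABLES_SAMPLE" > "$IPT_FILE"
NS_FILE=$(mktemp);  printf '%s\n' "$NETSTAT_SAMPLE"  > "$NS_FILE"
trap 'rm -f "$IPT_FILE" "$NS_FILE"' EXIT

# firewall_open_ports FILE: "port/proto" for every ACCEPT rule with --dport
firewall_open_ports() {
    awk '/-j ACCEPT/ && /--dport/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print port "/" proto
    }' "$1" | sort -u
}

# trusted_interfaces FILE: interfaces whose traffic is accepted wholesale
# (the Trusted Devices boxes); lo is always there and is expected
trusted_interfaces() {
    awk '/-j ACCEPT/ { for (i = 1; i <= NF; i++)
        if ($i == "-i" && $(i + 1) != "lo") print $(i + 1) }' "$1"
}

# listening_ports FILE: "port/proto" per listening socket that is bound to a
# non-loopback address (loopback is covered by the tool's "-i lo" rule)
listening_ports() {
    awk '$1 ~ /^(tcp|udp)/ && $4 !~ /^127\./ {
        n = split($4, a, ":")
        print a[n] "/" substr($1, 1, 3)
    }' "$1" | sort -u
}

# audit_ports IPTABLES_FILE NETSTAT_FILE: two kinds of findings
#   OPEN-NO-LISTENER port/proto  a hole in the firewall with nothing behind it
#   BLOCKED-LISTENER port/proto  a daemon is up but the firewall rejects it
audit_ports() {
    o=$(mktemp); l=$(mktemp)
    firewall_open_ports "$1" > "$o"
    listening_ports "$2" > "$l"
    comm -23 "$o" "$l" | sed 's/^/OPEN-NO-LISTENER /'
    comm -13 "$o" "$l" | sed 's/^/BLOCKED-LISTENER /'
    rm -f "$o" "$l"
}

echo "Trusted interfaces (unfiltered): $(trusted_interfaces "$IPT_FILE")"
audit_ports "$IPT_FILE" "$NS_FILE"
```

On the constructed input the audit reports 110/udp and 119/tcp as open with no listener (the udp registration from /etc/services and an NNTP port with no server running) and 111/udp (the portmapper) as listening but blocked, which is the firewall doing its job; eth1 is flagged as a Trusted interface.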

Enabling and Disabling SELinux

You might recall that in Chapter 2, "Installing Fedora Core 4," you were instructed to disable SELinux by default for your Fedora Core 4 computer system.

If your computer is connected directly to the Internet (rather than through a company network or behind a dedicated router for your local network), or if you expect large numbers of untrusted users to have accounts on it, you should consider enabling SELinux. SELinux adds mandatory access control on top of the firewall: the firewall decides which packets reach a service, while SELinux limits what that service (and anyone who compromises it) can then do on the system. It complements packet filtering; it does not replace it.

You can choose to turn SELinux on and off by choosing the SELinux tab in the Security Level Configuration tool, as shown in Figure 30.2.

Figure 30.2. The SELinux tab of the Security Level Configuration tool is used to enable or disable SELinux.


To enable SELinux, check the Enabled box, click OK, and then reboot your Fedora Core 4 system. Files created while SELinux was disabled carry no security labels, so the first boot after enabling it relabels the entire filesystem; this can take several minutes and is expected.
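As an added example (not from the book), the shell functions below do from the command line what the SELinux tab does: read and change the SELINUX= line in /etc/selinux/config, refuse a value other than enforcing, permissive or disabled, and, when SELinux is being turned on from disabled, schedule the filesystem relabel by creating /.autorelabel. The config file content is constructed in the layout that file has on Fedora; the script works on a temporary copy and a temporary relabel marker so it runs anywhere, and the paths are only assumptions until you point it at the real files as root.

```shell
#!/bin/sh
# Added example, not from the book: the file behind the SELinux tab.
# The config content is CONSTRUCTED in the layout of /etc/selinux/config;
# the script edits a temporary copy and a stand-in for /.autorelabel.
export LC_ALL=C

CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
'
CONFIG_FILE=$(mktemp); printf '%s' "$CONFIG_SAMPLE" > "$CONFIG_FILE"
RELABEL_FLAG=$(mktemp); rm -f "$RELABEL_FLAG"   # stands in for /.autorelabel
trap 'rm -f "$CONFIG_FILE" "$CONFIG_FILE.tmp" "$RELABEL_FLAG"' EXIT

# selinux_mode FILE: the configured mode (what takes effect at next boot);
# comment lines that mention the values are ignored
selinux_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_mode FILE MODE [FLAG]: rewrite SELINUX=, refusing unknown
# modes. When leaving "disabled", create FLAG so the next boot relabels every
# file: files written while SELinux was off have no labels, and an enforcing
# policy would deny access to them.
set_selinux_mode() {
    file=$1 mode=$2 flag=${3:-/.autorelabel}
    case $mode in enforcing|permissive|disabled) ;;
        *) echo "unknown mode '$mode' (use enforcing, permissive or disabled)" >&2; return 1;; esac
    old=$(selinux_mode "$file")
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
        : > "$flag"
        echo "relabel scheduled via $flag; reboot for SELINUX=$mode to take effect"
    fi
}

echo "configured mode: $(selinux_mode "$CONFIG_FILE")"
set_selinux_mode "$CONFIG_FILE" enforcing "$RELABEL_FLAG"
echo "configured mode now: $(selinux_mode "$CONFIG_FILE")"
```

On a real system, getenforce reports the running mode and the config file the mode for the next boot; the two differ until you reboot, which is why the tool asks for one.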

Because SELinux is only really needed under particular circumstances (such as those just described), and because it adds significant user-unfriendliness and complexity to Linux, we won't discuss it further in this book. You can learn more about SELinux and its use by visiting the SELinux home page at http://www.nsa.gov/selinux/.



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One