The SUSE Linux Firewall


A firewall is a set of programs that protects your PC when it's online. It does this by watching what data comes into your PC from the Internet and allowing in only what it is sure is secure (which usually is what you've asked for). It also attempts to close off various aspects of your Internet connection so that crackers don't have a way in should they target your system.

SUSE Linux includes a powerful firewall, which can protect everything from a complex server setup to a simple home PC. It really does provide industrial-level protection and, uniquely, steps in early in the boot process to ensure your PC is protected at all times.

Unlike desktop firewall software for Windows, the SUSE Linux firewall keeps itself out of the way and won't bother you once it's configured.

The benefit of running the firewall is that even if your system has security vulnerabilities because of buggy software, crackers will find it a lot harder to exploit them across the Internet. When someone attempts to probe your system, it will appear to be virtually invisible.

Caution 

You should never allow yourself to become complacent. Even firewalled systems have been known to be hacked!

You can activate the firewall via the YaST2 configuration tool. Follow these steps to configure your firewall:

  1. Select K menu → Control Center, and then click the YaST2 Modules icon on the left.

  2. Click the Security and Users icon, and then click Firewall. You'll see the first screen in the step-by-step wizard, as shown in Figure 9-6.

    Figure 9-6. Configuring the firewall is simply a matter of following a step-by-step wizard.

  3. Changes made here apply to the entire system, so you'll need to click the Administrator Mode button on the bottom-left side of the screen, and then enter your root password.

  4. Provided your Internet connection is already up and running (follow the steps in Chapter 8 if it isn't), the first step is to choose the network connection you want to protect. You can select the connection from the External Interface drop-down list. In the case of an Ethernet connection (a LAN or DSL/cable modem router connection), you should select Ethernet. In the case of a modem connection—whether it's dial-up or via a directly connected DSL modem—you should select the PPP entry. In any case, unless you've set up more than one network connection on your computer, there will most likely be only one choice in the list. You can leave the Internal Interface box set to (none). This is designed to be used when your computer is operating as a gateway or router for a network. Click Next to move to the next wizard step.

  5. The next screen lists services you can enable, as shown in Figure 9-7. Select any services you want to make available to other computers, such as other machines on the Internet. This is vital if your computer is acting as a server. In the case of a desktop computer, this screen can be largely ignored and the check boxes left blank. Click Next to continue.

    Figure 9-7. For a desktop PC, you can leave all of these services unchecked, although you might want to enable SSH later on.

    Tip 

    In Chapter 34, you'll learn about using Secure Shell (SSH) to connect to your computer remotely across the Internet. You will need to return to the second firewall configuration screen and select SSH here, because you'll need to allow SSH to work through the firewall.

  6. Next, you are offered the chance to activate various firewall features, as follows. Click Next after making your selections.

    • The Forward Traffic and Do Masquerading option allows your computer to act as a firewall gateway and thereby create a subnet for other computers. This is useful if your computer is acting as a firewall for other computers, but it is not something that most desktop SUSE Linux installations will need to use. You can leave the box unchecked.

    • You can select to protect your computer from the internal network, which means computers on the same subnet as your own. Unless you're offering services to computers on your local network (such as file or printer shares), it's a good idea to put a check in this box. This will add an extra layer of security to your system.

    • The Protect All Running Services option is a definite necessity, and should be checked. This effectively activates the firewall and ensures it protects your computer (although any services you selected to be accessible on the previous screen won't be affected by this option).

    • The Allow Traceroute option lets other computers use the traceroute command to discover the network route to your computer (which is to say that your computer will respond to the traceroute command). This is useful in diagnostic situations, especially on local area networks, but removing the check will add an extra degree of security by making it harder for outsiders to detect your computer's presence.

    • The Treat IPsec Traffic as Internal option is a system setting within SUSE Linux used to configure virtual private networks. The default setting of disabled is fine for most desktop PC configurations.

  7. The final step of the firewall configuration process lets you control the logging function of the firewall. This gives you the option of writing a detailed log of any unusual firewall events, such as dropped packets (data that is turned away), to a file. This can be useful, and the default option of logging critical accepted and dropped packets is fine. The log file is located at /var/log/firewall and can be read using a text editor.

    Caution 

    Don't be tempted to click the Log All options on the firewall logging configuration screen. Depending on the nature of your system, your log files could fill up with data very rapidly. This would make tracing problems very difficult. If the files were to become very large, this could even start to affect the performance of your system.
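
As an added example (not from the book), the following shell function summarizes the dropped-packet entries that step 7 sends to /var/log/firewall, so you can see who is being turned away and on which port. It assumes the kernel's netfilter LOG line format (KEY=value fields) with "DROP" in the rule prefix; the function names, the prefix text, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize dropped packets recorded by the firewall.
# Assumption: log lines use the netfilter LOG layout (SRC=, PROTO=, DPT= ...)
# and the rule prefix contains "DROP". The exact prefix differs by release.

# Constructed sample lines (documentation-range addresses, not real traffic).
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 10:00:02 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 10:00:03 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 10:01:10 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=110 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  1 10:02:00 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 10:03:30 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=110 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# summarize_drops: read log lines on stdin and print "count source proto port",
# most frequent first. Accepted packets are skipped; protocols without a
# destination port (such as ICMP) are shown with "-" in the port column.
summarize_drops() {
    awk '
    /DROP/ {
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "" && proto != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Run against the constructed sample. On a real system, as root:
#   summarize_drops < /var/log/firewall
sample_log | summarize_drops
```

A single source that appears many times against one port is the pattern to look for; a log set to Log All would bury it under accepted traffic.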

After you've enabled the SUSE Linux firewall, you can test it. A variety of online web sites, such as www.dslreports.com/scan, are able to probe your system and pretend to be crackers trying to gain entrance. These are perfectly safe to use. Once you've run this test, you should see that your computer is running in stealth mode and is invisible to the outside world.

Linux offers so much potential when it comes to providing firewall services that, in some instances, it's used for nothing else. This usually involves installing Linux on an old PC (perhaps one that's been abandoned because it's underpowered by modern standards), which is then used to protect a network by filtering all incoming and outgoing Internet data. There are a variety of specialized Linux distributions that offer solely firewall functions and, as your knowledge of Linux increases, you might like to investigate them. Examples include Smoothwall (www.smoothwall.org) and LEAF (http://leaf.sourceforge.net).

Paranoia and Security

There's a fine line between security and paranoia. SUSE Linux gives you the opportunity to ensure your system is secure, without needing to constantly reassess your system for threats and live in fear.

When considering your system security, it's necessary to remember that most burglars don't enter a house through the front door. Most take advantage of an open window or poor security elsewhere in the house. In other words, when configuring your system's security, you should always select every option and extra layer of security, even if it might not appear to be useful. You should lock every door and close every window, even if you don't think an attacker would ever use them.

Provided a security setting doesn't impact your ordinary use of the computer, you should select it. For example, deactivating the traceroute response of your computer might sound like a paranoid action, but it's useful on several levels. First, it means your computer is less easy to detect when it's online. Second, and equally important, it means that if there's ever a security flaw in the traceroute tool (or any software connected with it), you'll be automatically protected. The traceroute and ping tools have frequently been misused in past attacks on various systems.

This illustrates how you must think when configuring your system's security: try to imagine every situation that might arise. Remember that you can never take too many precautions!





Beginning SUSE Linux: From Novice to Professional
ISBN: 1590594584
EAN: 2147483647
Year: 2005
Pages: 293
Authors: Keir Thomas
