Chapter 22: Basic Firewall Configuration

Previous page
Table of content
Next page


Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

The Security Level Configuration Tool

During the Firewall Configuration sequence of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level as well as allow specific devices, incoming services, and ports. After installation, you can change the security level of your system by using the Security Level Configuration Tool. If you prefer a wizard-based application, refer to the “GNOME Lokkit” section of this chapter. To start the application, select Main Menu Button (on the Panel) > System Settings > Security Level or type redhat-config-securitylevel at a shell prompt (for example, in an XTerm window or a GNOME terminal window).

High

If you choose High, your system will not accept connections (other than the default settings) that are not explicitly defined by you. By default, only the following connections are allowed:

  • DNS replies

  • DHCP, so any network interfaces that use DHCP can be properly configured

If you choose High, your firewall will not allow the following:

  • Active mode FTP (passive mode FTP, used by default in most clients, should still work)

  • IRC DCC file transfers

  • RealAudio

  • Remote X Window System clients

If you are connecting your system to the Internet but do not plan to run a server, this is the safest choice. If additional services are needed, you can choose Customize to allow specific services through the firewall.

click to expand
Figure 22-1: The Security Level Configuration Tool

Select the desired security level from the pull-down menu.

Note

If you select a medium or high firewall, network authentication methods (NIS and LDAP) will not work.

Medium

If you choose Medium, your firewall will not allow remote machines to have access to certain resources on your system. By default, access to the following resources are not allowed:

  • Ports lower than 1023 — the standard reserved ports, used by most system services, such as FTP, SSH, telnet, HTTP, and NIS.

  • The NFS server port (2049) — NFS is disabled for both remote servers and local clients.

  • The local X Window System display for remote X clients.

  • The X Font server port (by default, xfs does not listen on the network; it is disabled in the font server).

If you want to allow resources such as RealAudio while still blocking access to normal system services, choose Medium. Select Customize to allow specific services through the firewall.

Note

If you select a medium or high firewall, network authentication methods (NIS and LDAP) will not work.

No Firewall

No firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should be selected only if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later. Choose Customize to add trusted devices or to allow additional incoming services.

Trusted Devices

Selecting any of the Trusted Devices allows access to your system for all traffic from that device; it is excluded from the firewall rules. For example, if you are running a local network but are connected to the Internet via a PPP dialup, you can check eth0, and any traffic coming from your local network will be allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. If you want to restrict traffic on an interface, leave this option unchecked.

Warning

It is not recommended that you make any device that is connected to public networks, such as the Internet, a Trusted Device.

Allow Incoming

Enabling these options allows the specified services to pass through the firewall. Note that during a workstation installation, the majority of these services are not installed on the system.

DHCP

If you allow incoming DHCP queries and replies, you allow any network interface that uses DHCP to determine its IP address. DHCP is normally enabled. If DHCP is not enabled, your computer can no longer get an IP address.

SSH

SSH (Secure SHell) is a suite of tools for logging in to and executing commands on a remote machine. If you plan to use SSH tools to access your machine through a firewall, enable this option. You need to have the openssh-server package installed in order to access your machine remotely, using SSH tools.

Telnet

Telnet is a protocol for logging in to remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. If you do want to allow inbound Telnet access, you need to install the telnet-server package.

WWW (HTTP)

The HTTP protocol is used by Apache (and by other Web servers) to serve Web pages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing Web pages. You will need to install the apache package if you want to serve Web pages. Enabling WWW (HTTP) will not open a port for HTTPS. To enable HTTPS, specify it in the Other ports field.

Mail (SMTP)

If you want to allow incoming mail delivery through your firewall so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP’s server using POP3 or IMAP, or if you use a tool such as Fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.

FTP

The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. You need to install the wu-ftpd package (and possibly the anonftp package) for this option to be useful.

Other ports

You can allow access to ports that are not listed here by listing them in the Other ports field. Use the following format: port:protocol. For example, if you want to allow IMAP access through your firewall, specify imap:tcp. You can also explicitly specify numeric ports; to allow UDP packets on port 1234 through the firewall, enter 1234:udp. To specify multiple ports, separate them with commas. You must have the iptables service enabled and running to activate the security level. Refer to the section “Activating the iptables Service” later in this chapter for details.


Previous page
Table of content
Next page
Official Red Hat Linux Administrator's Guide
Official Red Hat Linux Administrators Guide
ISBN: 0764516957
EAN: 2147483647
Year: 2002
Pages: 278
Authors: Red Hat Inc
BUY ON AMAZON
Professional Java Native Interfaces with SWT/JFace (Programmer to Programmer)
Managing Enterprise Systems with the Windows Script Host
C & Data Structures (Charles River Media Computer Engineering)
Service-Oriented Architecture (SOA): Concepts, Technology, and Design
Web Systems Design and Online Consumer Behavior
HTI+ Home Technology Integrator & CEDIA Installer I All-In-One Exam Guide
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy