Basic Firewall Configuration
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Basic Firewall Configuration as PDF for free.
More details
- Words: 1,193
- Pages: 7
Red Hat Enterprise Linux 4: System Administration Guide Prev
Next
Chapter 11. Basic Firewall Configuration Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
11.1. Security Level Configuration Tool During the Firewall Configuration screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports. After installation, you can change this preference by using the Security Level Configuration Tool. To start the application, select Main Menu Button (on the Panel) => System Settings => Security Level or type the command systemconfig-securitylevel from a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 111. Security Level Configuration Tool Note
The Security Level Configuration Tool only configures a basic firewall. If the system needs more complex rules, refer to the Red Hat
Enterprise Linux Reference Guide for details on configuring specific iptables rules.
11.1.1. Enabling and Disabling the Firewall Select one of the following options: •
Disable firewall — Disabling the firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should only be selected if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later.
Warning
If you have a firewall configured or any customized firewall rules in the /etc/sysconfig/iptables file, the file is deleted by selecting Disable firewall and clicking OK to save the changes.
•
Enable firewall — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall. If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
11.1.2. Trusted Services Enabling options in the Trusted services list allows the specified service to pass through the firewall. WWW (HTTP) The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must have the httpd package installed to serve webpages. Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP. FTP The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. The vsftpd package must be installed for this option to be useful.
SSH Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, enable this option. The openssh-server package must be installed to access your machine remotely using SSH tools. Telnet Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow inbound Telnet access, you must have the telnet-server package installed. Mail (SMTP) To allow incoming mail delivery through your firewall so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
11.1.3. Trusted Devices Selecting any of the Trusted devices allows access to your system for all traffic from that device; it becomes excluded from the firewall rules. For example, if you are running a local network, but are connected to the Internet via a PPP dialup, you can check eth0 and any traffic coming from your local network is allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. To restrict traffic on an interface, leave it unchecked. You may have noticed a sit0 device in the Trusted devices section. This device stands for simple internet transition, which encapsulates IPv6 traffic into IPv4 traffic, and then is tunneled. For basic firewall rules, this device can be ignored and left as an untrusted device.
Important
It is not recommended that you make any device that is connected to public networks, such as the Internet, a Trusted device.
11.1.4. Other Ports The Security Level Configuration Tool includes the Other ports section for adding custom IP ports to become trusted by iptables. For example, to allow NFS, IRC, and Internet printing protocol (IPP) to be allowed to pass through the firewall, the following would be inserted in the Other ports section: 2049:tcp,194:tcp,631:tcp
11.1.5. Saving the Settings Click OK to save the changes and enable or disable the firewall. If Enable firewall was selected, the options selected are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately. The options selected are also written to the /etc/sysconfig/systemconfig-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand. Even though the firewall is activated immediately, the iptables service is not configured to start automatically at boot time refer to Section 11.2 Activating the iptables Service for details. Prev Saving and Restoring the Network
Home Up
Next Activating the iptables Service
Configuration Red Hat Enterprise Linux 4: System Administration Guide
Prev
Chapter 11. Basic Firewall Configuration
Next
11.2. Activating the iptables Service The firewall rules are only active if the iptables service is running. To manually start the service, use the command: /sbin/service iptables restart To ensure that it is started when the system is booted, issue the command: /sbin/chkconfig level 345 iptables on The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains service should not be activated along with the iptables service. To make sure the ipchains service is disabled and configured not to start at boot time, execute the following two commands: /sbin/service ipchains stop /sbin/chkconfig level 345 ipchains off The Services Configuration Tool can be used to enable or disable the iptables and ipchains services. Prev Basic Firewall Configuration
Home Up
Next Controlling Access to Services
Next
Chapter 11. Basic Firewall Configuration Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
11.1. Security Level Configuration Tool During the Firewall Configuration screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports. After installation, you can change this preference by using the Security Level Configuration Tool. To start the application, select Main Menu Button (on the Panel) => System Settings => Security Level or type the command systemconfig-securitylevel from a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 111. Security Level Configuration Tool Note
The Security Level Configuration Tool only configures a basic firewall. If the system needs more complex rules, refer to the Red Hat
Enterprise Linux Reference Guide for details on configuring specific iptables rules.
11.1.1. Enabling and Disabling the Firewall Select one of the following options: •
Disable firewall — Disabling the firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should only be selected if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later.
Warning
If you have a firewall configured or any customized firewall rules in the /etc/sysconfig/iptables file, the file is deleted by selecting Disable firewall and clicking OK to save the changes.
•
Enable firewall — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall. If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
11.1.2. Trusted Services Enabling options in the Trusted services list allows the specified service to pass through the firewall. WWW (HTTP) The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must have the httpd package installed to serve webpages. Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP. FTP The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. The vsftpd package must be installed for this option to be useful.
SSH Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, enable this option. The openssh-server package must be installed to access your machine remotely using SSH tools. Telnet Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow inbound Telnet access, you must have the telnet-server package installed. Mail (SMTP) To allow incoming mail delivery through your firewall so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
11.1.3. Trusted Devices Selecting any of the Trusted devices allows access to your system for all traffic from that device; it becomes excluded from the firewall rules. For example, if you are running a local network, but are connected to the Internet via a PPP dialup, you can check eth0 and any traffic coming from your local network is allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. To restrict traffic on an interface, leave it unchecked. You may have noticed a sit0 device in the Trusted devices section. This device stands for simple internet transition, which encapsulates IPv6 traffic into IPv4 traffic, and then is tunneled. For basic firewall rules, this device can be ignored and left as an untrusted device.
Important
It is not recommended that you make any device that is connected to public networks, such as the Internet, a Trusted device.
11.1.4. Other Ports The Security Level Configuration Tool includes the Other ports section for adding custom IP ports to become trusted by iptables. For example, to allow NFS, IRC, and Internet printing protocol (IPP) to be allowed to pass through the firewall, the following would be inserted in the Other ports section: 2049:tcp,194:tcp,631:tcp
11.1.5. Saving the Settings Click OK to save the changes and enable or disable the firewall. If Enable firewall was selected, the options selected are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately. The options selected are also written to the /etc/sysconfig/systemconfig-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand. Even though the firewall is activated immediately, the iptables service is not configured to start automatically at boot time refer to Section 11.2 Activating the iptables Service for details. Prev Saving and Restoring the Network
Home Up
Next Activating the iptables Service
Configuration Red Hat Enterprise Linux 4: System Administration Guide
Prev
Chapter 11. Basic Firewall Configuration
Next
11.2. Activating the iptables Service The firewall rules are only active if the iptables service is running. To manually start the service, use the command: /sbin/service iptables restart To ensure that it is started when the system is booted, issue the command: /sbin/chkconfig level 345 iptables on The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains service should not be activated along with the iptables service. To make sure the ipchains service is disabled and configured not to start at boot time, execute the following two commands: /sbin/service ipchains stop /sbin/chkconfig level 345 ipchains off The Services Configuration Tool can be used to enable or disable the iptables and ipchains services. Prev Basic Firewall Configuration
Home Up
Next Controlling Access to Services
Related Documents
Basic Firewall Configuration
November 2019 15
Basic Configuration
April 2020 9
Gotoassist Optimal Firewall Configuration
November 2019 20
Ms-exchange Firewall Configuration
November 2019 10
Basic Router Configuration
November 2019 19