Basic Firewall Configuration
Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer.
In a default Community Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Community Enterprise Linux system with an Internet connection.
During the Firewall Configuration screen of the Community Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports.
After installation, you can change this preference by using the Security Level Configuration Tool.
To start this application, use the following command:
Security Level Configuration The Security Level Configuration Tool only configures a basic firewall. If the system needs more complex rules, refer to "IPTables" for details on configuring specific Select one of the following options for the firewall:
Firewall configurations and any customized firewall rules are stored in the If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice. Enabling options in the Trusted services list allows the specified service to pass through the firewall.
The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. If you plan on making your Web server publicly available, select this check box. This option is not required for viewing pages locally or for developing web pages. This service requires that the Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP. If this service is required, select the Secure WWW (HTTPS) check box.
The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, select this check box. This service requires that the Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, select this check box. This service requires that the Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow remote access to the machine via telnet, select this check box. This service requires that the SMTP is a protocol that allows remote hosts to connect directly to your machine to deliver mail. You do not need to enable this service if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems. Version 4 of this protocol is more secure than its predecessors. If you want to share files or directories on your system with other network users, select this check box.
Samba is an implementation of Microsoft's proprietary SMB networking protocol. If you need to share files, directories, or locally-connected printers with Microsoft Windows machines, select this check box. The Security Level Configuration Tool includes an Other ports section for specifying custom IP ports as being trusted by Click OK to save the changes and enable or disable the firewall. If Enable firewall was selected, the options selected are translated to The selected options are also written to the Even though the firewall is activated immediately, the The firewall rules are only active if the To ensure that The Security Level Configuration Tool
system-config-securitylevel
Figure 46.15. Security Level Configuration Tool
iptables rules.Enabling and Disabling the Firewall
/etc/sysconfig/iptables file. If you choose Disabled and click OK, these configurations and firewall rules will be lost.
Trusted Services
httpd package be installed.
vsftpd package be installed.
openssh-server package be installed.
telnet-server package be installed.
fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
Other Ports
iptables. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:
194:tcp,631:tcpSaving the Settings
iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately.
/etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
iptables service is not configured to start automatically at boot time. Refer to "Activating the IPTables Service" for more information.Activating the IPTables Service
iptables service is running. To manually start the service, use the following command:
service iptables restartiptables starts when the system is booted, use the following command:
chkconfig --level 345 iptables onipchains service is not included in Community Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
service ipchains stop
chkconfig --level 345 ipchains off