Linux firewall configuration - basic articles

  
RedHat Linux provides firewall protection for increased system security. A firewall exists between your computer and the network to determine which resources on your computer are accessible to remote users on your network. A properly configured firewall can greatly increase your system security.


Select the appropriate security level for your system.
"Advanced"
If you choose "Advanced", your system will not accept connections that you have not explicitly specified (other than the default settings). Only the following connections are allowed by default:
1. DNS responses
2. DHCP — so that any network interface using DHCP can be configured correctly.
If you choose "Advanced", your firewall will not allow the following connections:
1. Active-mode FTP (passive-mode FTP, which most clients use by default, should work properly.)
2. IRC DCC file transfer
3. RealAudio
4. Remote X Window System clients
This is the safest option if you want to connect your system to the Internet but don't plan to run a server. If additional services are required, you can choose "Custom" to specify the services that are allowed to pass through the firewall.
Note: If you choose to set up an intermediate or advanced firewall during installation, network authentication methods (NIS and LDAP) will not work.
"Intermediate"
If you choose "Intermediate", your firewall will not allow your system to access certain resources. Access to the following resources is not allowed by default:
1. Ports below 1023 — the standard reserved ports used by most system services, such as FTP, SSH, telnet, HTTP, and NIS.
2. The NFS server port (2049) — NFS is disabled for both remote servers and local clients.
3. The local X Window System display, for remote X clients.
4. The X font server port (xfs does not listen on the network; it is disabled in the font server by default).
If you want to allow access to resources such as RealAudio, but still want to block access to normal system services, select "Intermediate". You can choose Custom to allow specific services to pass through the firewall.
Note: If you choose to set up an intermediate or advanced firewall during installation, network authentication methods (NIS and LDAP) will not work.
"No Firewall"
No firewall gives full access to your system and does no security checking, that is, it does not block access to any service. It is recommended that you only select this option when running on a trusted network (not the Internet), or if you want to perform detailed firewall configuration later.
Select "Custom" to add trusted devices or to allow additional incoming services.
"Trusted Devices"
Selecting a "trusted device" will allow your system to accept all traffic from that device; it is not subject to the firewall rules. For example, if you are running a LAN but are connected to the Internet via a PPP dial-up, you can select "eth0" and all traffic from your LAN will be allowed. Selecting "eth0" as "trusted" means that all traffic on that Ethernet network is allowed, while the ppp0 interface remains subject to the firewall restrictions. If you want to restrict traffic on an interface, do not select it.
It is recommended that you do not designate devices connected to the public network such as the Internet as "trusted devices".
"Allow Access"
Enabling these options will allow the specified services to pass through the firewall. Note: Most of these services are not installed on the system during a workstation-type installation.
"DHCP"
If you allow incoming DHCP queries and responses, any network interface that uses DHCP will be able to determine its IP address. DHCP is usually enabled. If DHCP is not enabled, your computer will not be able to obtain an IP address.
"SSH"
Secure Shell (SSH) is a set of tools for logging in to and executing commands on a remote machine. Enable this option if you plan to use SSH tools to access your machine through the firewall. You need to install the openssh-server package to use SSH tools to access your machine remotely.
"Telnet"
Telnet is a protocol for logging in to a remote machine. Telnet communication is not encrypted and provides almost no protection against network eavesdropping. It is recommended that you do not allow Telnet access. If you want to allow incoming Telnet access, you will need to install the telnet-server package.
"WWW (HTTP)"
The HTTP protocol is used by Apache (and other web servers) for web services. If you plan to open your web server to the public, enable this option. You don't need to enable this option to view local web pages or develop web pages. If you plan to provide web services, you will need to install the httpd package.
Enabling "WWW (HTTP)" will not open a port for HTTPS. To enable HTTPS, specify it in the "Other Ports" field.
"Mail (SMTP)"
Enable this option if you need to allow remote hosts to connect directly to your machine to send mail. Do not enable this option if you want to receive POP3 or IMAP mail from your ISP server, or if you are using a tool like fetchmail. Note that an incorrectly configured SMTP server will allow remote machines to use your server to send spam.
"FTP"
FTP is a protocol for transferring files between machines on a network. Enable this option if you plan to make your FTP server publicly available. You need to install the vsftpd package to take advantage of this option.
"Other Ports"
You can allow access to other ports not listed here by listing them in the "Other Ports" field. The format is port:protocol. For example, if you want to allow IMAP to pass through your firewall, you can specify imap:tcp. You can also specify a port number: to allow UDP packets through the firewall on port 1234, enter 1234:udp. To specify multiple ports, separate them with commas.
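The "Custom" choices above (trusted devices, the "Allow Access" services and the "Other Ports" field) are the parts of this screen that actually turn into packet-filter rules. The following Python script is an added example, not code from Red Hat's redhat-config-securitylevel tool: it validates the port:protocol syntax of the "Other Ports" field, resolves service names such as imap through /etc/services (with a small constructed fallback table), and prints plain iptables commands that express the same policy. The port numbers in the ALLOW_ACCESS table are standard IANA assignments and the iptables layout (default-deny INPUT policy, loopback and established-connection exceptions) is an assumption about how to express the installer's choices, not the installer's own generated file.

```python
"""Generate an iptables ruleset from the installer's "Custom" firewall choices.

Added example, not code from Red Hat's redhat-config-securitylevel tool. It
turns trusted devices, "Allow Access" services and the "Other Ports" field
into plain iptables commands that express the same policy; the installer's
own generated rules may be laid out differently.
"""
import re
import socket

# "Allow Access" services from the installer screen, mapped to the port each
# one opens. Port numbers are standard IANA assignments (constructed table,
# not taken from the page). DHCP is expressed as the client port replies
# arrive on (assumption).
ALLOW_ACCESS = {
    "DHCP": [(68, "udp")],
    "SSH": [(22, "tcp")],
    "Telnet": [(23, "tcp")],
    "WWW (HTTP)": [(80, "tcp")],
    "Mail (SMTP)": [(25, "tcp")],
    "FTP": [(21, "tcp")],
}

# Used only when /etc/services is unavailable to socket.getservbyname.
FALLBACK_SERVICES = {("imap", "tcp"): 143, ("https", "tcp"): 443, ("pop3", "tcp"): 110}


def parse_other_ports(field):
    """Parse the "Other Ports" field, e.g. "imap:tcp, 1234:udp", into (port, proto) pairs.

    Each comma-separated item must be port:protocol, where the port is a
    service name (resolved through /etc/services) or a number. Anything
    malformed raises ValueError, so a typo neither silently opens nor
    silently skips a port.
    """
    rules = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        if item.count(":") != 1:
            raise ValueError(f"expected port:protocol, got {item!r}")
        name, proto = [part.strip().lower() for part in item.split(":")]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r} in {item!r}")
        if name.isdigit():
            port = int(name)
        else:
            try:
                port = socket.getservbyname(name, proto)
            except OSError:
                port = FALLBACK_SERVICES.get((name, proto))
            if port is None:
                raise ValueError(f"unknown service {name!r} for {proto}")
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {item!r}")
        rules.append((port, proto))
    return rules


def is_valid_other_ports(field):
    """True if the field parses cleanly; use it to validate input before applying rules."""
    try:
        parse_other_ports(field)
        return True
    except ValueError:
        return False


def build_ruleset(trusted_devices=(), allowed_services=(), other_ports=""):
    """Return the iptables commands (as strings) for the given selections."""
    lines = [
        "iptables -F INPUT",
        # Default deny: anything not explicitly allowed below is dropped.
        "iptables -P INPUT DROP",
        # Loopback traffic and replies to connections this host initiated
        # (which is what lets DNS responses in) are always accepted.
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for dev in trusted_devices:
        if not re.fullmatch(r"[A-Za-z0-9._-]+", dev):
            raise ValueError(f"bad interface name {dev!r}")
        # A trusted device bypasses every other rule, exactly as the text warns.
        lines.append(f"iptables -A INPUT -i {dev} -j ACCEPT")
    opened = []
    for service in allowed_services:
        if service not in ALLOW_ACCESS:
            raise ValueError(f"unknown service {service!r}")
        opened.extend(ALLOW_ACCESS[service])
    opened.extend(parse_other_ports(other_ports))
    for port, proto in opened:
        lines.append(f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    # Constructed sample: LAN on eth0 trusted, SSH and HTTP public, IMAP and
    # one UDP port added through "Other Ports".
    for line in build_ruleset(["eth0"], ["SSH", "WWW (HTTP)"], "imap:tcp, 1234:udp"):
        print(line)
```

The script only prints the commands; because the INPUT policy is set to DROP before the accept rules are appended, apply the output from the console rather than over an SSH session, or you will cut yourself off. Note that a trusted device produces a single unconditional ACCEPT, which is why the text advises against trusting an interface that faces the Internet.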
Tip: To change your security level configuration after installation, use the security level configuration tool. Start the security level configuration tool by typing the redhat-config-securitylevel command at the shell prompt. If you are not the root user, it will prompt you to enter the root password before proceeding.
