Basic Fedora Linux Firewall Configuration
|Previous||Table of Contents||Next|
|Configuring Fedora Linux Wireless Networking||Using Firestarter to Configure a Fedora Linux Firewall|
Take your Fedora Linux Skills to the Next Level
A firewall is a vital component in protecting a computer system, or network of computers from external attack (typically from an internet connection). Any computer connected directly to an internet connection must run a firewall to protect against malicious activity. Similarly, any internal network must have some form of firewall between it and an external internet connection.
Fedora Linux is supplied with powerful firewall technology known as iptables built-in. Entire books can, and indeed have, been written about configuring iptables. If you would like to learn about iptables we recommend Linux Firewall Configuration - Packet Filtering and iptables.
Fortunately Fedora Linux also provides some tools that make firewall configuration easy for the average user. This chapter will cover the steps necessary to configure a Fedora Linux firewall using those tools.
Fedora Linux Firewall Options
Fedora Linux provides two firewall configuration options. The first is a basic yet effective and easy to use firewall configuration tool. Another, more advanced, option is called Firestarter. And yet another option is to use a tool called Guarddog.
In this chapter we will explore the basic firewall configuration tool and in the next chapter (Using Firestarter to Configure a Fedora Linux Firewall) we will look at the Firestarter firewall configuration tool in more detail.
Configuring a Basic Fedora Linux Firewall
To launch the standard Fedora configuration tool, open the desktop System menu and click on Administration and select Firewall. Alternatively, the tool can be launched from the command-line as follows:
Enter your password when prompted. Once loaded, the security level tool should appear as follows:
Enabling and Disabling the Firewall
By default, the firewall will be active on a newly installed Fedora system. This is the preferred state for the firewall unless the system is running within a secure network environment or has no network connection. To enable or disable the firewall, click on the corresponding button in the Firewall Configuration window toolbar.
The current status of the firewall is indicated in the status field at the bottom of the window.
Configuring Firewall Settings using the Wizard
By default, the firewall is configured to allow only secure shell (SSH) access to the system and views any network adapters installed as untrusted devices. These settings may be configured manually using the Firewall Configuration tool. Alternatively, the Wizard tool may be used to configure the firewall based on responses to a series of questions. To access the wizard simply click on the Wizard button in the toolbar of the Firewall Configuration tool.
The wizard will ask questions about whether the system is connected to a network, whether you are a beginner or experienced user and, finally, whether the system is being used as a desktop computer or a server. Once the information has been gathered, the wizard will configure the firewall accordingly. For example, if you state that you are a beginner using the system as a desktop computer, the wizard will configure the firewall to allow printing and access to file and printer sharing on other systems using Samba. Beginner mode also disables access to the more advanced firewall configuration options. To change the skill level or configuration profile (desktop or server) use the settings accessible via the Options menu.
Whilst the wizard approach is fine for very basic settings, it will be necessary to manually configure settings for more advanced requirements.
Configuring Firewall Port Settings
The main area of the Firewall Configuration tool consists of a list of categories on in the left hand pane and the current corresponding settings for that category in the right hand panel.
The Trusted Services category essentially defines which TCP/IP ports are open to traffic on the firewall. There a number of so called known ports which are assigned to specific servers (such as port 80 for a web server).
A summary of the primary services is as follows:
SSH - The secure shell provides an encrypted mechanism for allowing password protected remote access to your system. With SSH you can remotely log into to your system, copy files to and from your system and another systems and perform remote execution of programs. If you need remote access to your system you will need to activate this. If you do not need remote access leave this disabled. Note that the ssh server is not installed by default on Fedora Linux.
Telnet - Telnet provides remote terminal access to your system. It does not use encryption and use is strongly discouraged. Leave this disabled and use SSH instead for remote access.
WWW (HTTP) - If you are hosting a web server on your Fedora Linux System you will need to enable HTTP traffic through the firewall to enable web page requests to reach the http server. If you do not plan to host a web server, leave this disabled. Note that the Apache web server is not installed by default on Fedora Linux unless you specifically requested during the installation process.
Mail (SMTP) - Specifies whether the firewall blocks Simple Mail Transfer Protocol traffic. This is only necessary if you are hosting a mail server on your Fedora Linux system. If you only use a mail client to download email from a POP3 or IMAP server you can safely leave this disabled. Note that the SMTP server is not installed by default on Fedora Linux.
FTP - Controls whether File Transfer Protocol traffic is permitted through the firewall. Unless you plan to set up an ftp server (unlikely for typical users) leave this option disabled. Note that the FTP server is not installed by default on Fedora Linux.
Samba - The Samba service is allows files and printers to be shared between Linux and Windows systems. If this traffic is blocked in the firewall, it will not be possible to use Samba on this system.
A more extensive list of services and ports can be found on-line at:
To activate or deactivate a option use the simply click on the check box next the to service.
Configuring Other Ports
The list of well known ports are not, of course, the only ports available. In fact there are thousands of ports available for use by applications and services. To open a specific port, use the Other ports category of the Firewall Configuration tool. To open a port, click on the Add button to display the Port and Protocol dialog shown below:
This dialog provides a far more extensive list of ports. Either select the desired port from the list, or enter it manually if it is not listed by selecting the User Defined option. When manually defining the port, both the port number and protocol (TCP or UDP) will need to be provided to ensure the firewall does not interfere with traffic on that port.
Configuring Trusted Interfaces
A trusted interface is a network adapter (either physical or software based) on which traffic is known to be coming from a secure network environment. For example, a Fedora system acting as a firewall for an internal network might contain two network adapters, one of which is connected via a gateway or modem to the internet while the other is connected to the secure internal network. In such a situation, the first adapter would be configured as untrusted, since it is exposed to traffic from the outside world. Assuming internal network is protected by the firewall and other intrusion prevention measures, the second adapter can be considered to be trustworthy.
Masquerading is better known in networking circles as Network Address Translation (NAT). When using a Fedora system as a gateway to the internet for a network of computers, masquerading allows all of the internal systems to use the IP address of the Fedora system when communicating over the internet. This has the advantage of hiding the internal IP addresses of any systems from malicious external entities and also avoids the necessity to allocate a public IP address to every computer on the network.
This service is also provided by most routers and gateways so this feature of the Fedora Firewall is rarely used.
Port forwarding is used in conjunction with masquerading when the Fedora system is acting as a gateway to the internet for an internal network of computer systems. Port forwarding allows traffic arriving at the firewall via the internet on a specific port to be forwarded to a particular system on the internal network. This is perhaps best described by way of an example.
Suppose that a Fedora system is acting as the firewall for an internal network of computers. One of the systems on the network is configured as a web server. Let's assume the web server system has an IP address of 192.168.2.20. The domain record for the web site hosted on this system is configured with the public IP address behind which the Fedora firewall system sits. When an HTTP web page request arrives on port 80 the Fedora system acting as the firewall needs to know what to do with it. By configuring port forwarding it is possible to direct all web traffic to the internal system hosting the web server (in this case, IP address 192.168.2.20), either continuing to use port 80 or diverting the traffic to a different port on the destination server. In fact, port forwarding can even be configured to forward the traffic to a different port on the same system as the firewall (a concept known as local forwarding).
Configure port forwarding by selecting the Port Forwarding category in the Firewall Configuration window and clicking on the Add button. This will display the following dialog:
From within the above dialog, select the network device from which the traffic is to be forwarded (the network device that handles traffic coming from the internet), the protocol and port for which the forwarding is to be effective and the IP address of the system on the internal network to which the traffic is to be diverted. Optionally, also provide an alternate port number on the target system if required.
To forward traffic to a different port on the local system (in other words the system running the firewall), select the Local forwarding option and specify the destination port.
The Internet Control Message Protocol (ICMP) is used by client systems on networks to send error messages to each other. It is also the foundation of the ping command which is used to by network administrators and users to detect whether a particular client is alive on a network. The ICMP Filtering category allows for the blocking of specific ICMP message types. For example, an administrator might choose to block incoming ping (Echo Request) ICMP messages to prevent the possibility of a ping based denial of service (DoS) attack (where a server is maliciously bombarded with so many ping messages that it becomes unable to respond to legitimate requests).
The Custom Rules category allows individual iptabes rules to be specified and loaded into the firewall. This provides a high level of flexibility to perform tasks such as blocking messages from a specific IP address or ranges of addresses. The power and flexibility of iptables allows just about any imaginable restrictions to be placed on the traffic passing through the firewall. This very power, unfortunately, makes a detailed overview of the technology far beyond the scope of this book.
This chapter has covered the basics of Fedora Linux firewall configuration.
Take your Fedora Linux Skills to the Next Level